Purpose – The task of internet intrusion detection is to detect anomalous network connections caused by intrusive activities. There have been many intrusion detection schemes proposed, most of which apply both normal and intrusion data to construct classifiers. However, normal data and intrusion data are often seriously imbalanced because intrusive connection data are usually difficult to collect. Internet intrusion detection can be considered as a novelty detection problem, which is the identification of new or unknown data, to which a learning system has not been exposed during training. This paper aims to address this issue. Design/methodology/approach – In this paper, a novelty detection‐based intrusion detection system is proposed by combining the self‐organizing map (SOM) and the kernel auto‐associator (KAA) model proposed earlier by the first author. The KAA model is a generalization of auto‐associative networks by training to recall the inputs through kernel subspace. For anomaly detection, the SOM organizes the prototypes of samples while the KAA provides data description for the normal connection patterns. The hybrid SOM/KAA model can also be applied to classify different types of attacks. Findings – Using the KDD CUP, 1999 dataset, the performance of the proposed scheme in separating normal connection patterns from intrusive connection patterns was compared with some state‐of‐art novelty detection methods, showing marked improvements in terms of the high intrusion detection accuracy and low false positives. Simulations on the classification of attack categories also demonstrate favorable results of the accuracy, which are comparable to the entries from the KDD CUP, 1999 data mining competition. Originality/value – The hybrid model of SOM and the KAA model can achieve significant results for intrusion detection.
International Journal of Intelligent Computing and Cybernetics – Emerald Publishing
Published: Nov 23, 2012
Keywords: Network intrusion detection; Self‐organization; Kernel auto‐associator; Novelty detection; Internet; Interrupts