Evaluation of black-marker and bilateral classification with J48 decision tree in anomaly based intrusion detection system

Yee Jian Chew, Shih Yin Ooi, Kok-Seng Wong, Ying Han Pang, Seong Oun Hwang

Research output: Contribution to journal › Article

1 Citation (Scopus)

Abstract

Anomaly-based intrusion detection systems (IDS) are gaining wide attention from the research community because of their robustness in detecting and profiling newly discovered network attacks. Unlike signature-based IDS, which rely solely on a set of pre-defined rules built through massive human effort, anomaly-based IDS use the collected network traces to build their own classification model. The classification model can be optimised when a large set of network traces is available. The ideal way of pooling network traces is through database sharing. However, not many organisations are willing to release or share their network databases due to privacy concerns, i.e. to avoid certain kinds of internet traffic behaviour profiling. To address this issue, a number of anonymisation techniques have been developed. The main purpose of anonymisation techniques is to conceal potentially sensitive information in the network traces. However, it is also important to ensure that the anonymisation techniques do not unduly degrade the performance of the IDS. The conventional way to check this is to use a Snort IDS to measure the number of alarms generated before and after an anonymisation solution is applied. However, this approach is infeasible for anomaly-based IDS. Thus, an alternative machine-learning approach is proposed and explored in this manuscript. Instead of manual evaluation using a Snort IDS, a J48 decision tree (the Weka implementation of the C4.5 algorithm) is used. In this manuscript, two anonymisation techniques, (1) black-marker and (2) bilateral classification, are used to hide the values of port numbers, and their before-and-after performances are evaluated with a J48 decision tree.
Original language: English
Pages (from-to): 5927
Number of pages: 5937
Journal: Journal of Intelligent and Fuzzy Systems
Volume: 35
Issue number: 6
Publication status: Published - Dec 24 2018

Fingerprint

Intrusion detection
Intrusion Detection
Decision trees
Decision tree
Anomaly
Evaluation
Trace
Profiling
Internet Traffic
Pooling
Large Set
Privacy
Learning systems
Machine Learning
Sharing
Signature
Attack
Internet
Robustness
Alternatives

Keywords

  • network packet traces
  • intrusion detection system (IDS)
  • J48 decision tree
  • anonymization
  • black-marker
  • bilateral classification

ASJC Scopus subject areas

  • Computer Science (all)

Cite this

Evaluation of black-marker and bilateral classification with J48 decision tree in anomaly based intrusion detection system. / Chew, Yee Jian; Ooi, Shih Yin; Wong, Kok-Seng; Pang, Ying Han; Hwang, Seong Oun.

In: Journal of Intelligent and Fuzzy Systems, Vol. 35, No. 6, 24.12.2018, p. 5927.

Research output: Contribution to journal › Article

@article{9dc54ba77a8d485da4ce839bded32150,
title = "Evaluation of black-marker and bilateral classification with J48 decision tree in anomaly based intrusion detection system",
abstract = "Anomaly-based intrusion detection system (IDS) is gaining wide attention from the research community, due to its robustness in detecting and profiling the newly discovered network attacks. Unlike signature-based IDS which solely relying on a set of pre-defined rules through some massive human efforts, anomaly-based IDS utilises the collected network traces in building its own classification model. The classification model can optimised when a large set of network traces is available. The ideal way of pooling the network traces is through database sharing. However, not many organisations are willing to release or share their network databases due to some privacy concerns, i.e. to avoid some kinds of internet traffic behaviour profiling. To address this issue, a number of anonymisation techniques was developed. The main usage of anonymisation techniques is to conceal the potentially sensitive information in the network traces. However, it is also important to ensure the anonymisation techniques are not over abusing the performances of IDS. To do so, the convention way is by using a Snort IDS to measure the number of alarms generated before-and-after an anonymisation solution is applied. However, this approach is infeasible for Anomaly-Based IDS. Thus, an alternative way of using machine learning approach is proposed and explored in this manuscript. Instead of manual evaluation through the usage of Snort IDS, a J48 decision tree (Weka package of C4.5 algorithm) is used. In this manuscript, two anonymisation techniques, (1) black-marker, and (2) bilateral classification are used to hide the value of port numbers; and their before-and-after performances are evaluated through a J48 decision tree.",
keywords = "network packet traces, intrusion detection system (IDS), J48 decision tree, anonymization, black-marker, bilateral classification",
author = "Chew, {Yee Jian} and Ooi, {Shih Yin} and Kok-Seng Wong and Pang, {Ying Han} and Hwang, {Seong Oun}",
year = "2018",
month = "12",
day = "24",
language = "English",
volume = "35",
pages = "5927",
journal = "Journal of Intelligent and Fuzzy Systems",
issn = "1064-1246",
publisher = "IOS Press",
number = "6",

}

TY - JOUR

T1 - Evaluation of black-marker and bilateral classification with J48 decision tree in anomaly based intrusion detection system

AU - Chew, Yee Jian

AU - Ooi, Shih Yin

AU - Wong, Kok-Seng

AU - Pang, Ying Han

AU - Hwang, Seong Oun

PY - 2018/12/24

Y1 - 2018/12/24

N2 - Anomaly-based intrusion detection system (IDS) is gaining wide attention from the research community, due to its robustness in detecting and profiling the newly discovered network attacks. Unlike signature-based IDS which solely relying on a set of pre-defined rules through some massive human efforts, anomaly-based IDS utilises the collected network traces in building its own classification model. The classification model can optimised when a large set of network traces is available. The ideal way of pooling the network traces is through database sharing. However, not many organisations are willing to release or share their network databases due to some privacy concerns, i.e. to avoid some kinds of internet traffic behaviour profiling. To address this issue, a number of anonymisation techniques was developed. The main usage of anonymisation techniques is to conceal the potentially sensitive information in the network traces. However, it is also important to ensure the anonymisation techniques are not over abusing the performances of IDS. To do so, the convention way is by using a Snort IDS to measure the number of alarms generated before-and-after an anonymisation solution is applied. However, this approach is infeasible for Anomaly-Based IDS. Thus, an alternative way of using machine learning approach is proposed and explored in this manuscript. Instead of manual evaluation through the usage of Snort IDS, a J48 decision tree (Weka package of C4.5 algorithm) is used. In this manuscript, two anonymisation techniques, (1) black-marker, and (2) bilateral classification are used to hide the value of port numbers; and their before-and-after performances are evaluated through a J48 decision tree.

AB - Anomaly-based intrusion detection system (IDS) is gaining wide attention from the research community, due to its robustness in detecting and profiling the newly discovered network attacks. Unlike signature-based IDS which solely relying on a set of pre-defined rules through some massive human efforts, anomaly-based IDS utilises the collected network traces in building its own classification model. The classification model can optimised when a large set of network traces is available. The ideal way of pooling the network traces is through database sharing. However, not many organisations are willing to release or share their network databases due to some privacy concerns, i.e. to avoid some kinds of internet traffic behaviour profiling. To address this issue, a number of anonymisation techniques was developed. The main usage of anonymisation techniques is to conceal the potentially sensitive information in the network traces. However, it is also important to ensure the anonymisation techniques are not over abusing the performances of IDS. To do so, the convention way is by using a Snort IDS to measure the number of alarms generated before-and-after an anonymisation solution is applied. However, this approach is infeasible for Anomaly-Based IDS. Thus, an alternative way of using machine learning approach is proposed and explored in this manuscript. Instead of manual evaluation through the usage of Snort IDS, a J48 decision tree (Weka package of C4.5 algorithm) is used. In this manuscript, two anonymisation techniques, (1) black-marker, and (2) bilateral classification are used to hide the value of port numbers; and their before-and-after performances are evaluated through a J48 decision tree.

KW - network packet traces

KW - intrusion detection system (IDS)

KW - J48 decision tree

KW - anonymization

KW - black-marker

KW - bilateral classification

M3 - Article

VL - 35

SP - 5927

JO - Journal of Intelligent and Fuzzy Systems

JF - Journal of Intelligent and Fuzzy Systems

SN - 1064-1246

IS - 6

ER -