Intrusion Detection Research Papers

In Section 6, we present and thoroughly discuss the results of the first set of experiments, which aimed to serve as a proof of concept. In Section 7, we discuss the results of the second set of experiments, which investigated threshold adaptation under different feature sets and data balance scenarios.


For example, a network under high-volume attacks, such as denial of service (DoS) or scan attacks, would have a different class distribution (normal to attack) than when under low-volume but stealthy attacks such as SQL injection and command-and-control (C&C) traffic. Because traffic evolves, most, if not all, of these assumptions are violated in real environments, as new traffic will start to exhibit statistical properties different from those of the training data.

Unpredictable differences between the training data and the data evaluated (tested) later can be introduced over time by such traffic evolution; this is known as concept drift.

Finally, Section 8 concludes this work and lists future work and directions.

In a typical (batch-based) scenario, a network-based anomaly ID model would be built to protect specific environments from attackers.

As network traffic evolves over time, due to changes in services and users and their behaviours, the capability of these methods to adapt to such changes is being challenged.

Ever-evolving traffic makes the process of building ID models a particularly challenging task, as learning all possible variations of traffic patterns for all kinds of traffic and users is an impossible quest.

The effects of threshold adaptation on improving accuracy were statistically analysed.

Of the three compared algorithms, Random Forest was the most adaptable and had the highest detection rates.

The model-building phase would require training data previously captured from old traffic to generate the ID model, which would then be tuned and set to detect anomalous behaviours.

However, once such a model is used to analyse new, real traffic, it will suffer from high false-alarm rates and low detection accuracy.
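The failure mode described above (a batch-trained model whose fixed alert threshold produces a flood of false alarms once benign traffic drifts) can be shown on synthetic data. The following is an added example written for this page, not code from the paper, and it does not reproduce the paper's classifiers or datasets: it assumes a single constructed flow-size feature, a z-score anomaly detector trained on old traffic, and one simplified form of threshold adaptation in which the alert threshold is re-estimated from a recent window of observed traffic while the trained baseline is left unchanged. All traffic values, means and sample sizes are constructed for illustration.

```python
"""Fixed vs adapted anomaly threshold under concept drift (constructed example)."""
import random
import statistics


def gen_traffic(rng, n, mean, sd):
    """Constructed traffic: n flow sizes drawn from a normal distribution.
    Real traffic has many features; one feature is enough to show the threshold effect."""
    return [rng.gauss(mean, sd) for _ in range(n)]


def fit_baseline(train):
    """Batch-trained baseline: mean and std of the (assumed benign) training data."""
    return statistics.fmean(train), statistics.pstdev(train)


def anomaly_score(baseline, x):
    """Absolute z-score: how far a flow sits from the training baseline."""
    mu, sd = baseline
    return abs(x - mu) / sd


def empirical_quantile(values, q):
    """q-th empirical quantile (nearest-rank); avoids a numpy dependency."""
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]


def fit_threshold(baseline, reference, q=0.99):
    """Pick the alert threshold so that a fraction q of the reference traffic scores
    below it, i.e. a target false-alarm rate of 1 - q on that traffic."""
    return empirical_quantile([anomaly_score(baseline, x) for x in reference], q)


def alarm_rate(baseline, threshold, flows):
    """Fraction of flows scoring above the threshold
    (false-alarm rate on benign flows, detection rate on attack flows)."""
    hits = sum(anomaly_score(baseline, x) > threshold for x in flows)
    return hits / len(flows)


def run_scenario(seed=20240101):
    """Train on old benign traffic, then evaluate after benign traffic drifts."""
    rng = random.Random(seed)
    train = gen_traffic(rng, 2000, mean=500, sd=50)         # old benign traffic
    fresh_old = gen_traffic(rng, 2000, mean=500, sd=50)     # held-out benign, pre-drift
    drifted_window = gen_traffic(rng, 2000, mean=650, sd=50)  # recent benign traffic after drift
    drifted_eval = gen_traffic(rng, 2000, mean=650, sd=50)  # held-out benign, post-drift
    attacks = gen_traffic(rng, 500, mean=900, sd=50)        # constructed high-volume attack flows

    baseline = fit_baseline(train)
    fixed_thr = fit_threshold(baseline, train)              # set once, from training data
    adapted_thr = fit_threshold(baseline, drifted_window)   # re-estimated from the recent window

    return {
        "fixed_thr": fixed_thr,
        "adapted_thr": adapted_thr,
        "fpr_before_drift": alarm_rate(baseline, fixed_thr, fresh_old),
        "fpr_fixed_after_drift": alarm_rate(baseline, fixed_thr, drifted_eval),
        "fpr_adapted_after_drift": alarm_rate(baseline, adapted_thr, drifted_eval),
        "dr_fixed": alarm_rate(baseline, fixed_thr, attacks),
        "dr_adapted": alarm_rate(baseline, adapted_thr, attacks),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:>24}: {value:.3f}")
```

With these constructed parameters the fixed threshold (about the 99th percentile of training scores) raises an alarm on well over half of the drifted benign flows, while the threshold re-estimated from the recent window brings the false-alarm rate back near the 1% target and still catches nearly all of the attack flows. Two caveats a practitioner should keep in mind: re-estimating the threshold from an unlabelled window assumes that window is predominantly benign, so an adversary who ramps activity up slowly can push the threshold upward over time; and every increase of the threshold shrinks the margin between benign and attack scores, so stealthier attacks that sit closer to the new normal are the first to be lost.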
