A Sequential Classifiers Combination Method to Reduce False Negative for Intrusion Detection System

Sornxayya PHETLASY  Satoshi OHZAHATA  Celimuge WU  Toshihito KATO  

IEICE TRANSACTIONS on Information and Systems   Vol.E102-D   No.5   pp.888-897
Publication Date: 2019/05/01
Publicized: 2019/02/27
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2018NTP0019
Type of Manuscript: Special Section PAPER (Special Section on the Architectures, Protocols, and Applications for the Future Internet)
Keywords: sequential classifiers combination, false negative, intrusion detection, machine learning

An intrusion detection system (IDS) is a device or software that monitors a network system for malicious activity. Its detection results can contain two types of error: the false positive (FP), in which normal traffic is incorrectly detected as abnormal, and the false negative (FN), in which malicious traffic is incorrectly judged as normal. To protect the network system, FN should be as low as possible. However, since there is a trade-off between FP and FN when an IDS detects malicious traffic, it is difficult to reduce both metrics simultaneously. In this paper, we propose a sequential classifiers combination method to reduce the effect of the trade-off. A single classifier generally suffers from a high FN rate; therefore, additional classifiers are sequentially combined in order to detect more positives (that is, to reduce FN further). Since each classifier can reduce FN and does not generate much FP in our approach, we can achieve a reduction of FN at the final output. In the evaluation, we use the NSL-KDD dataset, which is an updated version of the KDD Cup'99 dataset. WEKA is used as the classification tool in the experiments, and the results show that the proposed approach can reduce FN while improving sensitivity and accuracy.
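
The sequential idea in the abstract, as an added example that is not the paper's code: it assumes that traffic one stage judges normal is handed to the next stage, and it uses three hypothetical threshold rules in place of WEKA-trained classifiers. The records are constructed and only borrow NSL-KDD feature names.

```python
# Added illustration, not the paper's code. Records are constructed; columns use
# NSL-KDD feature names: (serror_rate, num_failed_logins, src_bytes, label).
RECORDS = [
    (0.95, 0, 0, 1), (0.90, 0, 0, 1),          # attacks with high SYN-error rate
    (0.05, 4, 120, 1), (0.00, 6, 200, 1),      # attacks with repeated failed logins
    (0.02, 0, 90000, 1), (0.10, 0, 75000, 1),  # attacks sending large volumes
    (0.01, 0, 300, 1),                         # attack no stage recognises
    (0.00, 0, 250, 0), (0.03, 1, 500, 0), (0.02, 0, 1200, 0), (0.01, 0, 800, 0),
    (0.85, 0, 0, 0),                           # normal, but trips stage 1
    (0.00, 3, 150, 0),                         # normal, but trips stage 2
    (0.04, 0, 60000, 0),                       # normal, but trips stage 3
]

# Hypothetical threshold rules standing in for trained classifiers (True = attack).
STAGES = [
    lambda r: r[0] > 0.8,
    lambda r: r[1] >= 3,
    lambda r: r[2] > 50000,
]

def cascade_predict(record, stages):
    """Assumed combination rule: traffic a stage judges normal goes to the next stage."""
    for stage in stages:
        if stage(record):
            return 1
    return 0

def evaluate(records, stages):
    """Confusion-matrix counts plus sensitivity and accuracy for a cascade."""
    tp = fp = tn = fn = 0
    for rec in records:
        pred, truth = cascade_predict(rec, stages), rec[3]
        if truth:
            tp, fn = tp + pred, fn + (1 - pred)
        else:
            fp, tn = fp + pred, tn + (1 - pred)
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn,
            "sensitivity": tp / (tp + fn), "accuracy": (tp + tn) / len(records)}

def sweep(records=RECORDS, stages=STAGES):
    """Metrics after 1, 2, ... len(stages) classifiers in sequence."""
    return [evaluate(records, stages[:k]) for k in range(1, len(stages) + 1)]

if __name__ == "__main__":
    for k, m in enumerate(sweep(), 1):
        print(f"{k} stage(s): FN={m['fn']} FP={m['fp']} "
              f"sensitivity={m['sensitivity']:.2f} accuracy={m['accuracy']:.2f}")
```

Under this combination rule each added stage can only hold or lower FN and hold or raise FP, so accuracy improves only while a stage contributes more true positives than false positives.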