Next Article in Journal
P2P Botnet Detection Based on Nodes Correlation by the Mahalanobis Distance
Previous Article in Journal
Efficient Ensemble Classification for Multi-Label Data Streams with Concept Drift
Previous Article in Special Issue
DGA CapsNet: 1D Application of Capsule Networks to DGA Detection
Article Menu
Issue 5 (May) cover image

Export Article

Open AccessArticle

Improving Intrusion Detection Model Prediction by Threshold Adaptation

1
Centre of Information Systems, Sultan Qaboos University, Al-Khoud, P.O. Box 40, P.C. 123, Sultanate of Oman
2
School of Computer Science, University of St. Andrews, St. Andrews KY16 9AJ, UK
*
Author to whom correspondence should be addressed.
Information 2019, 10(5), 159; https://doi.org/10.3390/info10050159
Received: 26 February 2019 / Revised: 10 April 2019 / Accepted: 25 April 2019 / Published: 30 April 2019
(This article belongs to the Special Issue Machine Learning for Cyber-Security)
  |  
PDF [8031 KB, uploaded 14 May 2019]
  |  

Abstract

Network traffic exhibits a high level of variability over short periods of time. This variability impacts negatively on the accuracy of anomaly-based network intrusion detection systems (IDS) that are built using predictive models in a batch learning setup. This work investigates how adapting the discriminating threshold of model predictions, specifically to the evaluated traffic, improves the detection rates of these intrusion detection models. Specifically, this research studied the adaptability features of three well known machine learning algorithms: C5.0, Random Forest and Support Vector Machine. Each algorithm’s ability to adapt their prediction thresholds was assessed and analysed under different scenarios that simulated real world settings using the prospective sampling approach. Multiple IDS datasets were used for the analysis, including a newly generated dataset (STA2018). This research demonstrated empirically the importance of threshold adaptation in improving the accuracy of detection models when training and evaluation traffic have different statistical properties. Tests were undertaken to analyse the effects of feature selection and data balancing on model accuracy when different significant features in traffic were used. The effects of threshold adaptation on improving accuracy were statistically analysed. Of the three compared algorithms, Random Forest was the most adaptable and had the highest detection rates. View Full-Text
Keywords: Intrusion Detection System; anomaly-based IDS; Threshold adaptation; Prediction accuracy improvement; Machine Learning; STA2018 dataset; C5.0; Random Forest; Support Vector Machine Intrusion Detection System; anomaly-based IDS; Threshold adaptation; Prediction accuracy improvement; Machine Learning; STA2018 dataset; C5.0; Random Forest; Support Vector Machine
Figures

Figure 1

This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited (CC BY 4.0).
SciFeed

Share & Cite This Article

MDPI and ACS Style

Al Tobi, A.M.; Duncan, I. Improving Intrusion Detection Model Prediction by Threshold Adaptation. Information 2019, 10, 159.

Show more citation formats Show less citations formats

Note that from the first issue of 2016, MDPI journals use article numbers instead of page numbers. See further details here.

Related Articles

Article Metrics

Article Access Statistics

1

Comments

[Return to top]
Information EISSN 2078-2489 Published by MDPI AG, Basel, Switzerland RSS E-Mail Table of Contents Alert
Back to Top