Open Access
ARTICLE
Improving the Detection Rate of Rarely Appearing Intrusions in Network-Based Intrusion Detection Systems
1 Department of Financial Information Security, Kookmin University, Seoul, 02707, Korea
2 Department of Computer Science and Engineering, Sejong University, Seoul, 05006, Korea
3 Department of Convergence Science, Kongju National University, Gongju, 32588, Korea
* Corresponding Author: Changho Seo. Email:
Computers, Materials & Continua 2021, 66(2), 1647-1663. https://doi.org/10.32604/cmc.2020.013210
Received 29 July 2020; Accepted 11 September 2020; Issue published 26 November 2020
Abstract
In network-based intrusion detection practice, there are more regular instances than intrusion instances. Because this statistical imbalance is always present, it is difficult to train an intrusion detection system effectively. In this work, we compare intrusion detection performance by increasing the rarely appearing instances rather than by eliminating the frequently appearing duplicate instances. Our technique mitigates the statistical imbalance in these instances. We also carried out an experiment on the training model, increasing the attack instances step by step up to 13 levels. The experiments included not only known attacks, but also unknown new intrusions. The results are compared with existing studies from the literature, and show an improvement in accuracy, sensitivity, and specificity over previous studies. The detection rates for the remote-to-user (R2L) and user-to-root (U2R) categories are improved significantly by adding fewer instances. For many intrusions, the detection rate increases from very low to very high. The detection of newer attacks that had not been used in training improved from 9% to 12%. This study has practical applications in network administration to protect from known and unknown attacks. If network administrators are running out of instances for some attacks, they can increase the number of instances with rarely appearing instances, thereby improving the detection of both known and unknown new attacks.
This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.