This paper proposes a novel approach for intrusion detection system based on sampling with Least Square Support Vector Machine (LS-SVM). Decision making is performed in two stages. In the first stage, the whole dataset is divided into some predetermined arbitrary subgroups. The proposed algorithm selects representative samples from these subgroups such that the samples reflect the entire dataset. An optimum allocation scheme is developed based on the variability of the observations within the subgroups. In the second stage, least square support vector machine (LS-SVM) is applied to the extracted samples to detect intrusions. We call the proposed algorithm as optimum allocation-based least square support vector machine (OALS-SVM) for IDS. To demonstrate the effectiveness of the proposed method, the experiments are carried out on KDD 99 database which is considered a de facto benchmark for evaluating the performance of intrusions detection algorithm. All binary-classes and multiclass are tested and our proposed approach obtains a realistic performance in terms of accuracy and efficiency. Finally a way out is also shown the usability of the proposed algorithm for incremental datasets.

Introduction

In recent years, there has been an increasing awareness of the risk associated with network attacks as information systems are now more open to the Internet than ever before. Intrusion detection system (IDS) is a program that tries to find indications that the computer has been compromised. An IDS attempts to detect an intruder breaking into computer system or legitimate user misuses system resources. Intrusion detection is an important issue and has captured the attention of network administrators and security professionals. Intrusion detection is the art of detecting unauthorized, inappropriate, or anomalous activity on computer systems. Intrusion detection systems are classified as network based, host based, or application based depending on their mode of deployment and data used for analysis [1, 35]. In addition, intrusion detection systems can also be classified as signature based or anomaly based depending upon the attack detection method. The signature-based systems are trained by extracting specific patterns (or signatures) from previously known attacks while the anomaly-based systems learn from the normal data collected when there is no anomalous activity [1, 30, 31, 32, 43]. The main purpose of an IDS is to detect as many attacks as possible with minimum number of false alarms, i.e., the system must be accurate in detecting attacks. However, an accurate system that cannot handle large amount of network traffic and is slow in decision making will not fulfill the purpose of an intrusion detection system [18]. Hence it is necessary to develop a system that detects most of the attacks, gives very few false alarms, copes with large amount of data, and is fast enough to make real-time decisions. Although the IDS has led to a number of valuable network security techniques [3, 4, 14, 15, 16, 17, 18, 33, 40, 41, 42], the existing solutions are limited only to static data release. That is, in such solutions it is assumed that the entire dataset is available at the time of release. This assumption implies a significant shortcoming, as data today are continuously collected (thus continuously grow) and there is a strong demand for up-to-date data at all times. One possible approach is to use the intrusion detection techniques for the entire dataset whenever the dataset is augmented with new records. In this way, researchers are always provided with up-to-date information. Although this can be accomplished using existing techniques, there are two significant drawbacks. First, it requires redundant computation, as the entire dataset has to be analysed even if only a few records are newly inserted. Sometimes intrusion detection techniques might not work properly due to continuously growing large dataset. Secondly, huge space will be required to store all the previous datasets that may be sometimes impossible.