Intelligent Network Management and Control - Badr Benmammar - Page 27
1.3.6. Hybrid techniques
Many researchers have suggested that the monitoring capacity of current IDS systems could be improved by adopting a hybrid approach that combines both anomaly-based and signature-based detection techniques (Lunt et al. 1992; Anderson et al. 1995; Fortuna et al. 2002; Hwang et al. 2007). Sabhnani and Serpen (2003) showed that no single classification technique enables the detection of all attack classes at an acceptable false alarm rate and with good detection accuracy. The authors used various techniques to classify the intrusions in the KDD 1998 dataset. Many researchers have shown that hybrid or ensemble-based classification techniques can improve detection accuracy (Mukkamala et al. 2005; Chen et al. 2005; Aslahi-Shahri et al. 2016; Hamamoto et al. 2018; Hajimirzaei and Navimipour 2019; Sai Satyanarayana Reddy et al. 2019). A hybrid approach involves the integration of various learning or decision-making models. Each learning model operates differently and uses a different set of features. The integration of various learning models yields better results than the individual learning or decision-making models and reduces their individual limitations. A significant advantage of combining redundant and complementary classification techniques is that it increases robustness and accuracy in most applications.
Various methods combining several classification techniques have been proposed in the literature (Menahem et al. 2009; Witten et al. 2016). Ensemble methods have a common objective: to build a combination of several models, instead of using a single model, in order to improve the results. Mukkamala and his collaborators (2005) showed that the use of ensemble classifiers led to the best possible accuracy for each category of attack. Chebrolu et al. (2005) used the Classification And Regression Trees-Bayesian network (CART-BN) approach for intrusion detection. Zainal et al. (2009) proposed the hybridization of linear genetic programming, the adaptive neuro-fuzzy inference system and random forests for intrusion detection. They showed empirically that by assigning appropriate weights to the classifiers in a hybrid approach, the detection accuracy for all classes of network traffic is improved compared to an individual classifier. Menahem et al. (2009) used various classifiers and tried to take advantage of their respective strengths. Hwang et al. (2007) proposed a three-level hybrid approach to detect intrusions. The first level of the system is a signature-based approach that filters known attacks using the black list concept. The second level of the system is an anomaly detector that uses the white list concept to distinguish normal traffic from the attack traffic that passed through the first level. The third level of the system uses support vector machines to classify the unknown attack traffic. The success of a hybrid method depends on many factors, notably the size of the training sample, the choice of base classifier, the exact manner in which the training set is modified, the choice of combination method and, finally, the data distribution and the potential capacity of the chosen base classifier to solve the problem (Rokach 2010).
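The three-level cascade of Hwang et al. described above, as an added example that is not part of the book: level 1 drops flows matching a signature black list, level 2 passes flows that fit a white-list profile of normal traffic, and level 3 labels what remains. The SVM of the third level is replaced here by a weighted vote of three hand-written base classifiers (the classifier weighting Zainal et al. describe) so that the example runs offline; all rules, profile values, class names and sample flows are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst_port: int
    pkts: int
    bytes_: int
    syn_ratio: float  # fraction of packets that are bare SYNs

# Level 1: signature-based black list (constructed rules, not real signatures)
BLACKLIST_SRCS = {"198.51.100.7"}  # constructed "known bad" source address
SIGNATURES = [
    lambda f: f.src in BLACKLIST_SRCS,
    lambda f: f.dst_port == 23 and f.syn_ratio > 0.9,  # constructed telnet SYN-flood rule
]

# Level 2: white list = profile of normal traffic, port -> allowed packet count range
NORMAL_PROFILE = {80: (1, 500), 443: (1, 500), 53: (1, 20)}

# Level 3: (weight, base classifier) pairs standing in for the SVM (assumption)
BASE_CLASSIFIERS = [
    (0.5, lambda f: "dos" if f.syn_ratio > 0.8 else "probe"),
    (0.3, lambda f: "probe" if f.pkts < 5 else "dos"),
    (0.2, lambda f: "dos" if f.bytes_ > 100_000 else "probe"),
]

def level1_known_attack(f: Flow) -> bool:
    return any(sig(f) for sig in SIGNATURES)

def level2_is_normal(f: Flow) -> bool:
    lo, hi = NORMAL_PROFILE.get(f.dst_port, (None, None))
    return lo is not None and lo <= f.pkts <= hi

def level3_classify(f: Flow) -> str:
    # Weighted vote: each base classifier adds its weight to the class it predicts
    scores: dict[str, float] = {}
    for weight, clf in BASE_CLASSIFIERS:
        label = clf(f)
        scores[label] = scores.get(label, 0.0) + weight
    return max(scores, key=scores.get)

def detect(f: Flow) -> str:
    if level1_known_attack(f):
        return "known-attack"      # stopped by the signature black list
    if level2_is_normal(f):
        return "normal"            # matches the white-list profile
    return "unknown-attack:" + level3_classify(f)  # anomalous, classified at level 3

if __name__ == "__main__":
    for flow in [Flow("198.51.100.7", 80, 10, 2000, 0.1),        # constructed flows
                 Flow("203.0.113.5", 443, 120, 50_000, 0.05),
                 Flow("203.0.113.9", 80, 5000, 900_000, 0.95)]:
        print(flow.src, flow.dst_port, "->", detect(flow))
```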