This chapter discusses about intrusion detection system with data mining and machine learning techniques and literature review of the research. The first lines of defense for computer security are Protection techniques such as user authentication, data encryption, avoiding programming errors and firewalls prevention and so on. If a password is weak and is compromised, user authentication cannot prevent unauthorized use, firewalls are vulnerable to errors in configuration and suspect to one or more possible or undefined security policies. They are generally unable to protect against malicious insider attacks and unsecured modems. Programming error can be avoided, but it makes the system more complicated. These errors are ignored to simplify the system. The IT system in the future may not be safe. Therefore, despite these preventive technologies, it is necessary to detect intrusions and protect the system. Intrusion detection is useful not only to detect successful infections, but also in monitoring attempts to break security. Quick response will provide important information [22].
Intrusion Detection System
An intrusion detection system (IDS) examines every inbound and outbound network activity and identifies suspicious patterns that indicate a network or system attacks from people trying to affect the system. IDS’ initial design and operation protect the organization’s important information from an outsider. The IDS analyzes the information it collects and compares it to large databases of attack signatures. Intrusion detection functions include:
- Monitoring and analyzing both user and system activities.
- Analyzing system configurations and vulnerabilities.
- Assessing system and file integrity.
- Ability to recognize patterns typical of attacks.
- Analysis of abnormal activity patterns.
- Violation of user policy monitoring [42].
Random Forest Based Intrusion Detection System
Md. AlMehedi Hasan presented a Random Forest model for Intrusion Detection System (IDS) with a emphasis on improving the efficiency of intrusion detection by reducing input features. The experimental results showed that the Random Forest based proposed approach can be selected which are the most important and relevant features that are useful for classification, which, in turn, reduced not only the number of input features and time but also increased the classification accuracy. Research on tracking intrusions and feature selection with the RF approach is still a persistent area due to its good performance. The results of this article will be very useful for research on selection and classification of features. These findings could also be applied to use RF in more meaningful way in order to maximize the performance rate and minimize the false positive rate [37].
Attacks in Wireless Sensor Network (WSN) also are shown and classified according to different criteria. To implement and measure the performance of detection techniques they prepared their dataset, based on KDD’99, into five steps, after normalizing their dataset, they determined normal class and 4 types of attacks, and used the most relevant attributes for the classification process. According to the results, it is highly suggested to use data mining techniques to detect effectively the intrusions and attacks in WSN. However, many problems remain open and require further research such as hierarchical clustering patterns, using machine learning in resource management problem of wireless sensor networks, developing a classifier that is trained well with network patterns, selecting and preprocessing an appropriate dataset. In fact, the advantages of Random Forest intrusion detection technique, SVM, Naïve Bayes and K-means respectively, can be clearly derived, in this order, according to confusion matrix, classification rate, memory, complexity, building time and memory consumption they can classify these techniques, from the higher to lower performance technique [20].
Revathi and Malathi focus on detailed analysis on NSL-KDD dataset and proposed a new technique of combining swarm intelligence (Simplified Swarm Optimization) and data mining algorithm (Random Forest) for feature selection and reduction. SSO is used to find the most appropriate attributes for classifying network intrusions, and Random Forest is used as a classifier. In the preprocessing step, they optimized the dimension of the dataset by the proposed SSO-RF approach and found an optimal set of features. SSO was an optimization method that had a powerful global search function and was used here for dimension optimization. The experimental results showed that the proposed approach performed better than the other approaches for the detection of all types of attacks present in the dataset [6].
Due to the increasing speed of the network and the amount of network traffic, it is important for IDSs to be easy to deal with classification. Feature selection has been successfully used to improve classification accuracy and reduce the false positive for classification of attacks in Intrusion Detection System. In this article, art explored feature selection and classification methods for Denial-of-Service (DoS) attacks detection since they are the most threatening intrusions these days using with Random Forests (RDF) and k-Nearest Neighbor for feature selection and classification respectively. The purpose of this paper was to examine the algorithm for selecting the best features, Random Forest to build the IDS was computerized efficiently and effectively, and the best classification algorithm k-Nearest Neighbors that have been widely used for IDS. Experimental results have shown that the proposed method can achieve the high accuracy in detection those known and unknown attacks by using WEKA tool [8].
Traditional intrusion prevention techniques, such as firewalls, access control or encryption cannot fully protect networks and systems from increased attacks. Therefore an intrusion detection system (IDS) has become an important component of security infrastructure and a key part of system defense to detect these attacks before it causes the destruction of the system. This paper designed an intrusion detection system using Weka Data Mining Software, to verify intruders and classify according to identify the type of invasion, depending on the type of attack in KDD CUP 99 dataset. They build a very expensive, versatile and effective system compared to other systems. The system took nine algorithms in Weka for the classification; the test option which used in all techniques is cross-validation with 10 folds. From the result it is watched that Random Forest performs better results in accuracy [10].
Intrusion detection deals with large amount of data, which contains some irrelevant and unnecessary features and leads to increased processing time and low rate of recognition. Therefore, feature selection should be considered as a necessary preliminary step to improve the overall system performance significantly when extracting on huge datasets. This article focused on a two-step approach of feature selection based on Random Forest. The experimental results showed that the Random Forest based proposed approach can select most important and relevant features useful for classification, which, in turn, reduces not only the number of input features and time but also increases the classification accuracy [15].
The traditional IDS have been based on in-depth knowledge of security professionals, in particular in familiarizing them with protected computer systems. To reduce this dependence, a variety of mining and machine learning techniques had been applied in the literature. The proposed experiments and estimates of intrusion detection system have been performed with the NSL-KDD intrusion detection dataset. Over the years mentioned in other groups until the last one will have the following algorithm: SOMRBF, TAN, KNN-50, PART, KNN-1, RIPPER, NBTREE, C4.5, CART, RANDOM FOREST, this group was the best results obtained. They had used different strategy to build robust and reliable systems to detect intrusion, attacks or threats, and the result had shown that simple and straight forward techniques had obtained the best results, like Decision trees (Random Forest, C4.5) followed by induction of rules and KNN methods. The most important conclusion, the best algorithm was RANDOM FOREST [19].
Cloud computing became a realized computing phenomenon. In fact it is the new way of computing in which systems work. Mobile devices can now join cloud computing. The infrastructure enables virtual mobile instances as part of cloud computing. This new infrastructure can be used by service providers. However, they needed to know about safety issues. They discussed various security issues and mobile cloud infrastructure solutions. This paper aimed to monitor and track abnormal behavior in mobile cloud infrastructure by using Random Forest algorithm. The main focus of this paper was to monitor and detect unusual behavior in mobile cloud infrastructure. The empirical resulted that the mobile cloud infrastructure was built on the given architecture have affected the security of mobile cloud communications [4].
