DocumentCode :
1753904
Title :
Self-organizing feature maps for User-to-Root and Remote-to-Local network intrusion detection on the KDD Cup 1999 dataset
Author :
Wilson, Ryan ; Obimbo, Charlie
Author_Institution :
Sch. of Comput. Sci., Univ. of Guelph, Guelph, ON, Canada
fYear :
2011
fDate :
21-23 Feb. 2011
Firstpage :
42
Lastpage :
47
Abstract :
The problem of network intrusion detection is one that is ever-changing, ever-evolving, and is always in need of improvement. Society-at-large relies on computer networks every day for tasks ranging from online banking to e-commerce, social networking, news, gambling, and just about anything else. As such, society demands that these networks remain secure. In order to maintain security, the systems used to protect these networks, which are vital to the 21st century world, must be constantly updated. The task of creating a system for the 21st century fell upon several groups for the ACM 1999 KDD Cup Competition. The competition produced a winning entry, but something was lacking: the winning team's results for two of the intrusion types, User-to-Root and Remote-to-Local, were subpar at best. The winning team produced a 13.8% and 8.4% detection rate for these types respectively, compared to over 90% for each of the Denial of Service and Probing intrusion types. This research aimed to rectify this shortcoming. By implementing an unsupervised learning system, this research has produced a system that correctly detects 62.8% of User-to-Root attacks within the same dataset, with minimal false positives, while maintaining the high detection rates of Denial of Service and Probing attacks.
Keywords :
computer network security; self-organising feature maps; unsupervised learning; KDD Cup 1999 Dataset; computer networks; denial of service attacks; e-commerce; online banking; probing attacks; remote-to-local network intrusion detection; self-organizing feature maps; social networking; unsupervised learning system; user-to-root network intrusion detection; Computer crime; Intrusion detection; Machine learning algorithms; Probes; Testing; Training; Training data;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Internet Security (WorldCIS), 2011 World Congress on
Conference_Location :
London
Print_ISBN :
978-1-4244-8879-7
Electronic_ISBN :
978-0-9564263-7-6
Type :
conf
Filename :
5749879