An Adaptive Growing Hierarchical Self Organizing Map for Network Intrusion Detection

The growing hierarchical self organizing map (GHSOM) has been shown to be an effective technique to facilitate anomaly detection. However, existing approaches based on GHSOM are not able to adapt online to the ever-changing problem domain of network intrusion. This results in low accuracy in identifying network intrusions, particularly "unknown" attacks. In this paper, we propose an adaptive GHSOM based approach (A-GHSOM) to network intrusion detection. It consists of four significant enhancements: enhanced threshold-based training, dynamic input normalization, feedback-based quantization error threshold adaptation, and prediction confidence filtering and forwarding. We test the capability of the A-GHSOM approach for intrusion detection using the KDD\´99 dataset. Extensive experimental results demonstrate that compared with eight representative intrusion detection approaches, A-GHSOM achieves significant overall accuracy improvement and significant improvement in identifying "unknown" attacks while maintaining low false-positive rates. It achieves an overall accuracy rate of 99.63%, and 94.04% accuracy rate in identifying "unknown" attacks while the false positive rate is 1.8%.