DocumentCode :
1904462
Title :
Revising the Outputs of a Decision Tree with Expert Knowledge: Application to Intrusion Detection and Alert Correlation
Author :
Benferhat, Salem ; Boudjelida, A. ; Tabia, Karim
Author_Institution :
Univ. Lille Nord de France, Lille, France
Volume :
1
fYear :
2012
fDate :
7-9 Nov. 2012
Firstpage :
452
Lastpage :
459
Abstract :
Classifiers are well-known and efficient techniques used to predict the class of items described by a set of features. In many applications, it is important to take into account some extra knowledge in addition to the one encoded by the classifier. For example, in spam filtering which can be seen as a classification problem, it can make sense for a user to require that the spam filter predicts less than a given rate or number of spams. In this paper, we propose an approach allowing to combine expert knowledge with the results of a decision tree classifier. More precisely, we propose to revise the outputs of a decision tree in order to take into account the available expert knowledge. Our approach can be applied for any classifier where a probability distribution over the set of classes (or decisions) can be estimated from the output of the classification step. In this work, we analyze the advantage of adding expert knowledge to decision tree classifiers in the context of intrusion detection and alert correlation. In particular, we study how additional expert knowledge such as "it is expected that 80% of traffic will be normal" can be integrated in classification tasks. Our aim is to revise classifiers' outputs in order to fit the expert knowledge. Experimental studies on intrusion detection and alert correlation problems show that our approach improves the performances on different benchmarks.
Keywords :
decision trees; pattern classification; security of data; statistical distributions; alert correlation; classification problem; decision tree classifier; expert knowledge; intrusion detection; probability distribution; spam filtering; Bayes methods; Context; Correlation; Decision trees; Intrusion detection; Probability distribution; Decision trees; alert correlation; expert knowledge; intrusion detection;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Tools with Artificial Intelligence (ICTAI), 2012 IEEE 24th International Conference on
Conference_Location :
Athens
ISSN :
1082-3409
Print_ISBN :
978-1-4799-0227-9
Type :
conf
DOI :
10.1109/ICTAI.2012.68
Filename :
6495080