DocumentCode
2008121
Title
On the Use of Decision Trees as Behavioral Approaches in Intrusion Detection
Author
Tabia, Karim ; Benferhat, Salem
Author_Institution
CRIL, Artois Univ., France
fYear
2008
fDate
11-13 Dec. 2008
Firstpage
665
Lastpage
670
Abstract
Decision trees are well-known and efficient classifiers widely used as behavioral approaches. However, most works have pointed out their inefficiency in detecting novel attacks. In this paper, we address the inadequacy of decision trees for behavioral anomaly detection. We first explain why decision trees fail to detect most novel attacks. In particular, we provide experimental results showing that the minimum description length (MDL) principle used while inducing decision trees is among the main reasons for their failure to detect novel attacks. We then propose relaxing the MDL principle in order to build compatible decision trees more suitable for novel behavior detection. The strategy of relaxing the MDL principle is to exploit additional tests/features in order to discriminate between normal behaviors and intrusive ones, whereas standard decision trees rely only on a minimum subset of tests/features. Experimental studies, carried out on real and recent HTTP traffic and several Web attacks, show the significant improvements that can be made by relaxed MDL decision trees.
Keywords
decision trees; security of data; behavioral anomaly detection; decision trees; intrusion detection; minimum description length; Availability; Benchmark testing; Classification tree analysis; Computer networks; Decision trees; Intrusion detection; Machine learning; Telecommunication traffic; Training data; Web server;
fLanguage
English
Publisher
ieee
Conference_Titel
Machine Learning and Applications, 2008. ICMLA '08. Seventh International Conference on
Conference_Location
San Diego, CA
Print_ISBN
978-0-7695-3495-4
Type
conf
DOI
10.1109/ICMLA.2008.63
Filename
4725046