Labeling Network Event Records for Intrusion Detection in aWireless LAN

A data mining approach to network intrusion detection requires a training dataset of network event records labeled as either normal or an attack type. Since there are too many events to track, such datasets are typically very large. This is particularly so in a WLAN where number of non-wired devices communicating with the WLAN can be too many and adhoc. This creates a problem for the domain expert in labeling all records in the training dataset which is used to train a machine learner. We present a simple approach by which the number of network records the expert has to examine is a relatively small proportion of the given training dataset. A clustering algorithm is used to form relatively coherent groups which the expert examines as a whole to label records as one of four classes: red (definite intrusion), yellow (possibly intrusion), blue (probably normal), and green (definite normal). An ensemble classifier-based data cleansing approach is then used to detect records that were likely mislabeled by the expert. The proposed approach is investigated with a case study of a real-world WLAN. An ensemble classifier-based intrusion detection model built using the labeled training dataset demonstrates the effectiveness of the labeling approach and the good generalization accuracy