• DocumentCode
    2896464
  • Title

    Quantitative Intrusion Intensity Assessment Using Important Feature Selection and Proximity Metrics

  • Author

    Lee, Sang Min ; Kim, Dong Seong ; Yoon, YoungHyun ; Park, Jong Sou

  • Author_Institution
    Dept. of Comput. Eng., Korea Aerosp. Univ., Seoul, South Korea
  • fYear
    2009
  • fDate
    16-18 Nov. 2009
  • Firstpage
    127
  • Lastpage
    134
  • Abstract
    The problem with previous approaches to anomaly detection in intrusion detection systems (IDS) is that they provide only a binary detection result: intrusion or normal. This is a main cause of high false rates and inaccurate detection rates in IDS. In this paper, we propose a new approach named quantitative intrusion intensity assessment (QIIA). QIIA exploits feature selection and proximity metrics computation so that it provides a quantitative intensity value for intrusion (or normal). It is capable of representing how proximal an instance of audit data is to intrusion or normal in the form of a numerical value. Prior to applying QIIA to audit data, we perform feature selection and parameter optimization of the detection model, not only to decrease the overhead of processing audit data but also to enhance detection rates. QIIA is then performed using random forest (RF), and it generates proximity metrics which represent the intrusion intensity numerically. The numerical values are used to determine whether unknown audit data is intrusion or normal. We carry out several experiments on the KDD 1999 dataset and show the evaluation results.
  • Keywords
    security of data; software metrics; KDD 1999 dataset; feature selection; inaccurate detection rates; intrusion detection system; proximity metrics; proximity metrics computation; quantitative intensity value; quantitative intrusion intensity assessment; random forest; Aerospace engineering; Educational institutions; Hidden Markov models; Information security; Intrusion detection; Radio frequency; Support vector machine classification; Support vector machines; Telecommunication computing; USA Councils; Feature Selection; Intrusion Detection System; Parameter Optimizations; Proximity Metrics; Random Forests;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Dependable Computing, 2009. PRDC '09. 15th IEEE Pacific Rim International Symposium on
  • Conference_Location
    Shanghai
  • Print_ISBN
    978-0-7695-3849-5
  • Type

    conf

  • DOI
    10.1109/PRDC.2009.29
  • Filename
    5368241