Dimension reduction using feature extraction methods for real-time misuse detection systems

We present a novel signed gain in information (GI) measure for quantitative evaluation of gain or loss in information due to dimension reduction using feature extraction in misuse detection applications. GI is defined in terms of sensitivity mismatch measure (Φ) and specificity mismatch measure (⊗). ´Φ´ quantifies information gain or loss in feature-extracted data as the change in detection accuracy of a misuse detection system when reduced data is used instead of untransformed original data. Similarly, ´⊗´ quantifies information gain or loss as the change in the number of false alarms generated by a misuse detection system when feature-extracted data is used instead of original data. We present two neural network methods for feature extraction: (1) NNPCA and (2) NLCA for reducing the 41-dimensional KDD Cup 1999 data. We compare our methods with principal component analysis (PCA). Our results show that the NLCA method reduces the test data to approximately 30% of its original size while maintaining a GI comparable to that of PCA and the NNPCA method reduces the test data to approximately 50% with GI measure greater than that of PCA.