Intrusion Detection with Multi-Connected Representation

Recently, considerable attention has been given to data mining techniques to improve the performance of intrusion detection systems (IDS). This has led to the application of various classification and clustering techniques for the purpose of intrusion detection. Most of them assume that behaviors, both normal and intrusions, are represented implicitly by connected classes. We state that such assumption isn't evident and is a source of the low detection rate and false alarm. This paper proposes a suitable method able to reach high detection rate and overcomes the disadvantages of conventional approaches which consider that behaviors must be closed to connected representation only. The main strategy of the proposed method is to segment sufficiently each behavior representation by connected subsets called natural classes which are used, with a suitable metric, as tools to build the expected classifier. The results show that the proposed model has many qualities compared to conventional models; especially regarding those have used DARPA data set for testing the effectiveness of their methods. The proposed model provides decreased rates both for false negative rates and for false positives.