Affiliations: Siemens AG, Corporate Research and Technologies, Munich, Germany | [x] University of Magdeburg, Germany | [y] University of Liverpool, UK | [z] University of California at Berkeley, USA
Abstract: Network intrusion detectors analyze network traffic for detecting attacks in computer networks. Achieving a high detection accuracy and in particular a low number of false alarms is crucial for their practical use. In this paper a new stacking approach is suggested for improving the detection accuracy of anomaly and misuse detectors in network intrusion detection systems. Each detector gets a stacked module as a corrective element that is learned on training data. The stacked module shall raise the detector score in case of a true attack and lower the score in case of a normal connection. This is achieved by combining the detector score with context information (statistical features) about the respective connection, making it possible for example to learn in which context a certain detector is reliable and where it is not. The approach is empirically evaluated using real HTTP and FTP network traffic. The results show that the detectors enhanced by stacking typically are significantly better than the original detectors.
Keywords: Intrusion detection, classifier ensemble, bagging, boosting, decision trees
