Ill-Young Weon, Doo Heon Song+ and Chang-Hoon Lee
Department of Computer Science and Engineering
Konkuk University
Seoul 143-701, Korea
E-mail: {clcc; chlee}@konkuk.ac.kr
+Department of Computer Game and Information
Yong-In SongDam College
5771 Mapyong Dong Young-In Kyungki, Korea
E-mail: dsong@ysc.ac.kr
In network intrusion detection, signature-based and machine learning-based intrusion detection systems each have their own strengths and weaknesses. When the two dissimilar systems are combined so that the former serves as the main system and the latter as a supporting system, the machine learning-based system assesses the validity of each alarm raised by the signature-based system and filters out the false alarms. In addition, such an approach can detect attacks that the signature-based system cannot detect on its own.
The objective of this paper is to propose a combined model of signature-based and machine learning-based intrusion detection and to show that the combined system performs better than either system on its own. The DARPA data set was used in the experiments to demonstrate the usefulness of the combined model. Snort served as the signature-based intrusion detection system, and an extended IBL (Instance-Based Learner) was the principal learning algorithm of the machine learning-based intrusion detection system. C4.5 was used as a baseline for comparing the performance of the learning algorithms.
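The following is an added illustration of the arrangement described above, written for this page and not code from the paper: a stream of Snort-style alerts is passed through a small instance-based learner (k-nearest-neighbour majority vote over normalized connection features), which confirms or filters each signature alarm and raises attacks of its own when no rule fired. The training instances, the flow records, the four-feature representation, the rule ids (chosen in Snort's local-rule range above 1,000,000) and the unanimous-vote threshold for learner-only alarms are all constructed assumptions; the paper's extended IBL and its DARPA feature set are not reproduced here.

```python
"""Hybrid IDS sketch: signature alarms validated by an instance-based learner (kNN)."""
from math import sqrt
from collections import Counter

# Constructed training instances: (duration_s, src_bytes, dst_bytes, syn_only_ratio) -> label.
# The "attack" rows mimic short, one-sided, SYN-heavy connections; "normal" rows are
# ordinary two-way sessions. These numbers are illustrative, not DARPA data.
TRAINING = [
    ((0.5, 300, 2000, 0.05), "normal"),
    ((1.2, 450, 5000, 0.02), "normal"),
    ((0.3, 120, 800, 0.10), "normal"),
    ((2.0, 900, 9000, 0.01), "normal"),
    ((0.01, 40, 0, 1.00), "attack"),
    ((0.02, 60, 0, 0.95), "attack"),
    ((0.05, 0, 0, 1.00), "attack"),
    ((0.01, 80, 0, 0.90), "attack"),
]

# Per-dimension scale taken from the training set so byte counts do not swamp ratios.
SCALE = [max(inst[0][i] for inst in TRAINING) or 1.0 for i in range(4)]


def normalize(x):
    return tuple(v / s for v, s in zip(x, SCALE))


def distance(a, b):
    """Euclidean distance between two feature vectors after min/max-style scaling."""
    return sqrt(sum((p - q) ** 2 for p, q in zip(normalize(a), normalize(b))))


def knn_classify(x, k=3):
    """Return (label, confidence): majority vote over the k nearest training instances."""
    nearest = sorted(TRAINING, key=lambda inst: distance(x, inst[0]))[:k]
    votes = Counter(label for _, label in nearest)
    label, count = votes.most_common(1)[0]
    return label, count / k


# Constructed flow records as the signature IDS would hand them over. 'snort_sid' is
# the (hypothetical, local-range) rule id that fired, or None when no signature matched.
FLOWS = [
    {"id": "f1", "features": (0.01, 50, 0, 0.98), "snort_sid": 1000001},
    {"id": "f2", "features": (0.80, 400, 3000, 0.03), "snort_sid": 1000002},
    {"id": "f3", "features": (0.03, 30, 0, 1.00), "snort_sid": None},
    {"id": "f4", "features": (1.50, 500, 4000, 0.02), "snort_sid": None},
]


def combine(flows, k=3, ml_only_threshold=1.0):
    """Signature IDS is primary; the learner validates its alarms and adds its own.

    Returns three lists of flow ids: signature alarms the learner confirmed, alarms it
    filtered out as false, and attacks only the learner saw (no signature matched).
    """
    result = {"confirmed": [], "filtered": [], "ml_only": []}
    for flow in flows:
        label, conf = knn_classify(flow["features"], k)
        if flow["snort_sid"] is not None:
            # Supporting system measures the validity of the signature alarm.
            bucket = "confirmed" if label == "attack" else "filtered"
            result[bucket].append(flow["id"])
        elif label == "attack" and conf >= ml_only_threshold:
            # No rule fired, but every neighbour is an attack: raise it anyway.
            result["ml_only"].append(flow["id"])
    return result


if __name__ == "__main__":
    for name, ids in combine(FLOWS).items():
        print(f"{name}: {ids}")
```

The learner-only path deliberately demands a unanimous vote, while a signature alarm survives on a simple majority: the signature has already supplied evidence, so the learner is only asked to veto it, whereas a learner-only alarm has no corroboration and should be harder to raise. The scale vector is derived from the training set, which matters in practice because unscaled byte counts would dominate the distance and make the SYN ratio irrelevant.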
Received October 8, 2004; revised May 5, 2005; accepted June 8, 2005.
Communicated by Ja-Ling Wu.
* This research was supported by the Ministry of Information and Communication (MIC), Korea, under the
Information Technology Research Center (ITRC) support program supervised by the Institute of Information
Technology Assessment (IITA).