Detailed Information


Evaluation of black-marker and bilateral classification with J48 decision tree in anomaly based intrusion detection system

Full metadata record
| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | Chew, Yee Jian | - |
| dc.contributor.author | Ooi, Shih Yin | - |
| dc.contributor.author | Wong, Kok-Seng | - |
| dc.contributor.author | Pang, Ying Han | - |
| dc.contributor.author | Hwang, Seong Oun | - |
| dc.date.available | 2020-10-20T06:45:03Z | - |
| dc.date.created | 2020-06-10 | - |
| dc.date.issued | 2018-12 | - |
| dc.identifier.issn | 1064-1246 | - |
| dc.identifier.uri | https://scholarworks.bwise.kr/gachon/handle/2020.sw.gachon/78610 | - |
| dc.description.abstract | Anomaly-based intrusion detection system (IDS) is gaining wide attention from the research community, due to its robustness in detecting and profiling newly discovered network attacks. Unlike signature-based IDS, which relies solely on a set of pre-defined rules through some massive human efforts, anomaly-based IDS utilises the collected network traces in building its own classification model. The classification model can be optimised when a large set of network traces is available. The ideal way of pooling the network traces is through database sharing. However, not many organisations are willing to release or share their network databases due to some privacy concerns, i.e. to avoid some kinds of internet traffic behaviour profiling. To address this issue, a number of anonymisation techniques were developed. The main usage of anonymisation techniques is to conceal the potentially sensitive information in the network traces. However, it is also important to ensure the anonymisation techniques are not over-abusing the performance of the IDS. To do so, the conventional way is to use a Snort IDS to measure the number of alarms generated before and after an anonymisation solution is applied. However, this approach is infeasible for anomaly-based IDS. Thus, an alternative way of using a machine learning approach is proposed and explored in this manuscript. Instead of manual evaluation through the usage of Snort IDS, a J48 decision tree (Weka package of the C4.5 algorithm) is used. In this manuscript, two anonymisation techniques, (1) black-marker and (2) bilateral classification, are used to hide the value of port numbers, and their before-and-after performances are evaluated through a J48 decision tree. | - |
| dc.language | English | - |
| dc.language.iso | en | - |
| dc.publisher | IOS PRESS | - |
| dc.relation.isPartOf | JOURNAL OF INTELLIGENT & FUZZY SYSTEMS | - |
| dc.title | Evaluation of black-marker and bilateral classification with J48 decision tree in anomaly based intrusion detection system | - |
| dc.type | Article | - |
| dc.type.rims | ART | - |
| dc.description.journalClass | 1 | - |
| dc.identifier.wosid | 000459214900013 | - |
| dc.identifier.doi | 10.3233/JIFS-169834 | - |
| dc.identifier.bibliographicCitation | JOURNAL OF INTELLIGENT & FUZZY SYSTEMS, v.35, no.6, pp.5927 - 5937 | - |
| dc.description.isOpenAccess | N | - |
| dc.citation.endPage | 5937 | - |
| dc.citation.startPage | 5927 | - |
| dc.citation.title | JOURNAL OF INTELLIGENT & FUZZY SYSTEMS | - |
| dc.citation.volume | 35 | - |
| dc.citation.number | 6 | - |
| dc.contributor.affiliatedAuthor | Hwang, Seong Oun | - |
| dc.type.docType | Article; Proceedings Paper | - |
| dc.subject.keywordAuthor | Network packet traces | - |
| dc.subject.keywordAuthor | intrusion detection system (IDS) | - |
| dc.subject.keywordAuthor | J48 decision tree | - |
| dc.subject.keywordAuthor | anonymisation | - |
| dc.subject.keywordAuthor | black-marker | - |
| dc.subject.keywordAuthor | bilateral classification | - |
| dc.relation.journalResearchArea | Computer Science | - |
| dc.relation.journalWebOfScienceCategory | Computer Science, Artificial Intelligence | - |
| dc.description.journalRegisteredClass | scie | - |
| dc.description.journalRegisteredClass | scopus | - |

Files in This Item
There are no files associated with this item.
Appears in Collections
College of IT Convergence > Department of Computer Engineering > 1. Journal Articles
