Anomaly detection in computer networks using linear SVMs

Carolina Fortuna*, Blaž Fortuna#, Mihael Mohorčič*

* Department of Communication Systems, Jožef Stefan Institute,
Jamova 39, 1000 Ljubljana, Slovenia
#Department of Knowledge Technologies, Jožef Stefan Institute,
Jamova 39, 1000 Ljubljana, Slovenia


Modern computer networks are subject to various malicious attacks. Since attacks are becoming more sophisticated and networks are becoming larger, there is a need for efficient intrusion detection systems (IDSs) that can distinguish between legitimate and illegitimate traffic and signal attacks in real time, before serious damage is done. In this paper we use linear support vector machines (SVMs) for detecting abnormal traffic patterns in the KDD Cup 1999 data. The IDS must distinguish normal traffic from intrusions and classify the intrusions into four classes: DoS, probe, R2L and U2R. The dataset is quite unbalanced, with 79% of the traffic belonging to the DoS category, 19% being normal traffic and less than 2% falling into the other three categories. This paper studies the performance of IDSs based on linear multiclass SVMs with highest-confidence (one-to-all), majority (one-to-one) and two-level (one-to-all-3categ) voting on this particular dataset. The one-to-all-3categ IDS is tailored to perform well on the unbalanced dataset, but it proves to be less efficient when trained on large datasets. The one-to-one IDS turns out to perform best on the larger training dataset. The best performing IDS has a 90.9% intrusion detection rate, 90.7% intrusion diagnosis rate and 0.2479 average cost per test example (ACTE).
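The two multiclass voting schemes named in the abstract, highest-confidence one-to-all and majority one-to-one voting over binary linear SVMs, together with the three reported metrics, are shown below in an added example. This is not the authors' code and does not use the KDD Cup 1999 data: the binary SVM is a small primal subgradient (hinge-loss) trainer written in plain Python, the four-class dataset is constructed from two made-up connection features, the cost matrix is a constructed one rather than the official KDD Cup matrix, and the detection-rate and diagnosis-rate definitions (intrusion flagged as any attack class; intrusion assigned its correct class) are assumptions. The two-level one-to-all-3categ scheme is not reproduced because the abstract does not define it.

```python
from itertools import combinations

# Constructed class set: normal traffic plus three attack categories from the abstract.
CLASSES = ["normal", "dos", "probe", "r2l"]

# Constructed 2-D feature space: (connection rate to the target host, distinct ports touched).
CENTERS = {"normal": (1.0, 1.0), "dos": (8.0, 1.0), "probe": (1.0, 8.0), "r2l": (8.0, 8.0)}
OFFSETS = [(0.0, 0.0), (0.3, -0.2), (-0.2, 0.3), (0.2, 0.4), (-0.3, -0.1)]

# Constructed cost matrix (rows: true class, columns: predicted class), NOT the KDD Cup one.
COST = {
    "normal": {"normal": 0, "dos": 1, "probe": 1, "r2l": 1},
    "dos":    {"normal": 2, "dos": 0, "probe": 1, "r2l": 1},
    "probe":  {"normal": 2, "dos": 1, "probe": 0, "r2l": 1},
    "r2l":    {"normal": 3, "dos": 1, "probe": 1, "r2l": 0},
}


def make_dataset():
    """Five constructed samples per class, clustered around CENTERS."""
    X, y = [], []
    for c in CLASSES:
        cx, cy = CENTERS[c]
        for dx, dy in OFFSETS:
            X.append((cx + dx, cy + dy))
            y.append(c)
    return X, y


def train_linear_svm(X, y, lam=0.001, eta=0.01, epochs=300):
    """Binary linear SVM (labels +1/-1) via subgradient descent on the regularised hinge loss."""
    w = [0.0] * len(X[0])
    b = 0.0
    for _ in range(epochs):
        for x, label in zip(X, y):
            margin = label * (sum(wi * xi for wi, xi in zip(w, x)) + b)
            w = [(1.0 - eta * lam) * wi for wi in w]          # weight decay (the ||w||^2 term)
            if margin < 1.0:                                   # hinge-loss subgradient step
                w = [wi + eta * label * xi for wi, xi in zip(w, x)]
                b += eta * label
    return w, b


def decision(model, x):
    """Signed distance-like score; its magnitude is the classifier's confidence."""
    w, b = model
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def train_one_vs_all(X, y):
    """One binary SVM per class: that class against everything else."""
    return {c: train_linear_svm(X, [1 if yi == c else -1 for yi in y]) for c in CLASSES}


def predict_one_vs_all(models, x):
    """Highest-confidence voting: the class whose SVM returns the largest score wins."""
    return max(CLASSES, key=lambda c: decision(models[c], x))


def train_one_vs_one(X, y):
    """One binary SVM per unordered class pair, trained only on that pair's samples."""
    models = {}
    for pos, neg in combinations(CLASSES, 2):
        idx = [i for i, yi in enumerate(y) if yi in (pos, neg)]
        models[(pos, neg)] = train_linear_svm([X[i] for i in idx],
                                              [1 if y[i] == pos else -1 for i in idx])
    return models


def predict_one_vs_one(models, x):
    """Majority voting: each pairwise SVM votes for one class; ties fall to CLASSES order."""
    votes = {c: 0 for c in CLASSES}
    for (pos, neg), m in models.items():
        votes[pos if decision(m, x) >= 0 else neg] += 1
    return max(CLASSES, key=lambda c: votes[c])


def evaluate(y_true, y_pred):
    """Detection rate, diagnosis rate and average cost per test example (assumed definitions)."""
    attacks = [(t, p) for t, p in zip(y_true, y_pred) if t != "normal"]
    detected = sum(1 for t, p in attacks if p != "normal")   # flagged as some intrusion
    diagnosed = sum(1 for t, p in attacks if p == t)         # flagged with the right category
    acte = sum(COST[t][p] for t, p in zip(y_true, y_pred)) / len(y_true)
    return {"detection_rate": detected / len(attacks),
            "diagnosis_rate": diagnosed / len(attacks),
            "acte": acte}


if __name__ == "__main__":
    X, y = make_dataset()
    ova, ovo = train_one_vs_all(X, y), train_one_vs_one(X, y)
    test = [((1.0, 1.2), "normal"), ((8.2, 1.0), "dos"), ((0.9, 8.1), "probe"), ((8.0, 8.1), "r2l")]
    for name, pred in (("one-to-all", lambda x: predict_one_vs_all(ova, x)),
                       ("one-to-one", lambda x: predict_one_vs_one(ovo, x))):
        preds = [pred(x) for x, _ in test]
        print(name, preds, evaluate([t for _, t in test], preds))
```

The ACTE weights a missed intrusion (predicted normal) more heavily than a false alarm or a wrong attack category, which is why a classifier can have a high detection rate and still a poor ACTE if it misdiagnoses the rare, expensive classes; on the real KDD Cup data the imbalance the abstract describes makes exactly those classes the hard ones.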
