| Recently, machine learning-based intrusion detection approaches have been researched extensively because they can detect both misuse and anomalies. Learning-based intrusion detection involves two key steps: feature extraction and detection model generation. In feature extraction research, Wenke Lee used an improved Apriori algorithm to acquire features at the network connection level. This method is very effective. Later, Srinivas and Sung presented the use of a support vector machine (SVM) to rank these extracted features, but this method needs iteration and is very time-consuming. In detection model generation research, it is desirable that the detection model be explainable and have a high detection rate, but the existing methods cannot achieve both goals. For example, neural networks can achieve a high detection rate, but the detection rules generated are not explainable; detection trees can yield explainable rules, but the detection rate is low. In this paper we present the use of rough set classification for intrusion detection system feature ranking and intrusion detection rule generation. We create the intrusion detection rules using the reducts as templates; the rules generated by rough set classification have the intuitive "IF-THEN" format and can be understood easily. The main problem in using rough set theory is computing the minimal reduct. A reduct is a minimal subset of attributes with the same capability for classifying objects as the whole set of attributes. Finding the minimal reduct is an NP-hard problem, so we present a fast hybrid genetic algorithm for rough set reduct computation to obtain an approximate result. Experiments were designed to test the detection performance of the rules. The experimental data we use is a part of the KDDCup99 data. The results of the experiment show that this model has a high detection rate and a low false detection rate in detecting DoS and probe attacks, and also performs well in detecting R2L and U2R attacks. |
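
The reduct definition and the reduct-as-template rule generation described above, as an added example that is not code from the paper. The decision table, attribute names and function names are constructed for illustration, and exhaustive search stands in for the paper's hybrid genetic algorithm, which is only practical here because the table is tiny.

```python
from itertools import combinations

# Constructed toy decision table (not KDDCup99 data):
# four condition attributes followed by the class label.
ATTRS = ("protocol", "service", "flag", "count")
TABLE = [
    ("tcp",  "http",    "SF",  "low",  "normal"),
    ("tcp",  "http",    "S0",  "high", "dos"),
    ("tcp",  "private", "S0",  "high", "dos"),
    ("tcp",  "private", "REJ", "high", "probe"),
    ("icmp", "ecr_i",   "SF",  "high", "dos"),
    ("icmp", "ecr_i",   "SF",  "low",  "normal"),
    ("udp",  "private", "SF",  "low",  "normal"),
    ("tcp",  "ftp",     "REJ", "low",  "probe"),
]

def preserves_classification(idx):
    """True if rows that agree on the attributes in idx never differ in class."""
    seen = {}
    for row in TABLE:
        key = tuple(row[i] for i in idx)
        if seen.setdefault(key, row[-1]) != row[-1]:
            return False
    return True

def minimal_reducts():
    """Smallest attribute subsets that classify as well as the full set.
    Exhaustive search by increasing size: exponential, toy tables only."""
    for size in range(1, len(ATTRS) + 1):
        found = [c for c in combinations(range(len(ATTRS)), size)
                 if preserves_classification(c)]
        if found:
            return found
    return []

def rules_from_reduct(idx):
    """Use the reduct as a template: one IF-THEN rule per distinct value pattern."""
    rules = {}
    for row in TABLE:
        cond = " AND ".join(f"{ATTRS[i]}={row[i]}" for i in idx)
        rules[cond] = row[-1]
    return [f"IF {c} THEN class={k}" for c, k in sorted(rules.items())]

if __name__ == "__main__":
    for reduct in minimal_reducts():
        print("reduct:", [ATTRS[i] for i in reduct])
        print("\n".join(rules_from_reduct(reduct)))
```

On this table no single attribute separates the classes, while the pair flag and count does, so eight rows collapse into five rules over two attributes.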