A hierarchical SOM-based intrusion detection system

An approach to network intrusion detection is investigated, based purely on a hierarchy of SelfOrganizing Feature Maps. Our principle interest is to establish just how far such an approach can be taken in practice. To do so, the KDD benchmark dataset from the International Knowledge Discovery and Data Mining Tools Competition is employed. Extensive analysis is conducted in order to address the significance of the features employed, the partitioning of training data and the complexity of the architecture. In comparison to results reported previously using unsupervised learning, we demonstrate that best performance is achieved using a two-layer SOM hierarchy, based on all 41-features from the KDD dataset. Moreover, this is achieved whilst utilizing 40% of the original training data. In terms of the contribution of different features, we recommend using ‘Protocol’ as a switching parameter for designing modular solutions to the detection problem, where this observation is also supported by other researchers.