Intrusion detection using probabilistic graphical models

In order to defend against extraordinary intelligent attacks in the era of rapidly growing information and technology nowadays, effective and efficient intrusion detection models are needed to detect and prevent intrusion promptly. Bayesian network (BN) classifiers with powerful reasoning capabilities have been increasingly utilized to detect intrusion attacks with reasonable accuracy and efficiency. However, existing approaches using BN classifiers for intrusion detection face two problems. First, the structures of Bayesian network classifiers are either manually built with the help of domain knowledge or trained from data using heuristic methods that usually select suboptimal models. Second, the classifiers are trained using very large datasets which may be time consuming to obtain in practice. When the size of training dataset is small, the performance of a single Bayesian network classifier is significantly reduced due to its inability to represent the whole probability distribution. To alleviate these problems, we build a Bayesian classifier by Bayesian Model Averaging (BMA) over the k-best Bayesian network classifiers, called Bayesian Network Model Averaging (BNMA) classifier. We train and evaluate the classifier on the NSL-KDD dataset, which is less redundant, thus more judicial than the commonly used KDD Cup 99 dataset. We show that the BNMA classifier performs significantly better in terms of detection accuracy and Area Under ROC (AUC) than the Naive Bayes classifier and the Bayesian network classifier built with heuristic method. We also show that the BNMA classifier trained using a small dataset even outperforms two other classifiers trained using a very large dataset, thus BNMA is particularly effective when large training datasets are unavailable. This also implies that the BNMA is beneficial in accelerating the