Semi-supervised Statistical Approach for Network Anomaly Detection

Intrusion Detection Systems (IDS) have become a very important defense measure against security threats. In recent years, computer networks are widely deployed for critical and complex systems, which make them more vulnerable to network attacks. In this paper, we propose a two-stage Semi-supervised Statistical approach for Anomaly Detection (SSAD). The first stage of SSAD aims to build a probabilistic model of normal instances and measures any deviation that exceeds an established threshold. This threshold is deduced from a regularized discriminant function of Maximum Likelihood (ML). The purpose of the second stage is to reduce False Alarm Rate (FAR) through an iterative process that reclassifies anomaly cluster, from the first stage, using a similarity distance and anomaly’s cluster dispersion rate. We evaluate the proposed approach on the well-known intrusion detection dataset NSL-KDD and Kyoto 2006+. The experimental results show that SSAD outperforms the Naïve Bayes methods in terms of Detection Rate and False Positive Rate. © 2016 The Authors. Published by Elsevier B.V. Peer-review under responsibility of the Conference Program Chairs.