Statistical Pattern Recognition Techniques for Intrusion Detection in Computer Networks Challenges and Solutions

Intrusion Detection Systems (IDS) aim at detecting and possibly preventing the execution of attacks against computer networks, thus representing a fundamental component of a network defence-indepth architecture. Designing an IDS can be viewed as a pattern recognition problem. Pattern recognition techniques have been proven successful in learning concepts from example data and constructing classifiers that are able to classify new data with high accuracy. In network intrusion detection the main objective is to design a classifier that is able to distinguish between normal and attack traffic, therefore several researchers have used statistical pattern recognition and related techniques to accomplish this task showing promising results. We explore several aspects of the application of statistical pattern recognition to network intrusion detection from a practitioner point of view. Our intent is to point out significant challenges and possible solutions related to designing statistical pattern classification systems for network intrusion detection. In particular, we discuss three problems: a) Learning from unlabeled traffic; b) Learning in adversarial environment; c) Operating in adversarial environment. Because of the difficulties in constructing labeled datasets of network traffic, unlabeled learning techniques have recently been proposed to construct anomaly-based network IDS. In this case, the traffic used for learning is usually directly extracted from the live network to be protected and does not undergo any labeling process. Unfortunately, learning from unlabeled data is inherently difficult. As a consequence unlabeled anomaly IDS suffer from a relatively high number of false positives. We propose a new unlabeled anomaly IDS based on a modular Multiple Classifier System (MCS), and show that the proposed approach improves the accuracy performance compared to “monolithic” IDS proposed by other researchers. As the network traffic used for training unlabeled IDS is directly extracted from I