Effective Hybrid Intrusion Detection System: A Layered Approach

I. J. Computer Network and Information Security, 2015, 3, 35-41
Published Online February 2015 in MECS (http://www.mecs-press.org/)
DOI: 10.5815/ijcnis.2015.03.05

Abebe Tesfahun, D. Lalitha Bhaskari
AUCE (A), Andhra University, Visakhapatnam, AP, India
Email: abesummit@yahoo.com, lalithabhaskari@yahoo.co.in

Abstract

Although there are different techniques proposed for intrusion detection in the literature, most of them consider standalone misuse or anomaly intrusion detection systems. However, by taking advantage of both systems a better hybrid intrusion detection system can be developed. In this paper we present an effective hybrid layered intrusion detection system for detecting both previously known and zero-day attacks. In particular, a two-layer system that combines misuse and anomaly intrusion detection is proposed. The first layer consists of a misuse detector which can detect and block known attacks, and the second layer comprises an anomaly detector which can efficiently detect and block previously unknown attacks. The misuse detector is modeled on a random forests classifier and the anomaly detector is built using the bagging technique with an ensemble of one-class support vector machine classifiers. Data pre-processing is done using automatic feature selection and data normalization. Experimental results show that the proposed intrusion detection system outperforms other well-known intrusion detection systems in detecting both previously known and zero-day attacks.

Index Terms: Intrusion, Hybrid, Misuse, Anomaly, Random Forests, Performance.

I. INTRODUCTION

The information and communication infrastructure has greatly improved the lives of modern society. However, this infrastructure is always under the threat of intrusion and misuse. In order to prevent such threats the research and industry communities have come up with different threat detection and prevention technologies. One such technology is the Intrusion Detection System (IDS).
An intrusion detection system monitors and analyzes the events occurring in a computer system or network environment and alerts a human operator to the presence of possible incidents that violate standard security practices [1]. Based on the deployment area, intrusion detection technologies can be categorized as host-based IDS (deployed on individual computers) or network-based IDS (deployed at the network level). According to the method used for analyzing the collected data, IDS can also be divided into two broad categories: misuse based detection and anomaly based detection. A misuse based (signature based) intrusion detection system tries to detect malicious activities based on patterns or signatures of known attacks. If a pattern match is detected, an alarm is reported to the network administrator. Since a misuse based detection system is specifically designed for detecting known attacks, it generates a low number of false alarms. However, misuse based intrusion detection systems cannot detect novel attacks [2]. Anomaly based intrusion detection refers to identifying events that are anomalous with respect to the normal system behavior. If the incoming network traffic patterns do not follow the normal network traffic behavior, an alarm is reported; such patterns are called anomalies or outliers [2]. Despite their capability of detecting novel attacks, anomaly based intrusion detection systems suffer from a high false positive rate. Misuse and anomaly based intrusion detection systems are complementary [3]. Hence, by taking advantage of the low false positive rate of signature based intrusion detection and the ability of anomaly detection to detect zero-day attacks, some researchers have introduced hybrid intrusion detection systems. According to the fusion mechanism of the two systems, a hybrid intrusion detection system can have a layered or a parallel architecture. M. A. Aydın et al. [4] proposed a hybrid IDS by sequentially combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD) with Snort.
They used the anomaly detectors (PHAD and NETAD) as a preprocessor for Snort. On the other hand, Depren et al. [5] proposed a parallel hybrid IDS architecture using a Self-Organizing Map as the anomaly detector and a J.48 decision tree for misuse detection. In their framework a decision support system is implemented for combining the detection results of the two systems. Though many intrusion detection frameworks and systems have been developed by the research community, IDS performance and zero-day attack detection are still open research issues and challenges. Hence, by taking advantage of the low false alarm rate of misuse based intrusion detection and the capability of anomaly based intrusion detection to detect zero-day attacks, in this paper we propose a hybrid layered intrusion detection system. We use a random forests classifier for misuse detection and an ensemble of one-class support vector machines (1-SVM) with bagging for anomaly detection. In the proposed system automatic feature selection and data normalization are used for data pre-processing. The misuse detection model is built using training data containing normal profiles and known attacks, and for building the anomaly detector model we use only normal network traffic training data.

The subsequent sections of this paper are organized as follows. In section II we present some theoretical background on random forests, one-class SVM, and data pre-processing techniques. Section III describes the proposed hybrid intrusion detection system. The dataset used for the experiments and the performance evaluation results are discussed in section IV. Finally, we conclude this research work in section V.

II. THEORETICAL BACKGROUND

A. Random Forests

L. Breiman, the developer of the random forests classifier, defined a random forest as an ensemble of many decision trees, where each tree is grown on a bootstrapped sample of the original training data [6]. If the total number of attributes is M, then at each node only m randomly chosen attributes (m < M) are considered as split candidates. Randomness is therefore introduced in two ways for each tree: during bootstrapped sample generation and through random candidate feature selection at each node of the tree. Once the classifier is built, to classify an incoming test instance its input vector is passed down each of the trees in the forest. The majority vote over the predictions of the ensemble of trees decides to which class the instance under consideration belongs. Compared to a conventional decision tree, the random forests classifier has better detection accuracy [7, 13]. In the proposed system the random forests classifier is used for misuse detection. A dataset containing both normal and known attack records is used to train the random forests classifier.

B. Feature Selection

One of the major issues associated with large datasets, such as network intrusion detection datasets, is the dimensionality problem.
In the case of a large dataset feature selection is a crucial step for dimensionality reduction. Feature selection is a process of data dimensionality reduction by determining whether a feature is relevant or not for a given problem. The target of feature selection is to select a feature vector that leads to a large between-class distance and a small within-class variance [8]. Using effective features in designing a classifier not only reduces the data size but also can improve the performance of the classifier and enhances data understanding and visualization [8]. Generally, there are three types of feature selection models: filter, wrapper and hybrid [15]. In the wrapper model the feature selection depends on the performance of the learning algorithm. In the filter model, on the other hand, the quality of the selected features depends only on the statistical properties of the data. In this paper a filter type feature selection algorithm is implemented using the Information Gain (IG) of an attribute. As stated in [7], the information gain of a given input feature X with respect to the class attribute C is computed as follows:

$$I(C; X) = H(C) - H(C \mid X) \tag{1}$$

$$H(C) = -\sum_{i=1}^{k} P(C = c_i) \log_2 P(C = c_i) \tag{2}$$

where $P(C = c_i)$ is the probability that class value $c_i$ occurs (k is the number of class values), and

$$H(C \mid X) = \sum_{i=1}^{m} P(X = x_i)\, H(C \mid X = x_i) \tag{3}$$

where $x_1, \dots, x_m$ are the m distinct values of X. H(C) is the entropy of C and H(C | X) is the average conditional entropy of C given X. In this paper X denotes an individual input attribute of the training dataset, and C denotes the class label (Normal or Attack).

C. One-Class Support Vector Machine

A Support Vector Machine (SVM) is a learning system based on mapping the training data into a high dimensional feature space using some non-linear mapping function. By projecting into a high dimensional feature space a non-linear decision boundary can be built. Motivated by the SVM, Schölkopf et al. [9] proposed one-class SVM classification. The idea behind the one-class SVM is to determine a hyperplane that separates the required fraction of the one-class training patterns from the origin in the feature space F.
In the one-class SVM there is a tradeoff between maximizing the distance between the origin and the separating hyperplane and the rejection rate. It is not always possible to find the separating hyperplane in the original input space. Hence, the function $\Phi: X \to F$ is used for mapping the original input space into the kernel feature space. The objective function of the one-class SVM is formulated as the following quadratic programming minimization:

$$\min_{w,\,\xi,\,\rho} \; \frac{1}{2}\|w\|^2 + \frac{1}{\nu n}\sum_{i=1}^{n} \xi_i - \rho \tag{4}$$

subject to $\; w \cdot \Phi(x_i) \ge \rho - \xi_i, \quad \xi_i \ge 0, \quad i = 1, 2, \dots, n$

where $x_i$ is the i-th training instance, n is the number of training instances, ρ is the margin (the offset of the hyperplane from the origin), w is the normal vector of the hyperplane and ν is an upper bound on the fraction of outliers. For each training instance i there is a slack variable $\xi_i$ associated with a penalty for rejection. If the minimization problem in equation 4 is solved using Lagrange multipliers in quadratic programming, the decision function depends only on dot products of the vectors in the feature space. Hence it is not necessary to perform an explicit mapping into that space; the dot product in the feature space can instead be computed using a kernel function $K(x, y) = \Phi(x)^T \Phi(y)$. Using the Lagrange multipliers and the kernel trick, the decision function for a test instance z is:

$$F(z) = \operatorname{sgn}\Big(\sum_{i=1}^{n} \alpha_i K(z, x_i) - \rho\Big) \tag{5}$$

where $\alpha_i$ is a Lagrange multiplier. Since the majority of the $\alpha_i$ are zero, the computation of F(z) in equation 5 is efficient. If $F(z) \ge 0$, the test instance z is similar to the training data and is classified into the class of the training data. Otherwise the test instance is rejected as an outlier. $K(z, x_i)$ is a kernel function. There are different types of kernel functions such as linear, polynomial, Gaussian radial basis and sigmoid. However, the Gaussian radial basis function (RBF) shown in equation 6 is the most commonly used kernel for anomaly detection.

$$K(z, x_i) = e^{-\gamma \|z - x_i\|^2} \tag{6}$$

The value of γ determines how much a support vector influences its neighbors. If γ is large, most of the training vectors become support vectors; there are few support vectors if the value of γ is small.

D. Normalization

In publicly available intrusion detection datasets some of the features are nominal and others are not normalized. For learners that learn from the statistical characteristics of features, normalization of the data is a crucial pre-processing step. Data normalization scales the values of each attribute to fall within a specific range so that one attribute does not dominate the others. Feature based data normalization can be broadly categorized into linear and non-linear methods. For our system we used the min-max linear normalization technique. The formula for min-max normalization is shown in equation 7.

$$X' = \frac{X - \min_A}{\max_A - \min_A} \tag{7}$$

X and X' are the value to be normalized and the normalized attribute value respectively; $\min_A$ and $\max_A$ are the minimum and maximum possible values of attribute A before normalization. For handling nominal features with an SVM it is important to convert them to a numeric representation.
Hsu et al. [11] recommend converting nominal features into a binary representation before using them with an SVM.

III. PROPOSED HYBRID INTRUSION DETECTION SYSTEM

The proposed hybrid layered intrusion detection framework is shown in Fig. 1. The information gain (IG) based feature selection module computes the information gain of each attribute using equation 1. Once the information gain of each attribute is computed, the next step is to select an optimal subset of features for the classifier. For optimal feature selection we use Algorithm-1. In Algorithm-1 X is the original feature vector and IG holds the information gain of the respective features. The selected feature vector is denoted by Y. T is a threshold value used for selecting the optimal feature subset; T depends on the training data used for classification.

Algorithm-1: Optimal Feature Subset Selection
Input: X = {X_1, X_2, ..., X_m}, IG = {IG_1, IG_2, ..., IG_m} and T
Output: Y = {Y_1, Y_2, ..., Y_n}
 1: IG_Total ← Σ_{i=1}^{m} IG_i
 2: X' ← DescendingSort(X, IG)
 3: for i from 1 to m do
 4:   W_{X'_i} ← IG_{X'_i} / IG_Total
 5: end for
 6: S ← 0
 7: for i from 1 to m while S < T do
 8:   S ← S + W_{X'_i}
 9:   n ← i
10:   Y_n ← X'_i
11: end for

As soon as the relevant features are identified, the feature selection module forwards the data with the selected features to the misuse intrusion detector. The misuse detector is implemented using a random forests classifier. The random forests model is built using training data which contain both normal and known attack patterns. The random forests classifier provides the mechanism for excluding well-known attacks from being reprocessed by the subsequent one-class SVM based anomaly detector: only patterns which are classified as normal by the random forests classifier are forwarded to the anomaly detector module for a final decision. The random forests based misuse detector is autonomous. It can block the detected attacks without waiting for the decision of the anomaly detector, which reduces the time required to detect known attacks.
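The information gain formulas (eq. 1-3) and Algorithm-1 carried through on a constructed toy table, as an added example that is not code from the paper: entropy and conditional entropy are computed from value counts, numeric columns are first discretised into equal-width bins (WEKA's InfoGain evaluator uses MDL discretisation; the binning here is a simpler stand-in and an assumption of this example), and the cumulative-weight selection then keeps features until the weight sum reaches T. The records, feature names and the value of T are constructed for illustration only.

```python
"""Information gain (eq. 1-3) and the Algorithm-1 feature subset selection."""
import math
from collections import Counter, defaultdict


def entropy(labels):
    """Eq. 2: H(C) = -sum_i P(C = c_i) log2 P(C = c_i), from value counts."""
    n = len(labels)
    return -sum((c / n) * math.log2(c / n) for c in Counter(labels).values())


def information_gain(values, labels):
    """Eq. 1 with eq. 3: I(C; X) = H(C) - sum_x P(X = x) H(C | X = x)."""
    n = len(labels)
    groups = defaultdict(list)
    for x, c in zip(values, labels):
        groups[x].append(c)
    conditional = sum(len(g) / n * entropy(g) for g in groups.values())
    return entropy(labels) - conditional


def equal_width_bins(values, k):
    """Discretise a numeric column into k equal-width bins so eq. 3 can sum over
    a finite value set.  WEKA's InfoGain evaluator uses MDL discretisation; this
    simpler binning is an assumption of the example, not the paper's choice."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0] * len(values)          # constant column: a single bin
    width = (hi - lo) / k
    return [min(int((v - lo) / width), k - 1) for v in values]


def select_features(ig, T):
    """Algorithm-1: sort features by IG (descending), weight each IG by IG_Total and
    keep features until the cumulative weight S reaches the threshold T."""
    total = sum(ig.values())
    if total == 0:
        return []
    ordered = sorted(ig, key=lambda f: ig[f], reverse=True)
    selected, S = [], 0.0
    for f in ordered:
        if S >= T:
            break
        S += ig[f] / total
        selected.append(f)
    return selected


# Constructed toy records (not NSL-KDD data): protocol, flag, count,
# num_outbound_cmds and the class label.  num_outbound_cmds is zero everywhere,
# as the paper reports for the real dataset.
RECORDS = [
    ("tcp", "SF", 1, 0, "normal"), ("tcp", "SF", 2, 0, "normal"),
    ("tcp", "SF", 1, 0, "normal"), ("udp", "SF", 3, 0, "normal"),
    ("udp", "SF", 2, 0, "normal"), ("icmp", "SF", 1, 0, "normal"),
    ("tcp", "S0", 50, 0, "attack"), ("tcp", "S0", 60, 0, "attack"),
    ("tcp", "S0", 55, 0, "attack"), ("tcp", "S0", 70, 0, "attack"),
    ("udp", "S0", 65, 0, "attack"), ("udp", "S0", 80, 0, "attack"),
]
FEATURES = ["protocol", "flag", "count", "num_outbound_cmds"]
NUMERIC = {"count", "num_outbound_cmds"}


def score_features(records=RECORDS, bins=2):
    """Information gain of every feature with respect to the class label."""
    labels = [r[-1] for r in records]
    ig = {}
    for idx, name in enumerate(FEATURES):
        column = [r[idx] for r in records]
        if name in NUMERIC:
            column = equal_width_bins(column, bins)
        ig[name] = information_gain(column, labels)
    return ig


if __name__ == "__main__":
    gains = score_features()
    for name, g in sorted(gains.items(), key=lambda kv: -kv[1]):
        print(f"{name:20s} IG = {g:.3f}")
    print("selected with T = 0.9:", select_features(gains, 0.9))
```

On this toy table the two attributes that separate the classes perfectly each carry the full class entropy of 1 bit and together account for about 96% of IG_Total, so T = 0.9 keeps exactly those two; the constant num_outbound_cmds column has zero gain and can never be selected, which is the paper's reason for dropping it from NSL-KDD.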
If unlabeled network traffic instances arrive at the proposed model, those instances classified as attack by the random forests classifier are blocked, whereas those classified as normal by the random forests classifier are sent to the next level. Training data which are classified as normal by the random forests classifier under cross validation are used for feature selection for the one-class SVM classifier. Though the data classified as normal by the random forests classifier is imbalanced (a large number of normal profiles and a small number of attacks), it is enough for selecting the features that distinguish anomalies from normal profiles.
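An added, stand-alone illustration of the anomaly detector's building blocks (not the authors' WEKA/MATLAB code): the one-class SVM of Section II.C trained by a small SMO-style solver on the dual of eq. 4, the RBF kernel of eq. 6, the decision rule of eq. 5, the bagged majority-vote ensemble that the anomaly detector uses, and the detection rate and false positive rate as Section IV.C defines them. The "normal" training points are a constructed 2-D set already inside [-1, 1]; γ = 0.1 and ν = 0.1 are chosen for that toy geometry and are not the paper's γ = 0.02 on 11 normalized NSL-KDD features.

```python
"""One-class SVM (Section II.C) with a small SMO-style solver for the dual of
eq. 4, the RBF kernel of eq. 6, the decision rule of eq. 5, and the bagged
majority-vote ensemble of the anomaly detector.  Pure Python, no libsvm."""
import math
import random


def rbf(x, y, gamma):
    """Eq. 6: K(x, y) = exp(-gamma ||x - y||^2)."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))


class OneClassSVM:
    def __init__(self, nu=0.1, gamma=0.1, tol=1e-6, max_iter=50000):
        self.nu, self.gamma, self.tol, self.max_iter = nu, gamma, tol, max_iter

    def fit(self, X):
        """Dual of eq. 4: min 1/2 a'Ka  s.t.  0 <= a_i <= 1/(nu n),  sum a_i = 1."""
        n, eps = len(X), 1e-12
        C = 1.0 / (self.nu * n)
        K = [[rbf(X[i], X[j], self.gamma) for j in range(n)] for i in range(n)]
        alpha, left = [0.0] * n, 1.0
        for i in range(n):                     # feasible start: fill the box
            alpha[i] = min(C, left)
            left -= alpha[i]
            if left <= 0:
                break
        G = [sum(K[i][j] * alpha[j] for j in range(n)) for i in range(n)]  # grad = Ka
        for _ in range(self.max_iter):
            # Most violating pair: move mass from j (largest gradient, a_j > 0)
            # to i (smallest gradient, a_i < C).  The gap vanishes at the optimum.
            i = min((k for k in range(n) if alpha[k] < C - eps), key=lambda k: G[k])
            j = max((k for k in range(n) if alpha[k] > eps), key=lambda k: G[k])
            if G[j] - G[i] < self.tol:
                break
            eta = max(K[i][i] + K[j][j] - 2 * K[i][j], eps)
            d = min((G[j] - G[i]) / eta, C - alpha[i], alpha[j])
            alpha[i] += d
            alpha[j] -= d
            for k in range(n):
                G[k] += d * (K[k][i] - K[k][j])
        free = [k for k in range(n) if eps < alpha[k] < C - eps]
        if free:  # at a free support vector the gradient equals rho
            self.rho = sum(G[k] for k in free) / len(free)
        else:     # every multiplier on a bound: rho lies between the two groups
            self.rho = (max(G[k] for k in range(n) if alpha[k] > eps)
                        + min(G[k] for k in range(n) if alpha[k] < C - eps)) / 2
        self.sv = [(alpha[k], X[k]) for k in range(n) if alpha[k] > eps]
        return self

    def score(self, z):
        """Argument of sgn() in eq. 5: sum_i alpha_i K(z, x_i) - rho (only SVs)."""
        return sum(a * rbf(z, x, self.gamma) for a, x in self.sv) - self.rho

    def is_attack(self, z):
        """F(z) < 0: z is rejected as an outlier, i.e. reported as an attack."""
        return self.score(z) < 0


class BaggedOneClassSVM:
    """One-class SVMs fit on bootstrap samples; the majority vote is the verdict."""

    def __init__(self, n_models=5, seed=0, **svm_kwargs):
        self.n_models, self.seed, self.svm_kwargs = n_models, seed, svm_kwargs

    def fit(self, X):
        rng = random.Random(self.seed)
        self.models = [OneClassSVM(**self.svm_kwargs).fit([X[rng.randrange(len(X))] for _ in X])
                       for _ in range(self.n_models)]
        return self

    def is_attack(self, z):
        return 2 * sum(m.is_attack(z) for m in self.models) > len(self.models)


def detection_metrics(model, attacks, normals):
    """Section IV.C: DR = detected attacks / attacks, FPR = flagged normals / normals."""
    dr = sum(model.is_attack(z) for z in attacks) / len(attacks)
    fpr = sum(model.is_attack(z) for z in normals) / len(normals)
    return dr, fpr


def make_normal_traffic():
    """Constructed 'normal' vectors (not real traffic): a centre point plus three
    rings of 16 points, already inside [-1, 1] as if min-max scaled."""
    polar = [(r, 2 * math.pi * k / 16) for r in (0.35, 0.7, 1.0) for k in range(16)]
    return [(0.0, 0.0)] + [(r * math.cos(t), r * math.sin(t)) for r, t in polar]


if __name__ == "__main__":
    normal = make_normal_traffic()
    zero_day = [(10.0, 10.0), (-8.0, 6.0), (0.0, 9.0)]   # constructed outliers
    single = OneClassSVM(nu=0.1, gamma=0.1).fit(normal)
    bagged = BaggedOneClassSVM(n_models=5, nu=0.1, gamma=0.1).fit(normal)
    print("support vectors:", len(single.sv), " rho = %.3f" % single.rho)
    print("single   DR, FPR:", detection_metrics(single, zero_day, normal))
    print("ensemble DR, FPR:", detection_metrics(bagged, zero_day, normal))
```

Two properties of the formulation are worth checking on any trained model: a point far from every training vector has all kernel values near zero and scores about -ρ, so it is rejected whatever γ is; and because at most ν·n multipliers can sit on the upper bound 1/(νn), no more than a fraction ν of the training points can fall strictly outside the boundary. In the ensemble the votes are taken on the hard decisions of eq. 5, as the paper describes, so a point on the margin of one member can still be outvoted by the others.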

The next component, the data normalization module, pre-processes the incoming data to enhance the performance of the one-class SVM. Normalization is done using equation 7. In order to handle nominal values we converted all nominal attributes into a binary representation as recommended by Hsu et al. [11].

[Fig. 1. Proposed Hybrid Layered Intrusion Detection System. Flowchart: Network Traffic Data (Training Data / Test Data) -> IG-based Feature selection -> Misuse Detector (Random forests Classifier) -> Is attack? Yes: Block Attack; No: IG-based Feature selection -> Data normalization -> Anomaly Detector (Ensemble One-Class SVM) -> Is attack? Yes: Block Attack and Update training data; No: Normal traffic.]

The anomaly detector is built using only normal training instances which are also classified by the misuse detector as normal. Instead of a single one-class SVM, to improve the performance of the anomaly detector we propose an ensemble of one-class SVM classifiers built with the bootstrap aggregating (bagging) technique. As in the random forests algorithm, each of the one-class SVM classifiers is built on a bootstrapped sample of the training instances. The decisions of these classifiers are aggregated and a majority vote gives the final decision. The anomaly detector blocks detected attacks which were considered normal traffic by the misuse detector. The signatures of these attacks are used for updating the original training data.

IV. EXPERIMENTS

All the experiments in this paper are implemented using the WEKA 3.7.9 machine learning tool and MATLAB 2013a.

A. Dataset Description

The proposed system is evaluated using the publicly available NSL-KDD intrusion detection dataset, which is an enhanced version of the KDD99 intrusion detection dataset. KDD99 is the most widely known publicly available dataset in the area of intrusion detection [14] and is still widely used for evaluating the performance of proposed intrusion detection algorithms. In the KDD99 intrusion detection dataset 78% of the training instances and 75% of the test instances are duplicates.
Hence the NSL-KDD dataset was generated by removing the redundant instances from both the training and the test data of the KDD99 dataset [12]. This dataset has 41 features and one class attribute. The training data contains 24 types of attacks and the testing data contains 14 additional attack types. The attacks in this dataset fall into one of four categories (DoS, Probing, User to Root and Remote to Local). Though the NSL-KDD dataset is an enhanced version of KDD99, we observed two basic problems in it. First, as shown in Fig. 2, there are ambiguities in some records of the test dataset: some records have the same value for all 41 features yet are labeled with different classes (one as normal and the other as attack). Second, there is a feature called num_outbound_cmds which has the value zero for all records in both the training and the test data. This feature cannot contribute to distinguishing attacks from normal profiles. Hence we made two changes in using the NSL-KDD dataset: we removed all ambiguous records and the num_outbound_cmds feature. The distribution of the dataset used in this experiment is given in Table 1.

B. Data Pre-processing

After calculating the information gain of each feature in the training data, for the random forests classifier we selected 20 features by applying the optimal feature subset selection algorithm with T = 0.9. The selected features with their information gain values (IG) are listed in Table 2. The random forests classifier is built using the selected features and the full KDDTrain+ training data. For the ensemble of one-class SVM classifiers, 11 features are selected from these 20 by applying the optimal feature subset selection algorithm with T = 0.9 on the portion of the training data which is classified as normal by the random forests classifier. The bootstrap training sample of each 1-SVM classifier is drawn from 20% of the normal KDDTrain+ instances which are also classified as normal by the random forests classifier.

Fig. 2. Sample ambiguous records in the NSL-KDD test dataset
Record# 7833:  0,udp,private,SF,105,105,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,1,0,0,255,255,1,0,0,0,0,0,0,0,normal
Record# 8327:  0,udp,private,SF,105,105,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,1,0,0,255,255,1,0,0,0,0,0,0,0,snmpgetattack
Record# 11695: 0,udp,private,SF,105,105,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,3,0,0,0,0,1,0,0,255,255,1,0,0.01,0,0,0,0,0,normal
Record# 16303: 0,udp,private,SF,105,105,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,3,0,0,0,0,1,0,0,255,255,1,0,0.01,0,0,0,0,0,snmpgetattack

Table 1. Experiment dataset distribution
Data           Normal   Attack
Training data  67,343   58,630
Test data       9,515   12,663

Table 2. Selected features list
Rank  Feature name                  IG
 1    src_bytes                     0.816
 2    service                       0.672
 3    dst_bytes                     0.633
 4    flag                          0.519
 5    diff_srv_rate                 0.519
 6    same_srv_rate                 0.510
 7    dst_host_srv_count            0.476
 8    dst_host_same_srv_rate        0.438
 9    dst_host_diff_srv_rate        0.411
10    dst_host_serror_rate          0.406
11    logged_in                     0.405
12    dst_host_srv_serror_rate      0.398
13    serror_rate                   0.393
14    count                         0.384
15    srv_serror_rate               0.379
16    dst_host_srv_diff_host_rate   0.271
17    dst_host_count                0.198
18    dst_host_same_src_port_rate   0.189
19    srv_diff_host_rate            0.142
20    srv_count                     0.094

C. Performance Measure

In this paper the attack detection rate (DR), the false positive rate (FPR) and the receiver operating characteristic (ROC) curve are used for performance evaluation and comparison of classifiers. In the case of intrusion detection, the detection rate is the ratio of the number of correctly detected attacks to the total number of attacks. The false positive rate is the ratio of the number of normal traffic records which are detected as attacks to the total number of normal records.
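The pre-processing steps of Sections II.D, III and IV.A as an added example, not the authors' own pipeline: parsing NSL-KDD-style records, removing records whose 41 features match but whose class differs (the Fig. 2 problem), dropping constant features such as num_outbound_cmds, min-max scaling per eq. 7 with the training minimum and maximum, and expanding nominal attributes into binary indicators as Hsu et al. [11] recommend. The column names follow the KDD Cup 99 task description (an assumption of this example, as NSL-KDD files carry no header); the sample consists of the four Fig. 2 records plus three constructed ones, so on this tiny set many more columns come out constant than in the real dataset.

```python
"""Pre-processing for NSL-KDD-style records: drop the ambiguous records of Fig. 2,
drop constant features such as num_outbound_cmds, min-max scale numeric
attributes (eq. 7) and expand nominal attributes into binary indicators [11]."""
from collections import defaultdict

# The 41 KDD Cup 99 / NSL-KDD feature names in column order; the label is column 42.
FEATURES = (
    "duration protocol_type service flag src_bytes dst_bytes land wrong_fragment urgent hot "
    "num_failed_logins logged_in num_compromised root_shell su_attempted num_root "
    "num_file_creations num_shells num_access_files num_outbound_cmds is_host_login "
    "is_guest_login count srv_count serror_rate srv_serror_rate rerror_rate srv_rerror_rate "
    "same_srv_rate diff_srv_rate srv_diff_host_rate dst_host_count dst_host_srv_count "
    "dst_host_same_srv_rate dst_host_diff_srv_rate dst_host_same_src_port_rate "
    "dst_host_srv_diff_host_rate dst_host_serror_rate dst_host_srv_serror_rate "
    "dst_host_rerror_rate dst_host_srv_rerror_rate"
).split()

Z16 = ",".join(["0"] * 16)  # columns land .. is_guest_login, all zero in these rows
SAMPLE = [  # constructed sample: the four Fig. 2 records plus three unambiguous ones
    f"0,udp,private,SF,105,105,{Z16},2,2,0,0,0,0,1,0,0,255,255,1,0,0,0,0,0,0,0,normal",
    f"0,udp,private,SF,105,105,{Z16},2,2,0,0,0,0,1,0,0,255,255,1,0,0,0,0,0,0,0,snmpgetattack",
    f"0,udp,private,SF,105,105,{Z16},3,3,0,0,0,0,1,0,0,255,255,1,0,0.01,0,0,0,0,0,normal",
    f"0,udp,private,SF,105,105,{Z16},3,3,0,0,0,0,1,0,0,255,255,1,0,0.01,0,0,0,0,0,snmpgetattack",
    "0,tcp,http,SF,232,8153,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,"
    "5,5,0.2,0.2,0,0,1,0,0,30,255,1,0,0.03,0.04,0.03,0.01,0,0.01,normal",
    f"0,tcp,private,S0,0,0,{Z16},123,6,1,1,0,0,0.05,0.07,0,255,26,0.1,0.05,0,0,1,1,0,0,neptune",
    f"0,udp,domain_u,SF,44,132,{Z16},2,2,0,0,0,0,1,0,0,255,254,1,0,0.01,0.01,0,0,0,0,normal",
]


def parse(lines):
    """Split CSV records into (feature dict, label); refuse rows of the wrong width."""
    rows = []
    for line in lines:
        fields = line.split(",")
        if len(fields) != len(FEATURES) + 1:
            raise ValueError(f"expected {len(FEATURES) + 1} fields, got {len(fields)}")
        rows.append((dict(zip(FEATURES, fields)), fields[-1]))
    return rows


def drop_ambiguous(rows):
    """Remove records whose 41-feature vector also occurs with the opposite class
    (normal vs. attack), the Fig. 2 problem in the NSL-KDD test set."""
    classes = defaultdict(set)
    for feats, label in rows:
        classes[tuple(feats.values())].add(label == "normal")
    return [(f, l) for f, l in rows if len(classes[tuple(f.values())]) == 1]


def constant_features(rows):
    """Features with one value across all rows (num_outbound_cmds in NSL-KDD)."""
    return [f for f in FEATURES if len({feats[f] for feats, _ in rows}) == 1]


def is_numeric(rows, f):
    try:
        [float(feats[f]) for feats, _ in rows]
        return True
    except ValueError:
        return False


def build_encoder(rows, drop=()):
    """Learn per-feature min/max (eq. 7) and nominal value sets from the training
    rows; return the output column names and an encoder for a single record."""
    keep = [f for f in FEATURES if f not in drop]
    numeric = [f for f in keep if is_numeric(rows, f)]
    nominal = [f for f in keep if f not in numeric]
    lo = {f: min(float(r[f]) for r, _ in rows) for f in numeric}
    hi = {f: max(float(r[f]) for r, _ in rows) for f in numeric}
    values = {f: sorted({r[f] for r, _ in rows}) for f in nominal}
    names = numeric + [f"{f}={v}" for f in nominal for v in values[f]]

    def encode(feats):
        vec = []
        for f in numeric:  # eq. 7, clipped so unseen test values stay inside [0, 1]
            x = (float(feats[f]) - lo[f]) / (hi[f] - lo[f]) if hi[f] > lo[f] else 0.0
            vec.append(min(max(x, 0.0), 1.0))
        for f in nominal:  # one 0/1 indicator per known value; unknown value -> all zero
            vec.extend(1.0 if feats[f] == v else 0.0 for v in values[f])
        return vec

    return names, encode


def preprocess(lines=SAMPLE):
    """Full pipeline on a record list: column names, encoded rows, dropped features."""
    rows = drop_ambiguous(parse(lines))
    drop = constant_features(rows)
    names, encode = build_encoder(rows, drop)
    return names, [(encode(f), l) for f, l in rows], drop


if __name__ == "__main__":
    names, data, drop = preprocess()
    print(f"kept {len(data)} of {len(SAMPLE)} records; dropped constant features: {drop}")
    print(f"{len(names)} output columns, e.g. {names[:3]} ... {names[-3:]}")
```

The ambiguity check keys on the full 41-feature vector, so the two Fig. 2 pairs are both removed while the three other records survive. The min/max and the nominal value sets are learned once from the training rows and then applied to test rows; a test value outside the training range is clipped to [0, 1] and an unseen nominal value maps to an all-zero indicator group, which is the behaviour a practitioner wants when the test set contains 14 attack types the training set never saw.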
The ROC curve is used for comparing the proposed hybrid system with the standalone random forests based misuse detector and an anomaly based binary SVM classifier. Depren et al. [5] evaluated their system using cross validation on the KDD99 training dataset. However, such an evaluation does not include novel attacks in the test data. For evaluating our system we used the test data, which contains 14 more attack types than the training data. The performance of the proposed hybrid layered intrusion detection system on test data with different attack distributions is shown in Table 3. For these results the Gaussian radial basis function (RBF) kernel with parameters γ = 0.02 and ν = 0.1 was used for the one-class SVM learner. The false positive rate is identical in every row of Table 3 because only the attack portion of the test data is subsampled; the normal portion, from which the false positive rate is computed, is the same in each case. As can be seen from the ROC curve in Fig. 3, the proposed system outperforms the standalone random forests based misuse detector and the ordinary SVM based anomaly detector. This ROC curve is generated for 50% of the attacks in the NSL-KDD KDDTest+ dataset. The attack detection rate and false positive rate of the proposed system and of some well-known models on the full test data are shown in Table 4. The attack detection rate and false positive rate of the proposed system are 92.13% and 6.42% respectively. The result shows that, compared to some well-known methods, the proposed system can effectively detect attacks.

Table 3. Performance of the proposed hybrid intrusion detection system for the test data
Attack distribution in test data   Detection rate   False positive rate
  1% Attack                        0.8968           0.0642
  2% Attack                        0.9091           0.0642
  5% Attack                        0.9303           0.0642
 10% Attack                        0.9202           0.0642
 20% Attack                        0.9194           0.0642
 30% Attack                        0.9205           0.0642
 50% Attack                        0.9253           0.0642
100% Attack                        0.9213           0.0642

[Fig. 3. ROC curve for the test data with 50% attack distribution when γ = 0.01. Axes: False Positive Rate (FPR) on the horizontal axis and Detection Rate (DR) on the vertical axis, both from 0 to 1. Curves: Proposed RF_1-SVM, Random Forests, C-SVM.]

Table 4. Performance comparison for the full test data
Model                                        Attack Detection Rate (DR)   False Positive Rate (FPR)
Naive Bayes                                  0.588                        0.063
J48 decision tree                            0.647                        0.029
Random forests                               0.734                        0.031
SVM (γ = 0.02)                               0.591                        0.068
Proposed RF_1-SVM (γ = 0.02 and ν = 0.1)     0.9213                       0.0642

V. CONCLUSION

In this paper a hybrid layered IDS was presented that combines misuse and anomaly intrusion detection. The random forests classifier was used to detect previously known attacks. The anomaly detector, an ensemble of one-class SVM classifiers, was built using the bagging technique. The proposed system addresses the problem of detecting both previously known and unknown attacks. The experimental results show that the proposed system is very effective in improving the attack detection rate with a small false positive rate. We compared our approach with some well-known methods and found that the proposed system can effectively detect previously unknown attacks, with a detection rate improvement of 18.73% over the standalone random forests classifier. In using publicly available intrusion detection datasets for training and evaluation of a proposed model, care has to be taken: ambiguous records in the dataset should be removed. The optimal feature subset selection method presented in this paper has contributed not only to dimensionality reduction but also to the performance improvement of both the misuse and the anomaly intrusion detection systems. Though the developed system updates the training data with new attack types, it is not adaptive. Hence, in our future work we plan to make the proposed system real-time and adaptive in order to cope with dynamic attack scenarios.

REFERENCES

[1] K. Scarfone and P. Mell, Guide to Intrusion Detection and Prevention Systems (IDPS), NIST Special Publication 800-94, 2007.
[2] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, "Network Anomaly Detection: Methods, Systems and Tools," IEEE Communications Surveys & Tutorials, vol. 16, no. 1, pp. 303-336, 2013.
[3] H.-J. Liao, C.-H. R. Lin, Y.-C. Lin, and K.-Y. Tung, "Intrusion Detection System: A Comprehensive Review," Journal of Network and Computer Applications, vol. 36, no. 1, pp. 16-24, 2013.
[4] M. A. Aydın, A. H. Zaim, and K. G. Ceylan, "A Hybrid Intrusion Detection System Design for Computer Network Security," Computers and Electrical Engineering, vol. 35, no. 3, pp. 517-526, 2009.
[5] O. Depren, M. Topallar, E. Anarim, and M. K. Ciliz, "An Intelligent Intrusion Detection System (IDS) for Anomaly and Misuse Detection in Computer Networks," Expert Systems with Applications, pp. 713-722, 2005.
[6] L. Breiman, "Random Forests," Machine Learning, vol. 45, no. 1, pp. 5-32, 2001.
[7] A. Tesfahun and D. L. Bhaskari, "Intrusion Detection Using Random Forests Classifier with SMOTE and Feature Reduction," in Proc. of the 2013 International Conference on Cloud & Ubiquitous Computing & Emerging Technologies, pp. 127-132, 2013.
[8] S. Theodoridis and K. Koutroumbas, Pattern Recognition, Academic Press, 2009.
[9] B. Schölkopf, R. Williamson, A. Smola, J. Shawe-Taylor, and J. Platt, "Support Vector Method for Novelty Detection," NIPS, vol. 12, pp. 582-588, 1999.
[10] Z. Xue-qin, G. Chun-hua, and L. Jia-jun, "Intrusion Detection System Based on Feature Selection and Support Vector Machine," in Proc. of the First International Conference on Communications and Networking in China, pp. 1-5, Oct. 2006.
[11] C.-W. Hsu, C.-C. Chang, and C.-J. Lin, A Practical Guide to Support Vector Classification, National Taiwan University, 2003.
[12] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, "A Detailed Analysis of the KDD CUP 99 Data Set," in Proc. of the IEEE Symposium on Computational Intelligence for Security and Defense Applications, pp. 1-6, 2009.
[13] J. Zhang and M. Zulkernine, "Network Intrusion Detection using Random Forests," School of Computing, Queen's University, Kingston, Ontario, 2006.
[14] W. Lee, S. Stolfo, P. Chan, E. Eskin, W. Fan, M. Miller, S. Hershkop, and J. Zhang, "Real Time Data Mining-based Intrusion Detection," in Proc. of the 2001 DARPA Information Survivability Conference and Exposition (DISCEX II), Anaheim, CA, June 2001.
[15] Y. Chen, Y. Li, X. Q. Cheng, and L. Guo, "Survey and Taxonomy of Feature Selection Algorithms in Intrusion Detection System," in Proc. of the 2nd SKLOIS Conference on Information Security and Cryptology, pp. 153-167, 2006.

Authors' Profiles

Abebe Tesfahun received his B.Sc. degree in Electrical and Computer Engineering and his M.Tech in Electronics and Computer Engineering from Addis Ababa University, Ethiopia. He is currently a PhD candidate at Andhra University, Visakhapatnam, India. His research interests include Network Security, Critical Infrastructure Protection and Machine Learning.

D. Lalitha Bhaskari is a Professor in the Department of Computer Science and Systems Engineering, Andhra University, Visakhapatnam, India. She is guiding more than 15 PhD scholars from various institutes. Her main research interests include Network Security, Image Processing, Pattern Recognition, Steganography and Digital Watermarking. Prof. D. Lalitha Bhaskari is a member of IEEE, IJSCI, CSI and an Associate Member of the Institution of Engineers.