Using Improved GHSOM for Intrusion Detection

Self-organizing Maps (SOM) have been shown to be successful for intrusion detection. However, the static architecture and the lack of representation of hierarchical relations often results in low detection rates. The Growing Hierarchical SOM (GHSOM) addresses these limitations of SOM. In this paper, in order to obtain higher detection rate and improve the stability of intrusion detection, some improvements on GHSOM algorithm are made: (1) we introduce a new metric that includes both numerical and symbolic data as input patterns. (2) by using Tension and Mapping Ratio (TMR) instead of parameter τ1, the growth of a map is automatically controlled. This improved GHSOM is implemented and applied to intrusion detection. The validity of this approach is confirmed through experiments on KDD Cup 99 datasets. Our experimental results show that the detection rate has been increased by employing the improved GHSOM compared to the original SOM and GHSOM.