Parallel Misuse and Anomaly Detection Model

In this paper a novel hybrid model is being proposed for misuse and anomaly detection. C4.5 based binary decision trees are used for misuse and CBA (Classification Based Association) based classifier is used for anomaly detection. Firstly, the C4.5 based decision tree separates the network traffic into normal and attack categories. The normal traffic is sent to anomaly detector and parallel attacks are sent to a decision trees based classifier for labelling with specific attack type. The CBA based anomaly detection is a single level classifier where as the decision trees based misuse detector is a sequential multilevel classifier which labels one attack at a time in a step by step manner. The model is trained and tested on two disjoint datasets provided in the KDD Cup 99. Results show that 99.995% misuse detection rate with an anomaly detection rate of 99.298% is achievable. The overall attack detection rate is 99.911% and false alarm ratio of the integrated model is 3.229%. To overcome the deficiencies in KDD 99 dataset, a new improved dataset is also proposed. The overall accuracy of integrated model trained on new dataset is 97.495% compared to 97.24% of the old dataset.