A Lattice based Nearest Neighbor Classifier for Anomaly Intrusion Detection

As networking and communication technology become more widespread, the quantity and impact of system attackers have been increased rapidly. The methodology of intrusion detection (IDS) is generally classified into two broad categories according to the detection approaches: misuse detection and anomaly detection. In misuse detection approach, abnormal system behavior is defined at first, and then any other behavior is defined as normal behavior. The main goal of the anomaly detection approach is to construct a model representing normal activities. Then, any deviation from this model can be considered as an anomaly, and recognized to be an attack. Recently much more attention is paid to the application of lattice theory in different fields. In this work we propose a lattice based nearest neighbor classifier capable of distinguishing between bad connections, called attacks, and good normal connections. A new nonlinear valuation function is introduced to tune the performance of the proposed model. The performance of the algorithm was evaluated by using KDD Cup 99 Data Set, the benchmark dataset used by Intrusion detection Systems researchers. Simulation results confirm the effectiveness of the proposed method.