Feature Selection for Intrusion Detection using Neural Networks and Support Vector Machines

Computational Intelligence (CI) methods are increasingly being used for problem solving. This paper concerns using CI-type learning machines for intrusion detection, which is a problem of general interest to transportation infrastructure protection since a necessary task thereof is to protect the computers responsible for the infrastructure’s operational control, and an effective Intrusion Detection System (IDS) is essential for ensuring network security. Two classes of learning machines for IDSs are studied: Artificial Neural Networks (ANNs) and Support Vector Machines (SVMs). We show that SVMs are superior to ANNs in three critical respects of IDSs: SVMs train and run an order of magnitude faster; SVMs scale much better; and SVMs give higher classification accuracy. We also address the related issue of ranking the importance of input features, which is itself a problem of great interest. Since elimination of the insignificant and/or useless inputs leads to a simplified problem and possibly faster and more accurate detection, feature selection is very important in intrusion detection. Two methods for feature ranking are presented: the first one is independent of the modeling tool, while the second method is specific to SVMs. The two methods are applied to identify the important features in the 1999 DARPA intrusion data set. It is shown that the two methods produce results that are largely consistent. We present experimental results that indicate that SVM-based IDSs using a reduced number of features can deliver enhanced or comparable performance. Finally, an SVM-based IDS for class-specific detection is proposed.