Ref. | ML Technique | Dataset | Features | Evaluation Settings | Evaluation Results |
---|---|---|---|---|---|
Cannady [84] | Supervised NN (offline) | | TCP, IP, and ICMP header fields and payload | 1 Layer MLP: 9, a, 2; Sigmoid function; Number of nodes in hidden layers determined by trial & error | DR: 89%-91%; Training + Testing runtime: 26.13 hrs |
Pfahringer [358] | Supervised Ensemble of C5 DTs (offline) | KDD Cup [257] | all 41 features | Two-processor (2x300 MHz); 512M memory, 9 GB disc, Solaris OS 5.6; 10-fold cross-validation | DR Normal: 99.5%; DR Probe: 83.3%; DR DoS: 97.1%; DR U2R: 13.2%; DR R2L: 8.4%; Training: 24 h |
Pan et al. [344] | Supervised NN and C4.5 DT (offline) | KDD Cup [257] | all 41 features | 29,313 training data records; 111,858 testing data records; 1 Layer MLP: 70-14-6; NN trained until MSE = 0.001 or # Epochs = 1500; Selected attacks for U2L and R2L; After-the-event analysis | DR Normal: 99.5%; DR DoS: 97.3%; DR Probe (Satan): 95.3%; DR Probe (Portsweep): 94.9%; DR U2R: 72.7%; DR R2L: 100%; ADR: 93.28%; FP: 0.2% |
Moradi et al. [322] | Supervised NN (offline) | KDD Cup [257] | 35 features | 12,159 training data records; 900 validation data records; 6,996 testing data records; Attacks: SYN Flood and Satan; 2 Layers MLP: 35 35 35 3; 1 Layer MLP: 35 45 35; ESVM Method | 2 Layers MLP DR: 80%; 2 Layers MLP Training time > 25 hrs; 2 Layers MLP w/ ESVM DR: 90%; 2 Layers MLP w/ ESVM Training time < 5 hrs; 1 Layer MLP w/ ESVM DR: 87% |
Chebrolu et al. [90] | Supervised BN and CART (offline) | KDD Cup [257] | Feature Selection using Markov Blanket and Gini rule | 5,092 training data records; 6,890 testing data records; AMD Athlon 1.67 GHz processor with 992 MB of RAM | DR Normal: 100%; DR Probe: 100%; DR DoS: 100%; DR U2R: 84%; DR R2L: 99.47%; Training BN time: 11.03 ∼ 25.19 sec; Testing BN time: 5.01 ∼ 12.13 sec; Training CART time: 0.59 ∼ 1.15 sec; Testing CART time: 0.02 ∼ 0.13 sec |
Amor et al. [20] | Supervised NB (offline) | KDD Cup [257] | all 41 features | 494,019 training data records; 311,029 testing data records; Pentium III 700 MHz processor | DR Normal: 97.68%; PCC DoS: 96.65%; PCC R2L: 8.66%; PCC U2R: 11.84%; PCC Probing: 88.33% |
Stein et al. [421] | Supervised C4.5 DT (offline) | KDD Cup [257] | GA-based feature selection | 489,843 training data records; 311,029 testing data records; 10-fold cross validation; GA ran for 100 generations | Error rate DoS: 2.22%; Error rate Probe: 1.67%; Error rate R2L: 19.9%; Error rate U2R: 0.1% |
Peddabachigari et al. [354] | Supervised Ensemble of SVM, DT, and SVM-DT (offline) | KDD Cup [257] | all 41 features | 5,092 training data records; 6,890 testing data records; AMD Athlon, 1.67 GHz processor with 992 MB of RAM; Polynomial kernel | DR Normal: 99.7%; DR Probe: 100%; DR DoS: 99.92%; DR U2R: 68%; DR R2L: 97.16%; Training time: 1 ∼ 19 sec; Testing time: 0.03 ∼ 2.11 sec |
Sangkatsanee et al. [402] | Supervised C4.5 DT (online) | Normal: Reliability Lab Data 2009 (RLD09); Attack: [341, 444, 475] | TCP, UDP, and ICMP header fields | 55,000 training data records; 102,959 testing data records; 12 features; 2.83 GHz Intel Pentium Core2 Quad 9550 processor with 4 GB RAM and 100 Mbps LAN; Platform used: Weka V.3.6.0 | DR Normal: 99.43%; DR DoS: 99.17%; DR Probe: 98.73%; Detection speed: 2 ∼ 3 sec |
Miller et al. [314] | Supervised Ensemble MPML (offline) | NSL-KDD [438] | all 41 features | 125,973 training records; 22,544 testing records; 3 NBs trained w/ 12, 9, 9 features; Platform used: Weka [288] | TP: 84.137%; FP: 15.863% |
Li et al. [272] | Supervised TCM K-NN (offline) | KDD Cup [257] | all 41 features; 8 features selected using Chi-square | Intel Pentium 4, 1.73 GHz, 1 GB RAM, Windows XP Professional; Platform: Weka [288]; 49,402 training records; 12,350 testing records; K = 50 | 41 features: TP 99.7%; 41 features: FP 0%; 8 features: TP 99.6%; 8 features: FP 0.1% |