Table 21 Summary of ML-based Misuse Detection

From: A comprehensive survey on machine learning for networking: evolution, applications and research opportunities

Columns: Ref. | ML technique | Dataset | Features | Evaluation (settings; results). Each entry below gives these fields for one reference.

Cannady [84]
  ML technique: supervised NN (offline)
  Dataset: normal traffic from RealSecure; attack traffic from [143, 368]
  Features: TCP, IP and ICMP header fields and payload
  Settings: MLP with one hidden layer, 9-a-2 nodes (a determined empirically); sigmoid activation; number of hidden nodes set by trial and error
  Results: DR 89-91%; training + testing runtime 26.13 h

Pfahringer [358]
  ML technique: supervised ensemble of C5 decision trees (offline)
  Dataset: KDD Cup [257]
  Features: all 41 features
  Settings: two-processor machine (2 x 300 MHz), 512 MB memory, 9 GB disk, Solaris 5.6; 10-fold cross-validation
  Results: DR normal 99.5%; DR probe 83.3%; DR DoS 97.1%; DR U2R 13.2%; DR R2L 8.4%; training time 24 h

Pan et al. [344]
  ML technique: supervised NN and C4.5 DT (offline)
  Dataset: KDD Cup [257]
  Features: all 41 features
  Settings: 29,313 training records; 111,858 testing records; MLP with one hidden layer, 70-14-6; NN trained until MSE = 0.001 or 1,500 epochs; selected attacks for U2R and R2L; after-the-event analysis
  Results: DR normal 99.5%; DR DoS 97.3%; DR probe (Satan) 95.3%; DR probe (Portsweep) 94.9%; DR U2R 72.7%; DR R2L 100%; ADR 93.28%; FP 0.2%

Moradi et al. [322]
  ML technique: supervised NN (offline)
  Dataset: KDD Cup [257]
  Features: 35 features
  Settings: 12,159 training records; 900 validation records; 6,996 testing records; attacks: SYN flood and Satan; MLP with two hidden layers, 35-35-35-3; MLP with one hidden layer, 35-45-3; ESVM (early stop validation)
  Results: two-hidden-layer MLP: DR 80%, training time > 25 h; two-hidden-layer MLP with ESVM: DR 90%, training time < 5 h; one-hidden-layer MLP with ESVM: DR 87%

Chebrolu et al. [90]
  ML technique: supervised BN and CART (offline)
  Dataset: KDD Cup [257]
  Features: feature selection using Markov blanket (BN) and Gini rule (CART)
  Settings: 5,092 training records; 6,890 testing records; AMD Athlon 1.67 GHz, 992 MB RAM
  Results: DR normal 100%; DR probe 100%; DR DoS 100%; DR U2R 84%; DR R2L 99.47%; BN training time 11.03-25.19 s; BN testing time 5.01-12.13 s; CART training time 0.59-1.15 s; CART testing time 0.02-0.13 s

Amor et al. [20]
  ML technique: supervised NB (offline)
  Dataset: KDD Cup [257]
  Features: all 41 features
  Settings: 494,019 training records; 311,029 testing records; Pentium III 700 MHz
  Results: DR normal 97.68%; PCC DoS 96.65%; PCC R2L 8.66%; PCC U2R 11.84%; PCC probing 88.33%

Stein et al. [421]
  ML technique: supervised C4.5 DT (offline)
  Dataset: KDD Cup [257]
  Features: GA-based feature selection
  Settings: 489,843 training records; 311,029 testing records; 10-fold cross-validation; GA run for 100 generations
  Results: error rate DoS 2.22%; error rate probe 1.67%; error rate R2L 19.9%; error rate U2R 0.1%

Peddabachigari et al. [354]
  ML technique: supervised ensemble of SVM, DT and SVM-DT (offline)
  Dataset: KDD Cup [257]
  Features: all 41 features
  Settings: 5,092 training records; 6,890 testing records; AMD Athlon 1.67 GHz, 992 MB RAM; polynomial kernel
  Results: DR normal 99.7%; DR probe 100%; DR DoS 99.92%; DR U2R 68%; DR R2L 97.16%; training time 1-19 s; testing time 0.03-2.11 s

Sangkatsanee et al. [402]
  ML technique: supervised C4.5 DT (online)
  Dataset: normal traffic from Reliability Lab Data 2009 (RLD09); attack traffic from [341, 444, 475]
  Features: TCP, UDP and ICMP header fields
  Settings: 55,000 training records; 102,959 testing records; 12 features; 2.83 GHz Intel Core 2 Quad Q9550, 4 GB RAM, 100 Mbps LAN; platform: Weka 3.6.0
  Results: DR normal 99.43%; DR DoS 99.17%; DR probe 98.73%; detection speed 2-3 s

Miller et al. [314]
  ML technique: supervised ensemble, MPML (offline)
  Dataset: NSL-KDD [438]
  Features: all 41 features
  Settings: 125,973 training records; 22,544 testing records; three NBs trained with 12, 9 and 9 features; platform: Weka [288]
  Results: TP 84.137%; FP 15.863%

Li et al. [272]
  ML technique: supervised TCM-KNN (offline)
  Dataset: KDD Cup [257]
  Features: all 41 features; separately, 8 features selected by chi-square
  Settings: Intel Pentium 4 1.73 GHz, 1 GB RAM, Windows XP Professional; platform: Weka [288]; 49,402 training records; 12,350 testing records; K = 50
  Results: 41 features: TP 99.7%, FP 0%; 8 features: TP 99.6%, FP 0.1%

a Determined empirically (the hidden-layer size in Cannady [84]). Abbreviations: MSE, mean square error; PCC, percentage correct classification; ADR, average detection rate; ESVM, early stop validation method.
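The DR, FP, PCC and ADR figures in the table are all derived from a per-class confusion matrix, and the low U2R and R2L rates in most rows rest on the handful of records those classes contribute. The following Python is an added example, not code from the survey or from any of the cited papers: it builds the confusion matrix from constructed label/prediction lists with a KDD-like class imbalance and computes the metrics the way the table reports them. The class names, the sample counts, and the reading of ADR as the unweighted mean of per-class attack DR are assumptions made for illustration.

```python
"""Per-class misuse-detection metrics from a confusion matrix (added example)."""

CLASSES = ("normal", "dos", "probe", "u2r", "r2l")   # KDD Cup label families
ATTACKS = CLASSES[1:]


def confusion_matrix(y_true, y_pred):
    """Return cm[true][pred] = count, with every class pair present."""
    cm = {t: {p: 0 for p in CLASSES} for t in CLASSES}
    for t, p in zip(y_true, y_pred):
        cm[t][p] += 1
    return cm


def detection_rates(cm):
    """Per-class DR (recall): records of class c labelled c / records of class c.
    Returns (rate, support); rate is None when the class is absent, so an empty
    class never shows up as a misleading 0% or 100%."""
    out = {}
    for c in CLASSES:
        support = sum(cm[c].values())
        out[c] = ((cm[c][c] / support) if support else None, support)
    return out


def false_positive_rate(cm):
    """FP as used in the table: share of normal records labelled as any attack."""
    support = sum(cm["normal"].values())
    return (support - cm["normal"]["normal"]) / support if support else None


def pcc(cm):
    """Percentage correct classification over all records (as a fraction)."""
    correct = sum(cm[c][c] for c in CLASSES)
    total = sum(sum(row.values()) for row in cm.values())
    return correct / total


def average_dr(dr):
    """ADR read as the unweighted mean of per-class DR over the attack classes
    (assumption: the footnote glosses ADR only as 'average detection rate')."""
    vals = [dr[c][0] for c in ATTACKS if dr[c][0] is not None]
    return sum(vals) / len(vals)


def constructed_sample():
    """Constructed labels/predictions (not real KDD data) with KDD-like imbalance:
    class -> (support, correctly classified, {wrong_label: count})."""
    spec = {
        "normal": (1000, 995, {"probe": 3, "dos": 2}),
        "dos":    (800, 792, {"normal": 8}),
        "probe":  (100, 95, {"normal": 5}),
        "u2r":    (5, 1, {"normal": 4}),
        "r2l":    (20, 2, {"normal": 18}),
    }
    y_true, y_pred = [], []
    for c, (n, correct, errors) in spec.items():
        assert correct + sum(errors.values()) == n
        y_true += [c] * n
        y_pred += [c] * correct
        for wrong, k in errors.items():
            y_pred += [wrong] * k
    return y_true, y_pred


def summarize(y_true, y_pred):
    """All table-style metrics for one run, as fractions."""
    cm = confusion_matrix(y_true, y_pred)
    dr = detection_rates(cm)
    return {"dr": dr, "fp": false_positive_rate(cm),
            "pcc": pcc(cm), "adr": average_dr(dr)}


if __name__ == "__main__":
    res = summarize(*constructed_sample())
    for c, (rate, n) in res["dr"].items():
        print(f"DR {c:<6} {100 * rate:6.2f}%  (support {n})")
    print(f"FP {100 * res['fp']:.2f}%  PCC {100 * res['pcc']:.2f}%  "
          f"ADR {100 * res['adr']:.2f}%")
```

On the constructed sample the overall PCC is about 97.9% while the mean attack DR is 56%, because the two minority classes are almost entirely missed; with only five U2R records, one additional hit moves that class's DR from 20% to 40%. That is the check to apply when comparing U2R and R2L columns across rows of the table: the detection rate is only as stable as the class support behind it, and a PCC or overall TP figure says little about the rare classes.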