Table 21 Summary of ML-based Misuse Detection

From: A comprehensive survey on machine learning for networking: evolution, applications and research opportunities

| Ref. | ML Technique | Dataset | Features | Evaluation Settings | Results |
|---|---|---|---|---|---|
| Cannady [84] | Supervised NN (offline) | Normal: RealSecure; Attack: [143, 368] | TCP, IP, and ICMP header fields and payload | 1-layer MLP: 9, a, 2; sigmoid activation function; number of nodes in hidden layers determined by trial & error | DR: 89%-91%; training + testing runtime: 26.13 hrs |
| Pfahringer [358] | Supervised ensemble of C5 DTs (offline) | KDD Cup [257] | All 41 features | Two-processor (2×300 MHz) machine, 512 MB memory, 9 GB disc, Solaris OS 5.6; 10-fold cross-validation | DR Normal: 99.5%; DR Probe: 83.3%; DR DoS: 97.1%; DR U2R: 13.2%; DR R2L: 8.4%; training: 24 h |
| Pan et al. [344] | Supervised NN and C4.5 DT (offline) | KDD Cup [257] | All 41 features | 29,313 training records; 111,858 testing records; 1-layer MLP: 70-14-6; NN trained until MSE = 0.001 or # epochs = 1500; selected attacks for U2L and R2L; after-the-event analysis | DR Normal: 99.5%; DR DoS: 97.3%; DR Probe (Satan): 95.3%; DR Probe (Portsweep): 94.9%; DR U2R: 72.7%; DR R2L: 100%; ADR: 93.28%; FP: 0.2% |
| Moradi et al. [322] | Supervised NN (offline) | KDD Cup [257] | 35 features | 12,159 training records; 900 validation records; 6,996 testing records; attacks: SYN Flood and Satan; 2-layer MLP: 35 35 35 3; 1-layer MLP: 35 45 35; ESVM method | 2-layer MLP DR: 80%; 2-layer MLP training time > 25 hrs; 2-layer MLP w/ ESVM DR: 90%; 2-layer MLP w/ ESVM training time < 5 hrs; 1-layer MLP w/ ESVM DR: 87% |
| Chebrolu et al. [90] | Supervised BN and CART (offline) | KDD Cup [257] | Feature selection using Markov Blanket and Gini rule | 5,092 training records; 6,890 testing records; AMD Athlon 1.67 GHz processor with 992 MB of RAM | DR Normal: 100%; DR Probe: 100%; DR DoS: 100%; DR U2R: 84%; DR R2L: 99.47%; BN training time: 11.03–25.19 sec; BN testing time: 5.01–12.13 sec; CART training time: 0.59–1.15 sec; CART testing time: 0.02–0.13 sec |
| Amor et al. [20] | Supervised NB (offline) | KDD Cup [257] | All 41 features | 494,019 training records; 311,029 testing records; Pentium III 700 MHz processor | DR Normal: 97.68%; PCC DoS: 96.65%; PCC R2L: 8.66%; PCC U2R: 11.84%; PCC Probing: 88.33% |
| Stein et al. [421] | Supervised C4.5 DT (offline) | KDD Cup [257] | GA-based feature selection | 489,843 training records; 311,029 testing records; 10-fold cross-validation; GA ran for 100 generations | Error rate DoS: 2.22%; error rate Probe: 1.67%; error rate R2L: 19.9%; error rate U2R: 0.1% |
| Peddabachigari et al. [354] | Supervised ensemble of SVM, DT, and SVM-DT (offline) | KDD Cup [257] | All 41 features | 5,092 training records; 6,890 testing records; AMD Athlon 1.67 GHz processor with 992 MB of RAM; polynomial kernel | DR Normal: 99.7%; DR Probe: 100%; DR DoS: 99.92%; DR U2R: 68%; DR R2L: 97.16%; training time: 1–19 sec; testing time: 0.03–2.11 sec |
| Sangkatsanee et al. [402] | Supervised C4.5 DT (online) | Normal: Reliability Lab Data 2009 (RLD09); Attack: [341, 444, 475] | TCP, UDP, and ICMP header fields | 55,000 training records; 102,959 testing records; 12 features; 2.83 GHz Intel Pentium Core2 Quad 9550 processor with 4 GB RAM and 100 Mbps LAN; platform: Weka V.3.6.0 | DR Normal: 99.43%; DR DoS: 99.17%; DR Probe: 98.73%; detection speed: 2–3 sec |
| Miller et al. [314] | Supervised ensemble MPML (offline) | NSL-KDD [438] | All 41 features | 125,973 training records; 22,544 testing records; 3 NBs trained w/ 12, 9, 9 features; platform: Weka [288] | TP: 84.137%; FP: 15.863% |
| Li et al. [272] | Supervised TCM K-NN (offline) | KDD Cup [257] | All 41 features; 8 features selected using Chi-square | Intel Pentium 4, 1.73 GHz, 1 GB RAM, Windows XP Professional; platform: Weka [288]; 49,402 training records; 12,350 testing records; K = 50 | 41 features: TP 99.7%, FP 0%; 8 features: TP 99.6%, FP 0.1% |
a: Determined empirically. Abbreviations: Mean Square Error (MSE), Percentage Correct Classification (PCC), Average Detection Rate (ADR), Early Stop Validation Method (ESVM).