A Survey of Random Forest Based Methods for Intrusion Detection Systems

Resende, Paulo Angelo Alves; Drummond, André C.

doi:10.1145/3178582

Cited by 242 publications

(103 citation statements)

References 78 publications

Supporting

Mentioning

100

Contrasting

Unclassified

Order By: Relevance

“…This method provides a comparison metric, which is usually referred by Variable Importance Measure (VIM) or Permutation Importance Index (PIM). This approach is commonly used to create a variable importance rank for feature selection . In cases 6 and 7, we selected the top 30 most important features of the VIM rank.…”

Section: Experiments and Resultsmentioning

confidence: 99%

“…Table 1 Random forest inherits, in some sense, the embedded feature selection of CART decision trees, which on each split evaluates the best feature to split according to a measure, such as Gini index or Residual Sum of Squares (RSS). 32 This method provides a comparison metric, which is usually referred by Variable Importance Measure (VIM) or Permutation Importance Index (PIM). This approach is commonly used to create a variable importance rank for feature selection.…”

Section: Experiments and Resultsmentioning

confidence: 99%

“…This approach is commonly used to create a variable importance rank for feature selection. 32 In cases 6 and 7, we selected the top 30 most important features of the VIM rank.…”

Section: Experiments and Resultsmentioning

confidence: 99%

“…We chose the random forest models because, as we note in Reference , in general, intrusion detection systems should generate low false positive rates and deal with: (1) a large amount of data for training and prediction; (2) imbalanced dataset (malicious data are supposed to be the minority part); (3) a large number of features; (4) categorical and continuous features. In this context, such models are suitable because they have the following advantages when compared with other commonly known machine learning methods: (1) low training time complexity, O ( nlog ( n )), and fast prediction; (2) resilience to deal with imbalanced datasets; (3) embedded feature selection method and intrinsic metric to rank features by importance; and (4) able to deal natively with categorical and continuous features.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

HTTP and contact‐based features for Botnet detection

Resende

Drummond

2018

Security and Privacy

Self Cite

View full text Add to dashboard Cite

Over the past decade, Botnets have been prevailing as a relevant threat on the Internet. A Botnet is compound by many infected computers connected to the global network and subdued to a controller, which uses the computational resources for malicious purposes. Many techniques are used to make difficult the identification of Botnet communications on networks. However, these communications are automated and usually have typical behavioral patterns, which have been used by detection approaches. In this context, we noted that HTTP connections established as command and control (C&C) channels of Botnets commonly have specific implementations, which deviate from the patterns used by legitimate HTTP accesses. Also, C&C channels over other protocols, such as IRC or TCP, typically are compound by similar chunks of data transmission interleaved with times with negligible traffic. We used both particularities to propose new features to distinguish C&C channels from benign traffic. The proposed detection method uses a random forest classifier implemented over Apache Spark, a Big Data processing framework. In the presented experiments, the approach achieved more than 99% of accuracy with virtually zero false positives, which are good results when compared with other available similar approaches. Also, the proposed features can be extracted before the communication end, which enables a premature response.

show abstract

Section: Experiments and Resultsmentioning

confidence: 99%

Section: Experiments and Resultsmentioning

confidence: 99%

“…This approach is commonly used to create a variable importance rank for feature selection. 32 In cases 6 and 7, we selected the top 30 most important features of the VIM rank.…”

Section: Experiments and Resultsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

HTTP and contact‐based features for Botnet detection

Resende

Drummond

2018

Security and Privacy

Self Cite

View full text Add to dashboard Cite

show abstract

“…The RF algorithm has many advantages, such as low training time complexity and fast prediction time [54,55], efficient handling of missing data, no required pre-processing (scaling or normalisation) of data, and efficient handling of imbalanced data and rare cases (due to the bootstrapping feature) [56]. However, this algorithm has some drawbacks, such as slow runtime as the number of its trees increase, and difficulty to interpret its models due to their high complexity (caused by randomisation) [57].…”

Section: Random Forest (Rf)mentioning

confidence: 99%

Improving Intrusion Detection Model Prediction by Threshold Adaptation

Tobi

Duncan

2019

Information

View full text Add to dashboard Cite

Network traffic exhibits a high level of variability over short periods of time. This variability impacts negatively on the accuracy of anomaly-based network intrusion detection systems (IDS) that are built using predictive models in a batch learning setup. This work investigates how adapting the discriminating threshold of model predictions, specifically to the evaluated traffic, improves the detection rates of these intrusion detection models. Specifically, this research studied the adaptability features of three well known machine learning algorithms: C5.0, Random Forest and Support Vector Machine. Each algorithm’s ability to adapt their prediction thresholds was assessed and analysed under different scenarios that simulated real world settings using the prospective sampling approach. Multiple IDS datasets were used for the analysis, including a newly generated dataset (STA2018). This research demonstrated empirically the importance of threshold adaptation in improving the accuracy of detection models when training and evaluation traffic have different statistical properties. Tests were undertaken to analyse the effects of feature selection and data balancing on model accuracy when different significant features in traffic were used. The effects of threshold adaptation on improving accuracy were statistically analysed. Of the three compared algorithms, Random Forest was the most adaptable and had the highest detection rates.

show abstract