Intrusion detection systems have been playing an important role in defeating threats in cyberspace. In this context, researchers have been proposing anomaly-based methods for intrusion detection, in which "normal" behavior is defined and deviations from it (anomalies) are flagged as intrusions. Profiling is therefore a central procedure: it establishes the baseline for normal behavior. In this work, an adaptive approach based on a genetic algorithm is used to select the features used for profiling and the parameters of anomaly-based intrusion detection methods. Additionally, two anomaly-based methods are introduced to be coupled with the proposed approach: one based on basic statistics and the other on a projected clustering procedure. In the experiments presented here, performed on the CICIDS2017 dataset, our methods achieved results as good as a detection rate of 92.85% with a false positive rate of 0.69%. The presented approach iteratively adapts to new attacks and to environmental requirements, such as the security staff's preferences and the available computational resources.
KEYWORDS: adaptive intrusion detection systems, anomaly-based intrusion detection, apache spark, machine learning, profiling, projected clustering

Security Privacy. 2018;1:e36. wileyonlinelibrary.com/journal/spy2
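To make the abstract's idea concrete, the following added example (not code from the paper or its authors) evolves, with a small genetic algorithm, which flow features to profile and the deviation threshold of a basic-statistics detector; fitness is detection rate minus a weighted false positive rate, the weight standing in for the security staff's tolerance of false alarms. The flow records, the feature count, the attack shift on two features and all function names are constructed assumptions, not CICIDS2017 data.

```python
import random
from statistics import mean, pstdev

rng = random.Random(7)
N_FEAT = 6

def make_flows(n, attack):
    # Constructed flow records: Gaussian noise; attacks shift features 0 and 2.
    shift = [6, 0, 6, 0, 0, 0] if attack else [0] * N_FEAT
    return [[rng.gauss(0, 1) + s for s in shift] for _ in range(n)]

def build_profile(normal, mask):
    # Baseline of normal behaviour: mean/std of each selected feature.
    return {i: (mean(c), pstdev(c) or 1e-9)
            for i, c in enumerate(zip(*normal)) if mask[i]}

def is_anomaly(profile, thr, flow):
    # Flag a flow when any profiled feature deviates more than thr std devs.
    return any(abs(flow[i] - m) / s > thr for i, (m, s) in profile.items())

def evaluate(ind, train, val_normal, val_attack, fp_weight=2.0):
    # ind = N_FEAT feature-selection bits followed by the threshold gene.
    # Returns (DR, FPR, fitness); fp_weight is the staff's false-alarm penalty.
    mask, thr = ind[:N_FEAT], ind[N_FEAT]
    prof = build_profile(train, mask)
    dr = sum(is_anomaly(prof, thr, f) for f in val_attack) / len(val_attack)
    fpr = sum(is_anomaly(prof, thr, f) for f in val_normal) / len(val_normal)
    return dr, fpr, dr - fp_weight * fpr

def evolve(data, pop_size=20, gens=15):
    fit = lambda ind: evaluate(ind, *data)[2]
    pop = [[rng.randint(0, 1) for _ in range(N_FEAT)] + [rng.uniform(1, 6)]
           for _ in range(pop_size)]
    for _ in range(gens):
        pop = sorted(pop, key=fit, reverse=True)[:pop_size // 2]  # keep fittest half
        while len(pop) < pop_size:
            a, b = rng.sample(pop[:pop_size // 2], 2)
            cut = rng.randint(1, N_FEAT)
            child = a[:cut] + b[cut:]                 # one-point crossover
            if rng.random() < 0.3:                    # flip one selection bit
                child[rng.randrange(N_FEAT)] ^= 1
            if rng.random() < 0.3:                    # perturb the threshold
                child[N_FEAT] = min(6.0, max(1.0, child[N_FEAT] + rng.gauss(0, 0.5)))
            pop.append(child)
    return max(pop, key=fit)

def run():
    # Profile is built on normal traffic; the GA is tuned on a labelled validation set.
    data = (make_flows(300, False), make_flows(200, False), make_flows(100, True))
    best = evolve(data)
    return best, evaluate(best, *data)
```

Re-running `evolve` on a validation set that includes newly observed attacks is the adaptation step: the selected features and threshold are re-tuned rather than fixed once.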