An Autonomous labeling approach to SVM algorithms for network traffic anomaly detection

BROMBERG, FACUNDO; CATANIA, CARLOS A.; GARCIA GARINO, CARLOS

Mar del Plata, ARGENTINA

Conferencia; Jornadas Argentinas de Informática, Argentinean Symposium of Artificial Intelligence; 2009

Sociedad Argentina de Informática (SADIO)

In the past years, several support vector machines anomalydetection approaches have been proposed in the network intrusion detection field.The main advantage of these approaches is that they can characterizenormal traffic when trained using a data set containing not only normal trafficbut also possible attacks. Unfortunately, these algorithms seem tobe accurate only when the normal traffic vastly outnumbers the numbersof attacks or anomalies present in the dataset. This work presents an approach for autonomous labeling of normal traffic as a way of dealing with situations where class distributions do notpresent the required unbalance. The autonomous labeling process ismade by SNORT, a misuse-based intrusion detection system. Experiments conducted on the 1998DARPA dataset show the proposed autonomous labeling approach not onlyoutperforms existing SVM alternatives but also obtains significantimprovement over SNORT itself.