Comparison of classification techniques applied for network intrusion detection and classification

Journal of Applied Logic (JCR Q1, Mathematics). Publication date: 2017-11-01. DOI: 10.1016/j.jal.2016.11.018
Amira Sayed A. Aziz , Sanaa EL-Ola Hanafi , Aboul Ella Hassanien
Citation count: 63

Abstract

In previous research, a multi-agent artificial immune system for network intrusion detection and classification was proposed and tested, where a multi-layer detection and classification process was executed on each agent, for each host in the network. In this paper, we show the experiments that were held to choose the appropriate classifiers by testing different classifiers and comparing them, in order to increase the detection accuracy and obtain more information on the detected anomalies. It will be shown that no single classifier should be used for all types of attacks, because the classification rates obtained differ by attack type. This is due to how attacks are represented in the training set and to dependencies between the features used to detect them. It will also be shown that a basic and simple classifier such as Naive Bayes has better classification results in the case of low-represented attacks, and that basic decision trees such as Naive-Bayes Tree and Best-First Tree give very good results compared to the well-known J48 (Weka implementation of C4.5) and Random Forest decision trees. Based on these experiments and their results, the Naive Bayes and Best-First Tree classifiers were selected to classify the anomaly-detected traffic. It was shown that in the detection phase, 90% of anomalies were detected, and in the classification phase, 88% of false positives were successfully labeled as normal traffic connections, and 79% of DoS and Probe attacks were labeled correctly, mostly by the NB, NBTree, and BFTree classifiers.

Source journal: Journal of Applied Logic (Computer Science, Artificial Intelligence; Computer Science, Theory & Methods)
CiteScore: 1.13
Self-citation rate: 0.00%
Articles published: 0
Review time: >12 weeks
Journal description: Cessation.