A two-level hybrid approach for intrusion detection

To exploit the strengths of misuse detection and anomaly detection, an intensive focus on intrusion detection combines the two. From a novel perspective, in this paper, we proposed a hybrid approach toward achieving a high detection rate with a low false positive rate. The approach is a two-level hybrid solution consisting of two anomaly detection components and a misuse detection component. In stage 1, an anomaly detection method with low computing complexity is developed and employed to build the detection component. The k-nearest neighbors algorithm becomes crucial in building the two detection components for stage 2. In this hybrid approach, all of the detection components are well-coordinated. The detection component of stage 1 becomes involved in the course of building the two detection components of stage 2 that reduce the false positives and false negatives generated by the detection component of stage 1. Experimental results on the KDD'99 dataset and the Kyoto University Benchmark dataset confirm that the proposed hybrid approach can effectively detect network anomalies with a low false positive rate.