Article code: 815817
Journal code: 906420
Publication year: 2013
English article: 10 pages, PDF
Full-text version: Free download
English title of the ISI article
A hybrid network intrusion detection framework based on random forests and weighted k-means
Related topics
Engineering and Basic Sciences, Other Engineering Disciplines, Engineering (General)
English abstract

Many current NIDSs are rule-based systems, for which encoding rules is very difficult and which cannot detect novel intrusions. Therefore, a hybrid detection framework that depends on data mining classification and clustering techniques is proposed. In misuse detection, the random forests classification algorithm is used to build intrusion patterns automatically from a training dataset and then to match network connections to these intrusion patterns to detect network intrusions. In anomaly detection, the k-means clustering algorithm is used to detect novel intrusions by clustering the network connections' data to collect most of the intrusions together in one or more clusters. In the proposed hybrid framework, the anomaly part is improved by replacing the k-means algorithm with another one called the weighted k-means algorithm; moreover, it uses a proposed method for choosing the anomalous clusters by injecting known attacks into uncertain connections data. Our approaches are evaluated over the Knowledge Discovery and Data Mining (KDD'99) datasets.

Publisher
Database: Elsevier - ScienceDirect
Journal: Ain Shams Engineering Journal - Volume 4, Issue 4, December 2013, Pages 753–762