A Comparison of Algorithms for Intrusion Detection on Batch and Data Stream Environments

TL;DR

This paper compares machine learning algorithms for network intrusion detection in batch and streaming environments, addressing challenges like concept drift and false positives, and evaluates their performance on preprocessed KDD99 datasets.

Contribution

It introduces three variants of KDD99 preprocessing, evaluates batch algorithms, and compares data stream classifiers for intrusion detection, highlighting the best performers in each setting.

Findings

Certain algorithms outperform others in batch environments.

Data stream classifiers show varying robustness to concept drift.

Preprocessing significantly impacts detection accuracy.

Abstract

Intruders detection in computer networks has some deficiencies from machine learning approach, given by the nature of the application. The principal problem is the modest display of detection systems based on learning algorithms under the constraints imposed by real environments. This article focuses on the machine learning approach for network intrusion detection in batch and data stream environments. First, we propose and describe three variants of KDD99 dataset preprocessing including attribute selection. Secondly, a thoroughly experimentation is performed from evaluating and comparing representative batch learning algorithms on the variants obtained from KDD99 pre processing. Finally, since network traffic is a constant data stream, which can present concept drifting with high rate of false positive, along with the fact that there are not many researches addressing intrusion detection on streaming environments, lead us to make a comparison of various representative data stream classification algorithms. This research allows determining the algorithms that better perform on the proposed variants of KDD99 for both batch and data stream environments.