Decision-forest voting scheme for classification of rare classes in network intrusion detection
Jan Brabec, Lukas Machlica

TL;DR
This paper presents a Bayesian ensemble method for decision forests that improves detection of rare classes in network intrusion detection, maintaining high precision and increasing detection rates without additional parameter tuning.
Contribution
The novel Bayesian aggregation approach effectively handles class imbalance in decision forests without extra parameters, enhancing network intrusion detection performance.
Findings
Maintains over 94% precision in detection
Increases detection rate by approximately 7%
Effectively handles large-scale network data
Abstract
In this paper, Bayesian-based aggregation of decision trees in an ensemble (decision forest) is investigated. The focus is laid on multi-class classification with the number of samples significantly skewed toward one of the classes. The algorithm leverages out-of-bag datasets to estimate prediction errors of individual trees, which are then used in accordance with the Bayes rule to refine the decision of the ensemble. The algorithm takes prevalence of individual classes into account and does not require setting of any additional parameters related to class weights or decision-score thresholds. Evaluation is based on publicly available datasets as well as on a proprietary dataset comprising network traffic telemetry from hundreds of enterprise networks with over a million users overall. The aim is to increase the detection capabilities of an operating malware detection system. While we…
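An added illustration (not the paper's code) of the aggregation idea in the abstract: each tree's out-of-bag predictions give a smoothed table P(vote | true class), and a sample's votes are combined with the class priors by Bayes' rule. The conditional-independence (naive Bayes) combination, the Laplace smoothing, the class names and all counts are assumptions constructed for this example.

```python
from collections import Counter
from math import exp, log

CLASSES = ["benign", "malware"]

def oob_likelihoods(oob_pairs, classes, alpha=1.0):
    """P(tree votes v | true class c) from one tree's OOB (true, predicted) pairs."""
    counts = Counter(oob_pairs)
    table = {}
    for c in classes:
        total = sum(counts[(c, v)] for v in classes) + alpha * len(classes)
        table[c] = {v: (counts[(c, v)] + alpha) / total for v in classes}
    return table

def bayes_vote(votes, tables, priors):
    """Posterior over classes given one vote per tree (log-space for stability)."""
    logp = {c: log(priors[c]) + sum(log(t[c][v]) for t, v in zip(tables, votes))
            for c in priors}
    top = max(logp.values())
    unnorm = {c: exp(lp - top) for c, lp in logp.items()}
    z = sum(unnorm.values())
    return {c: u / z for c, u in unnorm.items()}

def majority_vote(votes):
    """Plain forest voting, for comparison."""
    return Counter(votes).most_common(1)[0][0]

def pairs(bb, bm, mb, mm):
    """Constructed OOB set: bb = benign voted benign, bm = benign voted malware, ..."""
    return ([("benign", "benign")] * bb + [("benign", "malware")] * bm +
            [("malware", "benign")] * mb + [("malware", "malware")] * mm)

# Constructed sample data: 1% malware prevalence; tree 0 raises no false alarms
# on its OOB set, trees 1 and 2 miss most malware and raise a few false alarms.
PRIORS = {"benign": 0.99, "malware": 0.01}
TABLES = [oob_likelihoods(pairs(800, 0, 1, 3), CLASSES),
          oob_likelihoods(pairs(398, 2, 3, 1), CLASSES),
          oob_likelihoods(pairs(398, 2, 3, 1), CLASSES)]

def demo():
    votes = ["malware", "benign", "benign"]  # only the precise tree fires
    return majority_vote(votes), bayes_vote(votes, TABLES, PRIORS)

if __name__ == "__main__":
    print(demo())
```

A lone malware vote from the tree with no out-of-bag false alarms outweighs the benign majority, while the same lone vote from one of the noisier trees does not.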
