Performance Comparison and Implementation of Bayesian Variants for Network Intrusion Detection
Tosin Ige, Christopher Kiekintveld

TL;DR
This study compares different Bayesian classifiers for network intrusion detection, revealing that their assumptions significantly impact accuracy, with Gaussian performing best due to its assumption of continuous, normally distributed features.
Contribution
The paper implements and compares Multinomial, Bernoulli, and Gaussian Bayesian classifiers for anomaly detection, highlighting the influence of their assumptions on performance.
Findings
Gaussian classifier achieved the highest accuracy (~82%)
Bernoulli classifier had moderate accuracy (~70%)
Multinomial classifier performed poorly (~31%)
Abstract
Bayesian classifiers perform well when each of the features is completely independent of the others, which is not always valid in real-world applications. The aim of this study is to implement and compare the performance of each variant of the Bayesian classifier (Multinomial, Bernoulli, and Gaussian) on anomaly detection in network intrusion, and to investigate whether there is any association between each variant's assumption and its performance. Our investigation showed that each variant of the Bayesian algorithm blindly follows its assumption regardless of feature properties, and that the assumption is the single most important factor that influences its accuracy. Experimental results show that Bernoulli has an accuracy of 69.9% test (71% train), Multinomial has an accuracy of 31.2% test (31.2% train), while Gaussian has an accuracy of 81.69% test (82.84% train). Going deeper, we investigated and…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
