A Two-Stage Classifier Approach for Network Intrusion Detection

  • Wei Zong
  • Yang-Wai Chow
  • Willy Susilo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11125)


Network Intrusion Detection Systems (NIDS) are essential to combat security threats in network environments. These systems monitor and detect malicious behavior to provide automated methods of identifying and dealing with attacks or security breaches in a network. Machine learning is a promising approach in the development of effective NIDS. One of the problems faced in the development of such systems is that the datasets used in the construction of classifiers are typically imbalanced, because the classification categories do not have relatively equal representation in the datasets. This study investigates a two-stage classifier approach to NIDS based on imbalanced intrusion detection datasets by separating the training and detection of minority and majority intrusion classes. The purpose of this is to allow flexibility in the classification process; for example, two different classifiers can be used for detecting minority and majority classes respectively. In this paper, we performed experiments using the random forests classifier, and the contemporary UNSW-NB15 dataset was used to evaluate the effectiveness of the proposed approach.


Keywords: Machine learning; Network intrusion detection; Random forests


Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Institute of Cybersecurity and Cryptology, School of Computing and Information Technology, University of Wollongong, Wollongong, Australia
