Performance Evaluation of Decision Tree for Intrusion Detection Using Reduced Feature Spaces

  • Behrouz Minaei Bidgoli
  • Morteza Analoui
  • Mohammad Hossein Rezvani
  • Hadi Shahriar Shahhoseini
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 6)

Attacks are a serious problem in computer networks. Computer network security is commonly summarized by the CIA concepts: confidentiality, data integrity, and availability. Confidentiality means that information is disclosed only according to policy. Data integrity means that information is not destroyed or corrupted and that the system performs correctly. Availability means that the system services are available when they are needed. Security threats have different causes, such as floods, fires, system failures, intruders, and so on.

The rest of this chapter is organized as follows. In Sect. 20.2, we discuss the DARPA intrusion detection dataset. Section 20.3 discusses related work on decision trees and feature deduction. In Sect. 20.4, we explain the decision tree and the C4.5 algorithm. Section 20.5 reports the results of our experiments on building an intrusion detection model using the audit data from the DARPA evaluation program and reduced datasets obtained from other research. Section 20.6 offers a discussion of future work and concluding remarks.



Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

  • Behrouz Minaei Bidgoli (1)
  • Morteza Analoui (2)
  • Mohammad Hossein Rezvani (2)
  • Hadi Shahriar Shahhoseini (3)

  1. Department of Computer Science and Engineering, Michigan State University, East Lansing, USA
  2. Computer Engineering Department, Iran University of Science and Technology, Narmak, Iran
  3. Electrical Engineering Department, Iran University of Science and Technology, Narmak, Iran