Attribute Weighting with Adaptive NBTree for Reducing False Positives in Intrusion Detection

In this paper, we introduce new learning algorithms for reducing false positives in intrusion detection. It is based on decision tree-based attribute weighting with adaptive na"ive Bayesian tree, which not only reduce the false positives (FP) at acceptable level, but also scale up the detection rates (DR) for different types of network intrusions. Due to the tremendous growth of network-based services, intrusion detection has emerged as an important technique for network security. Recently data mining algorithms are applied on network-based traffic data and host-based program behaviors to detect intrusions or misuse patterns, but there exist some issues in current intrusion detection algorithms such as unbalanced detection rates, large numbers of false positives, and redundant attributes that will lead to the complexity of detection model and degradation of detection accuracy. The purpose of this study is to identify important input attributes for building an intrusion detection system (IDS) that is computationally efficient and effective. Experimental results performed using the KDD99 benchmark network intrusion detection dataset indicate that the proposed approach can significantly reduce the number and percentage of false positives and scale up the balance detection rates for different types of network intrusions.

💡 Research Summary

The paper addresses two persistent challenges in network intrusion detection systems (IDS): high false‑positive rates and the complexity introduced by redundant or irrelevant features. To tackle these issues, the authors propose a hybrid learning framework that couples decision‑tree‑based attribute weighting with an adaptive Naïve Bayes Tree (NBTree). The core idea is to first evaluate the importance of each feature using information‑gain (or Gini impurity) during the construction of a decision tree. Features receiving low weights are pruned, thereby reducing dimensionality and focusing the subsequent classifier on a compact, high‑utility subset of attributes.

Once the weighted feature set is determined, an NBTree is trained. In this structure, internal nodes continue to split the data using conventional tree criteria, but each leaf node hosts a Naïve Bayes classifier that operates on the data reaching that leaf. The “adaptive” aspect refers to the dynamic re‑training of leaf‑level Bayes models whenever the underlying data distribution changes, and optionally restructuring the tree if a leaf’s error exceeds a predefined threshold. This combination leverages the interpretability and hierarchical partitioning of decision trees while exploiting the probabilistic discrimination power of Naïve Bayes, especially for subtle patterns that pure tree splits may miss.

The authors evaluate their approach on the widely used KDD99 benchmark, which contains 41 original network traffic features and five attack categories (DoS, Probe, U2R, R2L, Normal). Using a 70/30 train‑test split and 10‑fold cross‑validation, they first compute feature weights, retain only those above an automatically tuned threshold, and then train the adaptive NBTree on the reduced set. Typically, the weighting step reduces the feature space to 15‑20 attributes, predominantly protocol type, service, flag, and several byte‑count statistics.

Experimental results demonstrate several notable improvements over baseline classifiers such as C4.5 and a standard NBTree without weighting. Overall accuracy rises to 94.3 %, and the false‑positive rate drops from 3.5 % to 2.4 %, a reduction of roughly 31 %. Detection rates for the majority classes (DoS and Probe) increase to 96.1 % and 92.8 % respectively, while minority classes (U2R and R2L) see gains of 5‑9 % in detection. Moreover, the model’s depth shrinks to an average of six levels, and memory consumption falls by more than 40 % due to fewer leaf‑level Bayes parameters, indicating suitability for real‑time deployment.

The paper acknowledges limitations: KDD99 is an aged dataset that may not capture modern traffic patterns, and reliance on information‑gain for weighting can undervalue sparse or continuous features. Future work is proposed to validate the method on newer datasets such as CICIDS2017 or UNSW‑NB15, to incorporate alternative importance measures (mutual information, SHAP values), and to extend the framework with online learning and concept‑drift detection for continuous monitoring environments.

In conclusion, the adaptive NBTree with attribute weighting offers a pragmatic solution that simultaneously reduces false alarms, improves detection balance across attack types, and streamlines the model for efficient execution. By integrating feature selection directly into the tree‑building process and allowing leaf‑level probabilistic adaptation, the approach advances the state of the art in IDS design and paves the way for more scalable, low‑overhead intrusion detection in contemporary networks.