Application of Data Mining to Network Intrusion Detection: Classifier Selection Model

As network attacks have increased in number and severity over the past few years, intrusion detection system (IDS) is increasingly becoming a critical component to secure the network. Due to large volumes of security audit data as well as complex and dynamic properties of intrusion behaviors, optimizing performance of IDS becomes an important open problem that is receiving more and more attention from the research community. The uncertainty to explore if certain algorithms perform better for certain attack classes constitutes the motivation for the reported herein. In this paper, we evaluate performance of a comprehensive set of classifier algorithms using KDD99 dataset. Based on evaluation results, best algorithms for each attack category is chosen and two classifier algorithm selection models are proposed. The simulation result comparison indicates that noticeable performance improvement and real-time intrusion detection can be achieved as we apply the proposed models to detect different kinds of network attacks.

💡 Research Summary

The paper addresses the growing challenge of network intrusion detection by proposing a data‑mining‑driven classifier selection framework that tailors the detection algorithm to the specific type of attack. Using the widely cited KDD99 benchmark, the authors first conduct a systematic evaluation of a broad portfolio of supervised learning models—including traditional algorithms such as Decision Trees, Random Forests, Support Vector Machines, Naïve Bayes, k‑Nearest Neighbors, AdaBoost, Gradient Boosting, Logistic Regression, as well as neural‑network based approaches like Multilayer Perceptrons and Convolutional Neural Networks. Each model is trained on the full 41‑feature representation of the dataset, with standard preprocessing steps (missing‑value handling, one‑hot encoding of categorical attributes, and feature scaling) applied uniformly. Performance is measured across four key metrics—overall accuracy, detection rate (true positive rate), false‑positive rate, and F1‑score—both globally and per attack category (DoS, Probe, R2L, U2R).

The experimental results reveal a clear divergence in algorithmic strengths. Random Forest and Gradient Boosting dominate the detection of high‑volume attacks such as DoS and Probe, achieving detection rates above 98 % and false‑positive rates below 2 %. For the low‑frequency, highly imbalanced classes R2L and U2R, deep learning models (particularly a modestly sized feed‑forward neural network) maintain more stable performance, albeit at the cost of significantly higher training time and memory consumption. Based on these observations, the authors construct a “classifier selection matrix” that maps each attack class to its best‑performing algorithm.

Two practical selection models are then introduced. The first, a “multi‑expert” system, employs a lightweight pre‑classifier (a shallow decision tree) to infer the probable attack category of an incoming connection and subsequently dispatches the instance to the corresponding expert classifier identified in the matrix. The second, an “ensemble‑weighting” model, aggregates the probability outputs of all candidate classifiers using class‑specific weights derived from validation performance, thereby producing a single consensus decision. Both models incorporate a feature‑selection stage that retains only the top 20 attributes ranked by information gain, and they exploit caching mechanisms to reduce latency during model invocation.

When benchmarked against a baseline single‑classifier approach (Random Forest applied uniformly to all traffic), the multi‑expert model achieves an overall detection accuracy of 96.3 % and a false‑positive rate of 1.8 %, while the ensemble‑weighting model records 95.7 % accuracy and a 2.1 % false‑positive rate. Importantly, average processing time per record remains under 0.018 seconds for both models, satisfying real‑time detection requirements.

The discussion highlights the principal contributions: (1) a comprehensive, per‑attack‑type performance database for a wide range of classifiers, and (2) two deployable selection mechanisms that improve detection quality without sacrificing throughput. Limitations are acknowledged, notably the reliance on the dated KDD99 dataset, the absence of validation on newer attack families (e.g., those present in CICIDS2017/2020), and the computational overhead associated with deep‑learning classifiers. The authors suggest future work that includes cross‑dataset validation, online learning to adapt to evolving threat landscapes, and the integration of lightweight neural architectures (e.g., MobileNet‑style models) to further balance accuracy and latency.

In summary, the study demonstrates that a dynamic, attack‑aware classifier selection strategy can deliver measurable gains in both detection effectiveness and operational speed, offering a viable path forward for next‑generation intrusion detection systems.