Pairwise clusters optimization and cluster most significant feature methods for anomaly-based network intrusion detection system (POC2MSF) / Gervais Hatungimana

Anomaly-based Intrusion Detection System (IDS) uses known baseline to detect patterns which have deviated from normal behaviour. If the baseline is faulty, the IDS performance degrades. Most of researches in IDS which use k-centroids-based clustering methods like K-means, K-medoids, Fuzzy, Hierarchical and agglomerative algorithms to baseline network traffic suffer from high false positive rate compared to signature-based IDS, simply because the nature of these algorithms risk to force some network traffic into wrong profiles depending on K number of clusters needed. In this paper, we propose an alternative method which instead of defining K number of clusters, defines t distance threshold. The unrecognizable IDS; IDS which is neither HIDS nor NIDS is the consequence of using statistical methods for features selection. The speed, memory and accuracy of IDS are affected by inappropriate features reduction method or ignorance of irrelevant features. In this paper, we use two-step features selection and Quality Threshold with Optimization methods to design anomaly-based HIDS and NIDS separately. The performance of our system is 0% ,99.99%, 1,1 false positive rates, accuracy, precision and recall respectively for NIDS and 0%,99.61%, 0.991,0.97 false positive rates, accuracy, precision and recall respectively for HIDS