# ADDING EXPERT KNOWLEDGE TO TAN-BASED INTRUSION DETECTION SYSTEMS

### S. Benferhat, A. Boudjelida, H. Drias

#### Abstract

Bayesian networks are important knowledge representation tools for handling uncertain pieces of information. The success of these models is strongly related to their capacity to represent and handle (in)dependence relations. A simple form of Bayesian network, called naive Bayes, has been successfully applied in many classification tasks. In particular, naive Bayes classifiers have been used for intrusion detection. Unfortunately, naive Bayes rests on a strong independence assumption that limits its application scope. This paper considers the well-known Tree Augmented Naive Bayes (TAN) classifiers in the context of intrusion detection. In particular, we study how additional expert information, such as "it is expected that 80% of traffic will be normal", can be integrated into classification tasks. Experimental results show that our approach improves existing results.
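The abstract names the two ingredients without spelling them out: a TAN classifier (a naive Bayes whose features are additionally linked by a tree, learned with the Chow-Liu procedure over conditional mutual information, as in Friedman, Geiger and Goldszmidt (1997) cited below) and a piece of expert knowledge about the expected share of normal traffic. The following is an added example, not code from the paper or its authors, that implements both on a constructed toy dataset. It assumes one plausible way of injecting the expert statement, replacing the class prior P(C) learned from the training set with the expert's figures (80% normal, 20% attack); the paper may integrate the information differently. Feature names (`proto`, `flag`, `service`), the records and the `EXPERT_PRIOR` dictionary are all constructed here.

```python
"""Tree Augmented Naive Bayes (TAN) with an expert-supplied class prior.

Added example, not code from the paper. The tree is learned with the
Chow-Liu procedure over conditional mutual information I(X_i; X_j | C).
Injecting expert knowledge by replacing the learned class prior P(C) with
the expert's figures (80% normal / 20% attack) is an assumption of this
example, not the paper's own method.
"""
import math
from collections import Counter

# Constructed toy connection records (not KDD'99 data). Within each class the
# flag is constant, so I(flag; other | C) = 0; proto and service are dependent
# within a class, so the Chow-Liu tree links them.
TRAIN = [
    {"proto": "tcp", "flag": "SF", "service": "http",    "label": "normal"},
    {"proto": "tcp", "flag": "SF", "service": "http",    "label": "normal"},
    {"proto": "tcp", "flag": "SF", "service": "http",    "label": "normal"},
    {"proto": "udp", "flag": "SF", "service": "private", "label": "normal"},
    {"proto": "tcp", "flag": "SF", "service": "private", "label": "normal"},
    {"proto": "tcp", "flag": "S0", "service": "private", "label": "attack"},
    {"proto": "tcp", "flag": "S0", "service": "private", "label": "attack"},
    {"proto": "tcp", "flag": "S0", "service": "private", "label": "attack"},
    {"proto": "tcp", "flag": "S0", "service": "http",    "label": "attack"},
    {"proto": "udp", "flag": "S0", "service": "private", "label": "attack"},
]
FEATURES = ["proto", "flag", "service"]
LABEL = "label"
# The expert statement from the abstract ("80% of traffic will be normal")
# expressed as a class prior; every class needs a strictly positive value.
EXPERT_PRIOR = {"normal": 0.8, "attack": 0.2}


def cond_mutual_info(rows, a, b, label):
    """I(A; B | C) from empirical counts:
    sum over c, x, y of P(c, x, y) * log(P(x, y | c) / (P(x | c) P(y | c)))."""
    n = len(rows)
    total = 0.0
    for c in {r[label] for r in rows}:
        sub = [r for r in rows if r[label] == c]
        nc = len(sub)
        na = Counter(r[a] for r in sub)
        nb = Counter(r[b] for r in sub)
        nab = Counter((r[a], r[b]) for r in sub)
        for (x, y), nxy in nab.items():
            # nxy * nc / (nx * ny) is the ratio of the joint to the product
            # of the marginals, all conditioned on class c
            total += (nxy / n) * math.log((nxy * nc) / (na[x] * nb[y]))
    return total


def chow_liu_tree(rows, features, label):
    """Maximum-weight spanning tree over the features (Prim's algorithm with
    conditional mutual information as edge weight), rooted at features[0].
    Returns {feature: parent}; the root maps to None. Ties are resolved by
    feature order, so the structure is deterministic."""
    parent = {features[0]: None}
    while len(parent) < len(features):
        best = None  # (weight, child, parent)
        for p in list(parent):
            for f in features:
                if f in parent:
                    continue
                w = cond_mutual_info(rows, p, f, label)
                if best is None or w > best[0]:
                    best = (w, f, p)
        parent[best[1]] = best[2]
    return parent


class TAN:
    """TAN classifier with Laplace smoothing. The class prior used at
    prediction time is either the learned one or a dict from an expert."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha

    def fit(self, rows, features, label):
        self.features, self.label = features, label
        self.parent = chow_liu_tree(rows, features, label)
        self.classes = sorted({r[label] for r in rows})
        self.values = {f: sorted({r[f] for r in rows}) for f in features}
        self.learned_prior = {c: sum(r[label] == c for r in rows) / len(rows)
                              for c in self.classes}
        self.n_fpc = Counter()  # (feature, parent value, class, value)
        self.n_pc = Counter()   # (feature, parent value, class)
        for r in rows:
            for f in features:
                u = r[self.parent[f]] if self.parent[f] else None
                self.n_fpc[(f, u, r[label], r[f])] += 1
                self.n_pc[(f, u, r[label])] += 1
        return self

    def _log_likelihood(self, x, c):
        # log P(x | c) = sum_i log P(x_i | parent(x_i), c), Laplace-smoothed
        total = 0.0
        for f in self.features:
            u = x[self.parent[f]] if self.parent[f] else None
            num = self.n_fpc[(f, u, c, x[f])] + self.alpha
            den = self.n_pc[(f, u, c)] + self.alpha * len(self.values[f])
            total += math.log(num / den)
        return total

    def posterior(self, x, prior=None):
        """P(C | x) under the learned prior or under a supplied expert prior."""
        prior = prior or self.learned_prior
        logs = {c: math.log(prior[c]) + self._log_likelihood(x, c)
                for c in self.classes}
        m = max(logs.values())
        w = {c: math.exp(v - m) for c, v in logs.items()}
        z = sum(w.values())
        return {c: v / z for c, v in w.items()}

    def predict(self, x, prior=None):
        post = self.posterior(x, prior)
        return max(post, key=post.get)


if __name__ == "__main__":
    model = TAN().fit(TRAIN, FEATURES, LABEL)
    print("tree (child -> parent):", model.parent)
    mixed = {"proto": "udp", "flag": "S0", "service": "http"}
    print("learned prior:", model.posterior(mixed))
    print("expert prior: ", model.posterior(mixed, EXPERT_PRIOR))
```

The record `mixed` combines one attack-looking value (`S0`) with values seen in both classes, so the likelihood ratio between the two classes is only 2:1. Under the 50/50 prior learned from the balanced training set it is labelled an attack; under the expert's 80/20 prior the same evidence yields P(attack | x) = 1/3 and the record is labelled normal. A record whose evidence is strong (`tcp`, `S0`, `private`, likelihood ratio 10:1) stays an attack under both priors, which is the behaviour one wants from a base-rate correction: it moves borderline decisions, not clear ones.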

#### References

- Ben Amor, N., Benferhat, S., Elouedi, Z.: Naive Bayes vs Decision Trees in Intrusion Detection Systems. ACM Symposium on Applied Computing, SAC'04 (2004)
- Benferhat, S., Tabia, K.: On the combination of Naive Bayes and decision trees for intrusion detection. The International Conference on Intelligence, Control and Automation, CIMCA (2005)
- Bykova, M., Ostermann, S., Tjaden, B.: Detecting network intrusions via a statistical analysis of network packet characteristics. In Proceedings of the 33rd South Eastern Symposium on System Theory (2001)
- Chow, C. K., Liu, C. N.: Approximating discrete probability distributions with dependence trees. IEEE Transactions on Information Theory 14, pp. 462--467 (1968)
- Cooper, G. F.: Computational complexity of probabilistic inference using Bayes belief networks. Artificial Intelligence, Vol. 42, pp. 393--405 (1990)
- Denning, D. E.: An intrusion-detection model. IEEE Transactions on Software Engineering, SE-13, pp. 222--232 (1987)
- Friedman, N., Geiger, D., Goldszmidt, M.: Bayesian network classifiers. Machine Learning, 29(2-3), pp. 131--163 (1997)
- Geiger, D.: An entropy-based learning algorithm of Bayesian conditional trees. In UAI 7892, pp. 92--97 (1992)
- Hamine, V., Helman, P.: Learning Optimal Augmented Bayes Networks. Dept. of Computer Science, University of New Mexico, Albuquerque, New Mexico 87131, USA (2004)
- John, G.: Enhancements to the Data Mining Process. PhD thesis, Stanford University (1997)
- KDD Cup 99, intrusion detection dataset task description. University of California, Department of Information and Computer Science, http://kdd.ics.uci.edu/databases/kddcup99/task.html (1999)
- Kruegel, C., Mutz, Robertson, W., Valeur, F.: Bayesian Event Classification for Intrusion Detection. Reliable Software Group, University of California, Santa Barbara (2003)
- Langley, P., Iba, W., Thompson, K.: An Analysis of Bayesian Classifiers. In Proceedings of the Tenth National Conference on Artificial Intelligence, pp. 223--228, AAAI Press and MIT Press (1992)
- Scott, S. L.: A Bayesian paradigm for designing intrusion detection systems. Computational Statistics and Data Analysis (special issue on network intrusion detection), 45, pp. 69--83 (2004)
- Valdes, A., Skinner, K.: Adaptive Model-based Monitoring for Cyber Attack Detection. In Proceedings of Recent Advances in Intrusion Detection (RAID), pp. 80--92, Toulouse, France (2000)

#### Paper Citation

#### in Harvard Style

Benferhat S., Boudjelida A. and Drias H. (2009). **ADDING EXPERT KNOWLEDGE TO TAN-BASED INTRUSION DETECTION SYSTEMS**. In *Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)*, ISBN 978-989-674-005-4, pages 61-64. DOI: 10.5220/0002262200610064

#### in Bibtex Style

```bibtex
@conference{secrypt09,
  author={S. Benferhat and A. Boudjelida and H. Drias},
  title={ADDING EXPERT KNOWLEDGE TO TAN-BASED INTRUSION DETECTION SYSTEMS},
  booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)},
  year={2009},
  pages={61-64},
  publisher={SciTePress},
  organization={INSTICC},
  doi={10.5220/0002262200610064},
  isbn={978-989-674-005-4},
}
```

#### in EndNote Style

```text
TY  - CONF
JO  - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)
TI  - ADDING EXPERT KNOWLEDGE TO TAN-BASED INTRUSION DETECTION SYSTEMS
SN  - 978-989-674-005-4
AU  - Benferhat S.
AU  - Boudjelida A.
AU  - Drias H.
PY  - 2009
SP  - 61
EP  - 64
DO  - 10.5220/0002262200610064
```