Enhancing security attacks analysis using regularized machine learning techniques
Journal article, Peer reviewed
MetadataShow full item record
Original versionAdvanced Information Networking and Applications. 2017, 909-918. 10.1109/AINA.2017.19
With the increasing threats of security attacks, Machine learning (ML) has become a popular technique to detect those attacks. However, most of the ML approaches are black-box methods and their inner-workings are difficult to understand by human beings. In the case of network security, understanding the dynamics behind the classification model is a crucial element towards creating safe and human-friendly systems. In this article, we investigate the most important features in identifying well-known security attacks by using Support Vector Machines (SVMs) and l1-regularized method with Least Absolute Shrinkage and Selection Operator (LASSO) for robust regression both to binary and multiclass attack classification. SVMs are one of the standards of ML classification techniques that give a reasonably good performance but with some drawbacks in terms of interpretability. On the other hand, LASSO is a regularized regression method often performing comparably well and it has extra compelling advantages of being very easily interpretable. LASSO provides coefficients that contribute how individual features affect the probability of specific security attack classes to occur. Hence, we finally use LASSO in particular for multiclass classification to help us better understand which actual features shared by attacks in a network are the most important ones. To perform our analysis, we use the recent NSL-KDD intrusion detection public dataset where the data are labeled into either anomalous (denial-of-service (DoS), remote-to-local (R2L), user-to-root (U2R) and probe attack classes) or normal. Empirical results of the analysis and computational performance comparison over the competing methods used are also presented and discussed. We believe that the methodology presented in this paper may strengthen a future research in network intrusion detection settings.