Title of article :
Feature Selection for Detecting Fast Attack in Network Intrusion Detection
Author/Authors :
Faizal, M.A. University Technical Malaysia - Faculty Information Technology and Communication, Malaysia , Shahrin, S. University Technical Malaysia - Faculty Information Technology and Communication, Malaysia , Asrul, H. Y. University Multimedia Melaka - Faculty Information System and Technology, Malaysia , Fairuz, M.I.O. University Technical Malaysia - Faculty Information Technology and Communication, Malaysia , Robbie, Y. University Technical Malaysia - Faculty Information Technology and Communication, Malaysia
Abstract :
Over the last decade, networks have grown in both size and importance, especially for exchanging data and carrying out transactions. They have also become the main means of attacking a host. The popularity of intrusion tools and scripts is the main contributor to attacks inside the network. Gathering valuable information from a vulnerable machine is the first step for an attacker to launch an attack against that machine. There are numerous techniques for getting this information, such as sweeping, scanning, probing and so on. These information gathering techniques can be divided into 2 categories: fast attack and slow attack. A fast attack can be defined as an attack that uses a large amount of packets or connections within a short period of a few seconds. Meanwhile, a slow attack can be defined as an attack which takes a much longer time, usually minutes or a few hours, to complete. In order to detect these attacks, introducing an intrusion detection system (IDS) inside the network is necessary. An IDS has the capability to analyze network traffic and recognize incoming and on-going intrusions. This system can be classified into 2 types, namely signature-based IDS and anomaly-based IDS. Before developing the intrusion detection system, selecting the necessary features is important. Selecting unnecessary features may cause computational issues and decrease the accuracy of detection. Furthermore, current research concentrates more on the technique of detection than on feature selection. Researchers have just used the features without mentioning the influence of each feature inside the system itself. Therefore this research will reveal the influence of the features in predicting the result of the detection. Besides that, we also introduce a set of minimum features that can be used to detect a fast attack.
The result shows that the feature selected in the research has a strong potential to detect the fast attack and significantly reduce the false alarm generated by the intrusion detection system.
Keywords :
Intrusion Detection System , Features , Fast Attack
Journal title :
Journal of Advanced Manufacturing Technology