Bayesian Model Averaging of Bayesian Network Classifiers for Intrusion Detection

Bayesian network (BN) classifiers with powerful reasoning capabilities have been increasingly utilized to detect intrusion with reasonable accuracy and efficiency. However, existing BN classifiers for intrusion detection suffer two problems. First, such BN classifiers are often trained from data using heuristic methods that usually select suboptimal models. Second, the classifiers are trained using very large datasets which may be time consuming to obtain in practice. When the size of training dataset is small, the performance of a single BN classifier is significantly reduced due to its inability to represent the whole probability distribution. To alleviate these problems, we build a Bayesian classifier by Bayesian Model Averaging(BMA) over the k-best BN classifiers, called Bayesian Network Model Averaging (BNMA) classifier. We train and evaluate BNMA classifier on the NSL-KDD dataset, which is less redundant, thus more judicial than the commonly used KDD Cup 99 dataset. We show that the BNMA classifier performs significantly better in terms of detection accuracy than the Naive Bayes classifier and the BN classifier built with heuristic method. We also show that the BNMA classifier trained using a smaller dataset outperforms two other classifiers trained using a larger dataset. This also implies that the BNMA is beneficial in accelerating the detection process due to its less dependance on the potentially prolonged process of collecting large training datasets.