Application of Unbalanced Data Approach to Network Intrusion Detection

In view of the current problems of HNIDS (high-speed network intrusion detection system), such as high packet loss rate, slow pace of testing for attacks and unbalanced data for detection. This paper presents a novel approach for HNIDS by taking two-stage strategy with load balancing model. In the on-line phase, the system captures the packets from network and split into small according the type of protocol, then detected intrusion through each sensor. In the off-line, training dataset are used to build model, which can detected intrusion. We discuss different approaches to unbalanced data, empirically evaluate the SMOTE over-sampling approaches, AdaBoost and random forests algorithm. We also discuss the approaches for selecting features. Finally report our experimental results over the KDD´99 datasets. The results show that SMOTE and the AdaBoost algorithm by using random forests as weak learner not only can provides better performance to small class, but also has lower build model time.