Network Intrusion Detection with Cascading Classification

The KDD99 network intrusion contest and the related intrusion data sets attracted increased attention of the research community. The success rate of contest participants was evaluated in terms of the obtained classification cost. The classification cost of the contest winner was 0.2331, the best approach prior to our work carries the classification cost of 0.2224. We show that a simple approach based on cascading classification leads to the classification cost of 0.2079. Cascading classification is in our case done by applying 2-nearest-neighbor classification. The samples which could not be predicted with 2-nearest-neighbor classification (4-6%) are further classified with a clustering approach with class priority. This clustering approach when applied in isolation under performs other approaches. However, when applied in cascading classification, it can take advantage of the reduced number of samples. We argue that cascading classification is a viable alternative in scenarios where less complex machine learning approaches are favorable, for example due to possible performance degradation in resource constrained devices such as mobile phones, embedded systems or sensors.