Feature selection using information gain for improved structural-based alert correlation
Grouping and clustering alerts for intrusion detection based on the similarity of features is referred to as structurally based alert correlation and can discover a list of attack steps. Previous researchers selected different features and data sources manually based on their knowledge and experience...
Saved in:
Main Authors: | Alhaj, T. A.; Siraj, M. M.; Zainal, A.; Elshoush, H. T.; Elhaj, F. |
---|---|
Format: | Article |
Language: | English |
Published: | Public Library of Science, 2016 |
Subjects: | QA75 Electronic computers. Computer science |
Online Access: | http://eprints.utm.my/id/eprint/71959/7/AnazidaZainal2016_FeatureSelectionusingInformationGain.pdf http://eprints.utm.my/id/eprint/71959/ https://www.scopus.com/inward/record.uri?eid=2-s2.0-84998705814&doi=10.1371%2fjournal.pone.0166017&partnerID=40&md5=9ac511beaa64f2471387c37e3f9855c1 |
Institution: | Universiti Teknologi Malaysia |
id | my.utm.71959 |
---|---|
record_format | eprints |
spelling | my.utm.71959 2017-11-23T06:19:24Z http://eprints.utm.my/id/eprint/71959/ Feature selection using information gain for improved structural-based alert correlation Alhaj, T. A. Siraj, M. M. Zainal, A. Elshoush, H. T. Elhaj, F. QA75 Electronic computers. Computer science Grouping and clustering alerts for intrusion detection based on the similarity of features is referred to as structurally based alert correlation and can discover a list of attack steps. Previous researchers selected different features and data sources manually based on their knowledge and experience, which leads to less accurate identification of attack steps and inconsistent clustering accuracy. Furthermore, the existing alert correlation systems deal with a huge amount of data that contains null values, incomplete information, and irrelevant features, causing the analysis of the alerts to be tedious, time-consuming and error-prone. Therefore, this paper focuses on selecting accurate and significant features of alerts that are appropriate to represent the attack steps, thus enhancing the structural-based alert correlation model. A two-tier feature selection method is proposed to obtain the significant features. The first tier ranks the subset of features by information gain entropy in decreasing order. The second tier extends the ranked subset with additional features that have better discriminative ability than the initially ranked features. Performance analysis results show the significance of the selected features in terms of clustering accuracy using the DARPA 2000 intrusion detection scenario-specific dataset. Public Library of Science 2016 Article PeerReviewed application/pdf en http://eprints.utm.my/id/eprint/71959/7/AnazidaZainal2016_FeatureSelectionusingInformationGain.pdf Alhaj, T. A. and Siraj, M. M. and Zainal, A. and Elshoush, H. T. and Elhaj, F. (2016) Feature selection using information gain for improved structural-based alert correlation. PLoS ONE, 11 (11). ISSN 1932-6203 https://www.scopus.com/inward/record.uri?eid=2-s2.0-84998705814&doi=10.1371%2fjournal.pone.0166017&partnerID=40&md5=9ac511beaa64f2471387c37e3f9855c1 |
institution | Universiti Teknologi Malaysia |
building | UTM Library |
collection | Institutional Repository |
continent | Asia |
country | Malaysia |
content_provider | Universiti Teknologi Malaysia |
content_source | UTM Institutional Repository |
url_provider | http://eprints.utm.my/ |
language | English |
topic | QA75 Electronic computers. Computer science |
description | Grouping and clustering alerts for intrusion detection based on the similarity of features is referred to as structurally based alert correlation and can discover a list of attack steps. Previous researchers selected different features and data sources manually based on their knowledge and experience, which leads to less accurate identification of attack steps and inconsistent clustering accuracy. Furthermore, the existing alert correlation systems deal with a huge amount of data that contains null values, incomplete information, and irrelevant features, causing the analysis of the alerts to be tedious, time-consuming and error-prone. Therefore, this paper focuses on selecting accurate and significant features of alerts that are appropriate to represent the attack steps, thus enhancing the structural-based alert correlation model. A two-tier feature selection method is proposed to obtain the significant features. The first tier ranks the subset of features by information gain entropy in decreasing order. The second tier extends the ranked subset with additional features that have better discriminative ability than the initially ranked features. Performance analysis results show the significance of the selected features in terms of clustering accuracy using the DARPA 2000 intrusion detection scenario-specific dataset. |
format | Article |
author | Alhaj, T. A.; Siraj, M. M.; Zainal, A.; Elshoush, H. T.; Elhaj, F. |
author_sort | Alhaj, T. A. |
title | Feature selection using information gain for improved structural-based alert correlation |
publisher | Public Library of Science |
publishDate | 2016 |
url | http://eprints.utm.my/id/eprint/71959/7/AnazidaZainal2016_FeatureSelectionusingInformationGain.pdf http://eprints.utm.my/id/eprint/71959/ https://www.scopus.com/inward/record.uri?eid=2-s2.0-84998705814&doi=10.1371%2fjournal.pone.0166017&partnerID=40&md5=9ac511beaa64f2471387c37e3f9855c1 |
_version_ | 1643656323024289792 |