Anomaly-based network intrusion detection enhancement by prediction threshold adaptation of binary classification models
Item metadata
dc.contributor.advisor | Duncan, Ishbel Mary Macdonald | |
dc.contributor.author | Al Tobi, Amjad Mohamed | |
dc.coverage.spatial | xxvii, 323 p. | en_US |
dc.date.accessioned | 2019-02-13T10:16:04Z | |
dc.date.available | 2019-02-13T10:16:04Z | |
dc.date.issued | 2018-10-19 | |
dc.identifier.uri | https://hdl.handle.net/10023/17050 | |
dc.description.abstract | Network traffic exhibits a high level of variability over short periods of time. This variability impacts negatively on the performance (accuracy) of anomaly-based network Intrusion Detection Systems (IDS) that are built using predictive models in a batch-learning setup. This thesis investigates how adapting the discriminating threshold of model predictions, specifically to the evaluated traffic, improves the detection rates of these Intrusion Detection models. Specifically, this thesis studied the adaptability features of three well known Machine Learning algorithms: C5.0, Random Forest, and Support Vector Machine. The ability of these algorithms to adapt their prediction thresholds was assessed and analysed under different scenarios that simulated real world settings using the prospective sampling approach. A new dataset (STA2018) was generated for this thesis and used for the analysis. This thesis has demonstrated empirically the importance of threshold adaptation in improving the accuracy of detection models when training and evaluation (test) traffic have different statistical properties. Further investigation was undertaken to analyse the effects of feature selection and data balancing processes on a model’s accuracy when evaluation traffic with different significant features were used. The effects of threshold adaptation on reducing the accuracy degradation of these models was statistically analysed. The results showed that, of the three compared algorithms, Random Forest was the most adaptable and had the highest detection rates. This thesis then extended the analysis to apply threshold adaptation on sampled traffic subsets, by using different sample sizes, sampling strategies and label error rates. This investigation showed the robustness of the Random Forest algorithm in identifying the best threshold. The Random Forest algorithm only needed a sample that was 0.05% of the original evaluation traffic to identify a discriminating threshold with an overall accuracy rate of nearly 90% of the optimal threshold. | en_US |
dc.description.sponsorship | "This research was supported and funded by the Government of the Sultanate of Oman represented by the Ministry of Higher Education and the Sultan Qaboos University." -- p. ix | en |
dc.language.iso | en | en_US |
dc.publisher | University of St Andrews | |
dc.relation | STA2018 (Full) (thesis data) Al Tobi, A.M.H., University of St Andrews, DOI: https://doi.org/10.17630/c5f31888-9db5-4ac0-a990-3fd17dcfe865 | en |
dc.relation.uri | https://doi.org/10.17630/c5f31888-9db5-4ac0-a990-3fd17dcfe865 | |
dc.rights | Attribution 4.0 International | * |
dc.rights.uri | http://creativecommons.org/licenses/by/4.0/ | * |
dc.subject | Intrusion detection system | en_US |
dc.subject | Anomaly-based IDS | en_US |
dc.subject | Threshold adaptation | en_US |
dc.subject | Prediction accuracy improvement | en_US |
dc.subject | Machine learning | en_US |
dc.subject | STA2018 dataset | en_US |
dc.subject | C5.0 algorithm | en_US |
dc.subject | Random forest algorithm | en_US |
dc.subject | Support vector machine algorithm | en_US |
dc.subject.lcc | TK5105.59A6 | |
dc.subject.lcsh | Intrusion detection systems (Computer security) | en |
dc.subject.lcsh | Machine learning | en |
dc.title | Anomaly-based network intrusion detection enhancement by prediction threshold adaptation of binary classification models | en_US |
dc.type | Thesis | en_US |
dc.contributor.sponsor | Oman. Ministry of Higher Education | en_US |
dc.contributor.sponsor | Jāmiʻat al-Sulṭān Qābūs | en_US |
dc.type.qualificationlevel | Doctoral | en_US |
dc.type.qualificationname | PhD Doctor of Philosophy | en_US |
dc.publisher.institution | The University of St Andrews | en_US |
dc.publisher.department | School of Computer Science | en_US |
Except where otherwise noted within the work, this item's licence for re-use is described as Attribution 4.0 International
Items in the St Andrews Research Repository are protected by copyright, with all rights reserved, unless otherwise indicated.