RISS (Research Information Sharing Service)


      KCI-listed

      A Genetic-Algorithm-Based Integrated Model for Implementing Cost-Effective Intelligent Intrusion Detection Systems


      https://www.riss.kr/link?id=A60115301


      Multilingual Abstract

      These days, malicious attacks and hacks on networked systems are increasing dramatically, and their patterns are changing rapidly. Consequently, it is becoming more important to handle these malicious attacks and hacks appropriately, and there is considerable interest in and demand for effective network security systems such as intrusion detection systems. Intrusion detection systems are network security systems for detecting, identifying and responding appropriately to unauthorized or abnormal activities. Conventional intrusion detection systems have generally been designed using experts' implicit knowledge of network intrusions or hackers' abnormal behaviors. However, although they perform very well under normal situations, they cannot handle new or unknown patterns of network attacks. As a result, recent studies on intrusion detection systems use artificial intelligence techniques, which can proactively respond to unknown threats.
      For a long time, researchers have adopted and tested various kinds of artificial intelligence techniques, such as artificial neural networks, decision trees, and support vector machines, to detect intrusions on the network. However, most of them have applied these techniques singly, even though combining the techniques may lead to better detection. For this reason, we propose a new integrated model for intrusion detection. Our model is designed to combine the prediction results of four different binary classification models, logistic regression (LOGIT), decision trees (DT), artificial neural networks (ANN), and support vector machines (SVM), which may be complementary to each other. Genetic algorithms (GA) are used as the tool for finding the optimal combining weights. Our proposed model is designed to be built in two steps. In the first step, the optimal integration model, the one whose prediction error (i.e. erroneous classification rate) is the least, is generated. In the second step, it explores the optimal classification threshold for determining intrusions, which minimizes the total misclassification cost. To calculate the total misclassification cost of an intrusion detection system, we need to understand its asymmetric error cost scheme. Generally, there are two common forms of errors in intrusion detection. The first error type is the False-Positive Error (FPE). In the case of FPE, the wrong judgment may result in unnecessary fixes. The second error type is the False-Negative Error (FNE), which mainly misjudges malware in a program as normal. Compared to FPE, FNE is more fatal. Thus, the total misclassification cost is affected more by FNE than by FPE.
      To validate the practical applicability of our model, we applied it to a real-world dataset for network intrusion detection. The experimental dataset was collected from the IDS sensor of an official institution in Korea from January to June 2010. We collected 15,000 log data in total, and selected 10,000 samples from them by random sampling. We also compared the results from our model with the results from the single techniques to confirm the superiority of the proposed model. The LOGIT and DT experiments were run using PASW Statistics v18.0, and the ANN experiments using Neuroshell R4.0. For SVM, LIBSVM v2.90, a freeware tool for training SVM classifiers, was used.
      Empirical results showed that our proposed GA-based model outperformed all the other comparative models in detecting network intrusions from the accuracy perspective. They also showed that the proposed model outperformed all the other comparative models from the total misclassification cost perspective. Consequently, it is expected that our study may contribute to building cost-effective intelligent intrusion detection systems.
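
The two-step procedure described in the abstract, as an added example that is not the authors' code: a small genetic algorithm searches for the combining weights, then a threshold sweep minimises the total misclassification cost. The synthetic classifier scores, the 1:5 FPE/FNE cost ratio, the 0.5 threshold used in step 1 and the GA operators are assumptions; the abstract does not specify them.

```python
import random

def make_data(rng, n=400):
    # Constructed sample: label 1 = intrusion; columns stand in for LOGIT, DT, ANN, SVM scores.
    y = [int(rng.random() < 0.3) for _ in range(n)]
    return [[min(1.0, max(0.0, 0.35 + 0.3 * l + rng.gauss(0, s)))
             for s in (0.25, 0.30, 0.20, 0.28)] for l in y], y  # assumed per-model noise

def combine(w, row):
    return sum(wi * si for wi, si in zip(w, row))

def error_rate(w, X, y, t=0.5):
    return sum((combine(w, r) >= t) != bool(l) for r, l in zip(X, y)) / len(y)

def normalise(w):
    return [v / sum(w) for v in w]

def ga_weights(X, y, rng, pop_size=30, generations=40):
    # Step 1: GA search for combining weights that minimise the error rate (threshold 0.5 assumed).
    k = len(X[0])
    pop = [[float(i == j) for j in range(k)] for i in range(k)]  # each single model alone
    pop += [normalise([rng.random() + 1e-9 for _ in range(k)]) for _ in range(pop_size - k)]
    for _ in range(generations):
        elite = sorted(pop, key=lambda w: error_rate(w, X, y))[:pop_size // 3]
        pop = list(elite)                                # elitism: best weights always survive
        while len(pop) < pop_size:
            a, b = rng.sample(elite, 2)
            child = [(p + q) / 2 for p, q in zip(a, b)]  # arithmetic crossover
            i = rng.randrange(k)
            child[i] = max(1e-9, child[i] + rng.gauss(0, 0.1))  # Gaussian mutation
            pop.append(normalise(child))
    return min(pop, key=lambda w: error_rate(w, X, y))

def total_cost(w, X, y, t, c_fp, c_fn):  # asymmetric: c_fn (missed intrusion) > c_fp (false alarm)
    fp = sum(combine(w, r) >= t and not l for r, l in zip(X, y))
    fn = sum(combine(w, r) < t and bool(l) for r, l in zip(X, y))
    return c_fp * fp + c_fn * fn

def best_threshold(w, X, y, c_fp=1.0, c_fn=5.0):
    # Step 2: sweep the alarm threshold and keep the one with the lowest total cost.
    return min((i / 100 for i in range(1, 100)), key=lambda t: total_cost(w, X, y, t, c_fp, c_fn))

def run(seed=7):
    rng = random.Random(seed)
    X, y = make_data(rng)
    w = ga_weights(X, y, rng)
    t = best_threshold(w, X, y)
    singles = [error_rate([float(i == j) for j in range(4)], X, y) for i in range(4)]
    return w, error_rate(w, X, y), singles, t, total_cost(w, X, y, t, 1, 5), total_cost(w, X, y, 0.5, 1, 5)
```

Because the initial population contains each single classifier on its own and the best individuals are always carried over, the combined model's training error can never be worse than the best single model's; a real evaluation would measure both steps on held-out data.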



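      Journal history
      Date | History type | Details | Listing status
      2027 | Evaluation scheduled | Eligible to apply for re-accreditation evaluation (re-accreditation) |
      2021-01-01 | Evaluation | Listed-journal status maintained (re-accreditation) | KCI-listed
      2018-01-01 | Evaluation | Listed-journal status maintained (listing maintained) | KCI-listed
      2015-03-25 | Society name change | English name: unregistered -> Korea Intelligent Information Systems Society | KCI-listed
      2015-03-17 | Journal name change | Foreign-language name: unregistered -> Journal of Intelligence and Information Systems | KCI-listed
      2015-01-01 | Evaluation | Listed-journal status maintained (listing maintained) | KCI-listed
      2011-01-01 | Evaluation | Listed-journal status maintained (listing maintained) | KCI-listed
      2009-01-01 | Evaluation | Listed-journal status maintained (listing maintained) | KCI-listed
      2008-02-11 | Journal name change | Korean name: 한국지능정보시스템학회 논문지 -> 지능정보연구 | KCI-listed
      2007-01-01 | Evaluation | Listed-journal status maintained (listing maintained) | KCI-listed
      2004-01-01 | Evaluation | Selected as listed journal (listing candidate, 2nd round) | KCI-listed
      2003-01-01 | Evaluation | Listing candidate 1st round PASS (listing candidate, 1st round) | KCI candidate
      2001-07-01 | Evaluation | Selected as listing-candidate journal (new evaluation) | KCI candidate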

      Journal citation information
      Base year | WOS-KCI combined IF (2-year) | KCIF (2-year) | KCIF (3-year) | KCIF (4-year) | KCIF (5-year) | Centrality index (3-year) | Immediacy index
      2016 | 1.51 | 1.51 | 1.99 | 1.78 | 1.54 | 2.674 | 0.38
