Most neural-network-based intrusion detection systems (IDS) examine all data features to detect intrusion or misuse patterns. Some of these features may be redundant or contribute little (if anything) to the detection process. The purpose of this study is therefore to identify the important KDD features that will be used to train a neural network (NN), in order to best classify and detect attacks. Four NNs were studied: Modular, Recurrent, Principal Component Analysis (PCA), and Time-Lag recurrent (TLR) NNs. We investigated the performance of combining Fisher's filter, used as a feature selection technique, with each of these NNs. Our simulations show that using Fisher's filter greatly improves the performance of the four NNs considered in terms of detection rate, attack classification, and computational time.
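
The feature-ranking step described above, as an added example that is not code from the study: it assumes Fisher's filter is the one-way ANOVA F-ratio computed per feature (the abstract gives no formula), and the records and helper names are constructed for illustration.

```python
# Added example: rank features with a one-way ANOVA F-ratio, an assumed
# formulation of "Fisher's filter" (the abstract gives no formula).
from collections import defaultdict

# Constructed records (not real KDD rows); field names follow KDD Cup 99.
FEATURES = ["duration", "src_bytes", "count", "land"]
RECORDS = [
    ((2, 200, 5, 0), "normal"), ((0, 240, 8, 0), "normal"), ((1, 220, 6, 0), "normal"),
    ((0, 0, 250, 0), "dos"), ((2, 0, 255, 0), "dos"), ((1, 10, 245, 0), "dos"),
    ((1, 5, 100, 0), "probe"), ((2, 0, 110, 0), "probe"), ((0, 10, 105, 0), "probe"),
]

def fisher_f(values, labels):
    """F = (between-class SS / (K - 1)) / (within-class SS / (n - K))."""
    groups = defaultdict(list)
    for v, y in zip(values, labels):
        groups[y].append(v)
    n, k = len(values), len(groups)
    if k < 2 or n <= k:
        raise ValueError("need at least two classes and more records than classes")
    grand = sum(values) / n
    means = {y: sum(g) / len(g) for y, g in groups.items()}
    between = sum(len(g) * (means[y] - grand) ** 2 for y, g in groups.items())
    within = sum((v - means[y]) ** 2 for y, g in groups.items() for v in g)
    if within == 0:
        # Constant feature carries no signal; zero spread inside every class
        # with differing class means separates the classes perfectly.
        return float("inf") if between > 0 else 0.0
    return (between / (k - 1)) / (within / (n - k))

def rank_features(records, names):
    """Return (name, F) pairs, most discriminative feature first."""
    labels = [y for _, y in records]
    scores = [(name, fisher_f([x[i] for x, _ in records], labels))
              for i, name in enumerate(names)]
    return sorted(scores, key=lambda item: item[1], reverse=True)

def select_features(records, names, keep):
    """Names of the `keep` highest-ranked features, to feed the NN."""
    return [name for name, _ in rank_features(records, names)[:keep]]

if __name__ == "__main__":
    for name, score in rank_features(RECORDS, FEATURES):
        print(f"{name:10s} F = {score:.1f}")
    print("selected:", select_features(RECORDS, FEATURES, keep=2))
```

Features whose class means coincide (here `duration`) or that never vary (`land`) score zero and are the ones a filter of this kind drops before training.
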
This paper presents a neural network (NN) approach to detecting intrusions. Previous works used many KDD records to train NNs for detecting intrusions. Our objective here is therefore to show that, in the case of the KDD data sets, good results can be obtained by training some NNs with a small data subset. To demonstrate this, the study compares attack detection and classification using two training sets: a set of only 260 records and a set of 65536 records. The testing set is composed of 65536 records randomly chosen from the KDD testing set. Our study focused on two types of record classification: single class (normal or attack), and multi-class, where the category of the attack is detected by the NN. Four different types of NNs were tested: Multi-Layer Perceptron (MLP), Modular, Jordan/Elman and Principal Component Analysis (PCA) NN. Two NN structures were used: the first contains only one hidden layer and the second contains ten hidden layers. Our simulations show that training on the small data subset (260 records) detects and classifies attacks more efficiently than training on the second data subset.