Classifying Network Attack Data Using Random Forest

摘要

Network intrusion Detection Systems (NIDS) have become an important component in protecting industry and government network infrastructure. Various approaches to intrusion detection are currently being used, however most are rule based systems such as SNORT™ whose performance depend on their rule sets. While these rule based systems are highly effective in detecting known intrusions, they are less effective at discovering novel attacks for which no signatures exist. This paper explores the use of the Random Forest (RF) algorithm to build an anomaly based NIDS which can detect novel attacks. Utilizing the KDD'99 data mining training set, we built predictive classification models using the RF algorithm to evaluate the ability to identify attacks from a supplied test set. We explored how the time to build models vary with the number of trees in the forest, learned the optimal number of decision trees for the forest, looked at the role the number of features with respect to the number of decision trees played in the accuracy and also explored the role feature selection had on the accuracy of the trees. Our results indicate adequate results can be obtained using a reduced feature set. This is significant in that a reduced feature set may improve computation cost and may enhance the prediction accuracy by improving the signal to noise ratio.