Kok-Chin Khor

A cascaded classifier approach for improving detection rates on rare attack categories in network intrusion detection

Network intrusion detection research work that employed KDDCup 99 dataset often encounter challenges in creating classifiers that could handle unequal distributed attack categories. The accuracy of a classification model could be jeopardized if the distribution of attack categories in a training dataset is heavily imbalanced where the rare categories are less than 2% of the total population. In such cases, the model could not efficiently learn the characteristics of rare categories and this will result in poor detection rates. In this research, we introduce an efficient and effective approach in dealing with the unequal distribution of attack categories. Our approach relies on the training of cascaded classifiers using a dichotomized training dataset in each cascading stage. The training dataset is dichotomized based on the rare and non-rare attack categories. The empirical findings support our arguments that training cascaded classifiers using the dichotomized dataset provides higher detection rates on the rare categories as well as comparably higher detection rates for the non-rare attack categories as compared to the findings reported in other research works. The higher detection rates are due to the mitigation of the influence from the dominant categories if the rare attack categories are separated from the dataset.

A Feature Selection Approach for Network Intrusion Detection

Processing huge amount of collected network data to identify network intrusions needs high computational cost. Reducing features in the collected data may therefore solve the problem. We proposed an approach for obtaining optimal number of features to build an efficient model for intrusion detection system (IDS). Two feature selection algorithms were involved to generate two feature sets. These two features sets were then utilized to produce a combined and a shared feature set, respectively. The shared feature set consisted of features agreed by the two feature selection algorithms and therefore considered important features for identifying intrusions. Human intervention was then conducted to find an optimal number of features in between the combined (maximum) and shared feature sets (minimum). Empirical results showed that the proposed feature set gave equivalent results compared to the feature sets generated by the selected feature selection methods, and combined feature sets.

Forming an optimal feature set for classifying network intrusions involving multiple feature selection methods

High computational cost has always been a constraint in processing huge network intrusion data. This problem can be mitigated through feature selection to reduce the size of the network data involved. In this research work, we first consider existing feature selection methods that are computationally feasible for processing huge network intrusion datasets. Each of the feature selection methods was treated as an expert capable of identifying useful features from the datasets. A feature that is selected by these experts implies its importance in detecting network intrusions. The important features were subsequently grouped to form feature sets based on the frequency of selection. One such feature set was able to produce classification results comparable to feature sets generated by single feature selection methods and was also comparable to classification results of the winner of KDD CUP competition.

A Probabilistic Approach for Network Intrusion Detection

This study aims to propose a probabilistic approach for detecting network intrusions using Bayesian networks (BNs). Three variations of BN, namely, naive Bayesian network (NBC), learned BN, and handcrafted BN, were evaluated and from which, an optimal BN was obtained. A standard dataset containing 494020 records, a category for normal network traffics, and four major attack categories (denial of service, probing, remote to local, user to root and normal), were used in this study. The dataset went through an 80-20 split to serve the training and testing phases. 80% of the dataset were treated with a feature selection algorithm to obtain a set of features, from which the three BNs were constructed. During the evaluation phase, the remaining 20% of the dataset were used to obtain the classification accuracies of the BNs. The results show that the hand-crafted BN, in general, has outperformed NBC and Learned BN.

Comparing Single and Multiple Bayesian Classifiers Approaches for Network Intrusion Detection

A general strategy for improving the performance of classifiers is to consider multiple classifiers approach. Previous research works have shown that combination of different types of classifiers provided a good classification results. We noticed a raising interest to incorporate single Bayesian classifier into the multiple classifiers framework. In this light, this research work explored the possibility of employing multiple classifiers approach, but limited to variations of Bayesian technique, namely Naïve Bayes Classifier, Bayesian Networks, and Expert-elicited Bayesian Network. Empirical evaluations were conducted based on a standard network intrusion dataset and the results showed that the multiple Bayesian classifiers approach gave insignificant increase of performance in detecting network intrusions as compared to a single Bayesian classifier. Naives Bayes Classifier should be considered in detecting network intrusions due to its comparable performance with multiple Bayesian classifiers approach. Moreover, time spent for building a NBC was less compared to others.

StockProF: a stock profiling framework using data mining approaches

Analysing stock financial data and producing an insight into it are not easy tasks for many stock investors, particularly individual investors. Therefore, building a good stock portfolio from a pool of stocks often requires Herculean efforts. This paper proposes a stock profiling framework, StockProF, for building stock portfolios rapidly. StockProF utilizes data mining approaches, namely, (1) Local Outlier Factor (LOF) and (2) Expectation Maximization (EM). LOF first detects outliers (stocks) that are superior or poor in financial performance. After removing the outliers, EM clusters the remaining stocks. The investors can then profile the resulted clusters using mean and 5-number summary. This study utilized the financial data of the plantation stocks listed on Bursa Malaysia. The authors used 1-year stock price movements to evaluate the performance of the outliers as well as the clusters. The results showed that StockProF is effective as the profiling corresponded to the average capital gain or loss of the plantation stocks.

Features and Bayesian Network Model of Conceptual Change for INQPRO

Predicting conceptual change in scientific inquiry learning environment is not trivial due to the challenges that stemmed when eliciting a student’s implicit properties. The challenges could be more complicated when such learning environment employs exploratory learning approach. One plausible approach to tackle the challenges is by employing data mining approach. In this study, 129 interaction logs were firstly preprocessed and subsequently transformed into structured dataset fits for mining purpose. Feature selection algorithms were performed considering that fact the dataset consists of large number of attributes. The dimension of feature set was reduced via two feature selection algorithms and elicitation of domain expert, resulting in M_ORA, M_RFE, and M_DOM, respectively. The feature sets were compared using Naïve Bayesian Networks (M_NB_DOM, M_NB_RFE, M_NB_ORA). The second phase of empirical study aimed to investigated the optimal BN model for capturing knowledge about conceptual change. To do that, a machine-learned Bayesian Network (M_LBN) was constructed and its performance was compared to M_NB_DOM. Findings from empirical studies suggested that (i) classifiers constructed using M_DOM outperformed M_ORA and M_RFE and (ii) the classifier M_LBN outperformed M_NB_DOM in predicting conceptual change, suggesting that M_LBN is a better classifier than M_NB_DOM in capturing knowledge about conceptual change in INQPRO, a scientific inquiry learning environment developed in this research work.

An Improvement to StockProF: Profiling Clustered Stocks with Class Association Rule Mining

Using StockProF developed in our previous work, we are able to identify outliers from a pool of stocks and form clusters with the remaining stocks based on their financial performance. The financial performance is measured using financial ratios obtained directly or derived from financial reports. The resulted clusters are then profiled manually using mean and 5-number summary calculated from the financial ratios. However, this is time consuming and a disadvantage to novice investors who are lacking of skills in interpreting financial ratios. In this study, we utilized class association rule mining to overcome the problems. Class association rule mining was used to form rules by finding financial ratios that were strongly associated with a particular cluster. The resulted rules were more intuitive to investors as compared with our previous work. Thus, the profiling process became easier. The evaluation results also showed that profiling stocks using class association rules helps investors in making better investment decisions.

Roles of Affect in Conceptual Change Modeling

Incorporating affect into conceptual change modeling for a computer-based scientific inquiry learning environment is difficult. The challenges mainly stemmed from three perspectives: first, to identify the appropriate variables of affect that influence conceptual change, second, to determine the causal dependencies between the variables of affect and the variables of conceptual change, third, to perform assessment on the evolving states of affect as a student interacts with computer-based learning activities. This research work employed Bayesian Networks as an attempt to tackle the challenges. Three Bayesian Network models of conceptual change were proposed and integrated into INQPRO, a educational program developed in this research work. The first model has only nodes of conceptual change, while the second and the third model have nodes of affect component. Two phases of empirical study were conducted involving a total of 143 students and the findings suggested that the third model that has nodes of affect had outperformed those models without them.

Feature extraction and model construction for predicting scientific inquiry skills acquisition

Assessing scientific inquiry skills in INQPRO, a scientific inquiry learning environment developed in this research work, presents two major challenges: (i) identifying a set of important features from a series of student interactions for assessment of scientific inquiry skills is difficult. Such difficulty stemmed not only because there exists ways a student interacts with the scientific inquiry learning environment, but more challengingly defining the causal dependencies between the extracted features is not a trivial task; (ii) constructing a classification model from large number of features and can handle uncertainty in assessing scientific inquiry skills is not a trivial task. To overcome these challenges, feature selection approach was firstly employed, using the preprocessed dataset from interaction logs of 130 students. A Bayesian Network was subsequently constructed to handle the uncertainty inherent in assessing scientific inquiry skills. Both quantitative and qualitative portions of the Bayesian Network were elicited from a domain expert. Empirical study concluded that (i) expert elicited features outperformed features selected by feature selection algorithms; (ii) Machine-learned Bayesian Network can better encode knowledge about patterns of scientific inquiry skills acquisition as compared to Naïve Bayesian Network.