Enhancing network intrusion classification with the Kolmogorov-Smirnov splitting criterion

  • Do Thanh-Nghi
  • Lenca Philippe
  • Lallich Stephane

Abstract

Our investigation aims at detecting network intrusions using decision tree algorithms. Large differences in prior class probabilities of intrusion data have been reported to hinder the performance of decision trees. We propose to replace the Shannon entropy used in tree induction algorithms with a Kolmogorov-Smirnov splitting criterion which locates a Bayes optimal cutpoint of attributes. The Kolmogorov-Smirnov distance, based on the cumulative distributions, is not degraded by class imbalance. Numerical test results on the KDDCup99 dataset showed that our proposals are attractive for network intrusion detection tasks. The single decision tree gives the best results for minority classes, cost metric and global accuracy compared with the bagged boosting of trees of the KDDCup’99 winner and classical decision tree algorithms using the Shannon entropy. In contrast to the complex model of the KDDCup winner, our decision tree represents inductive rules (IF-THEN) that facilitate human interpretation.
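
The following is an added example, not the authors' code: it sketches a Kolmogorov-Smirnov split on one numeric attribute for the two-class case and shows that the chosen cutpoint and distance do not move when the majority class is replicated. The function name `ks_split`, the two-class simplification and the sample values are assumptions made for illustration.

```python
from bisect import bisect_right

def ks_split(values, labels, positive):
    """Return (cutpoint, distance) maximising |F_pos(t) - F_neg(t)|,
    where F_pos and F_neg are the per-class empirical CDFs of the attribute.
    The split rule is `value <= cutpoint`. Two-class sketch (assumption)."""
    pos = sorted(v for v, y in zip(values, labels) if y == positive)
    neg = sorted(v for v, y in zip(values, labels) if y != positive)
    if not pos or not neg:
        raise ValueError("both classes must be present")
    best_cut, best_d = None, 0.0
    # The largest value is skipped: splitting there leaves one side empty.
    for t in sorted(set(values))[:-1]:
        f_pos = bisect_right(pos, t) / len(pos)  # fraction of positives <= t
        f_neg = bisect_right(neg, t) / len(neg)  # fraction of negatives <= t
        d = abs(f_pos - f_neg)
        if d > best_d:  # strict: ties keep the lowest cutpoint
            best_cut, best_d = t, d
    return best_cut, best_d

# Constructed sample: one numeric attribute, "attack" is the minority class.
ATTACK = [1, 2, 3, 4, 6]
NORMAL = [5, 7, 8, 9, 10]

def sample(normal_copies):
    """Constructed data with the normal class replicated normal_copies times."""
    values = ATTACK + NORMAL * normal_copies
    labels = ["attack"] * len(ATTACK) + ["normal"] * (len(NORMAL) * normal_copies)
    return values, labels

if __name__ == "__main__":
    # Each class CDF is normalised by its own size, so the class ratio
    # never enters the distance.
    for copies in (1, 20, 1000):
        cut, dist = ks_split(*sample(copies), positive="attack")
        print(f"normal:attack = {copies}:1 -> split at <= {cut}, KS = {dist:.2f}")
```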

Published
2014-11-07
Section
Articles