Intrusion Detection Using Cost-Sensitive Classification.pdf

Intrusion Detection Using Cost-Sensitive Classification Aikaterini Mitrokotsa1*, Christos Dimitrakakis2 and Christos Douligeris3 1 Computer Systems Group,Vrije University Amsterdam, De Boelelaan 1081a, 1081 HV Amsterdam, Netherlands mitrokat@unipi.gr 2 Chair of Information Technology, University of Leoben, Erzherzog-Johann-Strasse 3, A-8700 Leoben, Austria, christos.dimitrakakis@mu-leoben.at 3 Department of Informatics, University of Piraeus, Karaoli Dimitriou Str. 80, 18534 Piraeus, Greece, cdoulig@unipi.gr Abstract. Intrusion Detection is an invaluable part of computer networks defense. An important consideration is the fact that raising false alarms carries a significantly lower cost than not detecting at- tacks. For this reason, we examine how cost-sensitive classification methods can be used in Intrusion Detection systems. The perform- ance of the approach is evaluated under different experimental con- ditions, cost matrices and different classification models, in terms of expected cost, as well as detection and false alarm rates. We find that even under unfavourable conditions, cost-sensitive classifica- tion can improve performance significantly, if only slightly. Keywords: Intrusion Detection, Cost-Sensitive Classification. * Work done while Aikaterini Mitrokotsa was with the University of Piraeus. 1 Introduction Standard classification problems require making the classification decision that minimizes the probability of error. However, for many problem do- mains, the requirement is not merely to predict the most probable class la- bel, since different types of errors carry different costs. Instances of such problems include authentication, where the cost of allowing unauthorized access can be much greater than that of wrongly denying access to author- ized individuals, and intrusion detection, where raising false alarms has a substantially lower cost than allowing an undetect