Network intrusion detection systems (NIDS) are one of several solutions that make up a computer security system. They are responsible for inspecting network traffic and triggering alerts when they detect intrusion attempts. One of the most popular approaches in NIDS research today is the anomaly-based technique, characterized by the ability to recognize previously unobserved attacks. Some anomaly-based NIDS (A-NIDS) go beyond the separation into normal and anomalous classes by trying to identify the type of each detected anomaly. This is an important capability for a security system, as it allows a more effective response to an intrusion attempt. The existing systems with this ability are often subject to limitations such as high complexity and incorrect labeling of unknown attacks. In this work, we propose an algorithm for use in NIDS that overcomes these limitations. Our proposal is an adaptation of the anomaly-based classifier EFC to perform multi-class classification. It has a single layer, with low time complexity, and can correctly classify not only known attacks but also previously unseen attacks. Our proposal was evaluated on two up-to-date flow-based intrusion detection datasets: CIDDS-001 and CICIDS2017. We also conducted a specific experiment to assess our classifier's ability to correctly label unknown attacks. Our results show that the multi-class EFC is a promising classifier for use in NIDS.