Feature Selection for Intrusion Detection with Neural Networks and Support Vector Machines

Computational intelligence (CI) methods are increasingly being used for problem solving, and CI-type learning machines are being used for intrusion detection. Intrusion detection is a problem of general interest to transportation infrastructure protection, since one of its necessary tasks is to protect the computers responsible for the infrastructure’s operational control, and an effective intrusion detection system (IDS) is essential for ensuring network security. Two classes of learning machines for IDSs are studied: artificial neural networks (ANNs) and support vector machines (SVMs). SVMs are shown to be superior to ANNs in three critical respects of IDSs: SVMs train and run an order of magnitude faster; they scale much better; and they give higher classification accuracy. A related issue is ranking the importance of input features, which is itself a problem of great interest. Since elimination of the insignificant (or useless) inputs leads to a simplified problem and possibly faster and more accurate detection, feature selection is very important in intrusion detection. Two methods for feature ranking are presented: the first one is independent of the modeling tool, while the second method is specific to SVMs. The two methods were applied to identify the important features in the 1999 Defense Advanced Research Projects Agency intrusion data set. It was shown that the two methods produce results that are largely consistent. Experimental results indicated that SVM-based IDSs with a reduced number of features can deliver enhanced or comparable performance. An SVM-based IDS for class-specific detection is proposed.