A Multi-Stage Classification System for Detecting Intrusions in Computer Networks / Cordella, Luigi Pietro; Sansone, Carlo. - In: Pattern Analysis and Applications. - ISSN 1433-7541. - Print. - 10:2 (2007), pp. 83-100. [doi: 10.1007/s10044-006-0053-7]
A Multi-Stage Classification System for Detecting Intrusions in Computer Networks
Luigi Pietro Cordella; Carlo Sansone
2007
Abstract
A serial multi-stage classification system for intrusion detection in computer networks is proposed. The decision process is organized into successive stages, each using a set of features tailored to recognizing a specific attack category. Every stage applies a criterion for estimating the reliability of its own classification, so that, in case of uncertainty, information about a possible attack is only logged for further processing and no alert is raised to the system manager; this reduces the number of false alarms. To keep the number of missed detections low, the system declares a connection to be normal traffic only if none of the stages detects an attack. The proposed multi-stage intrusion detection system has been tested on three services (http, telnet and ftp) of a standard benchmark database for intrusion detection systems, and also on real network traffic data. The experimental analysis shows the effectiveness of the approach: the proposed system performs significantly better than other multiple classifier systems that carry out the classification in a single stage.
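The decision rule described in the abstract (serial stages, each with its own feature subset, a per-stage reliability estimate that turns an uncertain detection into a log entry instead of an alert, and a "normal" verdict only when every stage is passed) can be made concrete with a small cascade. The following is an added illustration, not code from the paper: the paper's classifiers, feature sets and reliability criteria are not reproduced here. The nearest-centroid classifier, the distance-margin reliability measure, the feature names, the stage order (dos, probe, r2l), the single threshold of 0.5, and the treatment of a low-reliability detection as a third "logged" outcome are all assumptions made for the demo, and every connection record below is constructed.

```python
from dataclasses import dataclass, field
from math import sqrt

Record = dict  # feature name -> value

# Constructed connection features, all pre-scaled to [0, 1]; the names are
# illustrative and are not the paper's feature sets.
FEATURES = ["syn_error_rate", "same_host_conn_rate", "diff_service_rate",
            "rej_error_rate", "failed_login_rate", "guest_login"]


def conn(*values: float) -> Record:
    """Build a connection record from values given in FEATURES order."""
    return dict(zip(FEATURES, values))


@dataclass
class Stage:
    """One stage of the serial cascade: a nearest-centroid classifier for a
    single attack category that looks only at the features tailored to it."""
    category: str
    features: list
    reliability_threshold: float
    normal_centroid: list = field(default_factory=list)
    attack_centroid: list = field(default_factory=list)

    def fit(self, training: list) -> "Stage":
        normals = [r for r, label in training if label == "normal"]
        attacks = [r for r, label in training if label == self.category]
        self.normal_centroid = self._centroid(normals)
        self.attack_centroid = self._centroid(attacks)
        return self

    def _centroid(self, records: list) -> list:
        return [sum(r[f] for r in records) / len(records) for f in self.features]

    def _distance(self, record: Record, centroid: list) -> float:
        return sqrt(sum((record[f] - c) ** 2 for f, c in zip(self.features, centroid)))

    def classify(self, record: Record) -> tuple:
        """Return ("attack" | "normal", reliability in [0, 1])."""
        d_normal = self._distance(record, self.normal_centroid)
        d_attack = self._distance(record, self.attack_centroid)
        total = d_normal + d_attack
        # Reliability (an assumed measure) is the relative margin between the
        # two distances: 0 when equidistant, 1 when the record sits on a centroid.
        reliability = abs(d_normal - d_attack) / total if total > 0 else 0.0
        verdict = "attack" if d_attack < d_normal else "normal"
        return verdict, reliability


def classify_connection(stages: list, record: Record) -> dict:
    """Serial decision: the first reliable attack verdict raises an alert; an
    unreliable attack verdict is only logged and the next stage is consulted;
    the connection is declared normal only if no stage detected anything."""
    logged = []
    for stage in stages:
        verdict, reliability = stage.classify(record)
        if verdict != "attack":
            continue
        if reliability >= stage.reliability_threshold:
            return {"decision": "alert", "category": stage.category,
                    "reliability": reliability, "logged": logged}
        logged.append((stage.category, reliability))
    return {"decision": "logged" if logged else "normal", "category": None,
            "reliability": None, "logged": logged}


# Constructed training set: two normal connections and two per attack category.
TRAINING = [
    (conn(0.0, 0.1, 0.1, 0.0, 0.0, 0.0), "normal"),
    (conn(0.1, 0.1, 0.1, 0.1, 0.1, 0.0), "normal"),
    (conn(0.9, 0.9, 0.0, 0.0, 0.0, 0.0), "dos"),
    (conn(0.8, 1.0, 0.1, 0.0, 0.0, 0.0), "dos"),
    (conn(0.0, 0.1, 0.9, 0.8, 0.0, 0.0), "probe"),
    (conn(0.1, 0.0, 0.8, 0.9, 0.0, 0.0), "probe"),
    (conn(0.0, 0.1, 0.1, 0.0, 0.8, 1.0), "r2l"),
    (conn(0.0, 0.0, 0.0, 0.1, 1.0, 1.0), "r2l"),
]


def build_cascade(threshold: float = 0.5) -> list:
    """Stage order and per-stage feature subsets are assumptions for the demo."""
    return [
        Stage("dos", ["syn_error_rate", "same_host_conn_rate"], threshold).fit(TRAINING),
        Stage("probe", ["diff_service_rate", "rej_error_rate"], threshold).fit(TRAINING),
        Stage("r2l", ["failed_login_rate", "guest_login"], threshold).fit(TRAINING),
    ]


# Constructed test connections.
CLEAR_DOS = conn(0.9, 0.9, 0.1, 0.0, 0.0, 0.0)        # reliable dos verdict: alert
AMBIGUOUS_DOS = conn(0.5, 0.55, 0.1, 0.05, 0.05, 0.0)  # weak dos verdict: logged only
CLEAR_R2L = conn(0.0, 0.1, 0.1, 0.0, 0.9, 1.0)        # passes dos and probe; r2l alert
BENIGN = conn(0.0, 0.1, 0.1, 0.0, 0.0, 0.0)           # passes every stage: normal

if __name__ == "__main__":
    cascade = build_cascade()
    for name, rec in [("clear dos", CLEAR_DOS), ("ambiguous dos", AMBIGUOUS_DOS),
                      ("clear r2l", CLEAR_R2L), ("benign", BENIGN)]:
        print(name, classify_connection(cascade, rec))
```

The ambiguous record is the case the abstract is about: the dos stage leans towards "attack" but with a small margin, so the cascade records the suspicion and moves on instead of paging the operator, and because the later stages find nothing the final verdict is "logged" rather than "alert". Raising the threshold trades alerts for log entries; the serial order means a connection reaches the "normal" verdict only after every category-specific stage has had a chance to flag it.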
File: paa07.pdf (post-print, Adobe PDF, 342.96 kB). Access: private/restricted; the file is not available for download, but a copy can be requested.
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.