Network Security Situation Factor Extraction Based on

Random Forest of Information Gain

Yongcheng Duan
College of Information Technology and Network Security,
People’s Public Security University of China
Beijing 100038, China
443130851@qq.com
Xue Yang
College of Information Technology and Network Security,
People’s Public Security University of China
Beijing 100038, China
812334777@qq.com
Xin Li*
College of Information Technology and Network
Security, People’s Public Security University of China
Beijing 100038, China
ndlixin@sina.com
Le Yang
College of Information Technology and Network
Security, People’s Public Security University of China
Beijing 100038, China
yl0x00@icloud.com

ABSTRACT
Aiming at the problem of situational element extraction, a method
based on random forest of information gain for network security
situation factor extraction is proposed. First, the importance of the
attribute is determined by the information gain. After the
threshold is set, the attribute is reduced and the redundant attribute
is deleted. Secondly, the processed data is classified using the
random forest classifier. Finally, in order to verify the efficiency
of the algorithm, the improved method is tested by the intrusion
detection data set. Compared with the traditional method, the
experimental results show that the algorithm effectively improves
the accuracy and achieves efficient extraction of network security
situation elements.
CCS Concepts
• Security and privacy ➝Intrusion/anomaly detection and
malware mitigation ➝Intrusion detection systems •
Computing methodologies ➝Machine learning ➝Machine
learning approaches ➝Classification and regression trees.
Keywords
Situational awareness; situational extraction; random-forest;
information gain.
1. INTRODUCTION
In recent years, the network security field has developed rapidly.
With the continuous expansion of the network scale, the topology
structure has become increasingly complex, and the attack
behavior has also increased rapidly. It is increasingly necessary to
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that
copies bear this notice and the full citation on the first page. Copyrights
for components of this work owned by others than ACM must be
honored. Abstracting with credit is permitted. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior
specific permission and/or a fee.
Request permissions from Permissions@acm.org.
ICBDC 2019, May 10–12, 2019, Guangzhou, China
© 2019 Association for Computing Machinery
ACM ISBN 978-1-4503-6278-8/19/05…$15.00
http://doi.org/10.1145/3335484.3335486
master the entire network security situation. In order to cope with
the increasingly complex and hidden network threats and grasp
the security status of the entire network in a macroscopic way,
network security situation awareness has received more and more
attention. Network security situation awareness is a cognitive
process for the security state of network systems [1], including
situation factor extraction, situation assessment, and situation
prediction. The extraction of situation factors is the basis of
network security situation awareness and an important part of the
whole situation awareness. The quality of the situation factors
directly affects the performance of the entire security system. The
main purpose of situation factor extraction is to delete redundant
data, extract high-potential situation elements, and provide data
foundation for situation assessment and situation prediction.
At present, there are two research hotspots for the extraction of
situation factors at home and abroad [1]. The method based on
prior knowledge is based on expert experience and knowledge to
define the knowledge base, such as the scene-based method, and
the method based on prior knowledge is passed. Data mining,
machine learning and other techniques analyze the relationship
between behaviors, such as similarity methods, causal association
methods and cross-correlation methods. BASS [2] proposed the
concept of network security situation awareness in 1999, the
purpose of which is to correlate IDS detection results to analyze
and analyze attack information for evaluation of network security.
The National Center for Advanced Security Systems Research [3]
developed a system of security event fusion tools that combines
security data with professional cognitive capabilities to provide a
secure visualization of the network. The Lawrence Berkeley
National Laboratory developed the "The Spinning Cube of
Potential Doom" system in 2003 [4], which uses points in three-
dimensional space to represent the analysis of network
connectivity to achieve network security situation feature
extraction. Domestically, we mainly study the extraction of
situation factors from the aspect of intrusion detection, which not
only can remove redundant features, but also effectively detect
attacks. Li Dongyin [5] proposed a situation feature extraction
model based on particle swarm optimization and logistic
regression, neighborhood rough set and MapReduce distributed
framework. The global optimization ability of improved particle
swarm optimization algorithm is used to calculate the parameters
of Logistic regression model, to improve the accuracy of factor
acquisition. Wang Huiqiang [6] proposed a method based on

194
neural network combined with evolutionary strategy, optimized
neural network parameters through evolutionary strategy, and then
used neural network to extract situation elements, greatly
improving classification accuracy. In view of the problem that
network security situation information cannot be uniformly
described, shared and reused, Si Cheng [7] proposed a solution
based on ontology-based network security situation factor
knowledge base model, first classifying and extracting situation
elements, followed by the principle of ontology construction
builds the knowledge ontology model of network security
situation factors. Liu Xiaowu [8] proposed a fusion-based network
security situation awareness control model, which combines the
deduction of security event threat level and threat element
relationship with multi-source fusion algorithm, which overcame
the shortcomings of dealing with complex affiliation between
network components in the process of acquiring situation
elements.
The above method requires a large amount of prior knowledge in
the process of extracting situation factors, and has strong
subjectivity. It has some effects for specific fields, but when the
sample base is too large, the subjective analysis method will lose
its effect. Therefore, this paper proposes a method based on
random forest of information gain for situation feature extraction,
which introduces information gain into the network security
situation factor extraction, uses information gain to calculate
attribute weights, selects attributes with higher importance, and
deletes redundant attributes. Random forest classification is
carried out, which effectively improves the accuracy.
2. EXTRACTION OF SITUATION
FACTORS BASED ON RANDOM FOREST
OF INFORMATION GAIN
2.1 Information Gain
The primary task of situation factor extraction is to accurately
discover abnormal behaviors in a complex network environment.
The essence is the process of screening the situation feature sets.
By reducing the dimensions of attributes, deleting redundant
attributes, and selecting key situation elements [9].In a complex
network environment, network situation element information has
the characteristics of large data volume and diverse attribute types
[10]. Therefore, reducing the dimension, cutting down redundancy,
and extracting the key situation feature sets became an important
process for the extraction of situation elements for a large number
of situation element information. The current attribute reduction
algorithms include principal component analysis (PCA) method
[11], singular value decomposition (SVD) method, rough set (RS)
[12, 13] and information gain. The information-based attribute
reduction process is shown in Figure 1.
Figure 1. Situation element extraction process based on
information gain.
Information gain is a feature selection algorithm. The information
gain represents the information of the known feature X, so that the
195
uncertainty of the information of the class Y is reduced. Different
features have different information gains, and features with large
information gain have stronger classification capabilities. The
information gain is used to analyze the correlation of the data, and
the information gain of each attribute is calculated as the size of
the impact on the classification result. The information gain size is
used to measure the impact of each attribute on the class label.
Its calculation formula is as follows: Gain(S, A) = H(S) −
𝐶𝑖 𝐶𝑖
H(S|A), H(S) = − ∑𝑚 𝑖=1 𝐷 log 2 𝐷 ,, H(S) is the information
entropy of the sample set S, H(S|A) represent the information
entropy after the sample set S is divided by the feature A, among
them, S represents a collection of samples, 𝐶𝑖 represents the
number of samples in the i-th category(i=1,2, … … ,m),D
represents the number of samples in the sample set S.
2.2 Random Forest
The random forest is an integrated learning algorithm based on
decision tree based on the basic subspace method of Leo Breiman
based on Bagging integrated learning theory [14].Decision trees
are a simple but widely used classification technique [15]. Each
node of the decision tree is continuously classified by the splitting
criterion before the conditions for the decision tree to terminate
growth are reached. The most important step in the process of
constructing a decision tree is to determine the optimal splitting
feature based on the splitting criteria. Common decision tree
algorithms are ID3 decision tree algorithm [16], C4.5 decision tree
algorithm [17], CART decision tree algorithm [18], in which ID3
decision tree algorithm is based on Shannon information theory
information gain [19], C4. The decision tree algorithm is based on
the gain ratio, while the CART decision tree algorithm is based on
Gini impureness.
A random forest is equivalent to a combination of multiple
decision trees. The random forest uses the bootstrap method to
extract the same size samples from the original data set to form M
sub-data sets, and then construct the corresponding M decision
tree to form the decision forest, but there is no correlation between
each decision tree. When each node splits, the decision tree
randomly extracts a feature subset (usually log2K) from all K
features, and then selects an optimal split feature from the subset
to build the tree. When a new sample is entered, each decision tree
in the forest is judged, and the final classification result is
determined by the output of the M decision trees. Random forests
are less likely to fall into overfitting than ordinary decision trees,
and have good noise immunity, fast training speed, and the ability
to process very high dimensional data. Figure 2 is a schematic
diagram of the classification of random forests.
Figure 2. Is a schematic diagram of the classification of
random forests.
2.3 Situation Factor Extraction Method Based
on Random Forest of Information Gain
The importance of different attributes and the role of classification
are different, so the use of traditional random forests without
feature dimensionality reduction and noise reduction data will
have an impact on the classification effect.Through the
information gain, the large-scale data can be reduced in dimension,
so as to reduce the amount of data while retaining the key
information in the data, and the noise in the data can be deleted.
Therefore, this paper proposes a method based on random forest
of information gain to extract situation elements. Combine
information gain with random forests to improve accuracy.The
method is shown in Figure 3.
The steps of the situation element extraction algorithm proposed
in this paper are as follows:
Step 1 The raw data is subjected to a pre-processing process such
as continuous attribute discretization to form a set of situation
elements.
Step 2 Calculate the information gain for each attribute and set the
threshold.
Step 2 Reducing the attributes that are less than the threshold,
delete the redundant attributes, and determine the optimized
subset of the situation elements.
Step 3 Using the random forest classifier to classify the optimized
subset of situation elements, and obtain a random forest classifier
for the extraction of situation elements.
Step 4 Testing the random forest classifier and get the test results.

3. EXPERIMENT AND ANALYSIS

3.1 Experimental Data
The KDD-99 dataset is the most classic intrusion detection dataset
in many publicly available datasets and is currently recognized as
the most influential intrusion detection dataset. The NSL-KDD
data set is the version that removes redundant data records. The
data set contains 41 feature attributes and 1 tag attribute. The tag
attributes are divided into five categories: Normal, Probe, DoS,
Figure 3. random forest situation factor extraction method User to Root (U2R) and Remote to Local (R2L).Table 1 shows
based on information gain. the overall distribution of the NSL-KDD data set.
Table 1. Data Distribution of NSL-KDD
Data set Normal Dos Probe U2R R2L
Training set 67343 45927 11656 52 995

Test set 9711 7456 2421 200 2756

The optimal threshold obtained from Table 2 was set at 0.5. After
3.2 Experimental Methods and Results the attribute selection, you can change the attribute category from
Analysis 41 to 14 respectively: protocol, service, flag,src_byte, wrongfrag,
The experiment uses Weka 2.7.2, an open source machine count,rerror,srverror,login.src_bytes,service,diff_srv_rate,flag,dst
learning tool, which is widely used in data mining and other fields. _bytes,same_srv_rate,dst_host_diff_srv_rate,count,dst_host_srv_c
This paper experiments with a CART decision tree to construct a ount,dst_host_same_srv_rate,dst_host_serror_rate,serror_rate,dst_
random forest. There is a lot of data in the NSL-KDD data set that host_srv_serror_rate, srv_serror_rate.
is continuous, so it is necessary to discretize continuous data. Table 3 shows the comparison results of the classification of the
Calculating the information gain of each attribute on the NSL-KDD dataset using the traditional random forest
discretized data, such as Gain(service)=0.8601,Gain(flag)=0.7057. classification model and the information forest-based random
The threshold for the design is set to 0.5 When the redundancy forest classification model.
attribute is removed, the data is imported into the traditional Table 3. Comparison of classification effects
random forest classification model and the improved random
forest classification model, and the improved threshold is Classification Random forest Random forest of
debugged to select the best threshold. The effect of the threshold information gain
on the classification effect is shown in Table 2. Normal 0.927 0.97
Table 2. The effect of threshold on classification Probe 0.617 0.663
Threshold 0 0.25 0.5 0.75 1 Dos 0.766 0.819
Accuracy 0.744 0.761 0.769 0.747 0.716 U2R 0.02 0.035
rate R2L 0.099 0.068
Error rate 0.256 0.239 0.231 0.253 0.284 Weighted Avg 0.731 0.769

196
It can be seen from the experiment that the random forest
algorithm based on information gain on the NSL-KDD data set is
superior to the traditional random forest algorithm in the accuracy
of the four classifications.
Table 4. Comparison of classification effects
Classification Naive Bayes KNN SVM Random forest IG- Naive Bayes IG-KNN
Accuracy rate 0.715 0.742 0.741 0.744
Error rate 0.285 0.258 0.259 0.256
It can be seen from Table 4 that compared with the traditional
algorithm, the classification accuracy of the random forest
classifier is the highest; compared with the classifier after the
information gain attribute reduction, the accuracy of the
information gain random forest classifier is also the highest.
In summary, based on the experimental results, we can conclude
that the information forest-based random forest algorithm
proposed in this paper can effectively improve the accuracy and
achieve efficient extraction of network security situation elements.
4. CONCLUSION
In this paper, combining information gain with random forest, an
algorithm based on random forest of information gain for situation
extraction is proposed. Firstly, the information gain is used to
reduce the dimensionality of the set of situation elements, the
redundant situation elements are deleted, and then the set of
situation elements after reduction is trained by using random
forest classifier to extract important situation elements.The
experimental results show that compared with the traditional
random forest algorithm, the algorithm improves the accuracy
effectively ,realizes the efficient extraction of network security
situation elements, and provides data basis for situation
assessment and situation prediction, but there is still optimization
space, improving the efficiency of the algorithm and reducing the
demand for storage space is the next research focus.
5. ACKNOWLEDGMENT
Support by National Key R&D Program of China (No.
2017YFC0803700) and Construction and development of key
laboratory of the Ministry of Public Security
6. REFERENCES
[1] Gong J, Zang XD, Su Q, Hu XY, Xu J. Survey of Network
Security Situation Awareness[J]. Journal of Software, 2017,
28(4): 1010-1026(in
Chinese).DOI=http://www.jos.org.cn/1000-9825/5142.htm.
[2] Bass T, Gruber D. A glimpse into the future of id[J]. login::
the magazine of USENIX & SAGE, 1999, 24:págs. 40-45.
[3] Yurcik W. Visualizing NetFlows for security at line speed:
the SIFT tool suite[C]// Conference on Systems
Administration. DBLP, 2005:169-176.
[4] Lau S. The Spinning Cube of Potential Doom.[J]. Comm
Acm, 2004, 47(6):págs. 25-26.
[5] Li D, Liu Z. Situation element extraction of network security
based on Logistic Regression and Improved Particle Swarm
Optimization[C]//Natural Computation (ICNC), 2013 Ninth
International Conference on. IEEE, 2013: 569-573.
[6] Huiqiang Wang, Ying Liang, Haizhi Ye. An Extraction
Method of situation Factors for Network Security situation
197
Table 4 shows the detection of NSL-KDD datasets using
traditional naive Bayes, KNN, SVM, random forest classifiers,
and naive Bayes, KNN, SVM, and random forest classifiers after
attribute reduction. The classification effect is compared with the
result.
IG-SVM IG- Random forest
0.703 0.759 0.743 0.769
0.297 0.241 0.257 0.231
Awareness[P]. Internet Computing in Science and
Engineering, 2008. ICICSE '08. International Conference
on,2008.
[7] Si Cheng,Zhang Hongqi,Wang Yongwei,Yang
Yingjie.Research on Knowledge Base Model of Network
Security Situational Elements Based on
Ontology[J].Computer Science,2015,42(05):173-177.
[8] LIU Xiao-Wu, WANG Hui-Qiang,LüHong-Wu,YU Ji-
Guo,ZHANG Shu-Wen Fusion-Based Cognitive Awareness-
Control Model for Network Security Situation[J]. Journal of
Software, 2016, 27(8): 2099-2114(in
Chinese).DOI=http://www.jos.org.cn/1000-9825/4611.htm.
[9] 9Guo Jian. Research on the acquisition technology of
situational factors in network security situational
awareness[D]. Northeastern University, 2011.
[10] 10Lai Jibao,Wang Ying,Wang Huiqiang,Zheng
Fengbin,Zhou Bing.Research on the Structure of Network
Security Situation Awareness System Based on Multi-source
Heterogeneous Sensors[J].Computer
Science,2011,38(03):144-149+158.
[11] LIN Weining, CHEN Mingzhi, ZHAN Yunqing, et al.
Research on an Intrusion Detection Algorithm Based on PCA
and Random-forest Classification[J].Netinfo
Security,2017(11):50-54.
[12] Liang Ying,Wang Huiqiang,Lai Jibao.A Network Security
Situational Awareness Method Based on Rough Set
Theory[J].Computer Science,2007(08):95-97+147.
[13] Li Hong. Research on Extraction of Network Security
Situation Factors Based on Rough Sets[D].Hebei Normal
University, 2017.
[14] Kwok SW, Carter C. Multiple decision trees[EB/OL].[2018-
01-31].https://arxiv.org/abs/1304.2363
[15] Ho TK. The random subspace method for constructing
decision forests[J]. IEEE transactions on pattern analysis and
machine intelligence, 1998, 20(8):832-44
[16] Quinlan JR. Induction of decision trees[J]. Machine learning,
1986, 1(1):81-106
[17] Quinlan JR. C4. 5: programs for machine
learning[M].Elsevier, 2014
[18] Breiman L,Friedman J,Stone C J,et al.Classification and
Regression Trees[M]. CRC press, 1984
[19] QI Ben, WANG Mengdi. A Method Using Information Gain
and Naive Bayes to Extract Network Situation Information
[J]. Netinfo Security, 2017(9):54-57