See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/283883278

A survey on feature selection for intrusion detection

Article · January 2015


All content following this page was uploaded by Richard Zuech on 14 July 2017.


Proceedings of the 21st ISSAT International Conference on Reliability and Quality in Design
August 6-8, 2015 - Philadelphia, Pennsylvania, U.S.A.

A Survey on Feature Selection for Intrusion Detection

Richard Zuech and Taghi M. Khoshgoftaar


Florida Atlantic University, Boca Raton, FL 33431
Email: rzuech@fau.edu and khoshgof@fau.edu

Abstract— This study examines previous research works in applying feature selection to Intrusion Detection. Feature selection has proven to improve or maintain similar classification accuracy for Intrusion Detection Systems (IDSs) while improving classification efficiency. Wrapper-based, Filter-based, and Hybrid feature selection techniques are evaluated. Since Intrusion Detection can face Big Data challenges, the classification efficiencies provided by feature selection can reduce computational demands. Previous feature selection research has been too narrowly focused on older KDD Intrusion Detection data sets. Researchers need access to additional high quality data sets which are publicly available.

Keywords— Intrusion detection, IDS, Feature selection, Feature Reduction, Cybersecurity, Security

I. INTRODUCTION

As humankind becomes increasingly dependent on computers, the ability to defend our computers against intruders becomes even more pervasive. Intrusion Detection plays a critical role in the defense of our computer systems, since it is easier to defend against an attacker once threats are discovered. One of the main difficulties in detecting attacks is that a large amount of information must be analyzed to detect threats. Intrusion Detection can face Big Data challenges, and Zuech et al. [1] discuss how myriads of vast data can pose difficulties to cybersecurity defenses. Feature selection can help to alleviate Big Data challenges facing Intrusion Detection by only focusing on the most relevant data.

Feature selection is a Machine Learning technique which reduces the amount of data to be analyzed. This is accomplished by identifying the most important features (or attributes) of a data set and discarding the less important ones. By reducing the dimensionality of a data set to contain only the most important features, Machine Learning algorithms can make classification predictions more efficient. This efficiency is especially relevant to Intrusion Detection which has demands for real-time performance. According to Nassar et al. [2], merely 1Gbps of sustained network traffic can cause Big Data challenges for Intrusion Detection while using deep packet inspection.

A major consideration for feature selection is to not significantly degrade the predictive accuracy of Machine Learning algorithms. As discussed throughout this study, it is not uncommon for classification performance to actually improve with fewer features evaluated in a data set. Classification performance is a measure of how well a Machine Learning “classifier” (or learner) is correctly classifying an instance from a data set with the proper class label. For example, Intrusion Detection data sets could have class labels of “Attack” for malicious instances from a data set or “Normal” for instances that are not an attack.

One reason why fewer features (and less data) can sometimes improve classification performance is because some features may contain meaningless noise which does not contribute any value to predictive accuracy, and the presence of these noisy features can sometimes even degrade classification performance. Another reason why reducing the number of features can improve classification performance is that different features from within the same data set can be highly correlated with each other. The presence of these extraneous features can sometimes cause more confusion than predictive value to classification models. Feature selection can be a useful technique for Intrusion Detection where real-time computational demands can benefit from improved efficiency while striving to maintain similar or even improved classification performance.

For Intrusion Detection, researchers most commonly use the KDD Cup 1999 data set [3] (referred to as “KDD 99” throughout this study). Researchers also use a modified version of the KDD 99 data set called NSL-KDD created by Tavallaee et al. [4]. This study considers wrapper-based, filter-based, and hybrid feature selection techniques.

The remainder of this paper is organized as follows. Section II will focus on Filter-based feature selection techniques, followed
by Wrapper-based and Hybrid feature selection techniques in Section III, and analysis and discussion in Section IV. Finally, Section V contains our conclusions.

II. FILTER-BASED FEATURE SELECTION TECHNIQUES

Filter-based feature selection techniques utilize independent algorithms or statistical measurements when selecting features, and filter techniques are easily identified since they do not use learning algorithms in the feature selection process. Filter methods mainly use two different approaches: (1) filter-based feature ranking or (2) filter-based subset evaluation. The feature ranking method uses univariate statistical measurements to independently weight the value of each feature, and then the importance of all of the features is ranked based upon their worthiness as deemed by their respective statistical measurements. Many different statistical measurements can be employed for ranking, and Saeys et al. [5] provide good examples of these techniques. One benefit of filter-based feature ranking techniques is they generally have faster performance than other methods, although they typically are not efficient at removing features that are highly correlated with one another.

Subset evaluation techniques for filters evaluate groups of features at the same time using multivariate measurements, and also use search algorithms to compare the worthiness of different subsets of features. These search algorithms use various strategies in evaluating different subsets, and Liu and Yu give an excellent overview of various search algorithms for subset evaluation techniques in [6].

Alazab et al. [7] applied a filter-based feature ranking technique to the NSL-KDD Intrusion Detection data set using Information Gain and reduced the total number of features from 41 to 12. With the reduced feature set size, they were able to build their Decision Tree training and testing classification models 5 times faster. Also, their classification accuracy slightly improved when considering the weighted performance average across the 5 different classes for their “Area Under the Receiver Operator Curve” (AUC) values. The AUC accuracy measurement is useful when dealing with class imbalance since it considers the True Positive Rate (TPR) and False Positive Rate (FPR), and this is important for Intrusion Detection since typically the majority class (normal) will dominate the minority class (attack).

Similarly, Li et al. [8] used two different filter-based ranking techniques to reduce the number of features in the KDD 99 data set from 41 to 6 features. They used the Information Gain and Chi-Square univariate statistical measures to assess the “worthiness” of each feature, and found that both of these techniques yielded the same top 6 features. While these top 6 features were sorted differently for each technique, both techniques found very significant declines in feature “worthiness” for the rest of the features beyond those ranked in the top 6. The Maximum Entropy model was used as the classifier, and the classification accuracy of the feature set with the top 6 features was comparable to the full feature set (where the largest loss in the accuracy value was only 0.04%). The reduced feature set improved classification testing times by up to 47%. It would have been interesting if the authors used a metric like AUC instead of Accuracy to account for class imbalance.

An experiment using the KDD 99 data set and two different types of filter-based subset evaluators called Correlation-based Feature Selection Subset Evaluator (CFSE) and Consistency Subset Evaluator (CSE) was conducted by Khor et al. [9]. These subset evaluator techniques measure feature worthiness in terms of entire feature subsets using a multivariate approach, and a search algorithm is applied to iteratively compare the worthiness of feature subsets through the defined search space (please refer to their work for further details on these algorithms). Both of these subset evaluators produced feature subset sizes containing 8 features (from the original 41 features). They built 3 additional feature sets based on these two subset evaluator techniques. One additional feature set called “Combined” (12 features) was constructed from the 2 subset evaluator techniques by simply combining all the unique features between them. Another “Shared” feature set (4 features) was created by only including features contained in both feature sets produced by the 2 different subset evaluator techniques. The third “Proposed” feature set (7 features) was created by using the “Shared” feature set and allowing domain experts to add features with the hopes of improving classification performance (their rationale for doing this was because some attack classes in the data set were very under-represented in terms of class imbalance). To compare the classification accuracy of these 5 different feature sets, they used a Bayesian Network learner using the K2 search algorithm and 10-fold cross validation. All feature sets performed statistically similar when applying an independent-samples t-test, except for the “Shared” feature set which performed statistically worse. While the work of Khor et al. provides good insights, it would have been interesting to see them use an accuracy measure like the AUC which is more sensitive to class imbalance (since class imbalance was one of their motivations in building a feature set with expert supervision). Also, it would
have been interesting to see classification accuracy for the entire feature set to compare with, and whether significant improvements were found in classification testing times.

III. WRAPPER-BASED AND HYBRID FEATURE SELECTION TECHNIQUES

Wrapper-based feature selection techniques use a classifier algorithm to assess the worthiness of features. Wrappers mostly use subset evaluation techniques, although they can also use feature ranking. Similar to subset evaluators for filters, subset evaluators for wrappers also use search algorithms to determine the worthiness of different feature subsets where a wrapper’s feature subset quality is measured by a learner. In this sense, a search algorithm is “wrapped” around a learner to evaluate the worthiness of a given subset. Wrappers can produce better feature subsets versus other techniques and reduce redundant features, but drawbacks are that wrappers can be very computationally expensive and can also be prone to overfitting.

A hybrid feature selection technique combines wrapper-based and filter-based approaches, and will use both an independent measure as well as a learner to evaluate the worthiness of feature subsets. Hybrid approaches attempt to realize some accuracy benefits of wrappers while leveraging computing performance efficiencies from filters.

A wrapper-based feature selection technique called the modified Random Mutation Hill Climbing (RMHC) was proposed by Li et al. [10]. The learner for this wrapper method is a modified linear Support Vector Machine (SVM) method, and their experiment utilizes the KDD 99 dataset. Their modified RMHC method improves upon the times to perform feature selection as compared to the original RMHC method, and in some cases their modified RMHC method improved feature selection processing speeds by nearly 50%. However, the authors did not publish a comparison of classification performance between the 2 different RMHC approaches. The number of features selected by the modified RMHC method varied from 3 features to 6 features depending on the attack type. Interestingly, the authors pre-process the data to skew the class imbalance in favor of the attack class, and the attack class comprises approximately 80% of the total instances (with normal comprising the remaining 20%). For classification accuracy the authors conclude that feature selection was still able “to yield high detection rates”, and they provide Receiver Operating Characteristic (ROC) Curves in their work to illustrate this. The reduced feature subset sizes improved classification performance times by reducing the total time taken by 41% to 85% (depending on the feature subset). Also, they noted significant improvements in the time it took to train the classification models.

A new wrapper-based feature selection technique called AUCBoostFS is proposed by Alshawabkeh et al. [11] that modifies an existing technique called AUCBoost (which attempts to “Boost” the AUC). The authors modify the AUCBoost technique by accounting for class imbalance with different costs for positive and negative samples, and they also gauge the importance of features by using the fractional absolute confidence that boosting provides. They compare their AUCBoostFS technique with an existing feature selection technique called AdaBoostFS, and find that their new technique outperforms AdaBoostFS across all workloads and families of attacks. However, their experiment could have benefited from incorporating additional feature selection techniques for additional benchmarking especially since they used their own custom dataset. More comprehensive benchmarking would help justify their approach, especially if AdaBoostFS just happened to perform poorly against the particulars of their custom dataset. The authors made no mention of classification times for their feature selection techniques or classification models.

This experiment is different than most because Alshawabkeh et al. generate their own dataset for evaluation, and it would have been interesting for the authors to provide more implementation details on how their dataset was generated since their approach is unique in monitoring events from Virtual Machines with an IDS that is implemented at the Virtual Machine Monitor layer (which manages guest Virtual Machines and their Operating Systems). In other words, their IDS is located in the host that manages the Virtual Machines. Their data set workloads were simulated, and a common criticism for simulated datasets is they might not be as reliable as real-world data for evaluating IDSs.

Four different feature selection techniques are evaluated by Li et al. [12] using the KDD 99 dataset. The authors propose a new wrapper-based feature selection method called the Gradually Feature Removal (GFR) method which uses an SVM learner, and their main motivation was to reduce the classification time for an IDS classifier without significantly sacrificing accuracy. Other feature selection methods in their study are: Feature Removal Method (wrapper-based), Sole Feature Method (filter-based), and a Hybrid Method for feature selection which combines the previous wrapper-based and filter-based approaches into one technique so it is referred to as a hybrid-based feature selection technique. Refer to [12] for the details of the algorithms for these feature selection techniques. Their wrapper-based GFR method reduces the number of features from 41 to 19, and the three other feature selection techniques reduce the number of features to only 10 significant features. The GFR method gives the best classification accuracy over the other three feature selection techniques, but the GFR method had the longest classification training time along with the second longest classification testing time. GFR still improved classification testing speed by 41% with a loss of 0.05% in Accuracy. To consider class imbalance for classification performance, the authors also produced values for the Matthews Correlation Coefficient and found the subset of GFR features to degrade classification performance by 0.14% versus the full feature set. Feature selection can help speed up classification testing times while maintaining similar or even better classification performance.

IV. ANALYSIS AND DISCUSSION

Our study finds that the KDD data sets heavily dominate research for applying feature selection to Intrusion Detection as illustrated in Table 1. Out of the 28 research samples included in our study: 26 of the data sets are KDD and 2 are private. Research for feature selection and Intrusion Detection is too narrowly focused on one data set. To make matters worse, these data sets are over 15 years old and recent research works are still using them. These data sets have been heavily criticized by many researchers, and Sommer and Paxson give an excellent critique of inherent shortcomings with the KDD data sets in [13]. This suggests opportunities for applying feature selection to newer data sets such as ISCX [14], Kyoto 2006+ [15], and CDX [16].

Reference  Year  Data Set
[17]       2003  KDD99
[18]       2005  KDD99
[19]       2005  KDD99
[8]        2006  KDD99
[20]       2006  KDD99
[21]       2006  KDD99
[22]       2007  KDD99
[23]       2008  KDD99
[24]       2008  KDD99
[9]        2009  KDD99
[10]       2009  KDD99
[25]       2009  KDD99
[26]       2009  KDD99
[11]       2010  private
[27]       2010  private
[28]       2010  KDD99
[29]       2010  KDD99
[30]       2010  KDD99
[31]       2011  KDD99
[32]       2011  KDD99
[33]       2011  KDD99
[7]        2012  NSL-KDD, custom
[12]       2012  KDD99
[34]       2012  NSL-KDD
[35]       2013  NSL-KDD
[36]       2013  KDD99
[37]       2013  KDD99
[38]       2014  KDD99

Table 1: Data Set Sampling of Studies Applying Feature Selection to Intrusion Detection

Due to the narrow focus on the KDD data sets, another deficiency for feature selection and Intrusion Detection is that the classes of attacks are also too narrowly focused and do not accurately model the real-world. KDD only considers these attacks: Denial of Service (DoS), User to Root (U2R), Remote to Local (R2L), and Probing. Many other different attack vectors and attack classes exist and this presents many opportunities for future research in applying feature selection.

With regards to multiple attack classes, more research needs to be conducted in assessing the viability of feature selection being able to detect a myriad of different attack classes from the same set of reduced features. Li et al. [10] provide good motivation for this issue where they preprocess 4 different attack classes into separate data sets and independently apply feature selection to each of them, and they also consider all 4 attack classes at once. Surprisingly, their model only selected 4 features to handle all 4 of the attack classes concurrently and it performed reasonably well when compared to their single attack class experiments (whose feature subsets contained from 3 to 6 features). Further research is necessary to see if a saturation point occurs once a very large number of attack types and associated class labels are generated in a data set, and whether feature selection is robust enough to accommodate such a large number of multi-class labels for Intrusion Detection at the same time. Perhaps some other approach might be possible such as proposed by Bass [39] where various “feature selection templates” can be checked out of a repository in an automated system to “intelligently” apply towards suspicious security events. In other words, perhaps more advanced systems could apply different Machine Learning detection algorithms (based
on different feature subsets) to threats which appear to match specific attack patterns.

Many opportunities exist for experiments with feature selection and Intrusion Detection to be much more comprehensive in terms of benchmarking many different learners and feature selection techniques (all within the same experiment). Several comprehensive studies like this could provide better insights into the effectiveness of various feature selection approaches. Unfortunately, even when many studies all share the same poor quality KDD data set, it is difficult to discern which feature selection methods are decisively superior due to the variations of implementation details across experiments and lack of comprehensiveness within the underlying experiments. Feature Stability for Intrusion Detection is an extremely important factor that should be considered since real-world applications demand these capabilities, and feature stability considers how robust features are against changes in the underlying data sets (as well as changes to the operating environments and attack vectors).

Other research opportunities can consider applying feature selection beyond network packet captures and utilize more diverse sources such as: network flows, host-based events, and even correlating across multiple IDSs or other alerting devices such as firewalls. The work by Alshawabkeh et al. [11] on applying feature selection to a different security layer in the Virtual Machine host is a novel approach, and other heterogeneous approaches like this will afford Intrusion Detection better opportunities for success. Some work has been done with feature selection and malware, but these works are beyond the scope of this study due to space constraints.

V. CONCLUSION

Intrusion Detection can face Big Data challenges and feature selection can help mitigate the real-time demands of these challenges by removing irrelevant data (which also reduces the load on computing resources). The goal of feature selection for Intrusion Detection is to improve computational efficiency, while also maintaining or improving classification accuracy. Feature selection can successfully accomplish this goal under controlled experiments as illustrated by numerous studies.

Previous research efforts with feature selection have been too narrowly focused on the KDD data sets. Researchers can utilize more modern data sets for feature selection. However, the research community at large should go beyond merely acknowledging the fundamental problem of lacking quality data sets, and they should make a serious concerted effort to produce many diverse quality data sets for Intrusion Detection (which are also available to the public for benchmarking). This would not only enable better research opportunities for feature selection, but could also possibly even help revolutionize some of the fundamental problems inherent to Intrusion Detection.

REFERENCES

[1] Zuech R, Khoshgoftaar TM, Wald R “Intrusion Detection and Big Heterogeneous Data: a Survey.” Journal of Big Data 2015 2(3):1–41 doi:10.1186/s40537-015-0013-4 http://www.journalofbigdata.com/content/2/1/3

[2] Nassar M, al Bouna B, Malluhi Q “Secure outsourcing of network flow data analysis.” In: Big Data (BigData Congress), 2013 IEEE International Congress On. IEEE, Santa Clara, CA, USA. pp 431–432

[3] KDD Cup 1999 data set. Accessed 2015-01-30 http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html

[4] Tavallaee, M., Bagheri, E., Lu, W., & Ghorbani, A. A. “A detailed analysis of the KDD CUP 99 data set.” In Proceedings of the Second IEEE Symposium on Computational Intelligence for Security and Defence Applications 2009.

[5] Saeys, Y., Inza, I., & Larrañaga, P. “A review of feature selection techniques in bioinformatics.” Bioinformatics, 2007 23(19), 2507-2517.

[6] Liu, H., & Yu, L. “Toward integrating feature selection algorithms for classification and clustering.” Knowledge and Data Engineering, IEEE Transactions on, 2005 17(4), 491-502.

[7] Alazab, A., Hobbs, M., Abawajy, J., & Alazab, M. “Using feature selection for intrusion detection system.” In Communications and Information Technologies (ISCIT), 2012 International Symposium on (pp. 296-301). IEEE.

[8] Li, Y., Fang, B. X., Chen, Y., & Guo, L. “A lightweight intrusion detection model based on feature selection and maximum entropy model.” In Communication Technology, 2006. ICCT'06. International Conference on (pp. 1-4). IEEE.

[9] Khor, K. C., Ting, C. Y., & Amnuaisuk, S. P. “From feature selection to building of Bayesian classifiers: A network intrusion detection perspective.” American Journal of Applied Sciences, 2009 6(11), 1948.

[10] Li, Y., Wang, J. L., Tian, Z. H., Lu, T. B., & Young, C. “Building lightweight intrusion detection system using wrapper-based feature selection mechanisms.” Computers & Security, 2009 28(6), 466-475.

[11] Alshawabkeh, M., Moffie, M., Azmandian, F., Aslam, J. A., Dy, J., & Kaeli, D. “Effective virtual machine monitor intrusion detection using feature selection on highly imbalanced data.” In Machine Learning and Applications (ICMLA), 2010 Ninth International Conference on (pp. 823-827). IEEE.

[12] Li, Y., Xia, J., Zhang, S., Yan, J., Ai, X., & Dai, K. “An intrusion detection system based on support vector machines and gradually feature removal method.” Expert Systems with Applications, 2012 39(1), 424-430.

[13] Sommer R, Paxson V “Outside the closed world: On using machine learning for network intrusion detection.” In: Security and Privacy (SP), 2010 IEEE Symposium On. IEEE, Oakland, CA, USA. pp 305–316

[14] Shiravi, A., Shiravi, H., Tavallaee, M., & Ghorbani, A. A. “Toward developing a systematic approach to generate benchmark datasets for intrusion detection.” Computers & Security, 2012 31(3): 357-374.

[15] Song, J., Takakura, H., Okabe, Y., Eto, M., Inoue, D., & Nakao, K. “Statistical analysis of honeypot data and building of Kyoto 2006+ dataset for NIDS evaluation.” In Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, 2011 29-36. ACM.

[16] Sangster, B., O'Connor, T. J., Cook, T., Fanelli, R., Dean, E., Morrell, C., and Conti, G. J. “Toward Instrumenting Network Warfare Competitions to Generate Labeled Datasets.” In CSET 2009

[17] Mukkamala, Srinivas, and Andrew H. Sung. "Feature selection for intrusion detection with neural networks and support vector machines." Transportation Research Record: Journal of the Transportation Research Board 1822.1 (2003): 33-39.

[18] Chebrolu, Srilatha, Ajith Abraham, and Johnson P. Thomas. "Feature deduction and ensemble design of intrusion detection systems." Computers & Security 24.4 (2005): 295-307.

[19] Gao, Hai-Hua, Hui-Hua Yang, and Xing-Yu Wang. "Ant colony optimization based network intrusion feature selection and detection." Machine Learning and Cybernetics, 2005. Proceedings of 2005 International Conference on. Vol. 6. IEEE, 2005.

[20] Xue-qin, Zhang, Gu Chun-hua, and Lin Jia-jin. "Intrusion detection system based on feature selection and support vector machine." Communications and Networking in China, 2006. ChinaCom'06. First International Conference on. IEEE, 2006.

[21] Chen, You, et al. "Survey and taxonomy of feature selection algorithms in intrusion detection system." Information Security and Cryptology. Springer Berlin Heidelberg, 2006.

[22] Chou, Te-Shun, et al. "Correlation-based feature selection for intrusion detection design." Military Communications Conference, 2007. MILCOM 2007. IEEE. IEEE, 2007.

[23] Sheen, Shina, and R. Rajesh. "Network intrusion detection using feature selection and Decision tree classifier." TENCON 2008 IEEE Region 10 Conference. IEEE, 2008.

[24] Zhang, Jiong, Mohammad Zulkernine, and Anwar Haque. "Random-forests-based network intrusion detection systems." Systems, Man, and Cybernetics, Part C: Applications and Reviews, IEEE Transactions on 38.5 (2008): 649-659.

[25] Sheikhan, Mansour, and Amir Ali Sha'bani. "Fast neural intrusion detection system based on hidden weight optimization algorithm and feature selection." World Applied Sciences Journal, Special Issue of Computer & IT 7 (2009): 45-53.

[26] Bahrololum, M., E. Salahi, and M. Khaleghi. "Machine learning techniques for feature reduction in intrusion detection systems: a comparison." Computer Sciences and Convergence Information Technology, 2009. ICCIT'09. Fourth International Conference on. IEEE, 2009.

[27] El-Khatib, Khalil. "Impact of feature reduction on the efficiency of wireless intrusion detection systems." Parallel and Distributed Systems, IEEE Transactions on 21.8 (2010): 1143-1149.

[28] Araújo, Nelcileno, et al. "Identifying important characteristics in the KDD99 intrusion detection dataset by feature selection using a hybrid approach." Telecommunications (ICT), 2010 IEEE 17th International Conference on. IEEE, 2010.

[29] Nguyen, Hai, Katrin Franke, and Slobodan Petrovic. "Improving effectiveness of intrusion detection by correlation feature selection." Availability, Reliability, and Security, 2010. ARES'10 International Conference on. IEEE, 2010.

[30] Nguyen, Hai Thanh, Katrin Franke, and Slobodan Petrovic. "Towards a generic feature-selection measure for intrusion detection." Pattern Recognition (ICPR), 2010 20th International Conference on. IEEE, 2010.

[31] Amiri, Fatemeh, et al. "Mutual information-based feature selection for intrusion detection systems." Journal of Network and Computer Applications 34.4 (2011): 1184-1199.

[32] Fan, Wentao, Nizar Bouguila, and Djemel Ziou. "Unsupervised anomaly intrusion detection via localized bayesian feature selection." Data Mining (ICDM), 2011 IEEE 11th International Conference on. IEEE, 2011.

[33] Li, Fang, Hong Mi, and Fan Yang. "Exploring the stability of feature selection for imbalanced intrusion detection data." Control and Automation (ICCA), 2011 9th IEEE International Conference on. IEEE, 2011.

[34] Mukherjee, Saurabh, and Neelam Sharma. "Intrusion detection using naive Bayes classifier with feature reduction." Procedia Technology 4 (2012): 119-128.

[35] Eid, Heba F., et al. "Linear correlation-based feature selection for network intrusion detection model." Advances in Security of Information and Communication Networks. Springer Berlin Heidelberg, 2013. 240-248.

[36] Yongli, Zhao, et al. "An improved feature selection algorithm based on MAHALANOBIS distance for Network Intrusion Detection." Sensor Network Security Technology and Privacy Communication System (SNS & PCS), 2013 International Conference on. IEEE, 2013.

[37] Araujo De Souza, N. V., et al. "Kappa-Fuzzy ARTMAP: A Feature Selection Based Methodology to Intrusion Detection in Computer Networks." Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on. IEEE, 2013.

[38] Song, Jingping, et al. "Modified Mutual Information-based Feature Selection for Intrusion Detection Systems in Decision Tree Learning." Journal of computers 9.7 (2014): 1542-1546.

[39] Bass, T. “Intrusion detection systems and multisensor data fusion.” Communications of the ACM, 2000 43(4), 99-105.
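
Added example (not from the paper or from any study it surveys): the filter-based ranking of Section II, using Information Gain and Chi-Square, next to a wrapper-style forward search as described in Section III, run on one constructed sample. Assumptions: the feature names follow KDD 99 attributes, while the binned values, the record counts, the majority-vote learner and its even/odd hold-out split are illustrative choices made for this example.

```python
"""Filter ranking vs. wrapper search on constructed, KDD 99-style records."""
from collections import Counter, defaultdict
from math import log2

FEATURES = ["flag", "serror_rate_bin", "count_bin", "service"]

# Constructed sample, not real KDD 99 rows:
# (flag, serror_rate_bin, count_bin, label, rows per service value).
# serror_rate_bin duplicates flag on purpose; service carries no signal.
_CELLS = [
    ("S0", "high", "high", "attack", 16), ("S0", "high", "high", "normal", 2),
    ("S0", "high", "low", "attack", 4), ("S0", "high", "low", "normal", 2),
    ("SF", "low", "high", "attack", 8), ("SF", "low", "high", "normal", 4),
    ("SF", "low", "low", "normal", 24),
]
RECORDS = [
    ({"flag": f, "serror_rate_bin": s, "count_bin": c, "service": svc}, label)
    for f, s, c, label, n in _CELLS
    for svc in ("http", "smtp")
    for _ in range(n)
]


def entropy(counts):
    total = sum(counts)
    return -sum(c / total * log2(c / total) for c in counts if c)


def contingency(records, feature):
    """Map each value of one feature to a Counter of class labels."""
    table = defaultdict(Counter)
    for row, label in records:
        table[row[feature]][label] += 1
    return table


def information_gain(records, feature):
    """H(class) minus the entropy left after splitting on the feature."""
    n = len(records)
    labels = Counter(label for _, label in records)
    remaining = sum(sum(c.values()) / n * entropy(c.values())
                    for c in contingency(records, feature).values())
    return entropy(labels.values()) - remaining


def chi_square(records, feature):
    """Pearson chi-square statistic of feature value against class label."""
    n = len(records)
    labels = Counter(label for _, label in records)
    stat = 0.0
    for counts in contingency(records, feature).values():
        row_total = sum(counts.values())
        for label, col_total in labels.items():
            expected = row_total * col_total / n
            stat += (counts[label] - expected) ** 2 / expected
    return stat


def rank(records, score):
    """Filter-based ranking: score each feature on its own, best first."""
    return sorted(FEATURES, key=lambda f: score(records, f), reverse=True)


def holdout_accuracy(records, subset):
    """Learner used by the wrapper: majority label per value combination,
    fitted on even-numbered records and scored on odd-numbered ones."""
    train, test = records[0::2], records[1::2]
    votes = defaultdict(Counter)
    for row, label in train:
        votes[tuple(row[f] for f in subset)][label] += 1
    default = Counter(label for _, label in train).most_common(1)[0][0]
    hits = 0
    for row, label in test:
        seen = votes.get(tuple(row[f] for f in subset))
        hits += (seen.most_common(1)[0][0] if seen else default) == label
    return hits / len(test)


def forward_select(records):
    """Wrapper-based subset search: greedily add the feature that most
    improves the learner, stop when nothing helps. Returns (subset, fits)."""
    chosen, best, fits = [], 0.0, 0
    while True:
        gains = []
        for f in FEATURES:
            if f not in chosen:
                gains.append((holdout_accuracy(records, chosen + [f]), f))
                fits += 1
        top = max(gains, key=lambda g: g[0], default=(0.0, None))
        if top[0] <= best:
            return chosen, fits
        best, chosen = top[0], chosen + [top[1]]


if __name__ == "__main__":
    for name, score in (("information gain", information_gain),
                        ("chi-square", chi_square)):
        print(name, [(f, round(score(RECORDS, f), 3))
                     for f in rank(RECORDS, score)])
    print("wrapper subset and learner fits:", forward_select(RECORDS))
```

Both rankings put `count_bin` first and keep `flag` and its duplicate `serror_rate_bin` side by side with identical scores, while the wrapper search returns only `count_bin` and `flag`, at the cost of nine learner fits for four features.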
