Network Intrusion Logit Detection Model with IO Port Cross-Classification

Abstract

Recently, information networks are becoming a significant part of daily life, so keeping the system’s security is necessary for security tools, such as firewalls and encryption. However, because of the weaknesses of the existing tools, the Intrusion Detection System (IDS) has been implemented to solve the problem. In the application of IDS, feature classification and data analysis are the two most important steps. In this paper, by using the Logit regression model, we attempt to search for the optimal cutting value based on the relationship between cutting value and accuracy index and put forward an input-output port crossed (IOPC) classification for IDS to distinguish the new intrusion features. First, we discuss whole features and propose a taxonomy of IOPC classification for CIC-IDS2017 that is different from other former studies, which can reduce the data space. Second, we compute the distribution curve of cutting values varied with the accuracy index, the purpose of which is to search for the optimal cutting values. Finally, utilizing IOPC classification, the difference between the distribution of the cutting values under the attacks of distributed denial of service (DDoS) and PortScan in CIC-IDS2017 is discussed, which highlights the characteristic that cutting values besieged the attack by PortScan has a conditional distribution compared with DDoS.