A Sequential Multi-Stage One-Class Classification Model in Network Intrusion Detection Systems

Abstract

One-class classification has been a promising direction in capturing the properties of a target class. Under multiclass classification problems with severe imbalance in target labels, research proposes the decomposition of a given problem into multiple sub-problems trained as separate one-class classifiers. We propose a sequential multi-stage one-class classification model to detect anomalies found in a multiclass classification context - a network intrusion detection system. We experiment with the model and test its performance using the NSL-KDD dataset, a modified version of the KDD’99 dataset. The model consists of several stages; we start with an initial classifier to detect the presence of an anomaly, followed by a sequence of per class one-class classifiers that will classify the intrusion based on the current class or otherwise pass to the next classifier trained on a less common attack type. Finally, we provide the analysis of our contribution compared to multiclass models trained over the dataset observations, and treated with an imbalanced learning approach.