Title
Implementation of Intelligent Techniques for Intrusion Detection System
Publisher
Ain Shams University.
Author
Youssef, Sahar Selim Fouad.
Preparation committee
Supervisor / Mohamed Hashem
Supervisor / Taymoor M. Nazmy
Researcher / Sahar Selim Fouad Youssef
Subject
Intelligent Techniques. Intrusion Detection System.
Publication date
2011
Number of pages
p.:108
Language
English
Degree
Master's
Specialization
Computer Science (miscellaneous)
Date of approval
1/1/2011
Place of approval
Egyptian Universities Libraries Consortium - Computer Science
Index
Only 14 pages are available for public view

from 121

Abstract

In this work, an Enhanced Hybrid Multi-Level Intrusion Detection System was developed. The proposed system consists of three detection levels. Network data are first fed to the first-level module, which aims to differentiate between normal and attack records. The first level has a dual protection phase. In its first phase, the data are passed through a C5 model, which identifies whether the incoming record is normal or an attack. Records classified as normal are then passed to an MLP model, which reclassifies them. Thus some attacks that bypass the C5 decision tree model are detected by the MLP model, consequently achieving a higher detection level. If the input record is identified as an attack, the administrator is alerted that the incoming record is suspicious, and the suspicious record is passed to the second level, which specifies the class of the attack (DOS, probe, R2L or U2R). The third detection level consists of four modules, one for each class type, to identify attacks of that class. Finally, the administrator is alerted to the expected attack type.
We examined each module using different machine learning models (MLP, RBF, C5, CRT, QUEST and Exhaustive Prune). Each module is implemented with the most promising classifier, the one that gave the highest correct classification rate. Therefore, the hybrid model will improve intrusion detection performance. The experimental results showed that the designed multi-level system has a detection rate of 98% for both known and unknown attacks. The first level is implemented by a C5 decision tree and an MLP neural network, which showed a significant detection rate for both known and unknown attacks. The drawback of using the C5 decision tree is the high false alarm rate that it produces. The second level is implemented by C5. As for the third level, the DOS and Probe modules are implemented by MLP, the R2L module by a C5 decision tree, and the U2R module by an Exhaustive Prune neural network. While the neural networks are very interesting for generalization and very poor for new attack detection, the decision trees have proven their efficiency in both generalization and new attack detection. In addition, C5 has a shorter training time than the MLP. However, none of the machine learning classifiers evaluated was able to detect the user-to-root attack category significantly (no more than 54% detection for the U2R category).