Biased support vector machines and kernel methods for intrusion detection

This paper describes results concerning the robustness and generalization capabilities of kernel methods in detecting intrusions using network audit trails., We use traditional support vector machines (SVM), biased support vector machine (BSVM) and leave-otie out model selection for support vector machines (looms) for model selection. We also evaluate the impact of kernel type and parameter values on the accuracy of a support vector machine (SVM) performing intrusion classification. Through a variety of comparative experiments, it is found that SVM performs the best for detecting Normal and User to Super User, BSVM performs the best for Denial of Service attacks, and looms based on BSVM performs the best for Probe and Remote to Local. We show that classification accuracy vanes with the kernel type and the parameter values; thus, with appropriately chosen parameter values, intrusions can be detected by SVMs with higher accuracy and lower rates of false alarms.