Worth the wait? Time window feature optimization for intrusion detection

Jan 19, 2021 · Casey Wilson, Xenia Mountrouidou, Anna Little
Abstract
Time as a variable for generating features has been widely overlooked in Intrusion Detection System (IDS) research. Computer and network attacks are time series, where time is an important factor that may affect feature generation, and as a result, classification. Nevertheless, there has been little exploration on how to calibrate time for IDSs and attack classification techniques. In this paper we explore time windows as a technique for generating more effective and descriptive features for attack classification. We suggest a framework for feature generation and selection that uses Recursive Feature Elimination (RFE) and time window exploration. Our initial results when applying this framework indicate that there is up to 47% improvement of F1 scores in attack classification when attack features are generated over a variety of time windows, compared to a single, global time window. We find that features calculated over longer lengths of time may be more useful for detecting attacks than over shorter lengths of time. Our methods seem to be most effective at detecting DDoS attacks, particularly those that occur over medium or long durations of time.
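To illustrate the abstract's point about window length, the added example below (not the paper's code) computes the same three features over several time windows for constructed traffic containing a slow, distributed flood. The feature names, window lengths and sample records are assumptions made here; the RFE selection step is not shown and would operate on the resulting columns.

```python
from bisect import bisect_right

def build_sample():
    """Constructed traffic as (timestamp_seconds, source_ip, bytes) tuples.

    One benign host sends a packet every 2 s. From t=100.5 a slow flood adds
    one small packet every 4 s, each from a different (documentation-range) IP.
    """
    events = [(float(t), "10.0.0.5", 500) for t in range(0, 400, 2)]
    events += [(100.5 + 4 * i, f"198.51.100.{i + 1}", 60) for i in range(70)]
    return sorted(events)

def window_features(events, t_end, length):
    """Features over the half-open window (t_end - length, t_end]."""
    times = [e[0] for e in events]
    lo = bisect_right(times, t_end - length)
    hi = bisect_right(times, t_end)
    chunk = events[lo:hi]
    n = len(chunk)
    return {
        "pkts": n,
        "uniq_src": len({e[1] for e in chunk}),
        "mean_bytes": sum(e[2] for e in chunk) / n if n else 0.0,
    }

def multi_window_vector(events, t_end, lengths):
    """Concatenate per-window features into one named feature vector."""
    vec = {}
    for length in lengths:
        for name, value in window_features(events, t_end, length).items():
            vec[f"{name}_{length}s"] = value
    return vec

if __name__ == "__main__":
    sample = build_sample()
    # t=90 is before the flood starts, t=380 is well into it.
    for t_end in (90, 380):
        print(t_end, multi_window_vector(sample, t_end, (4, 60, 240)))
```

In this constructed data the 4-second window sees two sources during the flood against one before it, while the 240-second window sees 61 against one, so only the longer windows separate the two cases clearly.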
Type
Publication
2019 IEEE International Workshop on Big Data Analytics for Cyber Threat Hunting