Improving the Performance of Intrusion Detection System by Removing the Count Attribute from KDD Cup 1999 Data
Author(s):
Yash Jain, IPS Academy, Indore; Pratik Jain, IPS Academy, Indore
Keywords:
Data Mining, Anomaly Detection System (ADS), K-Means, Ensemble, Detection Rate, False Alarm Rate, False Positive, Clustering
Abstract |
Intrusion detection encompasses a range of security techniques designed to detect (and report) malicious system and network activity or to record evidence of intrusion. To understand intrusion detection one must first understand what an intrusion is. Webster's dictionary defines an intrusion as "the act of thrusting in, or of entering into a place or state without invitation or welcome". For the purpose of this article, we define an intrusion as any unauthorized system or network activity on one or more computers or networks. This could be a legitimate user of a system trying to escalate his privileges so that he gains greater access than he is currently assigned, or a legitimate user trying to connect to a remote port of a server to which he is not authorized. These intrusions can originate from the outside world, from a recently fired and disgruntled ex-employee, or from your trusted staff. In this paper, one false-positive scenario is considered. A false positive is the case in which normal data is detected as an attack. We focus on this problem with the help of an example and propose one solution for it. The KDD CUP 1999 data set is used. The experiment shows that if a class of records has a high value of the count attribute (the number of connections to the same host in the preceding two seconds), that class is treated as an anomaly class. But if a legitimate user crosses the threshold value of count, that user is also counted as an anomaly. To recognise the legitimate user and remove this false positive, one solution is proposed: the count attribute is removed from the data before detection.
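The false-positive scenario the abstract describes, as an added example that is not code from the paper: a handful of constructed, reduced KDD Cup 1999-style records (real rows carry 41 features; only `src_bytes`, `dst_bytes`, `count` and `serror_rate` are kept, and one of the normal rows is a legitimate HTTP burst whose `count` is high). A detector that flags any record whose `count` crosses a threshold catches both `neptune` records but also flags the burst, so its false alarm rate is non-zero. The same rows are then clustered with a small k-means (k=2) after the `count` attribute has been dropped, and the detection rate and false alarm rate are recomputed. The threshold value (100), the deterministic seeding of k-means, and the rule that the smaller of the two clusters is the anomaly cluster are all assumptions of this example; the paper gives none of them.

```python
"""Count-attribute false positive on constructed KDD Cup 1999-style rows.

Field names follow the KDD feature list: count = connections to the same host
in the past two seconds, serror_rate = fraction of those with SYN errors.
The rows, the threshold and the k-means details below are assumptions of this
example, not values taken from the paper.
"""
import csv
import io
import math

# Constructed sample, not real KDD data. Row 4 is a legitimate user fetching a
# page with many embedded objects: normal traffic with an attack-sized count.
SAMPLE = """\
protocol,service,src_bytes,dst_bytes,count,serror_rate,label
tcp,http,230,1400,4,0.00,normal.
tcp,http,310,2200,6,0.00,normal.
tcp,smtp,1200,300,2,0.00,normal.
tcp,http,250,1800,120,0.00,normal.
tcp,private,0,0,280,1.00,neptune.
tcp,private,0,0,300,1.00,neptune.
"""
NUMERIC = ["src_bytes", "dst_bytes", "count", "serror_rate"]
COUNT_THRESHOLD = 100  # assumed; the paper does not state its threshold


def load(text=SAMPLE):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for f in NUMERIC:
            r[f] = float(r[f])
    return rows


def is_attack(row):
    return row["label"] != "normal."


def rates(rows, predicted):
    """Detection rate = flagged attacks / attacks,
    false alarm rate = flagged normals / normals (the paper's two metrics)."""
    attacks = [p for r, p in zip(rows, predicted) if is_attack(r)]
    normals = [p for r, p in zip(rows, predicted) if not is_attack(r)]
    return sum(attacks) / len(attacks), sum(normals) / len(normals)


def flagged_normals(rows, predicted):
    """Services of the normal rows a detector wrongly flagged."""
    return [r["service"] for r, p in zip(rows, predicted) if p and not is_attack(r)]


def count_threshold_detector(rows, threshold=COUNT_THRESHOLD):
    """The behaviour the abstract reports: high count => anomaly."""
    return [r["count"] >= threshold for r in rows]


def min_max(rows, features):
    lo = {f: min(r[f] for r in rows) for f in features}
    hi = {f: max(r[f] for r in rows) for f in features}
    return [[(r[f] - lo[f]) / (hi[f] - lo[f] or 1.0) for f in features] for r in rows]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans2(points, max_iter=100):
    """Lloyd's k-means, k=2, seeded deterministically with the first point and
    the point farthest from it. Returns a cluster index (0 or 1) per point."""
    c0 = points[0]
    c1 = max(points, key=lambda p: dist(p, c0))
    centroids = [list(c0), list(c1)]
    assign = None
    for _ in range(max_iter):
        new = [0 if dist(p, centroids[0]) <= dist(p, centroids[1]) else 1 for p in points]
        if new == assign:
            break
        assign = new
        for k in (0, 1):
            members = [p for p, a in zip(points, assign) if a == k]
            if members:
                centroids[k] = [sum(col) / len(members) for col in zip(*members)]
    return assign


def kmeans_detector(rows, features):
    """Unsupervised detection on the chosen features: the smaller of the two
    clusters is treated as the anomaly cluster (an assumption of this example)."""
    assign = kmeans2(min_max(rows, features))
    anomaly = 1 if assign.count(1) < assign.count(0) else 0
    return [a == anomaly for a in assign]


def compare():
    """Both detectors on the same rows: (detection rate, false alarm rate)
    plus the services of any normal rows they flagged."""
    rows = load()
    without_count = [f for f in NUMERIC if f != "count"]
    thr = count_threshold_detector(rows)
    km = kmeans_detector(rows, without_count)
    return {
        "count_threshold": (rates(rows, thr), flagged_normals(rows, thr)),
        "kmeans_without_count": (rates(rows, km), flagged_normals(rows, km)),
    }


if __name__ == "__main__":
    for name, ((dr, far), fps) in compare().items():
        print(f"{name}: detection rate {dr:.2f}, false alarm rate {far:.2f}, false positives {fps}")
```

On this sample the threshold rule reaches a detection rate of 1.0 but a false alarm rate of 0.25 (the HTTP burst), while k-means on the remaining attributes keeps the detection rate at 1.0 with no false alarms, because the `neptune` rows are still separated by `serror_rate`. The caveat a practitioner should keep in mind is that attacks whose only signal is the connection rate lose that signal once `count` is dropped, so the trade-off has to be measured per attack category rather than assumed from one scenario.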
Other Details
Paper ID: IJSRDV5I80227
Published in: Volume 5, Issue 8
Publication Date: 01/11/2017
Page(s): 180-183