A three-tier IDS via data mining approach

Tsong Song Hwang*, Tsung Ju Lee, Yuh-Jye Lee

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

19 Scopus citations


We introduced a three-tier architecture of intrusion detection system which consists of a blacklist, a whitelist and a multi-class support vector machine classifier. The first tier is the blacklist that will filter out the known attacks from the traffic and the whitelist identifies the normal traffics. The rest traffics, the anomalies detected by the whitelist, were then be classified by a multi-class SVM classifier into four categories: PROBE, DoS, R2L and U2R. Many data mining and machine learning techniques were applied here. We design this three-tier IDS based on the KDD'99 benchmark dataset. Our system has 94.71% intrusion detection rate and 93.52% diagnosis rate. The averag cost for each connection is 0.1781. All of these results are better than those of KDD'99 winner's. Our three-tier architecture design also provides the flexibility for the practical usage. The network system administrator can add the new patterns into the blacklist and allows to do fine tuning of the whitelist according to the environment of their network system and security policy.

Original languageEnglish
Title of host publicationMineNet'07
Subtitle of host publicationProceedings of the Third Annual ACM Workshop on Mining Network Data
Number of pages6
StatePublished - 31 Aug 2007
EventMineNet'07: 3rd Annual ACM Workshop on Mining Network Data - San Diego, CA, United States
Duration: 12 Jun 200712 Jun 2007

Publication series

NameMineNet'07: Proceedings of the Third Annual ACM Workshop on Mining Network Data


ConferenceMineNet'07: 3rd Annual ACM Workshop on Mining Network Data
CountryUnited States
CitySan Diego, CA


  • Activity profile
  • Blacklist
  • False alarm rate
  • Intrusion detection system
  • KDD'99
  • Multiclass SVMs
  • Whitelist

Fingerprint Dive into the research topics of 'A three-tier IDS via data mining approach'. Together they form a unique fingerprint.

Cite this