Abstract

Adaptation of Intrusion Detection Systems (IDSs) in the heterogeneous and adversarial network environments is crucial. We design an adaptive IDS that has 10% higher accuracy than the best of four different baseline IDSs. Rather than creating a new `super' IDS, we combine the outputs of the IDSs by using the online learning framework proposed by Bousquet and Warmuth [1]. The combination framework allows to dynamically determine the best IDSs performed in different segments of a dataset. Moreover, to increase the accuracy and reliability of the intrusion detection results, the fusion between outputs of the four IDSs is taken into account by a new expanded framework. We conduct the experiments on two different datasets for benchmarking Web Application Firewalls: the ECML-PKDD 2007 HTTP dataset and the CISIC HTTP 2010. Experimental results show the high adaptability of the proposed IDS.