Support Vector Machines(SVMs) have succeeded in many classification fields. Some researchers have tried to apply SVMs to Intrusion Detection recently and got desirable results. By analyzing C-SVM theoretically and experimentally, we found that C-SVM had some properties which showed C-SVM was not most suitable for Network Intrusion Detection. First, C-SVM has different classification error rates on different classes if the sizes of training classes are uneven. Second, C-SVM is over-dependent on every training sample, even if the samples are duplicated. Third, C-SVM does not make a difference between training samples. According to these characteristics of C-SVM and the fact that the size of network normal data is always much larger than that of intrusion data and the fact that the importance of attack data is different from each other, an extended C-SVM, termed weighted C-SVM is proposed in this paper. Weighed C-SVM introduces two parameters, class weights and sample weights. Class weights are used to adjust false negative rate and false positive rate of each intrusion class. And sample weights are used to emphasize importance of some intrusion samples. Experiments showed that Weighted C-SVM was more effective than C-SVM in network intrusion detection systems.
Jia, Yinshan; Jia, Chuanying; and Qi, Hongwei, "Application of Weighted Support Vector Machines to Network Intrusion Detection" (2004). ICEB 2004 Proceedings. 188.