TY - JOUR
T1 - A new dependency and correlation analysis for features
AU - Qu, Guangzhi
AU - Hariri, Salim
AU - Yousif, Mazin
N1 - Funding Information:
This work is supported in part by grants from Intel Corporation ISTG R&D Council, US National Science Foundation/NGS Contract 0305427, and US National Science Foundation/SEI(EAR) Contract 0431079.
PY - 2005/9
Y1 - 2005/9
N2 - The quality of the data being analyzed is a critical factor that affects the accuracy of data mining algorithms. There are two important aspects of the data quality, one is relevance and the other is data redundancy. The inclusion of irrelevant and redundant features in the data mining model results in poor predictions and high computational overhead. This paper presents an efficient method concerning both the relevance of the features and the pairwise features correlation in order to improve the prediction and accuracy of our data mining algorithm. We introduce a new feature correlation metric QY(X i, Xj) and feature subset merit measure e(S) to quantify the relevance and the correlation among features with respect to a desired data mining task (e.g., detection of an abnormal behavior in a network service due to network attacks). Our approach takes into consideration not only the dependency among the features, but also their dependency with respect to a given data mining task. Our analysis shows that the correlation relationship among features depends on the decision task and, thus, they display different behaviors as we change the decision task. We applied our data mining approach to network security and validated it using the DARPA KDD99 benchmark data set. Our results show that, using the new decision dependent correlation metric, we can efficiently detect rare network attacks such as User to Root (U2R) and Remote to Local (R2L) attacks. The best reported detection rates for U2R and R2L on the KDD99 data sets were 13.2 percent and 8.4 percent with 0.5 percent false alarm, respectively. For U2R attacks, our approach can achieve a 92.5 percent detection rate with a false alarm of 0.7587 percent For R2L attacks, our approach can achieve a 92.47 percent detection rate with a false alarm of 8.35 percent.
AB - The quality of the data being analyzed is a critical factor that affects the accuracy of data mining algorithms. There are two important aspects of the data quality, one is relevance and the other is data redundancy. The inclusion of irrelevant and redundant features in the data mining model results in poor predictions and high computational overhead. This paper presents an efficient method concerning both the relevance of the features and the pairwise features correlation in order to improve the prediction and accuracy of our data mining algorithm. We introduce a new feature correlation metric QY(X i, Xj) and feature subset merit measure e(S) to quantify the relevance and the correlation among features with respect to a desired data mining task (e.g., detection of an abnormal behavior in a network service due to network attacks). Our approach takes into consideration not only the dependency among the features, but also their dependency with respect to a given data mining task. Our analysis shows that the correlation relationship among features depends on the decision task and, thus, they display different behaviors as we change the decision task. We applied our data mining approach to network security and validated it using the DARPA KDD99 benchmark data set. Our results show that, using the new decision dependent correlation metric, we can efficiently detect rare network attacks such as User to Root (U2R) and Remote to Local (R2L) attacks. The best reported detection rates for U2R and R2L on the KDD99 data sets were 13.2 percent and 8.4 percent with 0.5 percent false alarm, respectively. For U2R attacks, our approach can achieve a 92.5 percent detection rate with a false alarm of 0.7587 percent For R2L attacks, our approach can achieve a 92.47 percent detection rate with a false alarm of 8.35 percent.
KW - Correlation measure
KW - Feature extraction
UR - http://www.scopus.com/inward/record.url?scp=27644496932&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=27644496932&partnerID=8YFLogxK
U2 - 10.1109/TKDE.2005.136
DO - 10.1109/TKDE.2005.136
M3 - Article
AN - SCOPUS:27644496932
SN - 1041-4347
VL - 17
SP - 1199
EP - 1206
JO - IEEE Transactions on Knowledge and Data Engineering
JF - IEEE Transactions on Knowledge and Data Engineering
IS - 9
ER -