Anomaly-based Intrusion Detection using Tree Augmented Naive Bayes

Information technology is continuously becoming a more central part of society and together with the increased connectivity and inter-dependency of devices, it is becoming more important to keep systems secure. Most modern enterprises use some form of intrusion detection in order to detect hostile cyber activity that enters the organization. One of the major challenges of intrusion detection in computer networks is to detect types of intrusions that have previously not been encountered. These unknown intrusions are generally detected by methods collectively called anomaly detection. It is nowadays popular to use various artificial intelligence schemes to enhance anomaly detection of network traffic, and many state-of-the-art models reach a detection rate of well over 99%. One such promising algorithm is the Tree Augmented Naive Bayes (TAN) Classifier. However, it is crucial to implement TAN correctly in order to benefit from its full performance. This study implements a TAN classifier for anomaly based intrusion detection of computer network traffic, and displays practical insights on how to maximize its performance. The algorithm is implemented in two data sets with data from simulated cyber attacks: NSL-KDD and UNSW-NB15. We contribute to the field by validating the usefulness of TAN for anomaly detection in computer networks, as well as providing practical insights to new practitioners who want to utilize TAN in intrusion detection systems.