SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

As cyber threats grow in sophistication, network defenders need to use every tool in the defensive arsenal to protect their networks. Data mining techniques, such as decision tree analysis, offer a semi-automated approach to detecting adversary threats. This paper presents a repeatable process for applying the decision tree technique to a small set of network data. Using this process, a security team can gather data, build a decision tree model, and incorporate the results into firewall rules and custom-built detection scripts. The process presented in this paper can serve as a preliminary test to determine the value of data mining techniques before deciding whether to adopt them across the enterprise. Alternatively, the proposed methodology can be used to perform ad-hoc decision tree analysis as security data becomes available. Either approach allows corporations or security teams to quickly, easily, and inexpensively implement decision tree analysis and gain unique security insights based on the corporation's own network data.
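The three steps the abstract describes, labelled network data to a decision tree to rules a detection script can apply, sketched as an added example in Python (this is not code from the paper or from SANS). The flow records, the three features (`dst_port`, `bytes_out`, `rate`) and the plain information-gain learner are all assumptions made for illustration; the paper's own tooling is not shown here.

```python
import math
from collections import Counter
# Constructed, labelled flow records standing in for the paper's "small set of network data".
FLOWS = [
    {"dst_port": 443, "bytes_out": 1200, "rate": 2, "label": "benign"},
    {"dst_port": 80, "bytes_out": 800, "rate": 3, "label": "benign"},
    {"dst_port": 443, "bytes_out": 950, "rate": 1, "label": "benign"},
    {"dst_port": 53, "bytes_out": 120, "rate": 5, "label": "benign"},
    {"dst_port": 22, "bytes_out": 300, "rate": 40, "label": "malicious"},
    {"dst_port": 22, "bytes_out": 250, "rate": 55, "label": "malicious"},
    {"dst_port": 3389, "bytes_out": 400, "rate": 70, "label": "malicious"},
    {"dst_port": 443, "bytes_out": 90000, "rate": 1, "label": "malicious"},
]
FEATURES = ["dst_port", "bytes_out", "rate"]  # bytes sent by the host, new connections/min

def entropy(rows):
    n = len(rows)
    return -sum(c / n * math.log2(c / n) for c in Counter(r["label"] for r in rows).values())

def best_split(rows):
    """Pick the (feature, threshold) pair with the largest information gain."""
    base, best = entropy(rows), (0.0, None, None)
    for f in FEATURES:
        for t in sorted({r[f] for r in rows}):
            left = [r for r in rows if r[f] <= t]
            right = [r for r in rows if r[f] > t]
            if not left or not right:
                continue
            gain = base - (len(left) * entropy(left) + len(right) * entropy(right)) / len(rows)
            if gain > best[0]:
                best = (gain, f, t)
    return best

def build_tree(rows, depth=0, max_depth=3):
    """Top-down induction; a leaf is just the majority class label string."""
    _, f, t = best_split(rows)
    if f is None or depth == max_depth:   # pure node, no useful split, or depth cap reached
        return Counter(r["label"] for r in rows).most_common(1)[0][0]
    return {"feature": f, "threshold": t,
            "left": build_tree([r for r in rows if r[f] <= t], depth + 1, max_depth),
            "right": build_tree([r for r in rows if r[f] > t], depth + 1, max_depth)}

def extract_rules(node, path=()):
    """Flatten each root-to-leaf path into a conjunctive rule a detection script can apply."""
    if isinstance(node, str):
        return [(path, node)]
    f, t = node["feature"], node["threshold"]
    return (extract_rules(node["left"], path + (f"{f} <= {t}",))
            + extract_rules(node["right"], path + (f"{f} > {t}",)))
```

On this constructed set the learner picks the connection rate as the root split and bytes sent as the second, so the three extracted rules read directly as detection conditions; note that the thresholds are simply the largest benign values seen, which is why the abstract frames a small-data run as a preliminary test rather than a production model.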