TELKOMNIKA Indonesian Journal of Electrical Engineering
Vol. 13, No. 2, February 2015, pp. 223 ~ 231
DOI: 10.11591/telkomnika.v13i2.7045

Received November 18, 2014; Revised January 8, 2015; Accepted January 25, 2015

A Novel and Advanced Data Mining Model Based
Hybrid Intrusion Detection Framework

K. Rajasekaran*¹, K. Nirmala²
Bharathiar University, Coimbatore
Quiad-E-Millath College for Women², Chennai
*Corresponding author, e-mail: krs.salem@gmail.com¹, nimimca@gmail.com²

Abstract
An intrusion can be defined as any practice or act that attempts to crack the integrity, confidentiality or availability of a resource. This may consist of a deliberate unauthorized attempt to access the information, manipulate the data, or make a system unreliable or unusable. With the expansion of computer networks at an alarming rate during the past decade, security has become one of the serious issues of computer systems. An IDS is a detection mechanism for detecting the intrusive activities hidden among the normal activities. The revolutionary establishment of IDS has attracted analysts to work dedicatedly on enabling the system to deal with technological advancements. Hence, in this regard, various beneficial schemes and models have been proposed in order to achieve enhanced IDS. This paper proposes a novel hybrid model for intrusion detection. The framework proposed in this paper may be regarded as another step towards the advancement of IDS. The framework utilizes the crucial data mining classification algorithms beneficial for intrusion detection. The hybrid framework will henceforth lead to effective, adaptive and intelligent intrusion detection.

Keywords: data mining, intrusion detection, classification, K2, TAN, REP, KDDCup’99, neural network

Copyright © 2015 Institute of Advanced Engineering and Science. All rights reserved.

1. Introduction
With the development of network techniques and science technologies, the information industry has expanded greatly. Both organizations such as government, enterprises, finance, telegraphy etc., and personal users have depended on networks more and more. At the same time, this has brought lots of information security troubles. Network security is increasingly paid attention to and concerned about, so how to protect the security of networks and information systems is a critical problem. Intrusion detection is a necessary supplement to traditional security protection measures such as firewalls and data encryption, because it can provide real-time protection against internal attacks, external attacks and misoperations. Intrusion detection belongs to the classification and recognition problems with a large number of non-linear conditions, which makes it essential to study non-linear integrated approaches to solve the problem [1, 2]. An Artificial Neural Network (ANN), often just called "neural network" (NN), is a mathematical model or computational model based on biological neural networks. It consists of an interconnected group of artificial neurons and processes information using a connectionist approach to computation. In most cases an ANN is an adaptive system that changes its structure based on external or internal information that flows through the network during the learning phase. In more practical terms neural networks are non-linear statistical data modeling tools. They can be used to model complex relationships between inputs and outputs or to find patterns in data. The ability of an ANN to learn and adapt to uncertainties makes it suitable for solving the intrusion detection problem.

However, an ANN easily drops into a local minimum, so it may not find the global optimum [3]. To address this defect, the paper will propose an anomaly intrusion detection model based on Genetic Neural Network (GNN), which combines the good global searching ability of the genetic algorithm with the accurate local searching feature of BP networks to optimize the initial weights of neural networks. The practice can overcome the shortcomings in the BP algorithm such as slow convergence, easily dropping into a local minimum and weakness in global searching. We will carry out simulation experiments to verify the validity of the practice.

ISSN: 2302-4046

An Intrusion Detection System is a mechanism that is used to protect an organization from attacks from different sources. Intrusion detection is defined by the Sysadmin, Audit, Networking and Security (SANS) institute as the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. It is obligatory that an IDS can handle huge quantities of information without affecting performance and without loss of data, and can detect intrusions reliably without giving false alarms. IDS are broadly classified as:

a) Misuse Based System
In misuse based IDS, detection is done by searching for the exploitation of known weak points in the system, which can be described by a specific pattern or sequence of events or data. That means these systems can detect only known attacks for which they have a defined signature.

b) Anomaly Based System
In anomaly based IDS, detection is performed by detecting changes in the patterns of utilization or behavior of the system.

2. Related Works
Some important applications of soft computing techniques for network intrusion detection are described in this section. Several Genetic Algorithms (GAs) and Genetic Programming (GP) have been used for intrusion detection of different kinds in different scenarios. Some use GA for deriving classification rules [5-8]. GAs are used to select required features and to determine the optimal and minimal parameters of some core functions in which different AI methods were used to derive acquisition of rules [9-11]. There are several papers [12-15] related to IDS which have a certain level of impact in network security.

The effort of using GAs for intrusion detection can be traced back to 1995, when Crosbie and Spafford [16] applied the multiple agent technology and GP to detect network anomalies [19]. For both agents, they used GP to determine anomalous network behaviours, and each agent can monitor one parameter of the network audit data. The proposed methodology has an advantage when many small autonomous agents are used, but it has problems when communicating among the agents, and if the agents are not properly initialized the training process can be time consuming.

Li [6] described a method using GA to detect anomalous network intrusion [19, 20]. The approach includes both quantitative and categorical features of network data for deriving classification rules. However, the inclusion of quantitative features can increase the detection rate, but no experimental results are available.

Goyal and Kumar [18] described a GA based algorithm to classify all types of smurf attack using the training dataset, with a very low false positive rate (at 0.2%) and a detection rate of almost 100% [20].

Lu and Traore [7] used a historical network dataset with GP to derive a set of classification rules [19]. They used a support-confidence framework as the fitness function and accurately classified several network intrusions. But their use of genetic programming made the implementation procedure very difficult, and the training procedure requires more data and time.

Xiao et al. [17] used GA to detect anomalous network behaviours based on information theory [19, 20]. Some network features can be identified with network attacks based on mutual information between network features and type of intrusions, and then using these features a linear structure rule and also a GA is derived. The approach of using mutual information and the resulting linear rule seems very effective because of the reduced complexity and higher detection rate. The only problem is that it considered only the discrete features.

Gong et al. [19] presented an implementation of a GA based approach to network intrusion detection and showed a software implementation. The approach derived a set of classification rules and utilizes a support-confidence framework to judge the fitness function.

Abdullah et al. [20] showed a GA based performance evaluation algorithm for network intrusion detection. The approach uses information theory for filtering the traffic data.

Min Yang et al. [31] discussed a model based on a contiguous expert voting algorithm. Although early methods detect most anomalies, an unsuccessful match doesn't mean an abnormity, as normal rules may not cover all normal data. The detection rate in this is not commendable but it has vast future scope for improvement.

3. Neural Networks for Intrusion Detection
A limited amount of research has been conducted on the application of neural networks to detecting computer intrusions. Artificial neural networks offer the potential to resolve a number of the problems encountered by the other current approaches to intrusion detection. Artificial neural networks have been proposed as alternatives to the statistical analysis component of anomaly detection systems [5-6], [10, 23, 26]. Statistical analysis involves statistical comparison of current events to a predetermined set of baseline criteria. The technique is most often employed in the detection of deviations from typical behavior and determination of the similarity of events to those which are indicative of an attack [8]. Neural networks were specifically proposed to identify the typical characteristics of system users and identify statistically significant variations from the user's established behavior.

A neural network approach for intrusion detection: one promising line of research in intrusion detection concerns the application of neural network techniques for the misuse detection model and the anomaly detection model. Performance evaluations presented in this paper all refer to the DARPA Intrusion Data Base.

Neural network approach: an artificial neural network consists of a collection of treatments to transform a set of inputs to a set of searched outputs, through a set of simple processing units, or nodes, and connections between them. Subsets of the units are input nodes and output nodes, and nodes between input and output form hidden layers; the connection between two units has some weight, used to determine how much one unit will affect the other. Two types of architecture of neural networks can be distinguished.

Supervised training algorithms: in the learning phase, the network learns the desired output for a given input or pattern. The well known architecture of supervised neural network is the Multi-Level Perceptron (MLP); the MLP is employed for pattern recognition problems.

Unsupervised training algorithms: in the learning phase, the network learns without a specified desired output.

Neural Networks (NNs) have attracted more attention compared to other techniques. That is mainly due to the strong discrimination and generalization abilities of neural networks that are utilized for classification purposes [19]. An artificial neural network is a system simulation of the neurons in the human brain [20]. It is composed of a large number of highly interconnected processing elements (neurons) working with each other to solve specific problems. Each processing element is basically a summing element followed by an active function. The output of each neuron (after applying the weight parameter associated with the connection) is fed as the input to all of the neurons in the next layer. The learning process is essentially an optimization process in which the parameters of the best set of connection coefficients (weights) for solving a problem are found [21].

An increasing amount of research in the last few years has investigated the application of neural networks to intrusion detection. If properly designed and implemented, neural networks have the potential to address many of the problems encountered by rule-based approaches. Neural networks were specifically proposed to learn the typical characteristics of a system's users and identify statistically significant variations from their established behavior. In order to apply this approach to intrusion detection, I would have to introduce data representing attacks and non-attacks to the neural network to automatically adjust the coefficients of this network during the training phase. In other words, it will be necessary to collect data representing normal and abnormal behavior and train the neural network on those data. After training is accomplished, a certain number of performance tests with real network traffic and attacks should be conducted [22]. Instead of processing program instructions sequentially, neural network based models simultaneously explore several hypotheses, making use of several interconnected computational elements (neurons); this parallel processing may imply time savings in malicious traffic analysis.

4. Proposed Method
The proposed system (shown in Figure 1) is a hybrid intrusion detection framework based on the combination of two classifiers, i.e. Tree Augmented Naïve Bayes (TAN) and Reduced Error Pruning (REP). The TAN classifier is used as a base classifier while the REP classifier is used as a meta classifier. Meta classification is the learning technique which learns from the meta data and judges the correctness of the classification of each instance by
base classifier. The judgement from each classifier for each class is treated as a feature, and then another classifier, i.e. a meta-classifier, is built to make the final decision [11]. Hence it can be said that meta-classification re-classifies the classification judgments made by classifiers. The working of the hybrid framework can be understood in the following algorithmic steps:

Step 1: Input dataset
Step 2: Perform preprocessing of the dataset
Step 3: Select TAN as the base classification algorithm
Step 4: Choose REP algorithm for Meta classification
Step 5: Perform classification on base classifier for Meta Rules
Step 6: Set the obtained Meta rules as input for Meta classification
Step 7: Perform re-classification using Meta classifier

The main idea of using this technique is to improve the overall classification performance, resulting in better outcomes than any other existing technique. The two classifiers involved in the proposed system can be understood as:

4.1. Detailed Description of the Hybrid IDS Framework
This section describes all the modules incorporated in the Hybrid IDS framework shown in Figure 1. Following is a brief discussion about each module:

Figure 1. Class-wise comparison of accuracy in K2 and TAN

4.2. KDD Cup 99 Data Set Description
Since 1999, KDD’99 [3] has been the most widely used data set for the evaluation of anomaly detection methods. This data set was prepared by Stolfo et al. [5] and is built based on the data captured in the DARPA’98 IDS evaluation program [6]. DARPA’98 is about 4 gigabytes of compressed raw (binary) tcpdump data of 7 weeks of network traffic, which can be processed into about 5 million connection records, each with about 100 bytes. The two weeks of test data have around 2 million connection records. The KDD training dataset consists of approximately 4,900,000 single connection vectors, each of which contains 41 features and is labeled as either normal or an attack, with exactly one specific attack type.

In the preprocessing module the class label present in the 42nd feature of the KddCup’99 dataset is recast into five major categories for the sake of decreasing the complexity of performance evaluation of the proposed model. As the original KddCup’99 dataset has 22 types of attack labels, it was very inconvenient to assess the performance of the classification model. Hence
the attack labels are modified to their respective categories for the ease of analysis. Finally five major classes are formed as the class label, i.e. DoS, Probe, R2L, U2R and Normal.

4.3. Dataset Splitter
The Dataset Splitter module partitions the dataset received from the preprocessing module into two parts. To partition the dataset into two parts a method named holdout is used. In this method, the given data are randomly partitioned into two independent sets, a training set and a test set [17]. 66% of the data is allocated to the training set and the remaining 44% of the dataset is allocated to the testing set. The training set is used to derive the proposed framework while the test set is used to assess the accuracy of the derived model. When the KddCup’99 dataset is passed through the data splitting module it gets divided into the training set, which consists of 326054 instances, and the testing set, which consists of 167967 instances.

4.4. Learning Phase
The learning phase involves two steps for generating the classification rules. In the first step, the learning of the base classifier, i.e. TAN, using the training dataset is achieved. The outcome of this base classifier is taken as the input data (known as meta data) for the second step. This meta-level training set is composed by using the base classifiers' predictions on the validation set as attribute values, and the true class as the target [18]. From these predictions, the meta-learner adapts to the characteristics and performance of the base classifier and computes a meta-classifier which is a model of the original training data set. This meta-classifier in the second step fetches the predictions from the base classifier for classifying an unlabeled instance, and then makes the final classification decision.

4.5. Testing Phase
The classification rules that are generated in the Learning Phase are stored for the performance evaluation of the hybrid intrusion detection framework. In this phase, the testing set generated in the Data Splitting module is used as input to assess the performance. The outcome of this module is forwarded to the next module, i.e. the Classifier Performance Evaluator module.

4.6. Classifier Performance Evaluator

Table 1

                      True class
Hypothesized class    Pos          Neg
Yes                   TP           FP
No                    FN           TN
                      P=TP+FN      N=FP+TN

a) Accuracy = (TP+TN)/(P+N)
b) Precision = TP/(TP+FP)
c) Recall/TP rate = TP/P
d) FP Rate = FP/N
e) ROC Analysis moves the threshold between the positive and negative class from a small FP rate to a large one. It plots the value of the Recall against that of the FP Rate at each FP Rate considered.

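
The measures above, applied one class against the rest, give per-class TPR and FPR of the kind the paper tabulates. The following is an added example, not code from the paper: it recasts raw KDD Cup 99 labels into the five classes of Section 4.2 and computes the Table 1 measures and ROC points. The label grouping is the standard KDD'99 taxonomy (an assumption, since the paper does not list it), and the function names and sample records are constructed for illustration.

```python
from collections import Counter

# KDD Cup 99 training labels -> the five classes used on this page.
# 22 attack labels plus "normal"; standard KDD'99 grouping
# (assumption: the paper itself does not list the mapping).
CATEGORY = {"normal": "Normal"}
for cat, names in {
    "DoS": "back land neptune pod smurf teardrop",
    "Probe": "ipsweep nmap portsweep satan",
    "R2L": "ftp_write guess_passwd imap multihop phf spy warezclient warezmaster",
    "U2R": "buffer_overflow loadmodule perl rootkit",
}.items():
    for name in names.split():
        CATEGORY[name] = cat

CLASSES = ["DoS", "Probe", "R2L", "U2R", "Normal"]


def recast(label):
    """Map a raw 42nd-column label such as 'smurf.' to one of the five classes."""
    key = label.strip().rstrip(".").lower()
    if key not in CATEGORY:
        raise ValueError(f"unknown KDD'99 label: {label!r}")
    return CATEGORY[key]


def per_class_metrics(true_labels, predicted_labels):
    """One-vs-rest TP/FP/FN/TN per class, then the measures from Table 1."""
    if len(true_labels) != len(predicted_labels):
        raise ValueError("label lists differ in length")
    pairs = Counter(zip(true_labels, predicted_labels))
    total = len(true_labels)
    out = {}
    for c in CLASSES:
        tp = pairs[(c, c)]
        fn = sum(n for (t, p), n in pairs.items() if t == c and p != c)
        fp = sum(n for (t, p), n in pairs.items() if t != c and p == c)
        tn = total - tp - fn - fp
        pos, neg = tp + fn, fp + tn  # P = TP+FN, N = FP+TN
        out[c] = {
            "TP": tp, "FP": fp, "FN": fn, "TN": tn,
            "accuracy": (tp + tn) / total if total else 0.0,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "tpr": tp / pos if pos else 0.0,  # recall
            "fpr": fp / neg if neg else 0.0,
        }
    return out


def roc_points(scores, is_positive):
    """Sweep the threshold from strict to lax; return (FPR, TPR) points."""
    pos = sum(is_positive)
    neg = len(is_positive) - pos
    if pos == 0 or neg == 0:
        raise ValueError("ROC needs at least one positive and one negative")
    ranked = sorted(zip(scores, is_positive), key=lambda s: -s[0])
    points, tp, fp, i = [(0.0, 0.0)], 0, 0, 0
    while i < len(ranked):
        threshold = ranked[i][0]
        # Consume every record tied at this score before emitting a point.
        while i < len(ranked) and ranked[i][0] == threshold:
            if ranked[i][1]:
                tp += 1
            else:
                fp += 1
            i += 1
        points.append((fp / neg, tp / pos))
    return points


# Constructed sample: (raw label, classifier output already in five classes).
SAMPLE = [
    ("smurf.", "DoS"), ("neptune.", "DoS"), ("back.", "DoS"), ("pod.", "Normal"),
    ("ipsweep.", "Probe"), ("satan.", "Probe"),
    ("guess_passwd.", "R2L"), ("warezclient.", "Normal"),
    ("rootkit.", "U2R"), ("buffer_overflow.", "R2L"),
    ("normal.", "Normal"), ("normal.", "Normal"),
    ("normal.", "Normal"), ("normal.", "Probe"),
]

if __name__ == "__main__":
    truth = [recast(raw) for raw, _ in SAMPLE]
    preds = [p for _, p in SAMPLE]
    for cls, m in per_class_metrics(truth, preds).items():
        print(f"{cls:7s} TPR={m['tpr']:.3f} FPR={m['fpr']:.3f} "
              f"precision={m['precision']:.3f} accuracy={m['accuracy']:.3f}")
```

Because TN is computed per class against all other classes, a rare class such as U2R can show a near-zero FPR and high accuracy while its TPR stays low, so the per-class TPR is the figure to watch for rare attack categories.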
4.7. Visualization
The result generated in the Performance Evaluation phase can be visualized in the visualization module. These results can be in the form of text or graph etc.

5. Experimental Analysis
This section describes the experimental outcomes of the developed hybrid intrusion detection framework and its comparison with various other techniques present in the scenario. It has been noticed that the outcomes of the hybrid IDS framework excelled most of the algorithms in respect of performance (prominently accuracy). The following Tables 2 and 3 give the comparison of the two algorithms, i.e. TAN and REP, utilized in the hybrid IDS framework with respect to the frequently preferred Bayes net based K2 algorithm.

Table 2. Performance Comparison of TAN, REP, HYBRID and K2

Class     TAN             K2              REP             HYBRID
          TPR     FPR     TPR     FPR     TPR     FPR     TPR     FPR
DoS       0.997   0.000   0.989   0.000   1.001   0.001   1.000   0.001
Probe     0.989   0.000   0.979   0.005   0.979   0.000   0.988   0.000
R2L       0.968   0.000   0.959   0.001   0.984   0.000   0.973   0.000
U2R       0.859   0.000   0.813   0.005   0.668   0.000   0.835   0.000
Normal    0.998   0.001   0.986   0.002   0.999   0.000   0.998   0.000

Next, Table 2 shows the comparison of the developed framework with the K2 algorithm, proving its effectiveness with improved results for each type of attack.

Figure 2. Class-wise comparison of accuracy in K2 and REP

Figure 3. Class-wise comparison of accuracy in REP and Hybrid

When the developed framework is compared with the various available data mining techniques for intrusion detection, the result obtained favors opting for the hybrid technique. The lead may be understood from the above comparison graph.

Figure 4. Accuracy comparisons of various data mining-based IDS Models

6. Conclusion
In this paper, I have described an overview of some of the current and past intrusion detection technologies which are being utilized for the detection of intrusive activities against computer systems or networks. The intrusion classifier based on multiple attribute selection algorithms has been proposed in this paper. The new system has six combinations with different representative attribute selection algorithms and different classification algorithms. Through comparing classification performance and real time, the advantage or disadvantage of different combinations comes out. This is of positive significance for deploying different algorithm combinations based on the concrete context. In the future, we will try to apply the intrusion classifier in the field of wireless sensor networks. Some core code of the intrusion classifier should be simplified. The classifier will be improved to be the next module of the lightweight detection.

Acknowledgements
I would like to extend my sincere thanks and gratefulness to our college staff members of DB Jain College, Chennai, India for their kind help, moral support and guidance in preparing this article.

References
[1] M Bahrololum, M Khaleghi. Anomaly Intrusion Detection System Using Hierarchical Gaussian Mixture Model. IJCSNS International Journal of Computer Science and Network Security. 2008; 8(8).
[2] Jiankun Hu, Xinghuo. A Simple and Efficient Hidden Markov Model Scheme for Host-Based Anomaly Intrusion Detection. IEEE Network Journal. 2009; 23(10).
[3] R Nakkeeran, T. Aruldoss Albert and R. Ezumalai. Agent Based Efficient Anomaly Intrusion Detection System in Ad-hoc networks. IACSIT International Journal of Engineering and Technology. 2010; 2(1).
[4] Jiong Zhang, Mohammad Zulkernine. Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection. IEEE International Conference on Communications. 2006.
[5] Ahmed Awad E. Ahmed, Issa Traore. Anomaly Intrusion Detection based on Biometrics. IEEE Workshop on Information Assurance. 2005.
[6] Vijay Bhuse, Ajay Gupta. Anomaly Intrusion Detection in Wireless Sensor Networks. ACM Journal of High Speed Networks, 2006.
[7] Hossein M Shirazi. Anomaly Intrusion Detection System Using Information Theory, K-NN and KMC Algorithms. Australian Journal of Basic and Applied Sciences. 2009; 3(3): 2581-2597.
[8] Dayu Yang, Alexander Usynin, J Wesley Hines. Anomaly-Based Intrusion Detection for SCADA Systems. IAEA Technical Meeting on Cyber Security of NPP I&C and Information systems, Idaho Fall, ID. 2006
[Figure 4 chart: y-axis Accuracy (%), x-axis IDS's Model; title: Accuracy comparisons of various data mining-based IDS Models]
[9]
M T
hangave
l
, Dr P T
hangar
a
j
, K Sarav
ana
n
.
Defend
ag
ai
n
s
t Anomal
y I
n
trusio
n Det
e
ctio
n usi
ng SW
T
Mechanism.
IACSIT.
2010.
[10]
Miao W
a
ng, C
hen
g Z
h
a
ng, Ji
ngji
ng.
N
a
tive
API Based W
i
n
dow
s Ano
m
a
l
y
Intrusion
Dete
ction Meth
o
d
Using
SVM
. IEEE International Conferenc
e on Sens
or
Net
w
orks, Ub
iquitous, and
T
r
ust
w
ort
h
y
Comp
uting. 2
0
06.
[11]
Manik
opo
ul
os C, Papav
assil
i
ou S. Net
w
o
r
k In
trusion
an
d F
ault D
e
tection: A Statisti
cal An
omal
y
Appro
a
ch
. IEEE Communication
s. 200
2.
[12]
Je
yanth
i
Hal
l
, Michel Bar
b
eau, Eva
nge
lo
sKranak
is.
Usi
ng Mob
ility P
r
ofiles for An
omaly-b
a
se
d
Intrusion D
e
tec
t
ion in Mo
bil
e
Netw
orks
. IEEE Confere
n
ce.
200
5.
[13]
Hazem M El-B
akr
y
, N
i
kos Ma
storakisA. Re
al
-T
im
e Intrusion Detectio
n Alg
o
rithm for Net
w
ork Securit
y
.
WSEAS Transactions on comm
unic
ations
. 2
008; 12(
7).
[14]
Deb
a
r H,
Daci
er M, Wespi
A
.
A Rev
i
sed
Taxo
n
o
m
y
of I
n
trusion-D
e
tecti
on S
y
stems.
Anna
les
de
s
T
e
lecommunic
a
tions. 20
00; 5
5
(7–
8
): 361
–37
8
[15]
Alle
n J, Christie A, F
i
then W
,
McHug
h
J, Pickel J, Stoner E. State of
the practice of intrus
ion d
e
tectio
n
techno
lo
gies. T
e
chnical Re
port
CMU/SEI
-99T
R-
028, Carn
egi
e-Mel
l
o
n
U
n
ivers
i
t
y
-
Soft
w
a
r
e
Engi
neer
in
g Institute. 2000.
[16]
Roesc
h
M
. Sn
ort - Li
ghtw
e
ig
ht Intrusio
n D
e
tection for
Net
w
orks
. 13th U
SENIX
Co
nfer
ence
on
S
y
ste
m
Administr
a
tion,
USENIX Asso
ciatio
n. 199
9; 229–
23
8.
[17]
Sourcefir
e
: Snort Net
w
o
r
k Intrusio
n Detect
io
n S
y
stem
w
e
b
site. URL http://
w
w
w
.
s
nort.org
. 1999.
[18]
W
ang K, Stolf
o
SJ. Anom
al
ous Pa
yl
o
ad-B
a
s
ed
Net
w
o
r
k
Intrusion
Det
e
ction.
7th S
y
mposi
u
m o
n
Rece
nt Advanc
es in Intrusio
n Detectio
n, Volu
me 322
4 of LN
CS,
Spring
er-V
erla
g.
200
4; 20
3–2
22.
[19]
Bolzo
n
i D, Z
a
mbon E,
Etall
e
S, Hartel P.
POSEIDON:
a 2-tier An
omaly bas
ed N
e
tw
ork Intrusi
o
n
Detection System
. IEEE Inter
natio
nal Works
hop
on Inform
at
ion Ass
u
ranc
e, IEEE Comp
uter Soci
e
t
y
Press. 2006; 1
44– 1
56.
[20]
B Pfahring
e
r. W
i
nnin
g
the K
DD99 C
l
ass
i
fic
a
ti
on C
up: Bag
ged Bo
ostin
g
. SIGKDD Exp
l
o
r
ations. 20
00.
[21]
I Levin. KDD-9
9
Classifi
er Le
arni
ng Co
ntest: LL Soft
‟
s Results Overvie
w
.
SIGKDD Exp
l
o
r
ations. 20
00.
[22]
V Miheev, Vopilov A, Shaba
lin.I. T
he MP13 Appr
oach to the KDD
‟
9
9
Classifi
er L
ear
nin
g
C
ontest
.
SIGKDD Explo
r
ations
. 20
00.
[23]
Y F
r
eund, Schap
ire R.
Experi
m
e
n
ts w
i
th a new
boo
sting al
gorith
m
. T
h
irteenth
Internation
a
l
Confer
ence
on
Machin
e Le
arnin
g
, Ital
y
. 19
9
6
.
[24]
Q Yang,
Li, F
.
Supp
ort Vect
or Mac
h
in
e fo
r
Intrusio
n D
e
t
e
ction
Bas
ed
on
LSI F
eatur
e Se
lectio
n
.
Intelli
gent C
ont
rol an
d Automa
tion, W
C
ICA. 2006.
[25]
JC Platt. Sequential m
i
nim
a
l
optimization:
A fast algor
ithm for
training support v
e
ct
or mac
h
ines.
Advanc
es in K
e
rne
l
Metho
d
: Supp
ort Vector
Learn
i
ng
. 19
98
.
[26]
FE Osuna R, Girosi F. Imp
r
oved trai
nin
g
alg
o
rithm for supp
ort vector machi
nes. IEEE NNSP
‟
97
,
199
7.
[27]
Y Yao, We
i Y,
Gao, FX, Y
u
G
.
Anoma
l
y Intr
u
s
ion Detecti
on Appro
a
ch Usin
g
H
y
br
id
M
L
P/
CNN Neur
a
l
Net
w
ork. Si
xth
Internation
a
l
Confer
ence o
n
Inte
llig
ent S
y
stems Design
and Ap
plic
atio
ns (ISDA'06)
W
a
shin
gton, D
C
, USA 2006.
[28]
A Z
a
knic. Introducti
on to th
e modifi
ed pr
oba
bil
i
stic ne
u
r
al net
w
o
rk for gener
al sig
n
a
l proc
essin
g
app
licati
ons.
IEEE Transactions on Signal Processing
. 19
98
; 46.
[29]
DF
Specht. Proba
bil
i
stic Neu
r
al Net
w
ork. Int
e
r
nati
ona
l Jour
nal of Ne
ural
N
e
t
w
o
r
ks. 199
0; 3: 109-1
18
[30]
L Kha
n
, M A
w
ad, B T
huraisi
ngh
am. A ne
w intrus
i
on
dete
c
tion s
y
stem u
s
ing s
upp
ort v
e
ctor mach
ine
s
and h
i
erarc
h
ic
al cluster
i
ng
. T
he Internati
o
n
a
l
Journ
a
l on V
e
ry Large D
a
ta Bases
. 200
7; 1
5
(4).
[31]
Min Yan
g
, Da-
pen
g Ch
en,
Xi
ao-So
ng Z
h
a
n
g
. Anoma
l
y
De
tection Bas
ed
On Conti
guo
us
Exp
e
rt Votin
g
Algorit
hm.
IEEE
. 2009.
[32]
Vasilis
A S
o
tiri
s, Peter W T
s
e, Mich
ael
G
Pecht. Anom
al
y
Detecti
on T
h
roug
h a
Ba
ye
s
i
an
Sup
por
t
Vector Machine.
IEEE Transactions on R
e
li
a
b
ility.
20
10.
[33]
Z
heng
ho
ng
Xi
ao,
Chu
l
i
ng Li
u, Chaoti
an C
hen.
An An
o
m
aly Detecti
on
Sche
me Bas
e
d on Mac
h
in
e
Lear
nin
g
for W
S
N
. IEEE Internatio
nal C
onfer
ence o
n
Info
rm
ation Sci
enc
e and En
gi
neer
in
g. 2009.
[34]
Yunl
u Gong, M
abu S, Ci C
h
e
n
,
Yifei W
ang,
Hirasa
w
a
K. Intrusio
n det
ecti
o
n
s
y
stem com
b
inin
g misus
e
detectio
n
an
d anom
al
y det
ection us
ing Ge
ne
tic Net
w
o
r
k Pro
g
rammin
g
. ICC
AS-SICE. 2009
.
[35] Li-li Liu and Yuan Liu. MQPSO Based on Wavelet Neural Network for Network Anomaly Detection. 5th International Conference on Wireless Communications, Networking and Mobile Computing. 2009.
[36] Jian Xu, Jing You, Fengyu Liu. A fuzzy rules based approach for performance anomaly detection. IEEE. 2005.
[37] D Dasgupta. Artificial Immune Systems and Their Applications. Springer. 1999.
[38] SA Hofmeyr, S Forrest. Architecture for an artificial immune system. IEEE Trans. on Evolutionary Computation. 2000; 8(N4): 443-473.
[39] Sokolov AM. Int. Res. & Training Center of Informational Technol. & Syst., Kiev, Ukraine, Proceedings of the International Joint Conference on Neural Networks. 2003.
[40] E Hart, P Ross, J Nelson. Producing robust schedules via an artificial immune system. IEEE International Conference on Evolutionary Computing. 1998; 464-469.
[41] D Dasgupta. An artificial immune system as a multiagent decision support system. IEEE International Conference on Systems, Man and Cybernetics. 1998: 3816-3820.
[42] A Gardner, A Krieger, G Vachtsevanos, B Litt. One-class novelty detection for seizure analysis from intracranial EEG. J. Machine Learning Research (JMLR). 2006; 7: 1025–1044.
[43] D Barbará, C Domeniconi, J Rogers. Detecting outliers using transduction and statistical testing. ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD). Philadelphia, PA. 2003.
[44] J Ma, S Perkins. Online novelty detection on temporal sequences. ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD), Washington, DC. 2003.
[45] A Ihler, J Hutchins, P Smyth. Adaptive event detection with time-varying Poisson processes. ACM SIGKDD Int. Conf. on Knowledge Discovery and Data Mining (KDD), Philadelphia, PA. 2006.
[46] A Munoz and J Moguerza. Estimation of high-density regions using one-class neighbor machines. IEEE Transactions on Pattern Analysis and Machine Intelligence. 2006; 28(3): 476–480.
[47] LN de Castro, FJ Von Zuben. Learning and Optimization Using the Clonal Selection Principle. IEEE Transactions on Evolutionary Computation. 2002; 6(3): 239-251.
[48] Jeyanthi Hall, Michel Barbeau, Evangelos Kranakis. Anomaly-based intrusion detection using mobility profiles of public transportation users. IEEE Wireless and Mobile Computing, Networking and Communications. 2005.
[49] Ramkumar Chinchani, Aarthie Muthukrishnan, Madhusudhanan Chandrasekaran, Shambhu Upadhyaya. RACOON: Rapidly Generating User Command Data for Anomaly Detection from Customizable Templates. 20th Conference of IEEE Computer Society. 2004.
[50] Wei Wang, Xiaohong Guan, Xiangliang Zhang. Profiling program and user behaviors for anomaly intrusion detection based on non-negative matrix factorization. 43rd IEEE Conference on Decision and Control. 2004; 1: 99-104.
[51] TichPhuoc Tran, Pohsiang Tsai, Tony Jan. A Multi-expert Classification Framework with Transferable Voting for Intrusion Detection. Seventh International Conference on Machine Learning and Applications Publisher. IEEE Computer Society. 2008.
[52] Anderson D, Frivold T, Valdes A. Next-generation Intrusion Detection Expert System (NIDES). 1995.
[53] Cramer M, et al. New Methods of Intrusion Detection using Control-Loop Measurement. Proceedings of the Technology in Information Security Conference (TISC). 1995: 1-10.
[54] Debar H, Becke M, Siboni D. A Neural Network Component for an Intrusion Detection System. Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy. 1992.
[55] Debar H, Dorizzi B. An Application Recurrent Network to an Intrusion Detection System. In Proceedings of the International Joint Conference on Neural Networks. 1992; (11): 478-483.
[56] Denning, Dorothy. An Intrusion-Detection Model. IEEE Transactions on Software Engineering. 1987; SE-13(2).
[57] Fox, Kevin L, Henning, Rhonda R, Reed, Jonathan H. A Neural Network Approach towards Intrusion Detection. In Proceedings of the 13th National Computer Security Conference. 1990.
[58] Frank, Jeremy. Artificial Intelligence and Intrusion Detection: Current and Future Directions. Proceedings of the 17th National Computer Security Conference. 1994.
[59] Helman P, Liepins G. Statistical foundations of audit trail analysis for the detection of computer misuse. IEEE Trans. on Software Engineering. 1993; 19(9): 886-901.
[60] Kumar S, Spafford E. A Pattern Matching Model for Misuse Intrusion Detection. Proceedings of the 17th National Computer Security Conference. 1994; 11-21.
[61] Kumar S, Spafford E. Software Architecture to Support Misuse Intrusion Detection. Department of Computer Sciences, Purdue University; CSD-TR-95-009.
[62] Lunt TF. Real-Time Intrusion Detection. Computer Security Journal. 1989; VI: 9-14.
[63] Ryan J, Lin, M, Miikkulainen R. Intrusion Detection with Neural Networks. AI Approaches to Fraud Detection and Risk Management: AAAI Workshop (Providence, Rhode Island). 1997; 72-79.
[64] Sebring M, Shellhouse E, Hanna M, Whitehurst R. Expert Systems in Intrusion Detection: Stanford-Chen, S. Using Thumbprints to Trace Intruders. UC Davis. 1988.
[65] Tan K. The Application of Neural Networks to UNIX Computer Security. Proceedings of the IEEE International Conference on Neural Networks. 1995; 476-481.