Combining Genetic-Based Misuse and Anomaly Detection for Reliably Detecting Intrusions in Computer Networks

  • I. Finizio
  • C. Mazzariello
  • C. Sansone
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3617)


When addressing the problem of detecting malicious activities within network traffic, one of the main concerns is the reliability of the packet classification. Furthermore, a system able to detect so-called zero-day attacks is desirable. Pattern recognition techniques have proven their generalization ability in detecting intrusions, and systems based on multiple classifiers can improve detection reliability by combining and correlating the results obtained by different classifiers.

In this paper we present a system that exploits genetic algorithms to build both a misuse-based and an anomaly-based classifier. By suitably combining the results of the two techniques, we aim at a highly reliable classification system that still retains a significant ability to predict new attacks. In order to improve classification reliability, we introduce the concept of rejection: instead of emitting an unreliable verdict, an ambiguous packet can be logged for further analysis. Tests of the proposed system on a standard database for benchmarking intrusion detection systems are also reported.
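The misuse/anomaly combination with a reject option described above, as an added illustration that is not the paper's own code: the combination rule, the thresholds and the sample packets are assumptions made here, and the evaluation shows the trade-off a practitioner cares about, error rate on accepted packets against the share of packets deferred to an analyst.

```python
from typing import List, Optional, Tuple

REJECT = "reject"           # ambiguous packet: log it for further analysis instead of guessing
UNKNOWN = "unknown-attack"  # anomaly detector fires but no misuse rule matches (zero-day candidate)


def combine(misuse: Optional[str], anomaly_score: float,
            threshold: float = 0.5, margin: float = 0.15) -> str:
    """Assumed combination rule (not the paper's): `misuse` is the attack class
    returned by the misuse-based classifier (None if no rule fired), `anomaly_score`
    the anomaly-based classifier's score in [0, 1]. A verdict is emitted only when
    both classifiers agree and the anomaly score is far from its threshold."""
    anomalous = anomaly_score >= threshold
    borderline = abs(anomaly_score - threshold) < margin
    if borderline:
        return REJECT                      # the anomaly classifier itself is unsure
    if misuse is not None and anomalous:
        return misuse                      # both classifiers flag a known attack
    if misuse is None and not anomalous:
        return "normal"                    # both classifiers see benign traffic
    if misuse is None and anomalous:
        return UNKNOWN                     # only the anomaly detector fires
    return REJECT                          # misuse rule fired on traffic that looks normal


# Constructed sample packets: (misuse verdict, anomaly score, ground truth label)
SAMPLES: List[Tuple[Optional[str], float, str]] = [
    ("dos", 0.90, "dos"),
    (None, 0.10, "normal"),
    (None, 0.95, "probe"),
    ("r2l", 0.20, "normal"),
    (None, 0.55, "normal"),
    (None, 0.30, "u2r"),
]


def evaluate(samples) -> Tuple[float, float]:
    """Return (error rate among accepted packets, reject rate over all packets)."""
    accepted = errors = rejected = 0
    for misuse, score, truth in samples:
        verdict = combine(misuse, score)
        if verdict == REJECT:
            rejected += 1
            continue
        accepted += 1
        # an "unknown-attack" verdict counts as correct for any non-normal packet
        correct = verdict == truth or (verdict == UNKNOWN and truth != "normal")
        errors += 0 if correct else 1
    return errors / accepted if accepted else 0.0, rejected / len(samples)
```

Widening `margin` lowers the error rate on accepted packets at the cost of a higher reject rate, which is the tuning knob the rejection concept introduces.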





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • I. Finizio (1)
  • C. Mazzariello (1)
  • C. Sansone (1)
  1. Dipartimento di Informatica e Sistemistica, Università degli Studi di Napoli “Federico II”, Napoli, Italy
