Theoretical Foundation of Detection

  • Ali A. Ghorbani
  • Wei Lu
  • Mahbod Tavallaee
Part of the Advances in Information Security book series (ADIS, volume 47)


We have seen in previous chapters that both misuse detection and anomaly detection rely on statistical models of the two classes: normal and intrusion. To obtain these models, we can apply two approaches: manual definition and machine learning. Manual definition is usually used by signature-based detection, in which knowledge about the characteristics of known attacks is modeled manually. However, this approach is time-consuming and can only be performed by experienced experts, leading to high development and signature updating costs. Alternatively, machine learning can construct the required models automatically from given training data. A motivation for this approach is that the necessary training data is already available, or that it can at least be acquired more easily than the model can be defined manually. With the growing complexity and number of different attacks, machine learning techniques that allow building and maintaining anomaly detection systems (ADSs) with less human intervention seem to be the only feasible approach for realizing next-generation IDSs.


Keywords: Support Vector Machine; Association Rule; False Alarm Rate; Intrusion Detection; Anomaly Detection
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag US 2010

Authors and Affiliations

  1. University of New Brunswick, Fredericton, Canada
