Bridging the Semantic Gap: Human Factors in Anomaly-Based Intrusion Detection Systems

Richard Harang
Part of the Advances in Information Security book series (ADIS, volume 55)


Anomaly-based intrusion detection has been pursued as an alternative to standard signature-based methods since the seminal work of Denning in 1987 [34]. Despite the length of time for which it has been studied, the high level of activity in this area, and the remarkable success of machine learning techniques in other domains, anomaly-based IDSs remain rarely used in practice, and none enjoys the widespread adoption of misuse detectors such as Bro [4] and Snort [3]. We examine a potential cause of this observation, the “semantic gap” identified by Sommer and Paxson in 2010 [1], in some detail, with reference to several common building blocks of anomaly-based intrusion detection systems. Finally, we revisit tree-based structures for rule construction similar to those first discussed by Vaccaro and Liepins in 1989 [33] in light of modern results in ensemble learning, and suggest how such constructions could be used to generate anomaly-based intrusion detection systems that retain acceptable detection performance while producing output that is more actionable for human analysts.
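The kind of tree-based, ensemble-style construction the abstract alludes to can be illustrated with a small added example. It is not code from the chapter: it is an isolation-tree scorer in the style of Liu et al. [31] that, besides an anomaly score, returns the split conditions that isolated a record, which is the analyst-readable output the abstract argues for. The feature names, the connection records and the two planted outliers are constructed for the example and are not from any real capture.

```python
"""Isolation-tree anomaly scoring that also reports the split conditions that
isolated a record, so the analyst sees why a connection was flagged and not
only a score. Pure Python; no third-party dependencies."""
import math
import random

# Hypothetical per-connection features (names are assumptions for this example).
FEATURES = ("bytes_out", "duration_s", "dst_ports")


def constructed_connections(seed=7, n_normal=200):
    """Constructed data, not a real capture: ordinary client sessions plus two
    hand-made outliers, a bulk upload and a port scan."""
    rng = random.Random(seed)
    normal = [(abs(rng.gauss(5000.0, 800.0)),   # bytes sent
               abs(rng.gauss(2.0, 0.5)),        # session length in seconds
               float(rng.randint(1, 3)))        # distinct destination ports
              for _ in range(n_normal)]
    anomalies = [(5_000_000.0, 2.1, 1.0),   # bulk upload: bytes_out far outside range
                 (4800.0, 1.9, 200.0)]      # port scan: dst_ports far outside range
    return normal, anomalies


class Node:
    __slots__ = ("feature", "threshold", "left", "right", "size")

    def __init__(self, size, feature=None, threshold=None, left=None, right=None):
        self.size, self.feature, self.threshold = size, feature, threshold
        self.left, self.right = left, right


def build_tree(rows, rng, depth, max_depth):
    """Random axis-aligned partitioning: pick a feature, split at a uniform
    random value between its min and max, recurse until isolated or depth-limited."""
    if depth >= max_depth or len(rows) <= 1:
        return Node(len(rows))
    f = rng.randrange(len(FEATURES))
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if lo == hi:
        return Node(len(rows))
    t = rng.uniform(lo, hi)
    left = [r for r in rows if r[f] < t]
    right = [r for r in rows if r[f] >= t]
    return Node(len(rows), f, t,
                build_tree(left, rng, depth + 1, max_depth),
                build_tree(right, rng, depth + 1, max_depth))


def c(n):
    """Average path length of an unsuccessful BST search on n points; the
    normalising constant used by Liu et al."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


def trace(node, x, depth=0, conds=None):
    """Follow x down one tree; return (adjusted path length, list of conditions)."""
    conds = [] if conds is None else conds
    if node.feature is None:
        return depth + c(node.size), conds
    name = FEATURES[node.feature]
    if x[node.feature] < node.threshold:
        conds.append(f"{name} < {node.threshold:.1f}")
        return trace(node.left, x, depth + 1, conds)
    conds.append(f"{name} >= {node.threshold:.1f}")
    return trace(node.right, x, depth + 1, conds)


class IsolationForest:
    def __init__(self, rows, n_trees=100, sample_size=None, seed=0):
        rng = random.Random(seed)
        # Liu et al. subsample (e.g. 256 rows per tree); this small constructed
        # set is used whole by default so every tree sees every record.
        self.n = min(sample_size or len(rows), len(rows))
        max_depth = math.ceil(math.log2(self.n))
        self.trees = [build_tree(rng.sample(rows, self.n), rng, 0, max_depth)
                      for _ in range(n_trees)]

    def score(self, x):
        """Anomaly score in (0, 1]; values near 1 mean x was isolated quickly."""
        mean_depth = sum(trace(t, x)[0] for t in self.trees) / len(self.trees)
        return 2.0 ** (-mean_depth / c(self.n))

    def explain(self, x):
        """Shortest isolating path as a readable rule, plus a tally of which
        feature carried the final split on x's path in each tree."""
        best_depth, best_conds = math.inf, []
        votes = {name: 0 for name in FEATURES}
        for t in self.trees:
            depth, conds = trace(t, x)
            if conds:
                votes[conds[-1].split()[0]] += 1
            if depth < best_depth:
                best_depth, best_conds = depth, conds
        return " AND ".join(best_conds), votes


if __name__ == "__main__":
    normal, anomalies = constructed_connections()
    forest = IsolationForest(normal + anomalies)
    cutoff = max(forest.score(x) for x in normal)
    for x in anomalies:
        rule, votes = forest.explain(x)
        print(f"score={forest.score(x):.2f} (max normal {cutoff:.2f})  rule: {rule}  votes: {votes}")
```

The score alone is the output a conventional anomaly detector would hand to an analyst; the rule string and the per-feature tally are what narrow the semantic gap, because "dst_ports >= 3.9" names the behaviour that made the record stand out and can be checked, or turned into a misuse signature, without re-running the model.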




References

1. R. Sommer, V. Paxson, Outside the closed world: on using machine learning for network intrusion detection, in 2010 IEEE Symposium on Security and Privacy (SP), 2010
2. P. Laskov, P. Düssel, C. Schäfer, K. Rieck, Learning intrusion detection: supervised or unsupervised?, ed. by F. Roli, S. Vitulano (Springer, Berlin, 2005), pp. 50–57
3. M. Roesch, Snort – lightweight intrusion detection for networks, in Proceedings of the 13th USENIX Conference on System Administration, 1999, pp. 229–238
4. V. Paxson, Bro: a system for detecting network intruders in real time. Comput. Netw. 31(23–24), 2435–2463 (1999)
5. J. Long, D. Schwartz, S. Stoecklin, Distinguishing false from true alerts in Snort by data mining patterns of alerts, in Proceedings of 2006 SPIE Defense and Security Symposium, 2006
6. M. Sato, H. Yamaki, H. Takakura, Unknown attacks detection using feature extraction from anomaly-based IDS alerts, in 2012 IEEE/IPSJ 12th International Symposium on Applications and the Internet (SAINT), 2012
7. Y. Song, M.E. Locasto, A. Stavrou, A.D. Keromytis, S.J. Stolfo, On the infeasibility of modeling polymorphic shellcode – Re-thinking…, Mach. Learn., 2009
8. H. Debar, M. Dacier, A. Wespi, Towards a taxonomy of intrusion-detection systems. Comput. Netw. 31(8), 805–822 (1999)
9. O. Depren, M. Topallar, E. Anarim, M.K. Ciliz, An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks. Expert Syst. Appl. 29(4), 713–722 (2005)
10. J. Zhang, M. Zulkernine, A. Haque, Random-forests-based network intrusion detection systems. IEEE Trans. Syst. Man Cybern. C Appl. Rev. 38(5), 649–659 (2008)
11. N. Abe, B. Zadrozny, J. Langford, Outlier detection by active learning, in Proceedings of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, New York, 2006
12. S. Axelsson, The base-rate fallacy and the difficulty of intrusion detection. ACM Trans. Inf. Syst. Secur. 3(3), 186–205 (2000)
13. A. Koufakou, E.G. Ortiz, M. Georgiopoulos, G.C. Anagnostopoulos, K.M. Reynolds, A scalable and efficient outlier detection strategy for categorical data, in 19th IEEE International Conference on Tools with Artificial Intelligence (ICTAI 2007), 2007
14. M.E. Otey, A. Ghoting, S. Parthasarathy, Fast distributed outlier detection in mixed-attribute data sets. Data Min. Knowl. Discov. 12(2–3), 203–228 (2006)
15. X. Song, M. Wu, C. Jermaine, S. Ranka, Conditional anomaly detection. IEEE Trans. Knowl. Data Eng. 19(5), 631–645 (2007)
16. C. Cortes, V. Vapnik, Support-vector networks. Mach. Learn. 20(3), 273–297 (1995)
17. K. Wang, S. Stolfo, One-class training for masquerade detection, in Workshop on Data Mining for Computer Security, 2003
18. R. Perdisci, G. Gu, W. Lee, Using an ensemble of one-class SVM classifiers to harden payload-based anomaly detection systems, in Sixth International Conference on Data Mining (ICDM’06), 2006
19. S. Mukkamala, G. Janoski, A. Sung, Intrusion detection using neural networks and support vector machines, in Proceedings of the 2002 International Joint Conference on Neural Networks, 2002
20. J. Weston, C. Watkins, Multi-class support vector machines. Technical Report CSD-TR-98-04, Department of Computer Science, Royal Holloway, University of London, 1998
21. R. Chen, K. Cheng, Y. Chen, C. Hsieh, Using rough set and support vector machine for network intrusion detection system, in First Asian Conference on Intelligent Information and Database Systems, 2009
22. T. Shon, Y. Kim, C. Lee, J. Moon, A machine learning framework for network anomaly detection using SVM and GA, in Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop (IAW’05), 2005
23. K. Wang, S. Stolfo, Anomalous payload-based network intrusion detection, in Recent Advances in Intrusion Detection, 2004
24. B. Sangster, T. O’Connor, T. Cook, R. Fanelli, E. Dean, J. Adams, C. Morrell, G. Conti, Toward instrumenting network warfare competitions to generate labeled datasets, in USENIX Workshop on Cyber Security Experimentation and Test (CSET), 2009
25. F. Pedregosa, G. Varoquaux, A. Gramfort, V. Michel, B. Thirion, O. Grisel, M. Blondel, P. Prettenhofer, R. Weiss, V. Dubourg, J. Vanderplas, A. Passos, D. Cournapeau, M. Brucher, M. Perrot, E. Duchesnay, Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, 2825–2830 (2011)
26. P. Biondi, Scapy: a powerful interactive packet manipulation program, 2011
27. V. Frias-Martinez, J. Sherrick, S.J. Stolfo, A.D. Keromytis, A network access control mechanism based on behavior profiles, in Annual Computer Security Applications Conference (ACSAC’09), 2009
28. L. Breiman, Random forests. Mach. Learn. 45(1), 5–32 (2001)
29. A. Criminisi, J. Shotton, E. Konukoglu, Decision forests for classification, regression, density estimation, manifold learning and semi-supervised learning. Microsoft Technical Report, 2011
30. D.S. Kim, S.M. Lee, J.S. Park, Building lightweight intrusion detection system based on random forest, ed. by J. Wang, Z. Yi, J.M. Zurada, B. Lu, H. Yin (Springer, Berlin, 2006), pp. 224–230
31. F.T. Liu, K.M. Ting, Z.-H. Zhou, Isolation-based anomaly detection. ACM Trans. Knowl. Discov. Data 6(1), 3:1–3:39 (2012)
32. S.C. Tan, K.M. Ting, T.F. Liu, Fast anomaly detection for streaming data, in Proceedings of the Twenty-Second International Joint Conference on Artificial Intelligence, vol. 2, 2011
33. H.S. Vaccaro, G.E. Liepins, Detection of anomalous computer session activity, in Proceedings of the 1989 IEEE Symposium on Security and Privacy, 1989
34. D.E. Denning, An intrusion-detection model. IEEE Trans. Softw. Eng. 13(2), 222–232 (1987)
35. M. Mahoney, P. Chan, An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection, in Recent Advances in Intrusion Detection, 2003
36. J. McHugh, Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Trans. Inf. Syst. Secur. 3(4), 262–294 (2000)
37. T. Lunt, A. Tamaru, F. Gilham, R. Jagannathan, C. Jalali, P. Neumann, H. Javitz, A. Valdes, T. Garvey, A real-time intrusion-detection expert system (IDES). SRI International, Computer Science Laboratory, 1992
38. M. Molina, I. Paredes-Oliva, W. Routly, P. Barlet-Ros, Operational experiences with anomaly detection in backbone networks. Comput. Secur. 31(3), 273–285 (2012)
39. K.M. Tan, R.A. Maxion, “Why 6?” Defining the operational limits of stide, an anomaly-based intrusion detector, in Proceedings of the IEEE Symposium on Security and Privacy, 2001
40. L. Sassaman, M.L. Patterson, S. Bratus, A. Shubina, The halting problems of network stack insecurity, USENIX, 2011
41. Z. Zhou, Ensemble Methods: Foundations and Algorithms (Chapman & Hall, 2012)

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

1. ICF International, Washington, USA
