An Incremental-Learning Method for Supervised Anomaly Detection by Cascading Service Classifier and ITI Decision Tree Methods

  • Wei-Yi Yu
  • Hahn-Ming Lee
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5477)


This paper proposes "SC+ITI", an incremental learning method that cascades the Service Classifier and ITI (incremental tree inducer) methods for supervised anomaly detection, to classify anomalous and normal instances in a computer network. Because the ITI method cannot handle new instances with a new service value, the SC+ITI cascading method is proposed to avoid this. The SC+ITI cascading method has two steps. First, the Service Classifier method partitions the training instances into n service clusters according to their service value. Second, to avoid handling instances with a new service value, the ITI method is trained with the instances that have the same service value in the cluster. In 2007, Gaddam et al. presented the K-Means+ID3 cascading method, which mitigates two problems: 1) the Forced Assignment problem and 2) the Class Dominance problem. Their method with the Nearest Neighbor (NN) combination rule outperforms the other three methods (i.e., K-Means, ID3 and K-Means+ID3 with the Nearest Consensus rule) over the 1998 MIT-DARPA data set. Since the KDD'99 data set was also extracted from the 1998 MIT-DARPA data set, the Nearest Neighbor combination rule is used within the K-Means+ITI and SOM+ITI cascading methods in our experiments. We compare the performance of SC+ITI with the K-Means, SOM, ITI, K-Means+ITI and SOM+ITI methods in terms of the Detection Rate and False Positive Rate (FPR) over the KDD'99 data set. The results show that the ITI method performs better than the K-Means, SOM, K-Means+ITI and SOM+ITI methods in terms of the overall Detection Rate. Our method, the Service Classifier and ITI cascading method, outperforms the ITI method in terms of the Detection Rate and FPR and shows a better Detection Rate than the other methods. Like the ITI method, our method also provides the additional options of handling missing-value data and incremental learning.
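The two steps described above, as an added Python example that is not the paper's code: instances are routed by service value, each service cluster has its own incrementally updated learner, and Detection Rate and FPR are computed on labelled test instances. Assumptions: `RunningCentroid` is a simple stand-in for ITI (no tree inducer is implemented here), the two features and all sample records are constructed, and returning `None` for a service with no trained model is a choice made for this example.

```python
from collections import defaultdict

class RunningCentroid:
    """Stand-in incremental learner (assumption, NOT ITI): per-class running means."""
    def __init__(self):
        self.count = defaultdict(int)
        self.mean = {}

    def learn(self, x, label):
        self.count[label] += 1
        m = self.mean.setdefault(label, [0.0] * len(x))
        for i, v in enumerate(x):
            m[i] += (v - m[i]) / self.count[label]  # update mean without old data

    def predict(self, x):
        def dist(c):
            return sum((a - b) ** 2 for a, b in zip(x, self.mean[c]))
        return min(self.mean, key=dist)

class ServiceCascade:
    """Step 1: route by service value. Step 2: one learner per service cluster."""
    def __init__(self, make_learner=RunningCentroid):
        self.make_learner = make_learner
        self.models = {}

    def learn(self, service, x, label):
        # A service value not seen before opens a new cluster with its own learner.
        self.models.setdefault(service, self.make_learner()).learn(x, label)

    def predict(self, service, x):
        model = self.models.get(service)
        # Assumption: a service with no trained model gets no verdict.
        return model.predict(x) if model is not None else None

def rates(cascade, test):
    """Return (Detection Rate, False Positive Rate) over labelled test instances."""
    flagged = {"anomaly": [], "normal": []}
    for service, x, label in test:
        flagged[label].append(cascade.predict(service, x) == "anomaly")
    return (sum(flagged["anomaly"]) / len(flagged["anomaly"]),
            sum(flagged["normal"]) / len(flagged["normal"]))

# Constructed sample records: (service, [duration, src_bytes], label)
TRAIN = [("http", [1.0, 200.0], "normal"), ("http", [2.0, 250.0], "normal"),
         ("http", [0.0, 9000.0], "anomaly"), ("smtp", [5.0, 9000.0], "normal"),
         ("smtp", [6.0, 8000.0], "normal"), ("smtp", [0.0, 100.0], "anomaly")]

def build(train=TRAIN):
    cascade = ServiceCascade()
    for service, x, label in train:
        cascade.learn(service, x, label)
    return cascade
```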


anomaly detection system (ADS); K-Means clustering; Kohonen's self-organizing maps (SOM); ITI (incremental tree inducer); KDD'99




  1. Fawcett, T.: An introduction to ROC analysis. Pattern Recognition Letters 27(8), 861–874 (2006)
  2. Fayyad, U.M., Irani, K.B.: On the handling of continuous-valued attributes in decision tree generation. Machine Learning 8(1), 87–102 (1992)
  3. Gaddam, S.R., Phoha, V.V., Balagani, K.S.: K-Means+ID3: A novel method for supervised anomaly detection by cascading k-Means clustering and ID3 decision tree learning methods. IEEE Transactions on Knowledge and Data Engineering 19(3), 345–354
  4. Hartigan, J.A., Wong, M.A.: A K-Means clustering algorithm. Applied Statistics 28(1), 100–108 (1979)
  5. Kohonen, T.: The self-organizing map. Neurocomputing 21(1-3), 1–6 (1998)
  6. Lee, W., Stolfo, S.J., Mok, K.W.: Adaptive Intrusion Detection: A Data Mining Approach. Artificial Intelligence Review 14(6), 533–567 (2000)
  7. McHugh, J.: Testing intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security 3(4), 262–294 (2000)
  8. Quinlan, J.R.: Induction of decision trees. Machine Learning 1(1), 81–106 (1986)
  9. Sarasamma, S.T., Zhu, Q.A.: Min-Max Hyperellipsoidal Clustering for Anomaly Detection in Network Security. IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics 36(4), 887–901 (2006)
  10. Utgoff, P.E., Berkman, N.C., Clouse, J.A.: Decision Tree Induction Based on Efficient Tree Restructuring. Machine Learning 29, 5–44 (1997)
  11. Kohonen, T., Hynninen, J., Kangas, J., Laaksonen, J.: SOM_PAK: The Self-Organizing Map Program Package,
  12. Stolfo, S., et al.: The Third International Knowledge Discovery and Data Mining Tools Competition (2002),

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Wei-Yi Yu (1)
  • Hahn-Ming Lee (1)
  1. Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, Taipei, Taiwan R.O.C.
