Fusion of Misuse Detection with Anomaly Detection Technique for Novel Hybrid Network Intrusion Detection System

  • Jamal Hussain
  • Samuel LalmuanawmaEmail author
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 555)


Intrusion detection system (IDS) was designed to monitor the abnormal activity occurring in the computer network system. Many researchers concentrate their efforts on designing different techniques to build reliable IDS. However, individual technique such as misuse and anomaly techniques alone failed to provide the best possible detection rate. In this paper, we proposed a new hybrid IDS model with feature selection that integrates misuse detection technique and anomaly detection technique based on a decision rule structure. The key idea was to take the advantage of naïve Bayes (NB) feature selection, misuse detection technique based on decision tree (DT), and anomaly detection based on one-class support vector machine (OCSVM). First, misuse detection is built using single DT algorithm where the training data get decomposed into multiple subsets with the help of decision rules. Then, anomaly detection models are created for each decomposed subset based on multiple OCSVM. In the proposed model, NB and DT can find the best-selected features to ameliorate the detection accuracy by obtaining decision rules for known normal and attack anomalies. Then, the OCSVM can detect new attacks that result in an improvement in the detection accuracy of classification. The proposed new hybrid model was evaluated based on the NSL-KDD data sets, which is an upgraded version of KDD99 data set developed by DARPA. Simulation results demonstrate that the proposed hybrid model outperforms conventional models in terms of time complexity and detection rate with the much lower rate of false positives.


Hybrid IDS Feature selection Naïve Bayes classifier Decision tree One-class SVM 


  1. 1.
    Lazarevic, A., Ertoz, L., Kumar, V., Ozgur, A., Srivastava, J. (2003). A comparative study of anomaly detection schemes in network intrusion detection. In Proceedings of the 3rd SIAM Conference on Data Mining.Google Scholar
  2. 2.
    Lee, J. H., Sohn, S. G., Chang, B. H., Chung, T. M. (2009). PKG-VUL: Security vulnerability evaluation and patch framework for package-based systems. ETRI Journal, 31(5), 554–564.Google Scholar
  3. 3.
    Beauquier, J., Hu, Y. (2008). Intrusion detection based on distance combination. International Journal of Computer Science, 2(3), 178–186.Google Scholar
  4. 4.
    Kim, G., Lee, S., Kim, S. (2014). A novel hybrid intrusion detection method integrating anomaly detection with misuse detection. Expert Systems with Applications, 41(4), 1690–1700.Google Scholar
  5. 5.
    Depren, O., Topallar, M., Anarim, E., Ciliz, M. K. (2005). An intelligent intrusion detection system for anomaly and misuse detection in computer networks. Expert Systems with Applications, 29(4), 713–722.Google Scholar
  6. 6.
    Luo, B., Xia, J. (2014). A novel intrusion detection system based on feature generation with visualization strategy. Expert System with Applications, 41, 4139–4147.Google Scholar
  7. 7.
    Lin, S. W., Lee, Z. J., Chen, S. C., Tseng, T. Y. (2008). Parameter determination of support vector machines and feature selection using simulated annealing approach. Applied Soft Computing, 8(4), 1505–1512.Google Scholar
  8. 8.
    Mukherjee, S., Sharma, N. (2012). Intrusion detection using Naïve Bayes classifier with feature reduction. Procedia Technology, 4, 119–128.Google Scholar
  9. 9.
    Lin, S. W., Ying, K. C., Lee, C. Y., Lee, Z. J. (2012). An intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection. Applied Soft Computing, 12(10), 3285–3290.Google Scholar
  10. 10.
    Wu, X., Kumar, V., Quinlan, J. R., Ghosh, J., Yang, A., Motoda, Y., McLachlan, G. J., Ng, A., Liu, B., Yu, P.S. (2008). Top 10 algorithms in data mining. Knowledge and Information System, 14(1), 1–37.Google Scholar
  11. 11.
    Yang, J., Olafsson, S. (2006). Optimization-based feature selection with adaptive instance sampling. Computer & Operation Research, 33(11), 3088–3106.Google Scholar
  12. 12.
    Tavallaee, M., Bagheri, E., Lu, W., Ghorbani, A.A. (2009). A detailed analysis of the KDD Cup data sets. In Prococeedings of the 2nd IEEE Symposium on computational intelligence in security and defense applications (pp. 53–58).Google Scholar
  13. 13.
  14. 14.
    Quinlan, J. R. (1986). Introduction of decision trees. Machine Learning, 1, 81–106.Google Scholar
  15. 15.
    Quinlan, J. R. (1987). Decision trees as probabilistic classifiers. In Proceedings of the 4th International Workshop Machine Learning (pp. 31–37).Google Scholar
  16. 16.
    Quinlan, J. R. (1993). C 4.5: programs for machine learning. San Mateo: Morgan Kaufmann Publishers.Google Scholar
  17. 17.
    Quinlan, J. R. (1996). Learning decision tree classifier. ACM Computing Surveys (CSUR), 28(1), 71–72.Google Scholar
  18. 18.
    Chang, C., Lin, C. (2011). LIBSVM: A library for support vector machines. ACM Transactions on Intelligent Systems and Technology, 2(3), 27:1–27:27. Software available at
  19. 19.
    Vapnik, V. (1995). The Nature of Statistical Learning Theory. Springer-Verlag, New York.Google Scholar
  20. 20.
    Schölkopf, B., Platt, J. C., Taylor, J. S., Smola, A. J., Williamson, R. C. (2001). Estimating the support of a high-dimensional distribution. Neural Computation, 13(7), 1443–1471.Google Scholar
  21. 21.
    Perdisci, R., Gu, G., Lee, W. (2006). Using an ensemble of one-class SVM classifiers to harden payload-based anomaly detection systems. In Proceedings of the 6th International Conference on data mining (pp. 488–498).Google Scholar
  22. 22.
    Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., Witten, I. H. (2009). The WEKA data mining software: An update. ACM SIGKDD Explorations Newsletter, 11(1), 10–18.Google Scholar
  23. 23.
    Song, J., Takakura, H., Okabe, Y., Kwon, Y. (2009). Unsupervised anomaly detection based on clustering and multiple one-class SVM. IEICE Transactions on Communications, E92-B (6), 1982–1990.Google Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2017

Authors and Affiliations

  1. 1.Mathematics and Computer Science DepartmentMizoram UniversityAizawlIndia

Personalised recommendations