The Use of Artificial Intelligence Based Techniques For Intrusion Detection: A Review

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/220637927

The Use of Artificial Intelligence based Techniques for Intrusion Detection - A Review

Article in Artificial Intelligence Review · December 2010
DOI: 10.1007/s10462-010-9179-5 · Source: DBLP

3 authors: Dr. Gulshan Kumar Ahuja (Shaheed Bhagat Singh State University, Ferozepur), Krishan Kumar Saluja (University Institute of Engineering & Technology, Panjab University, Chandigarh), Monika Sachdeva (Shaheed Bhagat Singh State Technical Campus)

All content following this page was uploaded by Dr. Gulshan Kumar Ahuja on 18 August 2016.


Artif Intell Rev
DOI 10.1007/s10462-010-9179-5

The use of artificial intelligence based techniques for intrusion detection: a review

Gulshan Kumar · Krishan Kumar · Monika Sachdeva

© Springer Science+Business Media B.V. 2010

Abstract The Internet connects hundreds of millions of computers across the world running on multiple hardware and software platforms, providing communication and commercial services. However, this interconnectivity among computers also enables malicious users to misuse resources and mount Internet attacks. The continuously growing number of Internet attacks poses severe challenges to developing flexible, adaptive, security-oriented methods. The intrusion detection system (IDS) is one of the most important components used to detect Internet attacks. In the literature, different techniques from various disciplines have been utilized to develop efficient IDSs. Artificial intelligence (AI) based techniques play a prominent role in the development of IDSs and have many benefits over other techniques. However, there is no comprehensive review of AI based techniques that examines and explains the current status of these techniques for solving intrusion detection problems. In this paper, various AI based techniques are reviewed with a focus on the development of IDSs. Related studies are compared by their source of audit data, processing criteria, technique used, dataset, classifier design, feature reduction technique employed and other experimental environment setup. Benefits and limitations of AI based techniques are discussed. The paper will help in better understanding the different directions in which research has been done in the field of IDS. The findings of this paper provide useful insights into the literature and are beneficial for those who are interested in applications of AI based techniques to IDS and related fields. The review also provides future directions of research in this area.

Keywords Artificial intelligence · Ensemble system · Hybrid system · Intrusion detection system · Intrusion · Network security

G. Kumar (B)
Department of Computer Application, Malout Institute of Management
& Information Technology, Malout, Punjab, India
e-mail: gulshanahuja@gmail.com

K. Kumar · M. Sachdeva
Department of Computer Science & Engineering, SBS College of Engineering & Technology,
Ferozepur, Punjab, India

123
G. Kumar et al.

1 Introduction

The Internet has become a part of daily life and is widely used in various areas like business, communication, entertainment, education and personal day to day activities, etc. In particular, the Internet has been used as an important component of business transactions to access information. Information access through the Internet provides various ways of attacking a computer system. More and more organizations have become vulnerable to Internet attacks/intrusions. An intrusion or attack can be defined as “any set of actions that attempt to compromise the security objectives”. The important security objectives include Availability, Integrity, Confidentiality, Accountability and Assurance (Stoneburner 2001). Various intrusions can be classified into four classes, namely Probing, Denial of Service (DoS), User to root (U2R), and Remote to user (R2L) attacks (MIT Lincoln Laboratory 2001).
To block the large number of Internet attacks, a number of anti-intrusion systems have been designed. Halme and Bauer (1995) have identified IDS as one of six anti-intrusion approaches, namely prevention, preemption, deterrence, deflection, detection, and countermeasures. Out of these components, the perfect detection of an intrusion is the most important.
In the literature, many IDSs have been developed implementing AI based techniques, as described in Sect. 2. Some IDSs have been developed based on a single classification technique, while other IDSs (called hybrid/ensemble IDSs) implement more than one classification technique. However, there exists no comprehensive review of these techniques for intrusion detection (ID).
The objective of this paper is threefold. The first objective is to give a brief introduction to IDS, the architecture of IDS and the classification of IDS. The second objective of the paper is to provide a review of various studies of AI based techniques for ID by examining the source of audit data, processing criteria, classification technique used, classifier design, dataset, feature reduction and other experimental environment setup. The scope of this paper is the core methods in AI, which encompass Decision Tree, Rule Based, Support Vector Machine (SVM), Neural Network (NN), Fuzzy Logic, Data Mining, Genetic Algorithm, Bayesian Network, Markov model and clustering techniques. The third objective is to define existing research challenges and to highlight future research directions.
The rest of the paper is organized as follows. Section 2 briefly describes the intrusion detection architecture and the classification of IDS based on source of audit data, processing criteria and response generation components. The section also highlights the various existing IDSs. Section 3 highlights various techniques used for ID. Section 4 gives the details of AI based techniques employed for ID. Section 5 emphasizes the hybrid/ensemble approach used in ID. Section 6 gives the comparison of various studies of AI based techniques based on source of audit data, processing criteria, technique used, classifier design, dataset, feature reduction technique employed and classification classes. Finally, Sect. 7 concludes the paper and discusses future directions.

2 Intrusion detection system

An intrusion detection system (IDS), defined as “an effective security technology, which can detect, prevent and possibly react to the computer attacks”, is one of the standard components in security infrastructures. It monitors target sources of activities, such as audit and network traffic data in computer or network systems, and deploys various techniques in order to provide security services. The main objective of an IDS is to detect all intrusions in an efficient manner. The implementation of an IDS allows network administrators to detect security objective violations. These security objective violations range from external attackers trying to gain unauthorized access to the network security infrastructure or making resources unavailable, to insiders abusing their access to system resources.

Fig. 1 Architecture of IDS (figure not reproduced; its blocks are: Network to monitor, Data collection & storage, Data analysis & processing criteria, Signal, and Response to the network security administrator)

With the passage of time and the growth of computer attacks, several IDS architectures have been proposed. Axelsson (1999) proposed a common architecture for IDS as depicted in Fig. 1. According to Axelsson (1999), the common components of an IDS are the following:
• Network to monitor: the entity to be monitored for intrusions. This can be a single host or a network.
• Data collection & storage unit: responsible for collecting the data of various events, converting them into a proper format and storing them to disk.
• Data analysis & processing unit: the brain of the IDS. It contains the whole functionality for finding the suspicious behavior of attack traffic. On detecting an attack, a signal is generated. Based on the type of IDS, an action can be taken by the system itself to alleviate the problem, or the signal is passed to the network administrator to take the appropriate action.
• Signal: this part of the system handles all output from the IDS. The output may be either an automated response to an intrusion or an alert of malicious activity for a network security administrator.
IDSs can be categorized into various classes depending upon their different modules. Based upon the data collection & storage unit, IDSs can be divided into two classes:
Host based IDS: A host based IDS collects the data from the host to be protected. It generally collects the data from system calls, operating system log files, NT event log files, CPU utilization, application log files, etc. The advantage of host based IDS is that they are operating system dependent and are very efficient at detecting attacks like buffer overflows. These systems become inefficient in the case of encrypted data and switched networks. The available host based IDS are MIDAS (Sebring et al. 1988), Haystack (Smaha 1988), Intrusion Detection Expert System (IDES) (Lunt et al. 1992), Tripwire (Kim and Spafford 1997), OSSEC HIDS (Hay et al. 2008) and Samhain (Samhain labs 2010).
Network based IDS: A network based IDS collects the data directly from the network in the form of packets. These IDS are operating system independent and easy to deploy on various systems. The available network based IDS are NSM (Heberlein et al. 1990), NADIR-Network Anomaly Detector and Intrusion Reporter (Hochberg et al. 1993), EMERALD (Porras and Neumann 1997), Bro (Paxson 1998), Snort (Beale et al. 2004) and Cisco Secure (CiscoSecure 2010).
Based upon the criteria adopted for the data analysis & processing unit, IDSs can be divided into two classes:
Misuse or signature based IDS: Signature based IDSs maintain a database of known attack signatures. The detection of an attack involves comparison of the data from the data collection unit with the data stored in the database. If a match occurs, an attack signal is generated. The difficult and challenging task is to keep the database of signatures up to date. Signature based IDSs perform well for attacks whose signatures are in the database, but they are inefficient at detecting zero day attacks. They also have a very low false alarm rate. Most commercially available IDSs belong to this category. The available signature based IDS are ASAX (Habra et al. 1992), USTAT (Ilgun et al. 1995), IDIOT (Crosbie et al. 1996), GrIDS (Chen et al. 1996), Tripwire (Kim and Spafford 1997), Bro (Paxson 1998) and RealSecure (Internet Security Systems (ISS) 2010).
Anomaly based IDS: An anomaly based IDS reacts to anomalous behavior as defined by some history of the monitored system, its previous behavior or some previously defined profile of that system. The system matches the current profile with the previous profile; if there is any significant deviation, then that activity is reported as an attack. These systems are capable of detecting zero day attacks. The available anomaly based IDS are IDES (Lunt et al. 1992), W & S (Vaccaro and Liepins 1989), Comp Watch (Dowell et al. 1990), AAFID-Autonomous Agents for Intrusion Detection (Spafford and Zamboni 2000) and NADIR-Network Anomaly Detector and Intrusion Reporter (Hochberg et al. 1993).
Depending upon the criteria adopted for generating the response, IDSs can be divided into two classes:
Passive IDS: A passive IDS responds to attacks by generating a signal for the network administrator or user to act on. It does not itself try to mitigate the damage done, or actively seek to harm or hamper the attacker. The available IDS in this class are IDES (Lunt et al. 1992), GrIDS (Chen et al. 1996) and NIDES (Anderson et al. 1995).
Active IDS: An active IDS responds to attacks by initiating a certain action. The action can be directed against two entities, which further classifies active IDS into two sub classes. Those entities can be: Attacking system: in this class, the IDS tries to control the attacking system. The IDS tries to attack the attacker's system to remove its platform of operation. Attacked system: in this class, the IDS tries to control the attacked system. It modifies the state of the attacked system to mitigate the attack. It can terminate network connections, increase the security logging or kill the concerned processes, etc. The available active IDS are EMERALD (Porras and Neumann 1997), Janus (Goldberg et al. 1996), OSSEC HIDS (Hay et al. 2008) and RealSecure (Internet Security Systems (ISS) 2010). The discussion is summarized in Table 1.

3 Intrusion detection techniques

In the literature, different types of techniques from various disciplines have been applied to detect intrusions. The major techniques are statistical techniques, knowledge based techniques and artificial intelligence (AI) based techniques. In statistics based IDS, the behavior of the system is represented from a random viewpoint. On the other hand, knowledge based IDS techniques try to capture the claimed behavior from available system data (protocol specifications, network traffic instances, etc.). Finally, AI based IDS techniques involve the establishment of an explicit or implicit model that allows the patterns to be categorized (Garcia-Teodoro et al. 2009).

4 Artificial intelligence (AI) based techniques

Table 1 Summary of various IDS

Name of system                                        Processing criteria   Source of audit data   Type of response
NSM (Heberlein et al. 1990)                           Hybrid                N/w                    Passive
Bro (Paxson 1998)                                     Signature             N/w                    Passive
MIDAS (Sebring et al. 1988)                           Hybrid                Host                   Passive
Haystack (Smaha 1988)                                 Hybrid                Host                   Passive
IDES (Lunt et al. 1992)                               Anomaly               Host                   Passive
W & S (Vaccaro and Liepins 1989)                      Anomaly               Host                   Passive
Comp Watch (Dowell et al. 1990)                       Anomaly               Host                   Passive
ASAX (Habra et al. 1992)                              Signature             Host                   Passive
USTAT (Ilgun et al. 1995)                             Signature             Host                   Passive
IDIOT (Crosbie et al. 1996)                           Signature             Host                   Passive
GrIDS (Chen et al. 1996)                              Hybrid                Hybrid                 Passive
NIDES (Anderson et al. 1995)                          Hybrid                Host                   Passive
EMERALD (Porras and Neumann 1997)                     Hybrid                Hybrid                 Active
Janus (Goldberg et al. 1996)                          Signature             Host                   Active
Tripwire (Kim and Spafford 1997)                      Signature             Host                   Passive
OSSEC HIDS (Hay et al. 2008)                          Hybrid                Host                   Active
Snort (Beale et al. 2004)                             Hybrid                N/w                    Active
AAFID (Spafford and Zamboni 2000)                     Anomaly               Host                   Active
NADIR (Hochberg et al. 1993)                          Anomaly               N/w                    Passive
RealSecure (Internet Security Systems (ISS) 2010)     Signature             Hybrid                 Active

Ponce has listed many advantages of using AI based techniques over the conventional approach (Ponce 2004). The major advantages include flexibility (vs. the threshold definition of conventional techniques); adaptability (vs. the specific rules of conventional techniques); pattern recognition (and detection of new patterns); fast computing (faster than humans, actually) and learning abilities. Many authors (Novikov et al. 2006; Mukkamala and Sung 2003a) have divided AI based techniques into different classes. The major classes include the following:

4.1 Decision tree based techniques

Decision trees are powerful and popular tools for classification and prediction. A decision
tree is a tree that has three main components: nodes, arcs and leaves. Each node is labeled
with a feature attribute which is most informative among the attributes not yet considered in
the path from the root, each arc out of a node is labeled with a feature value for the node’s
feature and each leaf is labeled with a category or class. A decision tree can then be used to
classify a data point by starting at the root of the tree and moving through it until a leaf node
is reached. The leaf node would then provide the classification of the data point.
Levin has created a set of locally optimal decision trees from which an optimal subset of trees is selected for predicting new cases (Levin 2000). 10% of the KDD Cup database is used for training and testing. Data is randomly sampled from the entire training data set. A multi-class detection approach is used to detect different attack categories in the KDD data set. Just like Agarwal and Joshi (Agarwal and Joshi 2000), Levin has tried to classify the data into five different classes: Normal, Probing, DOS, U2R, and R2L. The final trees give very high detection rates for all classes including R2L in the entire training data set. Table 2 shows the results.

Table 2 Summary of results (Levin 2000)

        Normal (%)   Probe (%)   DoS (%)   U2R (%)   R2L (%)
DA      99.42        84.52       97.5      11.8      7.32
FPR     –            21.6        73.1      36.4      1.7

DA detection accuracy, FPR false positive rate

ID3 and C4.5 developed by Quinlan are the most popular implementations of the Decision
Tree (Quinlan 1993).

4.2 Rule based techniques

Rule based techniques typically involve the application of a set of association rules and frequent episode patterns to classify the audit data. In this context, if a rule states that “if event X occurs, then event Y is likely to occur”, then events X and Y can be described as sets of (variable, value)-pairs where the aim is to find the sets X and Y such that X “implies” Y. In the domain of classification, we fix Y and attempt to find sets X which are good predictors for the right classification. The advantage of using rules is that they tend to be simple and intuitive, unstructured and less rigid. The drawback is that rules are difficult to maintain, and in some cases are inadequate to represent different types of information. A number of inductive rule generation algorithms have been proposed in the literature. Some of them first construct a decision tree and then extract a set of classification rules from the decision tree. Other algorithms directly induce rules from the data by employing a divide and conquer approach.
Agarwal and Joshi (2000) have proposed a two-stage general-to-specific framework for learning a rule-based model (PNrule) to learn classifier models on a data set. They have used widely different class distributions in the training data. They utilized the KDD Cup database for training and testing their system. The system has classified traffic into five different classes. The results obtained are given in Table 3.
The RIPPER system is the most popular representative of rule based classification (Cohen 1995). RIPPER is a rule learning program. RIPPER is fast and is known to generate concise rule sets. It is stable and has proved to be consistently one of the best algorithms in past experiments (Stolfo et al. 1997). The system utilizes association rules and frequent patterns that can be applied to the network traffic to classify it accurately. The major benefit of this technique is that the set of rules it generates is easy to understand and hence can be verified easily by security experts.

4.3 Data mining techniques

Table 3 Summary of results (Agarwal and Joshi 2000)

        Normal (%)   Probing (%)   DoS (%)   U2R (%)   R2L (%)
DA      99.5         73.2          96.9      6.6       10.7
FPR     27           7.5           0.05      89.5      12

Data mining can be defined as being concerned with uncovering patterns, associations, changes, anomalies, and statistically significant structures and events in data (Patcha and Park 2007). Alternatively, data mining is the ability to take data as input and extract the patterns and deviations which may not be obtainable with simple techniques. Data mining aims to eliminate the manual and ad-hoc elements used in designing IDSs. Various data mining techniques have been developed and used extensively in designing IDSs. Major data mining techniques include the following:

4.3.1 Fuzzy logic techniques

Fuzzy logic techniques have been in use in the area of computer and network security, especially in intrusion detection, for two main reasons. Firstly, several quantitative parameters that are used in the context of intrusion detection, e.g., CPU usage time, connection interval, etc., can potentially be viewed as fuzzy variables. Secondly, the concept of security itself is fuzzy. In other words, the concept of fuzziness helps to smooth out the abrupt separation of normal behavior from abnormal behavior: with a crisp boundary, a given data point falling outside/inside a defined “normal interval” is considered anomalous/normal to the same degree regardless of its distance from/within the interval.
Dickerson and Dickerson (2000) have applied fuzzy logic and data mining techniques to detect intrusions in a network. They have proposed FIRE (Fuzzy Intrusion Recognition Engine), which uses fuzzy logic to assess whether malicious activity is taking place on a network. They have used simple data mining techniques to process the network input data and generate fuzzy sets for every observed feature. The fuzzy sets are then used to define fuzzy rules to detect individual attacks. The limitation here is that the fuzzy rules are formed with the help of experts, which is very labor intensive. Idris and Shanmugam (2005) have proposed a modified FIRE system. They have proposed a mechanism to automate the fuzzy rule generation process and reduce human intervention by using AI techniques. But the proposed model is at a preliminary stage; no experimental results have been produced.
Luo (1999) has tried to classify the data using fuzzy logic rules integrated with association rules and frequency episodes. He has added a normalization step to the procedure for mining fuzzy association rules developed by Kuok et al. (1998) in order to prevent one data instance from contributing more than others. He has also proposed a modification to the procedure suggested by Mannila and Toivonen (1996) for mining frequency episodes to learn fuzzy frequency episodes. The author has utilized fuzzy association rules and fuzzy frequency episodes to extract patterns for temporal statistical measurements at a higher level than the data level.
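The crisp-versus-fuzzy distinction and the FIRE-style scheme of per-feature fuzzy sets combined by fuzzy rules, as an added Python example that is not code from the paper or from FIRE; the feature names, set boundaries, rules and crisp cutoffs are constructed for illustration:

```python
# Fuzzy rule evaluation over per-feature fuzzy sets, in the style this section
# describes: one fuzzy set per observed feature, one fuzzy rule per attack type.
# Added example; feature names, set boundaries, rules and cutoffs are constructed.


def ramp_up(x, a, b):
    """Open-ended 'high' set: 0 at or below a, 1 at or above b, linear between."""
    if x <= a:
        return 0.0
    if x >= b:
        return 1.0
    return (x - a) / (b - a)


# Constructed fuzzy sets for two per-source-host features observed in a time
# window: SYN packets per second and distinct destination ports touched.
FUZZY_SETS = {
    "syn_rate": {
        "high": lambda x: ramp_up(x, 20.0, 100.0),
        "low": lambda x: 1.0 - ramp_up(x, 20.0, 100.0),
    },
    "distinct_ports": {
        "many": lambda x: ramp_up(x, 5.0, 40.0),
        "few": lambda x: 1.0 - ramp_up(x, 5.0, 40.0),
    },
}

# Constructed rules: (antecedents, conclusion). Fuzzy AND is min over the
# antecedents; rules sharing a conclusion are combined with max.
FUZZY_RULES = [
    ([("syn_rate", "high"), ("distinct_ports", "many")], "probe"),
    ([("syn_rate", "high"), ("distinct_ports", "few")], "flood"),
]

# Crisp counterpart for the "probe" rule: alert only when every feature is
# strictly beyond its cutoff, however close to the cutoff it falls.
CRISP_THRESHOLDS = {"syn_rate": 100.0, "distinct_ports": 40.0}


def fuzzy_evaluate(sample, sets=FUZZY_SETS, rules=FUZZY_RULES):
    """Return the degree in [0, 1] to which each conclusion holds for the sample."""
    degrees = {}
    for antecedents, conclusion in rules:
        firing = min(sets[feat][label](sample[feat]) for feat, label in antecedents)
        degrees[conclusion] = max(degrees.get(conclusion, 0.0), firing)
    return degrees


def crisp_evaluate(sample, thresholds=CRISP_THRESHOLDS):
    """Crisp 'probe' decision: True iff all features exceed their cutoff."""
    return all(sample[feat] > cutoff for feat, cutoff in thresholds.items())


if __name__ == "__main__":
    # Just under both crisp cutoffs: the crisp detector stays silent, while the
    # fuzzy rule reports a high degree of "probe" (the smoothing the text describes).
    near_boundary = {"syn_rate": 95.0, "distinct_ports": 38.0}
    print(crisp_evaluate(near_boundary), fuzzy_evaluate(near_boundary))
```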

4.3.2 Genetic algorithm based techniques

Genetic algorithms are a search technique used to find approximate solutions to optimization and search problems. These techniques have been extensively employed in the domain of ID to differentiate normal network traffic from anomalous traffic. The major advantages of genetic algorithms are flexibility and robustness as a global search method. In addition, a genetic algorithm search converges to a solution from multiple directions and is based on probabilistic rules instead of deterministic ones. The disadvantage of genetic algorithms is their high resource consumption. In the domain of network intrusion detection, genetic algorithms have been used in a number of ways. Some researchers have used genetic algorithms directly to derive classification rules, while others use genetic algorithms to select appropriate features or determine optimal parameters of related functions, with different data mining techniques then used to acquire the rules.
Crosbie and Spafford (1995) have utilized a genetic algorithm for sparse trees to detect anomalies. They have tried to minimize the occurrence of false positives by utilizing human input in a feedback loop. Balajinath and Raghavan (2001) have utilized a genetic algorithm for ID to learn individual user behavior and detect abnormal user activities. The user behavior is described by a 3-tuple <Match index, Entropy index, Newness index>. Further, these values for a sample command in a user session are compared with the baseline to find anomalies.
Dasgupta and Gonzalez (2001) have used a genetic algorithm for examining host-based IDSs. They have used the genetic algorithm for the meta-learning step, on labeled vectors of statistical classifiers. Each of the statistical classifiers was a 2-bit binary encoding of the abnormality of a particular feature, ranging from normal to dangerous.
Chittur (2001) has applied a genetic algorithm and used a decision tree to represent the data. The “detection rate minus the false positive rate” was used as the preference criterion to distinguish among the data.

4.4 Machine learning techniques

Machine learning can be defined as the ability of computer programs to learn and enhance their performance on a set of tasks over time. Machine learning techniques focus on building a system model that enhances its performance based on previous results. Alternatively, it can be said that systems based upon machine learning have the ability to adapt their execution strategy based upon new inputs. Machine learning has been successfully implemented in intrusion detection. Major machine learning techniques include the following:

4.4.1 Neural network (NN)

Here, the NN learns to predict the behavior of the various users and daemons in the system. If properly designed and implemented, NNs have the potential to address many of the problems encountered by rule-based approaches. The main advantage of NNs is their tolerance to imprecise data and uncertain information and their ability to infer solutions from data without having prior knowledge of the regularities in the data. This, in combination with their ability to generalize from learned data, has made them an appropriate approach to ID. In order to apply this approach to ID, we would have to present data representing attacks and non-attacks to the NN so that the coefficients of the network are adjusted automatically during the training phase. NNs can be used in the following ways:
Unsupervised model: Cunningham and Lippmann (2000a) of MIT Lincoln Laboratory have conducted a number of tests applying neural networks to misuse detection (Cunningham and Lippmann 2000a,b). The system searched for attack-specific keywords in the network traffic. A Multi Layer Perceptron has been used for detecting UNIX host attacks and attacks to obtain root privilege on a server. The system tried to detect the presence of an attack by classifying the inputs into two outputs (normal and attack). The system was able to detect 85% of attacks: 17 out of 20 attacks were identified. The main achievement of this system was its ability to detect old as well as new attacks; the new attacks were not included in the training data. They have used the DARPA intrusion detection evaluation dataset.
Supervised model: Self-Organizing Maps (SOM) have been proved to be effective in novelty detection, automated clustering, and visual organization (Ypma and Duin 1998). Bivens et al. (2002) have detected intrusions based on network user behavior. They have analyzed the user behavior over a time window using neural networks. After supervised learning of the neural network, the network data has been classified and clustered by using a Self Organizing Map (SOM) neural network over different time intervals. These clusters are used to detect attacks in the network. The approach has used DARPA TCP dump data for training the neural network. Kayacik et al. (2003) have utilized the KDD Cup data set for their experiments. They have created three layers: First, individual SOMs are associated with each basic TCP feature. This provides a concise summary of the interesting properties of each basic feature, as derived over a suitable temporal horizon. The second layer integrates the views provided by the first level SOMs into a single view of the problem. At this point, they have used the training set labels associated with each pattern to label the respective best matching unit in the second layer. Third, a final layer is built for those neurons which win for both attack and normal behaviors. This results in third layer SOMs being associated with specific neurons in the second layer. Moreover, the hierarchical nature of the architecture means that the first layer may be trained in parallel and the third layer SOMs are only trained over a small fraction of the data set.
Hybrid neural network model: Many researchers have tried to combine the Multi-Layer Perceptron (MLP) model and the Self-Organizing Map (SOM) for intrusion detection. Novikov et al. (2006) have attempted to create an intrusion detection system using MLP and SOM for misuse detection. They have used a feed-forward network with back-propagation learning, which contained 4 fully connected layers, 9 input nodes and 2 output nodes (normal and attack). The network has been trained for a certain number of attacks. The network has succeeded in identifying the attacks it was trained for.

4.4.2 Bayesian network

A Bayesian Network (BN) is a model that encodes probabilistic relationships among variables of interest. This technique is generally used for intrusion detection in combination with statistical schemes. It has several advantages, including the capability of encoding interdependencies between variables and of predicting events, as well as the ability to incorporate both prior knowledge and data (Heckerman 1995). But a major disadvantage is that the results are comparable to those of statistical techniques while requiring extra computational effort.
Kruegel et al. (2003) have proposed a multi-sensor fusion approach using a BN based classifier for classification and suppression of false alarms, in which the outputs of different IDS sensors were aggregated to produce a single alarm. Johansen and Lee (2003) have suggested that a BN system provides a sound mathematical foundation to make straightforward a seemingly difficult problem. They have proposed that a BN based IDS should differentiate between attacks and normal network activity by comparing metrics of each network traffic sample.

4.4.3 Markov model

There are two types of approaches in this class:
Markov chains: A Markov chain is a set of states that are interconnected through certain transition probabilities, which determine the topology and the capabilities of the model. During the training phase, the probabilities associated with the transitions are estimated from the normal behavior of the target system. The detection of anomalies is then carried out by comparing the anomaly score (associated probability) obtained for the observed sequences with a fixed threshold.
Hidden Markov models: In the case of a hidden Markov model, the system of interest is assumed to be a Markov process in which states and transitions are hidden. Only productions are observable.
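The Markov chain approach just described (transition probabilities estimated from normal sequences, then a fixed threshold on the anomaly score of an observed sequence), as an added Python example that is not code from the paper; the event sequences, the smoothing constant and the threshold margin are constructed assumptions:

```python
import math
from collections import defaultdict

START, END = "<s>", "</s>"

# Constructed sample of "normal" event sequences (think of a process's
# file-access calls); not taken from the paper or from any real system.
NORMAL_TRAINING = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "write", "write", "close"],
    ["stat", "open", "read", "close"],
    ["open", "read", "read", "read", "close"],
]


def train_markov_chain(sequences, alpha=0.01):
    """Estimate first-order transition probabilities from normal sequences.

    alpha is additive smoothing (an assumption of this example): a transition
    never seen in training keeps a small non-zero probability instead of
    making the whole observed sequence impossible.
    Returns (probs, states) with probs[a][b] = P(next = b | current = a).
    """
    counts = defaultdict(lambda: defaultdict(int))
    states = set()
    for seq in sequences:
        path = [START] + list(seq) + [END]
        states.update(path)
        for a, b in zip(path, path[1:]):
            counts[a][b] += 1
    targets = states - {START}   # START is never entered
    sources = states - {END}     # END is never left
    probs = {}
    for a in sources:
        total = sum(counts[a].values())
        probs[a] = {b: (counts[a][b] + alpha) / (total + alpha * len(targets))
                    for b in targets}
    return probs, states


def anomaly_score(model, seq):
    """Mean negative log-likelihood per transition; higher means more anomalous.
    An event never seen in training cannot be scored and yields +inf."""
    probs, states = model
    path = [START] + list(seq) + [END]
    if any(s not in states for s in path):
        return math.inf
    logp = sum(math.log(probs[a][b]) for a, b in zip(path, path[1:]))
    return -logp / (len(path) - 1)


def fit_threshold(model, sequences, margin=1.0):
    """Fixed threshold: the worst score seen on normal data plus a margin."""
    return max(anomaly_score(model, s) for s in sequences) + margin


def is_anomalous(model, seq, threshold):
    return anomaly_score(model, seq) > threshold


if __name__ == "__main__":
    model = train_markov_chain(NORMAL_TRAINING)
    thr = fit_threshold(model, NORMAL_TRAINING)
    for s in (["open", "read", "close"],                # normal-looking
              ["close", "close", "close", "open"],     # known events, odd order
              ["open", "unlink", "close"]):            # never-seen event
        print(s, round(anomaly_score(model, s), 3), is_anomalous(model, s, thr))
```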
In the literature, several methods have been presented that address the problem of detecting anomalies in the usage of network protocols by inspecting packet headers. The common denominator of all of them is the systematic application of learning techniques to automatically obtain profiles of normal behavior for protocols at different layers. Mahoney and Chan (2001) experimented with anomaly detection over the DARPA network data by range matching network packet header fields. Many systems use Markov models; examples include PHAD (Packet Header Anomaly Detector) (Mahoney and Chan 2001), LERAD (LEarning Rules for Anomaly Detection) (Mahoney and Chan 2002a) and ALAD (Application Layer Anomaly Detector) (Mahoney and Chan 2002b).

4.4.4 Support vector machine

Support vector machine (SVM) is a technique used for solving a variety of learning, classification and prediction problems. SVM originated as an implementation of Vapnik’s structural risk minimization (SRM) principle, which minimizes the generalization error, i.e., the true error on unseen examples (Vapnik 1998). The basic SVM deals with two-class problems, in which the data is separated by a hyperplane defined by a number of support vectors. Support vectors are a subset of the training data used to define the boundary between the two classes. In situations where the SVM cannot separate two classes, it solves this problem by mapping the input data into a high-dimensional feature space using a kernel function. In the high-dimensional space, it is possible to create a hyperplane that allows linear separation (which corresponds to a curved surface in the lower-dimensional input space). Accordingly, the kernel function plays an important role in SVM. In practice, various kernel functions can be used, such as linear, polynomial or Gaussian. One remarkable property of SVM is its learning ability, which is independent of the feature space dimensionality. This means that SVM can generalize well in the presence of many features. Mukkamala and Sung (2003b) have shown many advantages of SVM over other techniques: SVMs outperform ANNs in the important respects of scalability, training time, running time and prediction accuracy. Sung and Mukkamala (2003) have also applied SVM for extracting the features for intrusion detection on the KDD dataset. They have empirically shown that features selected with the help of SVM lead to similar results as the use of the full feature set; this reduction in the number of features reduces the computational effort. Chen et al. (2005) have also shown that SVM is superior to NN. The superior performance of SVMs over ANNs is due to the following three reasons:
• SVMs implement the structural risk minimization principle which minimizes an upper
bound for the generalization error rather than minimizing the training error. However,
ANNs implement the empirical risk minimization principle, which might lead to worse
generalization than SVM.
• An NN may not converge to global solutions due to its inherent algorithm design. In con-
trast, finding solutions in SVMs is equivalent to solving a linearly constrained quadratic
programming problem, which leads to a global optimal solution.
• In choosing parameters, SVMs are less complex than ANNs. The parameters that must
be determined in SVMs are the kernel bandwidth and the margin C. However, in ANNs,
the number of hidden layers, number of hidden nodes, transfer functions and so on must
be determined. Improper parameter selection might cause the over-fitting problem.
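The role of the kernel function described above, as an added example that is not code from the paper or from any cited work: a minimal SVM learner (the kernelized Pegasos stochastic sub-gradient method of Shalev-Shwartz et al., not the solver used in the cited studies) is run twice on the same constructed two-feature dataset, once with a linear kernel and once with a Gaussian (RBF) kernel. The classes are laid out so that no hyperplane in the input space separates them; only the RBF kernel, which implicitly maps the points into a higher-dimensional space, fits them. The dataset, the kernel bandwidth, the regularisation constant and the fixed visiting order (used to keep the run deterministic) are all assumptions.

```python
"""Kernel SVM via kernelized Pegasos (added illustration)."""
import math


def linear_kernel(x, z):
    return sum(a * b for a, b in zip(x, z))


def rbf_kernel(gamma):
    """Gaussian kernel; gamma is the bandwidth parameter mentioned in the text."""
    def k(x, z):
        return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, z)))
    return k


class KernelSVM:
    def __init__(self, kernel, lam=0.01, epochs=200):
        self.kernel = kernel
        self.lam = lam            # regularisation strength, plays the role of 1/C
        self.epochs = epochs
        self.alpha = []           # per-sample coefficients; non-zero ones are the support vectors
        self.X, self.y = [], []

    def fit(self, X, y):
        self.X, self.y = X, y
        self.alpha = [0] * len(X)
        t = 0
        for _ in range(self.epochs):
            for i in range(len(X)):          # fixed order instead of random sampling
                t += 1
                margin = y[i] * self._raw(X[i]) / (self.lam * t)
                if margin < 1:               # hinge-loss violation: x_i gets more weight
                    self.alpha[i] += 1
        return self

    def _raw(self, x):
        """Unscaled decision value sum_j alpha_j y_j K(x_j, x)."""
        return sum(a * yj * self.kernel(xj, x)
                   for a, xj, yj in zip(self.alpha, self.X, self.y) if a)

    def predict(self, x):
        return 1 if self._raw(x) >= 0 else -1

    def support_vectors(self):
        return [xj for a, xj in zip(self.alpha, self.X) if a]


def accuracy(model, X, y):
    return sum(model.predict(x) == t for x, t in zip(X, y)) / len(X)


# Constructed data: two standardised traffic features. Class +1 occupies two diagonally
# opposite quadrants and class -1 the other two, so no single hyperplane separates them.
X_TRAIN = [(1.0, 1.0), (-1.0, -1.0), (1.2, 0.8), (-0.9, -1.1),
           (1.0, -1.0), (-1.0, 1.0), (0.8, -1.2), (-1.1, 0.9)]
Y_TRAIN = [1, 1, 1, 1, -1, -1, -1, -1]


def compare_kernels():
    lin = KernelSVM(linear_kernel).fit(X_TRAIN, Y_TRAIN)
    rbf = KernelSVM(rbf_kernel(gamma=1.0)).fit(X_TRAIN, Y_TRAIN)
    return {"linear": accuracy(lin, X_TRAIN, Y_TRAIN),
            "rbf": accuracy(rbf, X_TRAIN, Y_TRAIN),
            "rbf_unseen": (rbf.predict((2.0, 2.0)), rbf.predict((2.0, -2.0)))}


if __name__ == "__main__":
    print(compare_kernels())
```

The learner never materialises the high-dimensional feature map: every decision is a weighted sum of kernel evaluations against the support vectors, which is what makes the "curved surface in the input space" cheap to compute.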

4.5 Clustering techniques

Clustering techniques work by grouping the observed data into clusters, according to a given similarity or distance measure. The candidate methods for distance measurement are Euclidean distance and Mahalanobis distance. Similarity can be measured by using the cosine formula, the binary weighted cosine formula proposed by Rawat (2005) and many more. The procedure most commonly used for clustering involves selection of a representative point for each cluster. Then, each new data point is classified as belonging to a given cluster according to its proximity to the corresponding representative point (Liao and Vemuri 2002). There exist at least two approaches to clustering based anomaly detection. In the first approach, the anomaly detection model is trained using unlabelled data that consists of both normal as well as attack traffic. In the second approach, the model is trained using only normal data and a profile of normal activity is created. The idea behind the first approach is that anomalous or attack data forms a small percentage of the total data. If this assumption holds, anomalies and attacks can be detected based on cluster sizes: large clusters correspond to normal data, and the rest of the data points, which are outliers, correspond to attacks. Liao and Vemuri (2002) have used a Euclidean distance based k-NN (k-Nearest Neighbor) approach to define the membership of data points to a given cluster (Liao and Vemuri 2002). The Minnesota Intrusion Detection System (MINDS) is a network-based anomaly detection approach that utilizes data mining and clustering techniques (Ertoz et al. 2004).

Leung and Leckie (2005) have proposed an approach to unsupervised anomaly detection in the application of network intrusion detection (Leung and Leckie 2005). The proposed algorithm, called "fpMAFIA", is a density based and grid-based high dimensional clustering algorithm for large data sets. The major advantage of the algorithm is that it can produce clusters of arbitrary shape and cover over 95% of the data set with appropriate values of the parameters. A detailed complexity analysis has been provided by the authors, who have proved that the algorithm scales linearly with the number of records in the data set. They have evaluated the accuracy of the newly proposed algorithm and showed that it achieves a reasonable detection rate while maintaining a low false positive rate.
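The first clustering approach described above (unlabelled training data, small clusters treated as attacks), as an added example that is not code from the paper or from MINDS, fpMAFIA or any other cited system: k-means with Euclidean distance is run over constructed, unlabelled connection records in which flood-like traffic is a small minority; clusters below a size fraction are labelled anomalous, and a new record takes the label of the cluster whose representative point (centroid) is nearest. The two features, the records, the number of clusters, the size fraction and the deterministic farthest-first seeding are all assumptions.

```python
"""Clustering-based anomaly detection on unlabelled records (added illustration)."""
import math


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def farthest_first(points, k):
    """Deterministic seeding: start at the first point, then repeatedly take the
    point farthest from all centroids chosen so far (keeps the run reproducible)."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(euclidean(p, c) for c in centroids))
        centroids.append(list(far))
    return centroids


def kmeans(points, k, iters=20):
    """Lloyd's algorithm; returns (centroids, cluster index per point)."""
    centroids = farthest_first(points, k)
    assign = [0] * len(points)
    for _ in range(iters):
        assign = [min(range(k), key=lambda c: euclidean(p, centroids[c])) for p in points]
        for c in range(k):
            members = [p for p, a in zip(points, assign) if a == c]
            if members:                      # an empty cluster keeps its previous centroid
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return centroids, assign


class ClusterAnomalyDetector:
    def __init__(self, k=3, min_fraction=0.15):
        self.k = k
        self.min_fraction = min_fraction     # clusters holding fewer records are "attack"
        self.centroids, self.labels = [], []

    def fit(self, points):
        self.centroids, assign = kmeans(points, self.k)
        sizes = [assign.count(c) for c in range(self.k)]
        self.labels = ["attack" if s < self.min_fraction * len(points) else "normal"
                       for s in sizes]
        return self

    def classify(self, point):
        """Label of the cluster whose representative point is nearest."""
        nearest = min(range(self.k), key=lambda c: euclidean(point, self.centroids[c]))
        return self.labels[nearest]


# Constructed, unlabelled records: (connections to the same host in the last 2 s,
# mean bytes per connection in KB). The flood-like records are a small minority.
RECORDS = (
    [(2, 1.0), (3, 1.2), (2, 0.9), (4, 1.1), (3, 1.0), (2, 1.3), (3, 0.8), (4, 1.0)]   # interactive
    + [(1, 40.0), (2, 42.0), (1, 38.0), (2, 41.0), (1, 39.0), (2, 43.0), (1, 40.5), (2, 39.5)]  # bulk
    + [(90, 0.1), (95, 0.1)]                                                             # flood-like
)


def demo():
    det = ClusterAnomalyDetector(k=3, min_fraction=0.15).fit(RECORDS)
    return {"labels": det.labels,
            "new_interactive": det.classify((3, 1.1)),
            "new_flood": det.classify((88, 0.2))}


if __name__ == "__main__":
    print(demo())
```

Note how the method inherits the assumption stated in the text: if attack traffic were the majority of the training data (as in a sustained flood), the large cluster would be the attack and the labelling would invert, which is why the second approach (train on normal data only) is often preferred in practice.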

5 Hybrid/ensemble classifiers

Many researchers have suggested that the monitoring capability of current IDS can be improved by taking a hybrid approach that consists of both anomaly as well as signature detection techniques (Lunt et al. 1992; Anderson et al. 1995; Porras and Neumann 1997; Hwang et al. 2007; Fortuna et al. 2007). The anomaly detection techniques aid in the detection of new or unknown zero-day attacks, while the signature detection techniques detect known attacks.

Multi-classifier based ensemble and/or hybrid techniques have been advocated by many researchers in the literature (Mukkamala and Sung 2003b; Sabhnani and Serpen 2003; Gharibian and Ghorbani 2007; Panda and Patra 2008; Mukkamala et al. 2005; Chebrolu et al. 2005; Peddabachigari et al. 2007; Zainal et al. 2009; Tsai et al. 2009). Sabhnani and Serpen (2003) and Panda and Patra (2008) have proved that no single classification technique is capable enough to detect all classes of attacks with an acceptable false alarm rate and detection accuracy (Sabhnani and Serpen 2003; Panda and Patra 2008). Sabhnani and Serpen (2003) have utilized different classifiers to classify the intrusions using the KDD 1998 dataset. The classifiers used are the Gaussian classifier (Duda and Hart 1973), K-means clustering (Duda and Hart 1973), the nearest cluster algorithm (Duda and Hart 1973), the leader algorithm (Hartigan 1975), the hypersphere algorithm (Lee 1989), Fuzzy ARTMAP (Carpenter et al. 1992) and a neural network based classifier. They have proved empirically that certain classifiers outperform the others only for certain classes of attacks.

Many researchers have proved that hybrid or ensemble classification techniques can improve detection accuracy (Mukkamala et al. 2005; Chebrolu et al. 2005; Peddabachigari et al. 2007). A hybrid approach involves the integration of different learning or decision-making models. Each learning model works in a different manner and exploits a different set of features. Integrating different learning models gives better performance than the individual learning or decision-making models by reducing their individual limitations and exploiting their different mechanisms. A significant benefit of combining redundant and complementary classification techniques is increased robustness, accuracy and better overall generalization in most applications (Peddabachigari et al. 2007).

Different methods for combining different classification techniques have been proposed in the literature (Witten and Frank 2005; Menahem et al. 2009). The common objective of ensemble methods is to construct some combination of models, instead of using a single model, to improve the results. Mukkamala et al. (2005) have proved that by using ensemble classifiers the best accuracy for each category of attack patterns can be achieved (Mukkamala et al. 2005). The ensemble approach of different classifiers tries to improve the predictive performance of the learnt model. Chebrolu et al. (2005) utilized a CART-BN approach for intrusion detection (Chebrolu et al. 2005). CART performed best for Normal, Probe and U2R, and the ensemble approach worked best for R2L and DoS. Zainal et al. (2009) proposed an ensemble of Linear Genetic Programming (LGP), Adaptive Neural Fuzzy Inference System (ANFIS) and Random Forest (RF) for ID (Zainal et al. 2009). They have empirically proved that assigning proper weights to the classifiers in the ensemble improves the detection accuracy for all classes of network traffic over any individual classifier. Menahem et al. (2009) have utilized multiple different classifiers and have tried to exploit their strengths. They have used C4.5 Decision Tree (Quinlan 1993), Naïve Bayes (John and Langley 1995), k-NN clustering (Kibler 1991), VFI-Voting Feature Intervals (Guvenir 1997) and OneR (Holte 1993) classifiers as base classifiers over five malware datasets. Each classifier belongs to a different family of classifiers. For example, C4.5 relates to Decision Trees, k-NN belongs to Lazy classifiers, OneR to Rules, Naïve Bayes to Bayes classifiers and VFI to the general family. They have suggested an ensemble method that combines the results of the individual classifiers into one final result to achieve overall higher detection accuracy.

The success of an ensemble method depends upon many factors, including the training sample size; the choice of a base classifier; the exact way in which the training set is modified; the choice of the combination method; and, finally, the data distribution and the potential ability of the chosen base classifier to solve the problem (Rokach 2010). Hwang et al. (2007) have proposed a three-tier hybrid approach to detect intrusions. The first tier of the system is a signature based approach that filters the known attacks using a blacklist. The second tier of the system is an anomaly detector that uses a whitelist to distinguish the normal and attack traffic that has bypassed the first tier. The third tier of the system uses an SVM to classify the unknown attack traffic into five classes, i.e. normal, probing, DoS, U2R and R2L. The KDD dataset was used to train and test the system. The results are summarized in Table 4.

Table 4 Summary of results (Hwang et al. 2007)

Class/detection accuracy   Old attacks (%)   New attacks (%)   Total detection (%)
Probing                    99.92             98.16             99.16
DoS                        99.99             18.03             97.65
U2R                        20.57             87.83             76.32
R2L                        79.84             26.94             46.53

Table 5 Summary of results (Fortuna et al. 2007)

       Normal (%)   Probing (%)   DoS (%)   U2R (%)   R2L (%)
DA     98.3         74.8          96.7      7.1       0.8
TPR    71.1         82.8          99.6      29.4      55.6

TPR true positive rate

The same concept is also implemented by Fortuna et al. (2007) using files and the KDD dataset. They have used different SVM formulations, i.e. 1-v-1, 1-v-all and 1-v-all 3-category. The best results, for 1-v-all 3-category, are summarized in Table 5.

The available hybrid systems are EMERALD (Porras and Neumann 1997), NIDES (Anderson et al. 1995), and the Common Intrusion Detection Framework (CIDF) (Staniford-Chen et al. 1998).
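The three-tier structure attributed above to Hwang et al. (2007), with a weighted-vote ensemble of base classifiers from different families (the idea behind the Zainal et al. and Menahem et al. work) standing in for the third-tier SVM, as one added example that serves both passages and is not code from the paper or from any cited system: tier 1 drops records that match a blacklist of known-attack signatures, tier 2 passes records that fall inside a per-service profile learned from normal traffic (whitelist), and everything else is classified into the five classes by a weighted vote. The records, feature names (chosen to resemble the KDD-style attributes the paper refers to), signatures, classifier weights and the three base classifiers are all constructed for the illustration.

```python
"""Three-tier hybrid IDS with an ensemble at the last tier (added illustration)."""
import math
from collections import Counter

NUMERIC = ("count", "serror_rate", "src_bytes", "num_failed_logins")
OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}

# Tier 1: blacklist of constructed signatures, each a conjunction of (field, op, value)
SIGNATURES = [
    ("DoS", [("count", ">", 200), ("serror_rate", ">", 0.9)]),               # burst of half-open connections
    ("R2L", [("service", "==", "telnet"), ("num_failed_logins", ">=", 5)]),  # repeated login failures
]


def tier1_signature(rec):
    """Return the attack class of the first matching signature, else None."""
    for label, conds in SIGNATURES:
        if all(OPS[op](rec[f], v) for f, op, v in conds):
            return label
    return None


# Tier 2: whitelist profile = per-service [min, max] of each numeric feature in normal traffic
def build_profile(normal_recs):
    prof = {}
    for r in normal_recs:
        rng = prof.setdefault(r["service"], {f: [r[f], r[f]] for f in NUMERIC})
        for f in NUMERIC:
            rng[f] = [min(rng[f][0], r[f]), max(rng[f][1], r[f])]
    return prof


def tier2_whitelist(rec, profile):
    """True when the record lies inside the learned normal ranges for its service."""
    rng = profile.get(rec["service"])
    return rng is not None and all(lo <= rec[f] <= hi for f, (lo, hi) in rng.items())


# Tier 3: weighted vote over three base classifiers from different families
def vec(r): return [r[f] for f in NUMERIC]
def dist(a, b): return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class NearestCentroid:                       # distance to each class's mean feature vector
    def fit(self, recs):
        by_cls = {}
        for r in recs: by_cls.setdefault(r["label"], []).append(vec(r))
        self.cent = {c: [sum(col) / len(v) for col in zip(*v)] for c, v in by_cls.items()}
        return self
    def predict(self, r): return min(self.cent, key=lambda c: dist(vec(r), self.cent[c]))


class OneNN:                                 # lazy, instance-based classifier
    def fit(self, recs): self.recs = recs; return self
    def predict(self, r): return min(self.recs, key=lambda t: dist(vec(r), vec(t)))["label"]


class CountRule:                             # one-feature rule: closest class mean of 'count'
    def fit(self, recs):
        s = {}
        for r in recs: s.setdefault(r["label"], []).append(r["count"])
        self.mean = {c: sum(v) / len(v) for c, v in s.items()}
        return self
    def predict(self, r): return min(self.mean, key=lambda c: abs(r["count"] - self.mean[c]))


def weighted_vote(r, models, weights):
    votes = Counter()
    for m, w in zip(models, weights):
        votes[m.predict(r)] += w
    return votes.most_common(1)[0][0]


class ThreeTierIDS:
    def __init__(self, normal_recs, labelled_recs, weights=(0.4, 0.35, 0.25)):
        self.profile = build_profile(normal_recs)
        self.models = [M().fit(labelled_recs) for M in (NearestCentroid, OneNN, CountRule)]
        self.weights = weights               # assumed weights; in practice tuned per classifier

    def classify(self, rec):
        known = tier1_signature(rec)
        if known:
            return known, "tier1"
        if tier2_whitelist(rec, self.profile):
            return "normal", "tier2"
        return weighted_vote(rec, self.models, self.weights), "tier3"


def R(service, count, serror, src_bytes, fails, label=None):
    return {"service": service, "count": count, "serror_rate": serror,
            "src_bytes": src_bytes, "num_failed_logins": fails, "label": label}


# Constructed records; feature names resemble the KDD-style attributes named in the paper
NORMAL = [R("http", 5, 0.0, 300, 0, "normal"), R("http", 12, 0.0, 800, 0, "normal"),
          R("http", 8, 0.1, 500, 0, "normal"), R("telnet", 1, 0.0, 1500, 0, "normal"),
          R("telnet", 2, 0.0, 2500, 1, "normal")]
LABELLED = NORMAL + [
    R("http", 150, 0.6, 0, 0, "probing"), R("http", 120, 0.5, 0, 0, "probing"),
    R("http", 500, 0.95, 0, 0, "DoS"),    R("http", 450, 0.9, 0, 0, "DoS"),
    R("telnet", 1, 0.0, 9000, 0, "U2R"),  R("telnet", 1, 0.0, 8000, 0, "U2R"),
    R("telnet", 3, 0.0, 1200, 3, "R2L"),  R("telnet", 2, 0.0, 1000, 4, "R2L"),
]


def demo():
    ids = ThreeTierIDS(NORMAL, LABELLED)
    return {"known_dos":   ids.classify(R("http", 300, 0.97, 0, 0)),    # stopped at tier 1
            "normal_http": ids.classify(R("http", 7, 0.0, 400, 0)),     # passed by tier 2
            "new_probe":   ids.classify(R("http", 130, 0.55, 0, 0)),    # unknown, voted at tier 3
            "new_u2r":     ids.classify(R("telnet", 1, 0.0, 8500, 0))}  # unknown, voted at tier 3
```

The ordering is what gives the hybrid its cost profile: the cheap signature and range checks settle the bulk of traffic, and only records that are neither known-bad nor known-good reach the ensemble, which is where the computational overhead noted in the conclusion is concentrated.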

6 Comparison of related studies

The intrusion detection related studies are compared based upon the source of audit data (host/network/hybrid), processing criteria (misuse/anomaly/hybrid), technique used, classifier design (single/hybrid/ensemble/multi-classifier), dataset, feature reduction technique employed and classes used for classification of attacks. An IDS can receive data from the host, the network or both (hybrid). The host data contains data taken from the operating system etc., and network data is data sniffed from network packets. An IDS can utilize various processing criteria to detect intrusions, namely misuse based, anomaly based or hybrid. An IDS can employ various types of classification techniques such as neural networks, SVM, Bayesian networks etc. The IDS architecture can be based upon a single classification technique (single classifier) or more than one classification technique (hybrid and/or ensemble classifier). The dataset is the benchmark dataset used for validation of the IDS. Before applying the classification technique, the data may be reduced by employing various feature reduction techniques. The reduction of data for IDS processing results in timely attack detection and increased detection accuracy. Tables 6 and 7 summarize the comparison of various AI based techniques and the comparison of various hybrid/ensemble techniques in the domain of ID, respectively.

7 Conclusion and future directions

Though briefly, this paper has reviewed various intrusion detection systems (IDS) and their classification based on various modules. A comprehensive review of various AI based techniques used in intrusion detection (ID) is presented. A multi-classifier based technique (hybrid/ensemble approach) is discussed that results in the detection of known and unknown attacks with high accuracy. Various studies of artificial intelligence (AI) based techniques in ID are compared by considering many parameters such as source of audit data, processing criteria, technique used, classifier design, dataset, feature reduction technique employed and classification classes. It can be observed that by choosing appropriate base classification techniques, training sample size and combination method, the detection accuracy of the hybrid and/or ensemble approach can be improved. But the hybrid/ensemble approach has increased computational overhead. In future, there is an acute need to research the following issues related to AI based techniques in ID:

• Computationally efficient base classification techniques that adapt automatically to a constantly changing environment.
• Combination methods for the hybrid/ensemble approach.
• Computationally efficient feature reduction techniques for real time traffic analysis.
• Computationally efficient techniques to handle large volumes of data from high speed networks without losing real time analysis capability.
• Computationally efficient techniques to handle low intensity attacks.

Table 6 Comparative summary of various AI based techniques for ID

Techniques used   Study                        Source of    Processing   Classifier   Dataset         Feature reduction    Classification classes/
                                               audit data   criteria     design                       technique employed   categories
NN                Ryan et al. (1997)           Host         Misuse       Single       –               No                   –
NN                Ghosh et al. (1998)          Host         Anomaly      Single       –               No                   –
NN                Han and Cho (2006)           Host         Anomaly      Single       DARPA98         No                   –
NN                Kayacik et al. (2003)        N/w          Anomaly      Single       KDD99           No                   –
NN, SVM           Chen et al. (2005)           Host         Anomaly      Single       BSM-DARPA 99    No                   –
SVM, clustering   Khan et al. (2007)           N/w          Anomaly      Single       DARPA 1998      No                   Normal, DoS, Probe, U2R, R2L
Rule based        Agarwal and Joshi (2000)     N/w          Anomaly      Single       KDD 99          No                   Normal, DoS, Probe, U2R, R2L
DT                Levin (2000)                 N/w          Misuse       Single       KDD99           No                   Normal, DoS, Probe, U2R, R2L
FL, NN            Idris and Shanmugam (2005)   Hybrid       Hybrid       Single       –               No                   –
Clustering        Portnoy et al. (2001)        N/w          Anomaly      Single       KDD99           No                   Normal, DoS, Probe, U2R, R2L
FL, GA            Gomez and Dasgupta (2001)    N/w          Anomaly      Single       KDD99           No                   Normal, Abnormal
GA                Li (2004)                    N/w          Anomaly      Single       –               No                   –
BN                Kruegel et al. (2003)        Host         Anomaly      Single       DARPA 99        No                   Normal, Abnormal

N/w network, NN neural network, DT decision tree, SVM support vector machine, FL fuzzy logic, GA genetic algorithm, BN Bayesian network

Table 7 Comparative summary of various hybrid/ensemble techniques for ID

Techniques used                          Study                          Source of    Processing   Classifier         Dataset             Feature reduction    Classification classes/
                                                                        audit data   criteria     design                                 technique employed   categories
Hybrid/Ensemble classifiers
NN, GAU, KM, NEA, LEA, HYP, ART, C4.5 DT   Sabhnani and Serpen (2003)   N/w          Misuse       Multi-classifier   KDD99               No                   Normal, DoS, Probe, U2R, R2L
CART, BN                                 Chebrolu et al. (2005)         N/w          Misuse       Ensemble           KDD99               BN-MB                Normal, DoS, Probe, U2R, R2L
NN, SVM, MARS                            Mukkamala et al. (2005)        N/w          Anomaly      Ensemble           DARPA98             No                   Normal, DoS, Probe, U2R, R2L
DT, SVM                                  Peddabachigari et al. (2007)   N/w          Anomaly      Ensemble           KDD99               No                   Normal, DoS, Probe, U2R, R2L
LGP, ANFIS, RF                           Zainal et al. (2009)           N/w          Anomaly      Ensemble           KDD99               RST                  Normal, DoS, Probe, U2R, R2L
C4.5 DT, Naïve Bayes, k-NN, VFI, OneR    Menahem et al. (2009)          Host         Hybrid       Ensemble           –                   Document frequency   –
NN, clustering                           Bivens et al. (2002)           N/w          Anomaly      Hybrid             DARPA 99 TCP Dump   No                   Normal, Abnormal
DT                                       Stein et al. (2005)            N/w          Hybrid       Hybrid             KDD99               GA                   Normal, DoS, Probe, U2R, R2L
SVM, NN                                  Wang et al. (2010)             N/w          Anomaly      Hybrid             KDD 99              No                   Normal, Abnormal

NN neural network, GAU Gaussian classifier, KM K-means clustering, NEA nearest cluster algorithm, LEA leader algorithm, HYP hypersphere algorithm, ART fuzzy ARTMAP, CART classification and regression tree, SVM support vector machine, MARS multivariate adaptive regression splines, LGP linear genetic programming, ANFIS adaptive neuro fuzzy inference system, RF random forest, MB Markov blanket (Chebrolu et al. 2005), RST rough set theory (Pawlak 1982)

References

Agarwal R, Joshi M (2000) PNrule: a new framework for learning classifier models in data mining. Technical
Report TR 00-015
Anderson D, Lunt T, Javitz H, Ann T, Valdes A (1995) Next generation intrusion detection expert system
(NIDES). Technical report, SRI International USA
Axelsson S (1999) Research in intrusion detection system—a survey. CMU/SEI Technical Report
Balajinath B, Raghavan SV (2001) Intrusion detection through learning behavior model. Comput Commun
24(12):1202–1212
Beale J, Caswell B, Poor M (2004) Snort 2.1 intrusion detection, 2nd edn. Syngress Publishing, ISBN:
1931836043
Bivens A, Chandrika P, Smith R, Szymanski B (2002) Network-based intrusion detection using neural net-
works. In: Proceeding of ANNIE 2002 conference, ASME Press, pp 10–13
Carpenter GA, Grossberg S, Markuzon N, Reynolds JH, Rosen DB (1992) Fuzzy ARTMAP: a neural network
architecture for incremental supervised learning of analog multidimensional maps. IEEE Trans Neural
Netw 3:698–713
Chebrolu S, Abraham A, Thomas JP (2005) Feature deduction and ensemble design of intrusion detection
systems. Int J Comput Secur 24(4):295–307
Staniford-Chen S, Cheung S, Crawford R, Dilger M, Frank J, Hoagland J, Levitt K, Wee C, Yip R, Zerkle D
(1996) GrIDS—a graph-based intrusion detection system for large networks. In: Proceedings of 19th
national information systems security conference
Chen W-H, Hsu S-H, Shen H-P (2005) Application of SVM and ANN for intrusion detection. Comput Oper
Res 32:2617–2634
Chittur A (2001) Model generation for an intrusion detection system using genetic algorithms. High School
Honors Thesis, Ossining High School. In cooperation with Columbia University
CiscoSecure (2010) Cisco Secure IDS http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml.
Accessed 4 August 2010
Cohen WW (1995) Fast effective rule induction. In: Proceedings of the 12th international conference on
machine learning. Tahoe City, Morgan Kaufmann, CA, pp 115–123
Crosbie M, Dole B, Ellis T, Krsul I, Spafford E (1996) IDIOT—users guide. Technical report TR-96-050.
Purdue University, COAST Laboratory
Crosbie M, Spafford EH (1995) Active defense of a computer system using autonomous agents. Technical
report CSD-TR- 95-008. Purdue University, West Lafayette
Cunningham R, Lippmann R (2000a) Detecting computer attackers: recognizing patterns of malicious stealthy
behavior. MIT Lincoln Laboratory—presentation to CERIAS
Cunningham R, Lippmann R (2000b) Improving intrusion detection performance using keyword selection
and neural networks. Comput Netw 34(4):597–603
Dasgupta D, Gonzalez FA (2001) An intelligent decision support system for intrusion detection and response.
In: Proceedings of international workshop on mathematical methods, models and architectures for com-
puter networks security (MMM-ACNS), St. Petersburg. Springer
Dickerson JE, Dickerson JA (2000) Fuzzy network profiling for intrusion detection. In: Proceedings of NAFIPS
19th international conference of the North American fuzzy information processing society, Atlanta
Dowell C, Ramstedt P (1990) The computerwatch data reduction tool. In: Proceedings of the 13th national
computer security conference, Washington, DC
Duda RO, Hart PE (1973) Pattern classification and scene analysis. Wiley, New York
Ertoz L, Eilertson E, Lazarevic A, Tan P, Srivastava J, Kumar V, Dokas P (2004) The MINDS—Minnesota
intrusion detection system. Next generation data mining. MIT Press, Cambridge
Fortuna C, Fortuna B, Mohorcic M (2007) Anomaly detection in computer networks using linear SVMs.
SiKDD 2007, Ljubljana, Slovenia

Garcia-Teodoro P, Diaz-Verdejo J, Macia-Fernandez G, Vazquez E (2009) Anomaly-based network intrusion
detection: techniques, systems and challenges. Comput Secur 28:18–28
Gharibian F, Ghorbani AA (2007) Comparative study of supervised machine learning techniques for intrusion
detection. In: Proceedings of fifth annual conference on communication networks and services research
(CNSR’07), pp 350–358
Ghosh AK, Wanken J, Charron F (1998) Detecting anomalous and unknown intrusions against programs. In:
Proceedings of the 14th annual computer security applications conference, IEEE, pp 259–267
Goldberg L, Wagner D, Thomans R (1996) A secure environment for untrusted helper applications: confining
the Wily Hacker. In: Sixth USENIX security symposium
Gomez J, Dasgupta D (2001) Evolving fuzzy classifiers for intrusion detection. IEEE workshop on information
assurance, United States Military Academy, NY
Guvenir GD (1997) Classification by voting feature intervals. In: Proceedings of the European conference on
machine learning, pp 85–92
Habra J, Charlier le B, Mounji A, Mathieu I (1992) ASAX: software architecture and rule based language
for universal audit trail analysis. In: Computer security, proceedings of ESORICS 92, 648 of LNCS,
pp 435–440
Halme LR, Bauer RK (1995) AINT misbehaving: a taxonomy of anti-intrusion techniques. In: Proceedings
of the 18th national information systems security conference. Baltimore, MD
Han S-J, Cho S-B (2006) Evolutionary neural networks for anomaly detection based on the behaviour of a
program. IEEE Trans Syst Man Cybern
Hartigan JA (1975) Clustering algorithms. Wiley, New York
Hay A, Cid D, Bray R (2008) OSSEC host-based intrusion detection guide. Syngress Publishing,
ISBN:159749240X
Heberlein LT, Dias GV, Levitt KN, Mukherjee B, Wood J, Wolber D (1990) A network security monitor. In:
Symposium on research in security and privacy. Oakland, CA, pp 296–304
Heckerman D (1995) A tutorial on learning with Bayesian networks. Microsoft research, technical report
MSRTR-95-06
Hochberg J, Jackson K, Stallings C, McClary J, DuBois D, Ford J (1993) NADIR: an automated system for
detecting network intrusions and misuse. Comput Secur 12(3):248–253
Holte R (1993) Very simple classification rules perform well on most commonly used datasets. Mach Learn
11:63–91
Hwang TS, Lee T-J, Lee Y-J (2007) A three-tier IDS via data mining approach. Workshop on mining network
data (MineNet)
Idris NB, Shanmugam B (2005) Artificial intelligence techniques applied to intrusion detection. In: IEEE
Indicon 2005 conference, Chennai, India, pp 52–55
Ilgun K, Richard AK, Phillip AP (1995) State transition analysis: a rule-based intrusion detection. IEEE Trans
Softw Eng 21(3):181–199
Internet Security Systems (ISS) (2010) Real Secure http://www.iss.net. Accessed 4 August 2010
Johansen K, Lee S (2003) CS424 network security: Bayesian Network Intrusion Detection (BINDS). http://
citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.83.8479
John GH, Langley P (1995) Estimating continuous distributions in Bayesian classifiers. In: Proceedings of the
conference on uncertainty in artificial intelligence, pp 338–345
Kayacik G, Zincir-Heywood N, Heywood M (2003) On the capability of an SOM based intrusion detection
system. In: Proceedings of the 2003 IEEE IJCNN, Portland, USA
Khan L, Awad M, Thuraisingham B (2007) A new intrusion detection system using support vector machines
and hierarchical clustering. VLDB J 16
Kibler DA (1991) Instance-based learning algorithms. Mach Learn 37–66
Kim GH, Spafford EH (1997) Tripwire: a case study in integrity monitoring. In: Internet besieged: countering
cyberspace scofflaws. Addison-Wesley, pp 175–210. ISBN 0-201-30820-7
Kruegel C, Mutz D, Robertson W, Valeur F (2003) Bayesian event classification for intrusion detection. In:
Proceedings of 19th annual computer security applications conference, IEEE, pp 14–23
Kuok CM, Fu AW-C, Wong MH (1998) Mining fuzzy association rules in databases. SIGMOD Rec 27(1):
41–46
Lee Y (1989) Classifiers: adaptive modules in pattern recognition systems. MIT, Department of Electrical
Engineering and Computer Science, Cambridge
Leung K, Leckie C (2005) Unsupervised anomaly detection in network intrusion detection using clusters.
In: Proceedings of twenty-eighth Australasian computer science conference (ACSC2005). Newcastle,
Australia, pp 333–342
Levin I (2000) KDD-99 classifier learning contest LLSoft’s results overview. SIGKDD Explor 1(2):67–75

Li W (2004) Using genetic algorithm for network intrusion detection. C. S. G. Department of Energy, Ed,
pp 1–8
Liao Y, Vemuri VR (2002) Use of K-nearest neighbor classifier for intrusion detection. Comput Secur 21:
439–448
Lunt T, Tamaru A, Gilham F, Jagannathan R, Jalali C, Neumann PG, Javitz HS, Valdes A, Garvey TD (1992)
A real time intrusion detection expert system (IDES)—final report, SRI International, Menlo Park, CA
Luo J (1999) Integrating fuzzy logic with data mining methods for intrusion detection. Masters thesis, Mis-
sissippi State University
Mahoney MV, Chan PK (2001) PHAD: packet header anomaly detection for identifying hostile network traf-
fic. Department of Computer Sciences, Florida Institute of Technology, Melbourne, FL, USA, Technical
Report CS-2001-4
Mahoney MV, Chan PK (2002a) Learning models of network traffic for detecting novel attacks. Computer
Science Department, Florida Institute of Technology CS-2002-8
Mahoney MV, Chan PK (2002b) Learning non stationary models of normal network traffic for detecting novel
attacks. In: Proceedings of eighth ACM SIGKDD international conference on knowledge discovery and
data mining. Edmonton, Canada, pp 376–385
Mannila H, Toivone H (1996) Discovering generalized episodes using minimal occurrences. In: Proceedings
of the second international conference on knowledge discovery and data mining
Menahem E, Shabtai A, Rokach L, Elovici Y (2009) Improving malware detection by applying multi-inducer
ensemble. Comput Stat Data Anal 53(4):1483–1494
MIT Lincoln Laboratory (2001) 1999 DARPA intrusion detection evaluation design and procedure. DARPA
technical report
Mukkamala S, Sung AH (2003a) Artificial intelligent techniques for intrusion detection. IEEE Int Conf Syst
Man Cybern
Mukkamala S, Sung AH (2003b) A comparative study of techniques for intrusion detection. In: Proceedings
of the 15th IEEE international conference on tools with artificial intelligence (ICTAI’03)
Mukkamala S, Sung AH, Abraham A (2005) Intrusion detection using an ensemble of intelligent paradigms.
J Netw Comput Appl 28:167–182
Novikov D, Yampolskiy RV, Reznik L (2006) Artificial intelligence approaches for intrusion detection. Sys-
tems, applications and technology conference, LISAT 2006. IEEE Long Island 5(5):1–8
Panda M, Patra MR (2008) A comparative study of data mining algorithms for network intrusion detection. In:
Proceedings of first international conference on emerging trends in engineering and technology, IEEE
computer society
Patcha A, Park JM (2007) An overview of anomaly detection techniques: existing solutions and latest tech-
nological trends. Comput Netw. doi:10.1016/j.comnet.2007.02.001
Pawlak Z (1982) Rough sets. Int J Comput Inf Sci 11:341–356
Paxson V (1998) Bro: a system for detecting network intruders in real-time. In: Proceedings of the 7th USENIX
security symposium. San Antonio, TX
Peddabachigari S, Abraham A, Grosan C, Thomas J (2007) Modeling intrusion detection system using hybrid
intelligent systems. J Netw Comput Appl 30:114–132
Ponce (2004) Intrusion detection system with artificial intelligence. In: FIST conference—edition-1/28 Uni-
versidad Pontificia Comillas de Madrid
Porras PA, Neumann PG (1997) EMERALD. In: Proceedings of 20th national information systems security
conference, USA, pp 353–365
Portnoy L, Eskin E, Stolfo SJ (2001) Intrusion detection with unlabeled data using clustering. In: Proceedings
of the ACM workshop on data mining applied to security
Quinlan JR (1993) C4.5 Programs for machine learning. Morgan Kaufmann San Mateo Ca
Rawat S (2005) Efficient data mining algorithms for intrusion detection. Ph.D. thesis, University of
Hyderabad, Hyderabad
Rokach L (2010) Ensemble-based classifiers. Artif Intell Rev 33(1–2):1–39
Ryan J, Lin M-J, Risto M (1997) Intrusion detection with neural networks. Adv Neural Inf Process Syst MIT
943–949
Sabhnani M, Serpen G (2003) Application of machine learning algorithms to KDD intrusion detection dataset
within misuse detection context. EECS, University of Toledo
Samhain labs (2010) The SAMHAIN file integrity/intrusion detection system. http://la-samhna.de/samhain/.
Accessed 27 Aug 2010
Sebring MM, Sellhouse E, Hanna ME, Whitehurst RA (1988) Expert system in intrusion detection: a case
study. In: Proceedings of the 11th national computer security conference, Baltimore, MD, pp 74–81
Smaha SE (1988) Haystack: an intrusion detection system. In: The fourth aerospace computer security appli-
cations conference, Orlando, FL

Spafford EH, Zamboni D (2000) Intrusion detection using autonomous agents. Comput Netw 34(4):547–570
Staniford-Chen S, Tung B, Schnackenberg D (1998) The common intrusion detection framework (CIDF).
Information survivability workshop, Orlando, FL
Stein G, Chen B, Wu AS, Hua KA (2005) Decision tree classifier for network intrusion detection with
GA-based feature selection. In: Proceedings of the 43rd annual southeast regional conference ACM
vol 2, pp 136–141
Stolfo S, Prodromidis AL, Chan PK (1997) JAM: Java agents for meta-learning over distributed databases.
In: Proceedings of the third international conference on knowledge discovery and data mining
Stoneburner G (2001) Underlying models for information technology security. NIST Special Publication
800-33
Sung H, Mukkamala S (2003) Feature selection for intrusion detection using neural networks and support
vector machines. In: 82nd annual meeting of the transportation research board of the national academies,
Washington DC, USA
Tsai C-F, Hsu Y-F, Lin C-Y, Lin W-Y (2009) Intrusion detection by machine learning: a review. Expert Syst
Appl 36(10):11994–12000
Vaccaro HS, Liepins GE (1989) Detection of anomalous computer session activity. In: Proceedings of IEEE
symposium on security and privacy, pp 280–289
Vapnik V (1998) Statistical learning theory. Wiley, New York
Wang F, Qian Y, Dai Y, Wang Z (2010) A model based on hybrid support vector machine and self-organizing
map for anomaly detection. In: International conference on communications and mobile computing, cmc
2010, vol 1. Shenzhen, China, pp 97–101
Witten IH, Frank E (2005) Data mining-practical machine learning tools and techniques, 2nd ed. Morgan
Kaufmann ISBN 0-12-088407-0
Ypma A, Duin R (1998) Novelty detection using self-organizing maps. Progress in connectionist-based infor-
mation systems, 2
Zainal A, Maarof MA, Shamsuddin SM (2009) Ensemble classifiers for network intrusion detection system.
J Inf Assur Secur 4:217–225
