Local outlier factor and stronger one class classifier based hierarchical model for detection of attacks in network intrusion detection dataset
Alampallam Ramaswamy VASUDEVAN, Subramanian SELVAKUMAR
Identification of attacks by a network intrusion detection system (NIDS) is an important task. In signature- or rule-based detection, previously encountered attacks are modeled and signatures/rules are extracted; these rules are then used to detect such attacks in the future. In an anomaly or outlier detection system, by contrast, the normal network traffic is modeled, and any deviation from the normal model is deemed an outlier/attack. Data mining and machine learning techniques are widely used in offline NIDS. Unsupervised and supervised learning techniques differ in the way the NIDS dataset is treated: the characteristic features of unsupervised learning are finding patterns in data and detecting outliers, while those of supervised learning are determining a learned function for the input features and generalizing over the data instances. The intuition is that if these two techniques are combined, better performance may be obtained. Hence, in this paper the advantages of unsupervised and supervised techniques are inherited in the proposed hierarchical model, which is devised in three stages to detect attacks in a NIDS dataset. The NIDS dataset is clustered using Dirichlet process (DP) clustering based on the underlying data distribution. Iteratively on each cluster, local denser areas are identified using the local outlier factor (LOF), which in turn is discretized into four bins of separation based on LOF score. Further, in each bin the normal data instances are modeled using a one class classifier (OCC). A combination of density estimation, reconstruction, and boundary methods is used for the OCC model. A product rule combination of the three methods takes into consideration the strengths of each method in building a stronger OCC model. Any deviation from this model is considered an attack. Experiments are conducted on the KDD CUP'99 and SSENet-2011 datasets. The results show that the proposed model is able to identify attacks with a higher detection rate and low false alarms.
Keywords: hierarchical model / DP clustering / LOF / discretizer / one class classifier / NIDS
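The abstract describes stages 2 and 3 of the model (LOF scoring inside a cluster, discretization of the scores into four bins, and a product-rule one class classifier per bin) without giving the mechanics. The following pure-Python illustration is added here and is not the authors' code. It assumes stage 1 (Dirichlet process clustering) has already been run, so the constructed `NORMAL_CLUSTER` stands for one cluster of normal records with two scaled features each; the bin sizes, bandwidth choice, the specific density/reconstruction/boundary scores, the 95% acceptance threshold and the rule "an instance that no bin's model accepts is an attack" are all assumptions made for the example, not details taken from the paper.

```python
"""Stages 2 and 3 of the hierarchical model described in the abstract, in pure Python.

Added illustration, not the authors' code. Stage 1 (Dirichlet process clustering) is
assumed to have been run already: NORMAL_CLUSTER below stands for ONE cluster of
normal instances with two constructed, scaled features per record.
"""
import math
from typing import Dict, List, Optional, Sequence, Tuple

Point = Tuple[float, ...]

# Constructed sample: a dense core of normal records plus a sparser halo.
NORMAL_CLUSTER: List[Point] = [
    (1.0, 1.0), (1.1, 1.0), (1.0, 1.1), (1.1, 1.1), (0.9, 1.0), (1.0, 0.9),
    (1.05, 0.95), (0.95, 1.05), (1.4, 1.3), (0.6, 0.7), (1.3, 0.6), (0.7, 1.4),
]


def dist(a: Point, b: Point) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def neighbours(points: Sequence[Point], i: int, k: int) -> List[Tuple[float, int]]:
    """k nearest neighbours of points[i] as (distance, index), excluding itself."""
    return sorted((dist(points[i], points[j]), j) for j in range(len(points)) if j != i)[:k]


def lof_scores(points: Sequence[Point], k: int = 3) -> List[float]:
    """Local outlier factor (Breunig et al.): about 1 inside a dense region, larger
    for points that are sparser than their neighbours."""
    n = len(points)
    nn = [neighbours(points, i, k) for i in range(n)]
    k_dist = [nn[i][-1][0] for i in range(n)]
    # reachability distance of i from neighbour j is max(k-distance(j), d(i, j));
    # local reachability density (lrd) is k over the sum of those distances
    lrd = [len(nn[i]) / max(sum(max(k_dist[j], d) for d, j in nn[i]), 1e-12) for i in range(n)]
    return [sum(lrd[j] for _, j in nn[i]) / (len(nn[i]) * lrd[i]) for i in range(n)]


def discretize(scores: Sequence[float], n_bins: int = 4) -> List[int]:
    """Equal-width binning of LOF scores: bin 0 is the densest, bin n_bins-1 the sparsest."""
    lo, hi = min(scores), max(scores)
    width = (hi - lo) / n_bins or 1.0
    return [min(int((s - lo) / width), n_bins - 1) for s in scores]


class ProductRuleOCC:
    """One-class classifier for one bin (assumed design). Three methods, each mapped to a
    normality score in (0, 1]: density (Parzen window), reconstruction (single-centre
    k-means, i.e. error of rebuilding x from the bin centroid) and boundary (mean k-NN
    distance). The product rule multiplies the three; the threshold is chosen so that
    accept_fraction of the bin's own training instances are accepted (leave-one-out)."""

    def __init__(self, normal: Sequence[Point], k: int = 2, accept_fraction: float = 0.95):
        self.train = list(normal)
        self.k = min(k, len(self.train) - 1)
        dim = len(self.train[0])
        self.centroid = tuple(sum(p[d] for p in self.train) / len(self.train) for d in range(dim))
        # one scale (kernel bandwidth) per bin, taken from its own k-NN distances
        self.h = max(sum(self._knn_dist(p, i) for i, p in enumerate(self.train)) / len(self.train), 1e-6)
        train_scores = sorted(self.score(p, exclude=i) for i, p in enumerate(self.train))
        self.threshold = train_scores[int((1.0 - accept_fraction) * len(train_scores))]

    def _sorted_dists(self, x: Point, exclude: Optional[int] = None) -> List[float]:
        return sorted(dist(x, p) for i, p in enumerate(self.train) if i != exclude)

    def _knn_dist(self, x: Point, exclude: Optional[int] = None) -> float:
        ds = self._sorted_dists(x, exclude)[: self.k]
        return sum(ds) / len(ds)

    def score(self, x: Point, exclude: Optional[int] = None) -> float:
        ds = self._sorted_dists(x, exclude)
        density = sum(math.exp(-0.5 * (d / self.h) ** 2) for d in ds) / len(ds)
        reconstruction = math.exp(-dist(x, self.centroid) / self.h)
        boundary = math.exp(-self._knn_dist(x, exclude) / self.h)
        return density * reconstruction * boundary  # product rule

    def accepts(self, x: Point) -> bool:
        return self.score(x) >= self.threshold


def build_models(cluster: Sequence[Point], k: int = 3, n_bins: int = 4,
                 min_size: int = 3) -> Dict[int, ProductRuleOCC]:
    """Stage 2 + 3 for one cluster: LOF, four bins, one OCC per bin that is large enough."""
    bins = discretize(lof_scores(cluster, k), n_bins)
    models: Dict[int, ProductRuleOCC] = {}
    for b in range(n_bins):
        members = [p for p, bb in zip(cluster, bins) if bb == b]
        if len(members) >= min_size:
            models[b] = ProductRuleOCC(members)
    return models


def is_attack(models: Dict[int, ProductRuleOCC], x: Point) -> bool:
    """Assumed decision rule: an instance that no bin's normal model accepts is an attack."""
    return not any(m.accepts(x) for m in models.values())


if __name__ == "__main__":
    models = build_models(NORMAL_CLUSTER)
    for x in [(1.02, 1.03), (5.0, 9.0)]:
        print(x, "attack" if is_attack(models, x) else "normal")
```

On the constructed cluster the eight core points land in bin 0 and the four halo points in bin 3 (bins 1 and 2 stay empty and get no model), which is the practical caveat of equal-width binning: bins are only useful where enough normal instances fall into them. The product rule makes the combined score small as soon as any one method is unhappy, which is what gives the combined classifier its "stronger" rejection of points far from the modeled normal traffic.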