A Hybrid Framework for Building an Efficient Incremental Intrusion Detection System

Document Type: Research Article

Abstract

In this paper, a boosting-based incremental hybrid intrusion detection system is introduced. This system combines incremental misuse detection and incremental anomaly detection. We use a boosting ensemble of weak classifiers to implement the misuse intrusion detection system; for incremental misuse detection, it can identify new classes of intrusions that do not exist in the training dataset. As the framework has low computational complexity, it is suitable for real-time or on-line learning. We use an incremental centroid-based “on-line k-Mean” clustering algorithm to implement the anomaly detection system. Experimental evaluations on the KDD Cup dataset have shown that the proposed framework has high clustering quality, relatively low computational complexity and fast convergence.
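The anomaly detection component described in the abstract, an incremental centroid-based on-line k-means, as an added Python illustration that is not the paper's own code; the sequential (MacQueen-style) update rule, the distance threshold and the sample feature vectors are assumptions made here:

```python
import math
# Constructed sample: two-feature connection records scaled to [0, 1]; not KDD Cup data.
NORMAL_RECORDS = [(0.10, 0.10), (0.90, 0.90), (0.12, 0.08), (0.88, 0.92),
                  (0.08, 0.12), (0.92, 0.88), (0.11, 0.09), (0.91, 0.89)]

class OnlineKMeans:
    """Sequential (MacQueen-style) k-means: one centroid move per arriving record."""
    def __init__(self, k):
        self.k = k
        self.centroids = []   # current cluster centres
        self.counts = []      # records absorbed per centre (sets the step size)

    def nearest(self, x):
        """Index of, and distance to, the closest centroid."""
        dists = [math.dist(x, c) for c in self.centroids]
        i = min(range(len(dists)), key=dists.__getitem__)
        return i, dists[i]

    def update(self, x):
        """Absorb one record; the first k records seed the centroids."""
        if len(self.centroids) < self.k:
            self.centroids.append(list(x))
            self.counts.append(1)
            return len(self.centroids) - 1
        i, _ = self.nearest(x)
        self.counts[i] += 1
        eta = 1.0 / self.counts[i]  # step shrinks as the cluster grows
        self.centroids[i] = [c + eta * (xi - c) for c, xi in zip(self.centroids[i], x)]
        return i

def train(records, k):
    model = OnlineKMeans(k)
    for r in records:
        model.update(r)
    return model

def score(model, x, threshold):
    """Anomalous if the record is farther than `threshold` from every centroid."""
    _, d = model.nearest(x)
    return d > threshold, d

def detect_stream(model, stream, threshold):
    """Score a stream incrementally; only records judged normal refine the centroids."""
    flagged = []
    for idx, x in enumerate(stream):
        if score(model, x, threshold)[0]:
            flagged.append(idx)
        else:
            model.update(x)
    return flagged
```

Because flagged records never update a centroid, an attacker's traffic cannot gradually drag a cluster centre toward itself; the threshold is the tuning knob between false alarms and missed anomalies.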
