Published in: Neural Computing and Applications 6/2012

01.09.2012 | Original Article

Intrusion detection using reduced-size RNN based on feature grouping

Authors: Mansour Sheikhan, Zahra Jadidi, Ali Farrokhi

Abstract

Intrusion detection is well known as an essential component for securing systems in Information and Communication Technology (ICT). Based on the type of events analyzed, two kinds of Intrusion Detection Systems (IDS) have been proposed: anomaly-based and misuse-based. In this paper, a three-layer Recurrent Neural Network (RNN) architecture with categorized features as inputs and attack types as outputs is proposed as a misuse-based IDS. The input features are categorized into basic features, content features, time-based traffic features, and host-based traffic features. The attack types are classified into Denial-of-Service (DoS), Probe, Remote-to-Local (R2L), and User-to-Root (U2R). For this purpose, we use the 41 features per connection defined by the International Knowledge Discovery and Data mining group (KDD). The RNN has an extra output which corresponds to the normal class (no attack). The connections between the nodes of the two hidden layers of the RNN are considered partial. Experimental results show that the proposed model is able to improve the classification rate, particularly for R2L attacks. This method also offers better Detection Rate (DR) and Cost Per Example (CPE) when compared to similar related works and to the simulated Multi-Layer Perceptron (MLP) and Elman-based intrusion detectors. On the other hand, the False Alarm Rate (FAR) of the proposed model is not degraded significantly when compared to some recent machine learning methods.
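The three evaluation metrics named in the abstract, worked through on a five-class confusion matrix, as an added example that is not code or data from the paper. It assumes the common definitions (DR: attack connections not labelled normal; FAR: normal connections labelled as any attack) and the published KDD Cup 99 cost matrix for CPE; the confusion matrix is constructed.

```python
# Added illustration; SAMPLE_CM is constructed, not a result from the paper.
CLASSES = ["normal", "probe", "dos", "u2r", "r2l"]

# KDD Cup 99 misclassification costs, COST[actual][predicted].
COST = [
    [0, 1, 2, 2, 2],  # actual normal
    [1, 0, 2, 2, 2],  # actual probe
    [2, 1, 0, 2, 2],  # actual DoS
    [3, 2, 2, 0, 2],  # actual U2R
    [4, 2, 2, 2, 0],  # actual R2L
]

# Constructed confusion matrix, SAMPLE_CM[actual][predicted].
SAMPLE_CM = [
    [950, 20, 20, 0, 10],
    [10, 180, 10, 0, 0],
    [20, 10, 1960, 0, 10],
    [5, 0, 0, 10, 5],
    [120, 0, 0, 0, 80],
]

def detection_rate(cm):
    """Share of attack connections assigned to any attack class (assumed definition)."""
    attacks = sum(sum(row) for row in cm[1:])
    if attacks == 0:
        raise ValueError("no attack connections in the matrix")
    missed = sum(row[0] for row in cm[1:])  # attacks labelled normal
    return (attacks - missed) / attacks

def false_alarm_rate(cm):
    """Share of normal connections labelled as any attack (assumed definition)."""
    normals = sum(cm[0])
    if normals == 0:
        raise ValueError("no normal connections in the matrix")
    return (normals - cm[0][0]) / normals

def cost_by_actual_class(cm, cost=COST):
    """Total misclassification cost incurred on each actual class."""
    return {name: sum(n * c for n, c in zip(cm[i], cost[i]))
            for i, name in enumerate(CLASSES)}

def cost_per_example(cm, cost=COST):
    """Cost-weighted errors divided by the number of test connections."""
    total = sum(sum(row) for row in cm)
    if total == 0:
        raise ValueError("empty confusion matrix")
    return sum(cost_by_actual_class(cm, cost).values()) / total

if __name__ == "__main__":
    print(detection_rate(SAMPLE_CM), false_alarm_rate(SAMPLE_CM))
    print(cost_per_example(SAMPLE_CM), cost_by_actual_class(SAMPLE_CM))
```

In this constructed matrix, missed R2L connections account for 480 of the 685 total cost units, which shows how strongly the R2L classification rate weighs on CPE.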

Metadata
Title
Intrusion detection using reduced-size RNN based on feature grouping
Authors
Mansour Sheikhan
Zahra Jadidi
Ali Farrokhi
Publication date
01.09.2012
Publisher
Springer-Verlag
Published in
Neural Computing and Applications / Issue 6/2012
Print ISSN: 0941-0643
Electronic ISSN: 1433-3058
DOI
https://doi.org/10.1007/s00521-010-0487-0