Abstract
This article introduces an approach to anomaly-based intrusion detection that combines supervised and unsupervised machine learning algorithms. The main objective of this work is an effective model of an organization's TCP/IP network traffic that allows anomalies to be detected with a false positive rate acceptable for a production environment. The proposed architecture uses a hierarchy of Self-Organizing Maps to model traffic, combined with Learning Vector Quantization techniques to classify network packets. The architecture is built on the well-known SNORT intrusion detection system, which is used to preprocess network traffic. Compared with other techniques, the results obtained in this work show that an acceptable trade-off between attack detection and false positive rates can be achieved.
Copyright information
© 2006 International Federation for Information Processing
Cite this paper
Carrascal, A., Couchet, J., Ferreira, E., Manrique, D. (2006). Anomaly Detection using prior knowledge: application to TCP/IP traffic. In: Bramer, M. (eds) Artificial Intelligence in Theory and Practice. IFIP AI 2006. IFIP International Federation for Information Processing, vol 217. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-34747-9_15
DOI: https://doi.org/10.1007/978-0-387-34747-9_15
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-34654-0
Online ISBN: 978-0-387-34747-9
eBook Packages: Computer Science, Computer Science (R0)