An intrusion detection and alert correlation approach based on revising probabilistic classifiers using expert knowledge

Applied Intelligence

Abstract

Bayesian networks are important knowledge representation tools for handling uncertain information. The success of these models is strongly related to their capacity to represent and handle dependence relations. Some forms of Bayesian networks have been applied successfully in many classification tasks; in particular, naive Bayes classifiers have been used for intrusion detection and alert correlation. This paper analyses the advantage of adding expert knowledge to probabilistic classifiers in the context of intrusion detection and alert correlation. As examples of probabilistic classifiers, we consider the well-known Naive Bayes, Tree Augmented Naive Bayes (TAN), Hidden Naive Bayes (HNB) and decision tree classifiers. Our approach can be applied to any classifier whose outcome is a probability distribution over a set of classes (or decisions). In particular, we study how additional expert knowledge such as "it is expected that 80% of traffic will be normal" can be integrated into classification tasks. Our aim is to revise the classifiers' output distributions so that they fit the expert knowledge. Experimental results show that our approach improves existing results on different benchmarks from the intrusion detection and alert correlation areas.
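The abstract describes revising a probabilistic classifier's outputs so that they fit expert knowledge such as "it is expected that 80% of traffic will be normal". The following Python is an added example, not code from the paper, its authors or any accompanying software, and it does not claim to reproduce the paper's algorithms. It trains a small naive Bayes model on a constructed, attack-heavy set of KDD'99-style connection records (the KDD'99 training mix is attack-heavy, which is why such classifiers over-report attacks in deployment), then revises its posteriors by Jeffrey's rule: the learned evidence P(x | c) is kept and the training class prior is replaced by the expert's. That is one natural way to carry out the kind of revision the abstract describes. The records, the feature set (protocol, service, flag), the 80/20 expert prior and all function names are assumptions made for this example.

```python
from collections import Counter, defaultdict
from fractions import Fraction

# Constructed KDD'99-style records (protocol, service, flag) -> class.
# The mix is deliberately attack-heavy (8 attack : 4 normal), as in the
# KDD'99 training set, so the learned class prior does not match a
# deployment where an analyst expects about 80% of traffic to be normal.
TRAIN = [
    (("tcp", "http", "SF"), "normal"),
    (("tcp", "http", "SF"), "normal"),
    (("udp", "domain", "SF"), "normal"),
    (("tcp", "smtp", "SF"), "normal"),
    (("icmp", "ecr_i", "SF"), "attack"),   # smurf-like ICMP echo flood
    (("icmp", "ecr_i", "SF"), "attack"),
    (("icmp", "ecr_i", "SF"), "attack"),
    (("tcp", "private", "S0"), "attack"),  # neptune-like SYN flood
    (("tcp", "private", "S0"), "attack"),
    (("tcp", "private", "S0"), "attack"),
    (("tcp", "http", "SF"), "attack"),     # back-like HTTP DoS
    (("tcp", "private", "REJ"), "attack"),
]

# Expert knowledge from the abstract: "80% of traffic will be normal" (assumed split).
EXPERT_PRIOR = {"normal": Fraction(4, 5), "attack": Fraction(1, 5)}


class NaiveBayes:
    """Categorical naive Bayes with add-one (Laplace) smoothing.
    Exact fractions are used so the revision step can be checked by hand."""

    def __init__(self, records):
        self.class_count = Counter(c for _, c in records)
        self.total = sum(self.class_count.values())
        n_features = len(records[0][0])
        self.vocab = [set() for _ in range(n_features)]
        self.feat_count = defaultdict(Counter)  # (class, i) -> Counter(value)
        for x, c in records:
            for i, v in enumerate(x):
                self.vocab[i].add(v)
                self.feat_count[(c, i)][v] += 1

    def prior(self, c):
        """Class prior as estimated from the training data."""
        return Fraction(self.class_count[c], self.total)

    def likelihood(self, x, c):
        """P(x | c) under the naive (conditional independence) assumption."""
        p = Fraction(1)
        for i, v in enumerate(x):
            p *= Fraction(self.feat_count[(c, i)][v] + 1,
                          self.class_count[c] + len(self.vocab[i]))
        return p

    def posterior(self, x):
        """P(c | x) under the training prior."""
        scores = {c: self.prior(c) * self.likelihood(x, c) for c in self.class_count}
        z = sum(scores.values())
        return {c: s / z for c, s in scores.items()}


def revise(posterior, old_prior, new_prior):
    """Jeffrey's rule applied to a classifier output: keep P(x | c), replace
    the training class prior by the expert's, renormalise.
        P'(c | x)  is proportional to  P(c | x) * new_prior[c] / old_prior[c]
    Works for any classifier whose output is a distribution over classes."""
    weights = {c: p * new_prior[c] / old_prior[c] for c, p in posterior.items()}
    z = sum(weights.values())
    return {c: w / z for c, w in weights.items()}


def decide(dist):
    return max(dist, key=dist.get)


def mean_class_mass(dists):
    """Average predicted probability per class over a batch of outputs: the
    figure to compare against the expert's stated proportion after revision."""
    n = len(dists)
    return {c: sum(d[c] for d in dists) / n for c in dists[0]}


def classify_connection(x, nb, expert_prior=EXPERT_PRIOR):
    """Return (posterior under the training prior, posterior revised to the expert prior)."""
    post = nb.posterior(x)
    old_prior = {c: nb.prior(c) for c in post}
    return post, revise(post, old_prior, expert_prior)


if __name__ == "__main__":
    nb = NaiveBayes(TRAIN)
    # A half-open HTTP connection (flag S0) looks like a SYN probe to the
    # attack-heavy model but is unremarkable under the expert's prior.
    post, rev = classify_connection(("tcp", "http", "S0"), nb)
    for name, d in (("training prior", post), ("expert prior", rev)):
        print(f"{name:14s} -> {decide(d):6s} "
              + "  ".join(f"P({c})={float(p):.3f}" for c, p in sorted(d.items())))
    stream = [x for x, _ in TRAIN]   # constructed stream: the training records reused
    raw = [classify_connection(x, nb)[0] for x in stream]
    revised = [classify_connection(x, nb)[1] for x in stream]
    print(f"mean P(normal): raw={float(mean_class_mass(raw)['normal']):.3f} "
          f"revised={float(mean_class_mass(revised)['normal']):.3f}")
```

The half-open HTTP connection is labelled an attack under the training prior (P(attack | x) is about 0.69) and normal after revision (P(normal | x) is about 0.78): the decision flips because the training data over-represents attacks, which is exactly the false-alert mechanism the revision targets. Two caveats matter in practice. The step corrects only the class prior, so it cannot repair likelihoods that were mis-estimated from an unrepresentative training set. And the expert's "80%" is a statement about the stream as a whole, so the check is to compare `mean_class_mass` of the revised outputs over a realistic batch against that figure, not to trust any single revised posterior; if downstream alert correlation consumes probabilities, pass it the revised distribution rather than just its argmax.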




Correspondence to Salem Benferhat.


Benferhat, S., Boudjelida, A., Tabia, K. et al. An intrusion detection and alert correlation approach based on revising probabilistic classifiers using expert knowledge. Appl Intell 38, 520–540 (2013). https://doi.org/10.1007/s10489-012-0383-7
