Summary
Multiple Classifier Systems (MCS) have been applied successfully in many research fields, among them the detection of intrusions in computer systems. In intrusion detection, the MCS approach is motivated by the heterogeneity of the environment: different network protocols (and the related services, each with its own features), many concurrent network connections, and distinct host applications and operating systems. Such an environment lends itself to the MCS approach, and several MCS designs have been proposed for it. This work presents an overview of the MCS paradigms used in the intrusion detection field and discusses their peculiarities. In particular, MCS appear well suited to the anomaly detection paradigm, in which attacks are detected as deviations from a model of normal (legitimate) event patterns. MCS may also be used to increase the robustness of an Intrusion Detection System (IDS) against attacks directed at the IDS itself. Finally, a practical application of MCS to the design of an anomaly-based IDS is presented.
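The anomaly-detection use of MCS described in the summary, as an added illustration that is not code from the chapter or its authors: a modular ensemble with one module per network service, each module fusing two simple one-class detectors (a per-feature z-score test and a nearest-neighbour distance) that are trained on normal traffic only and combined by a fixed rule (mean, max or min). The feature set, the constructed training records, the threshold of 1.0 on the normalised score, and the choice to flag traffic for a service that has no module are all assumptions of this example.

```python
"""Added illustration (not the chapter's own code) of a modular multiple-classifier
anomaly detector: one module per network service, each module an ensemble of
one-class detectors trained on normal traffic only and fused by a combination rule.
Feature set, training records and thresholds are constructed for this example."""
from __future__ import annotations

import math
from statistics import mean, pstdev

# Assumed per-connection features: (duration_s, src_bytes, dst_bytes, failed_logins).
# Constructed records of legitimate traffic only; no attack labels are needed.
NORMAL_TRAFFIC = [
    ("http", (0.2, 300, 4000, 0)), ("http", (0.4, 350, 5200, 0)),
    ("http", (0.1, 280, 3900, 0)), ("http", (0.3, 320, 4500, 0)),
    ("http", (0.5, 400, 6100, 0)),
    ("ssh", (30.0, 2000, 3000, 0)), ("ssh", (45.0, 2500, 4100, 1)),
    ("ssh", (60.0, 3100, 5000, 0)), ("ssh", (25.0, 1800, 2600, 0)),
    ("ssh", (50.0, 2700, 4400, 1)),
]


def _standardise_params(X):
    """Per-feature mean and standard deviation of the normal records. The floor keeps a
    constant feature from dividing by zero; any later deviation in such a feature is
    then scored as strongly anomalous (e.g. a failed login where none was ever seen)."""
    mu = [mean(col) for col in zip(*X)]
    sd = [max(pstdev(col), 1e-3) for col in zip(*X)]
    return mu, sd


class ZScoreDetector:
    """One-class detector: largest per-feature |z| relative to normal traffic."""

    def fit(self, X):
        self.mu, self.sd = _standardise_params(X)
        # Reference = largest raw score the normal data itself produces, so a
        # normalised score above 1 means "beyond anything seen in training".
        self.ref = max(max(self.raw(x) for x in X), 1e-9)
        return self

    def raw(self, x):
        return max(abs(v - m) / s for v, m, s in zip(x, self.mu, self.sd))

    def score(self, x):
        return self.raw(x) / self.ref


class NearestNeighbourDetector:
    """One-class detector: distance to the closest normal record in standardised space.
    Catches records whose features are each in range but whose combination is not."""

    def fit(self, X):
        self.mu, self.sd = _standardise_params(X)
        self.train = [self._std(x) for x in X]
        # Leave-one-out nearest-neighbour distances on the normal data calibrate the reference.
        loo = [min(self._dist(p, q) for j, q in enumerate(self.train) if j != i)
               for i, p in enumerate(self.train)]
        self.ref = max(max(loo), 1e-9)
        return self

    def _std(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    @staticmethod
    def _dist(p, q):
        return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))

    def raw(self, x):
        p = self._std(x)
        return min(self._dist(p, q) for q in self.train)

    def score(self, x):
        return self.raw(x) / self.ref


# Fixed combination rules applied to the detectors' normalised scores.
COMBINERS = {"mean": lambda s: sum(s) / len(s), "max": max, "min": min}


class ModularEnsemble:
    """One module per service; each module fuses several one-class detectors."""

    def __init__(self, rule="mean", threshold=1.0):
        self.combine = COMBINERS[rule]
        self.threshold = threshold
        self.modules = {}

    def fit(self, records):
        by_service = {}
        for service, x in records:
            by_service.setdefault(service, []).append(x)
        for service, X in by_service.items():
            self.modules[service] = [ZScoreDetector().fit(X),
                                     NearestNeighbourDetector().fit(X)]
        return self

    def score(self, service, x):
        if service not in self.modules:
            # Design choice of this example: traffic for a service with no model of
            # normal behaviour is itself reported as anomalous, not silently ignored.
            return math.inf
        return self.combine([d.score(x) for d in self.modules[service]])

    def is_anomalous(self, service, x):
        return self.score(service, x) > self.threshold


if __name__ == "__main__":
    ids = ModularEnsemble(rule="mean").fit(NORMAL_TRAFFIC)
    for svc, x in [("http", (0.3, 330, 4700, 0)),   # ordinary request
                   ("http", (0.2, 300, 4000, 3)),   # failed logins never seen on http
                   ("http", (0.5, 280, 6100, 0)),   # each feature in range, combination not
                   ("dns", (0.1, 60, 120, 0))]:     # service without a module
        verdict = "ALERT" if ids.is_anomalous(svc, x) else "ok"
        print(svc, x, f"score={ids.score(svc, x):.2f}", verdict)
```

The third constructed record is the one worth studying: every feature lies inside the range seen on normal http traffic, so the z-score detector alone stays just under the threshold, while the nearest-neighbour detector scores it above 1 because no normal record has that combination of values. Under the mean and max rules the module raises an alert; under the min rule it does not, which is the usual trade-off between the rules (min suppresses false alarms, max and mean raise sensitivity to attacks that only one detector sees).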
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
Cite this chapter
Corona, I., Giacinto, G., Roli, F. (2008). Intrusion Detection in Computer Systems Using Multiple Classifier Systems. In: Okun, O., Valentini, G. (eds) Supervised and Unsupervised Ensemble Methods and their Applications. Studies in Computational Intelligence, vol 126. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-78981-9_5
DOI: https://doi.org/10.1007/978-3-540-78981-9_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-78980-2
Online ISBN: 978-3-540-78981-9
eBook Packages: Engineering (R0)