Intrusion Detection in Computer Systems Using Multiple Classifier Systems

  • Chapter
Supervised and Unsupervised Ensemble Methods and their Applications

Part of the book series: Studies in Computational Intelligence ((SCI,volume 126))

Summary

Multiple Classifier Systems (MCS) have been applied successfully in many research fields, among them the detection of intrusions in computer systems. In the intrusion detection field, the MCS approach is motivated by the heterogeneity of the monitored environment: different network protocols (and the related services, each with its own features), multiple concurrent network connections, and distinct host applications and operating systems. In such a heterogeneous environment the MCS approach is particularly suitable, and a number of different MCS designs have been proposed. In this work we present an overview of the MCS paradigms used in the intrusion detection field and discuss their peculiarities. In particular, MCS appear well suited to the anomaly detection paradigm, where attacks are detected as deviations from a model of normal (legitimate) event patterns. In addition, MCS may be used to increase the robustness of an Intrusion Detection System (IDS) against attacks on the IDS itself. Finally, a practical application of MCS to the design of anomaly-based IDSs is presented.
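As an added illustration of the modular anomaly-detection design the summary describes (this is not code from the chapter or its authors), the Python below builds one module per network service, fits two diverse one-class models on normal connections only, divides each model's raw score by a threshold calibrated on that same normal data so that 1.0 is every model's own decision boundary, and fuses the normalised scores with either a max or a mean rule. The feature set, the two model types (a diagonal Gaussian and a k-nearest-neighbour distance), the 98th-percentile calibration and all connection records are constructed assumptions for the example.

```python
"""Modular MCS for anomaly-based intrusion detection (constructed example).
One module per service; each module holds two diverse one-class models fitted
on legitimate connections only, and fuses their threshold-normalised scores."""
import math
import random
from collections import defaultdict

# Connection features: an assumption for the example, not the chapter's set.
FEATURES = ("duration", "src_bytes", "dst_bytes", "failed_logins")


def quantile(values, q):
    """Empirical q-quantile; q is the operator's false-alarm knob on normal data."""
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]


class GaussianModel:
    """One-class model: per-feature mean/std of normal data; score is the mean
    squared z-score, which grows fast once a record leaves the normal envelope."""

    def fit(self, rows):
        n = len(rows)
        self.mu = {f: sum(r[f] for r in rows) / n for f in FEATURES}
        # Floor the std so a feature that is constant on normal data still
        # yields a finite (and very high) score when an attack changes it.
        self.sd = {f: max(math.sqrt(sum((r[f] - self.mu[f]) ** 2 for r in rows) / n), 1e-3)
                   for f in FEATURES}
        return self

    def score(self, r, skip=None):  # skip is unused: no leave-one-out needed here
        return sum(((r[f] - self.mu[f]) / self.sd[f]) ** 2 for f in FEATURES) / len(FEATURES)


class NearestNeighbourModel:
    """One-class model: z-scaled distance to the k-th nearest normal record.
    It follows the shape of the normal data where one Gaussian cannot."""

    def __init__(self, k=3):
        self.k = k

    def fit(self, rows):
        self.scale = GaussianModel().fit(rows)  # reuse mean/std for z-scaling
        self.points = [self._vec(r) for r in rows]
        return self

    def _vec(self, r):
        return [(r[f] - self.scale.mu[f]) / self.scale.sd[f] for f in FEATURES]

    def score(self, r, skip=None):
        # skip=i leaves the record's own index out when calibrating on training data
        v = self._vec(r)
        d = sorted(math.dist(v, p) for i, p in enumerate(self.points) if i != skip)
        return d[min(self.k, len(d)) - 1]


class ServiceModule:
    """Ensemble of one-class models for a single service."""

    def __init__(self, rows, q=0.98):
        self.models = [GaussianModel().fit(rows), NearestNeighbourModel().fit(rows)]
        # Per-model threshold: q-quantile of leave-one-out scores on normal data.
        self.thresholds = [max(quantile([m.score(r, skip=i) for i, r in enumerate(rows)], q), 1e-9)
                           for m in self.models]

    def fused_score(self, r, rule="max"):
        norm = [m.score(r) / t for m, t in zip(self.models, self.thresholds)]
        return max(norm) if rule == "max" else sum(norm) / len(norm)


class ModularIDS:
    """Routes each connection to the module of its service and fuses scores."""

    def __init__(self, normal_rows, q=0.98):
        by_service = defaultdict(list)
        for r in normal_rows:
            by_service[r["service"]].append(r)
        self.modules = {s: ServiceModule(rows, q) for s, rows in by_service.items()}

    def classify(self, r, rule="max"):
        """Return (is_anomalous, fused_score). A service absent from the normal
        data has no envelope to fall inside, so it is flagged outright."""
        mod = self.modules.get(r["service"])
        if mod is None:
            return True, math.inf
        s = mod.fused_score(r, rule)
        return s >= 1.0, s


def make_normal(seed=7, n=100):
    """Constructed normal connection records for two services (not real traffic)."""
    rng, rows = random.Random(seed), []
    for _ in range(n):
        rows.append({"service": "http", "duration": rng.uniform(0.0, 2.0),
                     "src_bytes": rng.uniform(200, 600),
                     "dst_bytes": rng.uniform(1000, 8000), "failed_logins": 0})
        rows.append({"service": "ftp", "duration": rng.uniform(5, 60),
                     "src_bytes": rng.uniform(100, 2000),
                     "dst_bytes": rng.uniform(1e4, 1e6),
                     "failed_logins": rng.choice([0, 0, 0, 1])})
    return rows


# Constructed test connections: one legitimate, two attack-like, one unknown service.
TEST_RECORDS = {
    "http_normal": {"service": "http", "duration": 1.0, "src_bytes": 400,
                    "dst_bytes": 4500, "failed_logins": 0},
    "http_flood": {"service": "http", "duration": 0.01, "src_bytes": 60000,
                   "dst_bytes": 0, "failed_logins": 0},
    "ftp_bruteforce": {"service": "ftp", "duration": 30, "src_bytes": 900,
                       "dst_bytes": 5e5, "failed_logins": 9},
    "telnet_unknown": {"service": "telnet", "duration": 3, "src_bytes": 100,
                       "dst_bytes": 100, "failed_logins": 0},
}


def run_demo(rule="max"):
    """Map each test record name to the ensemble's alarm decision under `rule`."""
    ids = ModularIDS(make_normal())
    return {name: ids.classify(r, rule)[0] for name, r in TEST_RECORDS.items()}
```

Two design points matter in practice. The max rule raises an alarm as soon as any one model sees a deviation, so it is the more sensitive choice and an attacker who shapes traffic to sit inside one model's envelope still has to satisfy the other; the mean rule demands broader agreement and tolerates a single noisy model at the cost of some sensitivity. The per-module threshold is calibrated only on legitimate traffic, which is what lets this run without labelled attacks, and the quantile q is the knob that trades false alarms against missed deviations.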

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Corona, I., Giacinto, G., Roli, F. (2008). Intrusion Detection in Computer Systems Using Multiple Classifier Systems. In: Okun, O., Valentini, G. (eds) Supervised and Unsupervised Ensemble Methods and their Applications. Studies in Computational Intelligence, vol 126. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-78981-9_5

  • DOI: https://doi.org/10.1007/978-3-540-78981-9_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-78980-2

  • Online ISBN: 978-3-540-78981-9

  • eBook Packages: Engineering (R0)