
The use of artificial intelligence based techniques for intrusion detection: a review

Artificial Intelligence Review

Abstract

The Internet connects hundreds of millions of computers across the world, running on multiple hardware and software platforms and providing communication and commercial services. However, this interconnectivity among computers also enables malicious users to misuse resources and mount Internet attacks. The continuous growth of Internet attacks poses severe challenges for developing flexible, adaptive, security-oriented methods. An intrusion detection system (IDS) is one of the most important components used to detect Internet attacks. In the literature, different techniques from various disciplines have been utilized to develop efficient IDS. Artificial intelligence (AI) based techniques play a prominent role in the development of IDS and have many benefits over other techniques. However, there is no comprehensive review of AI based techniques that examines and explains the current status of these techniques for solving intrusion detection problems. In this paper, various AI based techniques have been reviewed, focusing on the development of IDS. Related studies have been compared by their source of audit data, processing criteria, technique used, dataset, classifier design, feature reduction technique employed, and other aspects of the experimental environment setup. Benefits and limitations of AI based techniques have been discussed. The paper will help readers better understand the different directions in which research has been done in the field of IDS. The findings of this paper provide useful insights into the literature and are beneficial for those who are interested in applications of AI based techniques to IDS and related fields. The review also provides future directions for research in this area.



Author information


Correspondence to Gulshan Kumar.

Cite this article

Kumar, G., Kumar, K. & Sachdeva, M. The use of artificial intelligence based techniques for intrusion detection: a review. Artif Intell Rev 34, 369–387 (2010). https://doi.org/10.1007/s10462-010-9179-5
