Neural Computing and Applications, Volume 21, Issue 6, pp 1185–1190

Intrusion detection using reduced-size RNN based on feature grouping

Original Article


Intrusion detection is well known as an essential component for securing systems in Information and Communication Technology (ICT). Based on the type of events analyzed, two kinds of Intrusion Detection Systems (IDS) have been proposed: anomaly-based and misuse-based. In this paper, a three-layer Recurrent Neural Network (RNN) architecture, with categorized features as inputs and attack types as outputs, is proposed as a misuse-based IDS. The input features are categorized into basic features, content features, time-based traffic features, and host-based traffic features. The attack types are classified into Denial-of-Service (DoS), Probe, Remote-to-Local (R2L), and User-to-Root (U2R). For this purpose, we use the 41 features per connection defined by the International Knowledge Discovery and Data mining group (KDD). The RNN has an extra output that corresponds to the normal class (no attack). The connections between the nodes of the two hidden layers of the RNN are considered partial. Experimental results show that the proposed model improves the classification rate, particularly for R2L attacks. The method also offers a better Detection Rate (DR) and Cost Per Example (CPE) than similar related works and than the simulated Multi-Layer Perceptron (MLP) and Elman-based intrusion detectors. On the other hand, the False Alarm Rate (FAR) of the proposed model is not degraded significantly when compared to some recent machine learning methods.
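The sketch below is an added example, not code from the paper. It splits the 41 KDD Cup 1999 connection features into the four categories named in the abstract and builds a block-structured connection mask, to show how grouping shrinks the weight count and isolates each group's hidden units. The number of hidden units per group, the choice to apply the mask on the input-to-hidden weights, and the fully connected recurrent term are assumptions, since this page does not give the paper's layer sizes or exact wiring.

```python
import math

# KDD Cup 1999 per-connection features in their standard order, split into the
# four categories named in the abstract (features 1-9, 10-22, 23-31, 32-41).
GROUPS = {
    "basic": ["duration", "protocol_type", "service", "flag", "src_bytes",
              "dst_bytes", "land", "wrong_fragment", "urgent"],
    "content": ["hot", "num_failed_logins", "logged_in", "num_compromised",
                "root_shell", "su_attempted", "num_root", "num_file_creations",
                "num_shells", "num_access_files", "num_outbound_cmds",
                "is_host_login", "is_guest_login"],
    "time_traffic": ["count", "srv_count", "serror_rate", "srv_serror_rate",
                     "rerror_rate", "srv_rerror_rate", "same_srv_rate",
                     "diff_srv_rate", "srv_diff_host_rate"],
    "host_traffic": ["dst_host_count", "dst_host_srv_count",
                     "dst_host_same_srv_rate", "dst_host_diff_srv_rate",
                     "dst_host_same_src_port_rate",
                     "dst_host_srv_diff_host_rate", "dst_host_serror_rate",
                     "dst_host_srv_serror_rate", "dst_host_rerror_rate",
                     "dst_host_srv_rerror_rate"],
}
HIDDEN_PER_GROUP = 4  # assumption: hidden units reserved for each feature group

def build_mask(groups=GROUPS, hidden_per_group=HIDDEN_PER_GROUP):
    """mask[h][i] == 1 iff input feature i may feed hidden unit h."""
    n_in = sum(len(feats) for feats in groups.values())
    mask, start = [], 0
    for feats in groups.values():
        row = [1 if start <= i < start + len(feats) else 0 for i in range(n_in)]
        mask.extend(list(row) for _ in range(hidden_per_group))
        start += len(feats)
    return mask

def weight_counts(mask):
    """Return (partially connected, fully connected) input-to-hidden weights."""
    return sum(map(sum, mask)), len(mask) * len(mask[0])

def hidden_step(x, prev_h, w_in, w_rec, mask):
    """One Elman-style step; masked-out input weights contribute nothing."""
    out = []
    for h, row in enumerate(mask):
        s = sum(w_in[h][i] * x[i] for i, m in enumerate(row) if m)
        s += sum(w_rec[h][k] * prev_h[k] for k in range(len(prev_h)))
        out.append(math.tanh(s))
    return out
```

With four hidden units per group, the mask keeps 164 of the 656 input-to-hidden weights, and a change in a basic feature reaches only the basic group's hidden units on the first step.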


Keywords: Partial connection; Recurrent neural network; Intrusion detection; Feature grouping



Copyright information

© Springer-Verlag London Limited 2010

Authors and Affiliations

  1. Department of Communication Engineering, Faculty of Engineering, Islamic Azad University, South Tehran Branch, Tehran, Iran
  2. Department of Electronic Engineering, Islamic Azad University, South Tehran Branch, Tehran, Iran
