Evolutionary Intelligence

, Volume 6, Issue 3, pp 135–156 | Cite as

A fast anomaly detection system using probabilistic artificial immune algorithm capable of learning new attacks

  • Mahdi Mohammadi
  • Ahmad Akbari
  • Bijan Raahemi
  • Babak Nassersharif
  • Hassan Asgharian
Special Issue


In this paper, we propose anomaly based intrusion detection algorithms in computer networks using artificial immune systems, capable of learning new attacks. Unique characteristics and observations specific to computer networks are considered in developing faster algorithms while achieving high performance. Although these characteristics play a key role in the proposed algorithms, we believe they have been neglected in the previous related works. We evaluate the proposed algorithms on a number of well-known intrusion detection datasets, as well as two new real datasets extracted from the data networks for intrusion detection. We analyze the detection performance and learning capabilities of the proposed algorithms, in addition to performance criteria such as false alarm rate, detection rate, and response time. The experimental results demonstrate that the proposed algorithms exhibit fast response time, low false alarm rate, and high detection rate. They can also learn new attack patterns, and identify them the next time they are introduced to the network.


Network security Anomaly detection Artificial immune systems Sample reduction Parzen window estimation 


  1. 1.
    Shon T, Moon J (2007) A hybrid machine learning approach to network anomaly detection. Inf Sci 177:3799–3821CrossRefGoogle Scholar
  2. 2.
    Zhou Z, Leckie C, Karunasekera S (2010) A survey of coordinated attacks and collaborative intrusion detection. Comput Security 29:124–140CrossRefGoogle Scholar
  3. 3.
    Teodoro P, Verdejo J, Fernandez G, Va′zquez E (2009) Anomaly-based network intrusion detection: techniques, systems and challenges. Comput Secuity 28:18–28CrossRefGoogle Scholar
  4. 4.
    Axelsson S (1999) Research in intrusion detection systems: a survey. Technical Report TR 98-17. Chalmers University of Technology, Goteborg, SwedenGoogle Scholar
  5. 5.
    Debar H, Dacier M, Wespi A (2000) A revised taxonomy for intrusion detection systems. Ann Télécommun 55(7–8):361–378Google Scholar
  6. 6.
    Masri W, Podgurski A (2008) Application-based anomaly intrusion detection with dynamic information flow analysis. Comput Security 27:176–187CrossRefGoogle Scholar
  7. 7.
    Twycross J, Aickelin U (2006) Libtissue—implementing innate immunity. In: Aickelin U (ed) Proceedings of the IEEE congress on evolutionary, computation (CEC’06). Vancouver, Canada, pp 16–21Google Scholar
  8. 8.
    Luther K, Bye R, Alpcan T, Muller A, Albayrak S (2007) A cooperative ais framework for intrusion detection. In: IEEE international conference on communications (ICC’07), Glasgow, Scotland, 4–28 June 2007, pp 1409–1416Google Scholar
  9. 9.
    Kim J (2003) Integrating artificial immune algorithms for intrusion detection, PhD Thesis, Department of Computer Science, University College LondonGoogle Scholar
  10. 10.
    Kim J, Bentley P (2002) Towards an artificial immune system for network intrusion detection: an investigation of dynamic clonal selection. In: Fogel DB, El-Sharkawi MA, Yao X, Greenwood G, Iba H, Marrow P, Shackleton M (eds) Proceedings of the IEEE congress on evolutionary computation (CEC’02), vol 2, Honolulu, HI, USA, 12–17 May 2002. IEEE Press, pp 1015–1020Google Scholar
  11. 11.
    Liu F, Qu B, Chen R (2004) Intrusion detection based on immune clonal selection algorithms. In: Webb GI, Yu X (eds) AI 2004: advances in artificial intelligence, volume 3339 of lecture notes in computer science. Springer, Berlin, pp 1226–1232Google Scholar
  12. 12.
    Xian J, Lang F, Tang X (2005) A novel intrusion detection method based on clonal selection clustering algorithm. In: Proceedings of 2005 international conference on machine learning and cybernetics, vol 6, 18–21 August 2005, pp 3905–3910Google Scholar
  13. 13.
    Ye N, Emran S, Chen Q, Vilbert S (2002) Multivariate statistical analysis of audit trails for host-based intrusion detection. IEEE Trans Comput 51(7):810–820CrossRefGoogle Scholar
  14. 14.
    Kerkar R, Srinivas S (2009) Knowledge-based systems. Jones & Bartlett Publishers, SudburyGoogle Scholar
  15. 15.
    Burbeck K, Tehrani A (2004) Adwice—anomaly detection with real-time incremental clustering. Inf Security Cryptol 3506:407–424Google Scholar
  16. 16.
    Borah B, Bhattacharyya D (2008) Catsub: a technique for clustering categorical data based on subspace. J Comput Sci 2:7–20Google Scholar
  17. 17.
    Khan L, Awad M, Thuraisingham B (2007) A new intrusion detection system using support vector machines and hierarchical clustering. Int J Very Large Data Bases 16:507–552Google Scholar
  18. 18.
    Gaddam S, Phoha V, Balagani K (2007) K-means + id3: a novel method for supervised anomaly detection by cascading k-means clustering and id3 decision tree learning methods. IEEE Trans Knowl Data Eng 19(3):345–354CrossRefGoogle Scholar
  19. 19.
    Holland J (1975) Adaptation in natural and artificial systems. University of Michigan Press, Ann ArborGoogle Scholar
  20. 20.
    Glover F (1977) Heuristic for integer programming using surrogate constraints. Decis Sci 8(1):156–166CrossRefGoogle Scholar
  21. 21.
    Kirkpatrick S, Gelatt C, Vecchi M (1983) Optimization by simulated annealing. Science 220:671–680CrossRefMATHMathSciNetGoogle Scholar
  22. 22.
    Mohammadi M, Raahemi R, Akbari A, Nassersharif B, Moeinzadeh H (2011) Improving linear discriminant analysis with artificial immune system-based evolutionary algorithms. Inf Sci 189:219–232CrossRefGoogle Scholar
  23. 23.
    Zhao W, Davis W (2011) A modified artificial immune system based pattern recognition approach an application to clinical diagnostics. Artif Intell Med 52(1):1–9CrossRefGoogle Scholar
  24. 24.
    Polat K, Güneş S, Tosun S (2006) Diagnosis of heart disease using artificial immune recognition system and fuzzy weighted pre-processing. Pattern Recogn 39(11):2186–2193CrossRefGoogle Scholar
  25. 25.
    Zhou J, Dasgupta D (2004) Real-valued negative selection algorithm with variable-sized detectors, LNCS 3102. In: Proceedings of GECCO, pp 287–298Google Scholar
  26. 26.
    Bolón-Canedo V, Sánchez-Maroño N, Betanzos A (2011) Feature selection and classification in multiple class datasets: an application to KDDCup99 dataset. Expert Syst Appl 38(5):5947–5957CrossRefGoogle Scholar
  27. 27.
    Tsai C, Lin C (2010) A triangle area based nearest neighbors approach to intrusion detection. Pattern Recognit 43(1):222–229CrossRefMATHMathSciNetGoogle Scholar
  28. 28.
    Toosi AN, Kahani M (2007) A new approach to intrusion detection based on an evolutionary soft computing model using neuro-fuzzy classifiers. Comput Commun 30(10):2201–2212CrossRefGoogle Scholar
  29. 29.
    Mahbod T, Ebrahim B, Wei L, Ali AG (2009) A detailed analysis of the KDD CUP 99 data set in proceeding of computational intelligence in security and defense applicationGoogle Scholar
  30. 30.
    McHugh J (2000) Testing intrusion detection systems: a critique of the 1998 and 1999 darpa intrusion detection system evaluations as performed by Lincoln laboratory. ACM Trans Inf Syst Security 3:262–294CrossRefGoogle Scholar
  31. 31.
    Botta A, Dainotti A, Pescapè A (2012) A tool for the generation of realistic network workload for emerging networking scenarios. Comput Netw 56(15):3531–3547CrossRefGoogle Scholar
  32. 32.
    Asgharian Z, Asgharian H, Akbari A, Raahemi B (2011) A framework for SIP intrusion detection and response systems. Computer networks and distributed systems (CNDS), pp 100–105Google Scholar
  33. 33.
    Asgharian Z, Asgharian H, Akbari A, Raahemi B (2012) Detecting denial of service attacks on sip based services and proposing solutions. Intrusion Detect Response Technol Protect Netw 6:145–167Google Scholar
  34. 34.
    Nassar M, State R, Festor O (2010) Labeled VoIP data-set for intrusion detection evaluation. Conference on Networked services and applications: engineering, control and management (EUNICE’10), pp 97–106Google Scholar
  35. 35.
    Nassar M, State R, Festor O (2008) Monitoring SIP traffic using support vector machines. In: Proceedings of the 11th international symposium on recent advances in intrusion detection (RAID ‘08), pp 311–330Google Scholar
  36. 36.
    Nassar M, State R, Festor O (2009) VoIP malware: attack tool & attack scenarios, ICC ‘09. IEEE international conference on communications, pp 1–6Google Scholar
  37. 37.
    Dunn J (1973) A fuzzy relative of the isodata process and its use in detecting compact well-separated clusters. J Cybern 3:32–57CrossRefMATHMathSciNetGoogle Scholar
  38. 38.
    Mohammadi M, Raahemi B, Akbari A. Unsupervised sample reduction using clustering for intrusion detection system. Technical Report, Knowledge Discovery and Data mining Lab. University of Ottawa. http://web5.uottawa.ca/www5/braahemi/publications.htm/Sample-Reduction.pdf

Web references

  1. 39.
    NSL-KKD dataset is available at: http://iscx.ca/NSL-KDD/ last visit: May 2012
  2. 40.
    “Nmap”. http://nmap.org/download.html last visit: May 2012
  3. 41.
    “PacketStorm”. http://packetstormsecurity.org last visit: May 2012
  4. 42.
    “Libsvm,” http://www.csie.ntu.edu.tw/cjlin/libsvm/.last visit: May 2012
  5. 43.
    “DataSets”. http://nrg.iust.ac.ir/index.php/research. Last visit August 2013

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Mahdi Mohammadi
    • 1
  • Ahmad Akbari
    • 2
  • Bijan Raahemi
    • 1
  • Babak Nassersharif
    • 3
  • Hassan Asgharian
    • 2
  1. 1.University of OttawaOttawaCanada
  2. 2.Department of Computer EngineeringIran University of Science and TechnologyTehranIran
  3. 3.Electrical and Computer Engineering DepartmentK.N. Toosi University of TechnologyTehranIran

Personalised recommendations