Skip to main content
Log in

A multi-stage classification system for detecting intrusions in computer networks

  • Theoretical
  • Published:
Pattern Analysis and Applications Aims and scope Submit manuscript


A serial multi-stage classification system for facing the problem of intrusion detection in computer networks is proposed. The whole decision process is organized into successive stages, each one using a set of features tailored for recognizing a specific attack category. All the stages employ suitable criteria for estimating the reliability of the performed classification, so that, in case of uncertainty, information related to a possible attack are only logged for further processing, without raising an alert for the system manager. This permits to reduce the number of false alarms. On the other hand, in order to keep low the number of missed detections, the proposed system declares a connection as normal traffic only if all the stages do not detect an attack. The proposed multi-stage intrusion detection system has been tested on three different services (http, telnet and ftp) of a standard database used for benchmarking intrusion detection systems and also on real network traffic data. The experimental analysis highlights the effectiveness of the approach: the proposed system behaves significantly better than other multiple classifier systems performing classification in a single stage.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Fig. 1
Fig. 2
Fig. 3

Similar content being viewed by others




  1. Vigna G, Kemmerer R (1999) Netstat: a network based intrusion detection system. J Comput Secur 7(1)

  2. Andersson S (1995) Detecting usual program behavior using the statistical component of the next-generation intrusion detection. Technical report, Comput Sci Lab

  3. Broucek V, Turner P (2002) Bridging the divide: rising awareness of forensic issues amongst systems administrators. In: Proceedings of the 3rd international system administration and network engineering conference, Maastricht pp 27–31

  4. Axelsson S (1999) Research in intrusion detection systems: a survey. Technical report TR, Chalmers University of Technology 98–17

  5. Kumar R, Spafford EH (1995) A software architecture to support misuse intrusion detection. In: Proceedings of the 18th national information security conference pp 194–204

  6. Meier M, Schmerl S, Koenig H (2005) Improving the efficiency of misuse detection. In: Julisch K, Kruegel C (eds) LNCS vol. 3548 Proceedings of the second international conference on detection of intrusions and malware, and vulnerability assessment, Vienna, Austria July 7–8, pp 188–205

  7. Sy BK (2005) Signature-based approach for intrusion detection. In: Perner P, Imiya A (eds) LNAI vol. 3587 In: Proceedings of the 4th international conference on machine learning and data mining in pattern recognition, Leipzig July 9–11

  8. Zhang C, Jiang J, Kamel M (2005) Intrusion detection using hierarchical neural networks. Pattern Recognit Lett 26(6):779–791

    Article  Google Scholar 

  9. Ghosh AK, Schwartzbard A (1999) A study in using neural networks for anomaly and misuse detection. In: Proceedings of the 8th USENIX security symposium, Washington, Aug 26–29

  10. Lane T, Brodley CE (1999) Temporal sequence learning and data reduction for anomaly detection. ACM Trans Inform System Secur 2(3):295–261

    Article  Google Scholar 

  11. Eskin E, Arnold A, Prerau M, Portnoy L, Stolfo S (2002) A geometric framework for unsupervised anomaly detection: detecting intrusions in unlabeled data. In: Barbara D, Jajodia S (eds) Applications of data mining in computer security, Kluwer

  12. Singh S, Markou M (2003) Novelty detection: a review—part 2: neural network based approaches. Signal Process 83(12):2499–2521

    Article  MATH  Google Scholar 

  13. Mahoney MV, Chan P (2003) An Analysis of the 1999 DARPA/Lincoln laboratory evaluation data for network anomaly detection. In: Vigna G, Jonsson E, Kruegel C (eds) LNCS vol. 2820, Proceedings of RAID 2003, pp 220–238

  14. Ramadas M, Ostermann S, Tjaden B (2003) Detecting anomalous network traffic with self-organizing maps. In: Vigna G, Jonsson E, Kruegel C (eds) LNCS vol. 2820, Proceedings of RAID 2003, pp 36–54

  15. Wang K, Stolfo SJ (2004) Anomalous payload-based network intrusion detection. In: Jonsson E, Valdes A, Almgren M (eds) LNCS, vol. 3224, Proceedings of RAID 2004, pp 203–222

  16. Zanero S, Savaresi SM (2004) Unsupervised learning techniques for an intrusion detection system. In: Proceedings of the 2004 ACM symposium on applied computing, pp 412–419

  17. Kendall K (1998) A database of computer attacks for the evaluation of intrusion detection systems. Master’s Thesis, Massachusetts institute of technology

  18. Giacinto G, Roli F, Didaci L (2003) Fusion of multiple classifiers for intrusion detection in computer networks. Pattern Recognit Lett 24:1795–1803

    Article  Google Scholar 

  19. Lee SC, Heinbuch DV (2001) Training a neural network based intrusion detector to recognize novel attack. IEEE Trans Syst Man Cybern Part-A 31:294–299

    Article  Google Scholar 

  20. Fugate M, Gattiker JR (2003) Computer intrusion detection with classification and anomaly detection, using SVMs. Intern J Pattern Recognit Artif Intell 17(3):441–458

    Article  Google Scholar 

  21. Giacinto G, Roli F, Didaci L (2003) A modular multiple classifier system for the detection of intrusions. Lecture Notes Comput Sci 2709:346–355

    Article  Google Scholar 

  22. Sansone C, Vento M (2000) Signature verification: increasing performance by a multi-stage system. Pattern Anal Appl 3(2):169–181

    Article  Google Scholar 

  23. De Santo M, Percannella G, Sansone C, Vento M (2002) Cooperating experts for soundtrack analysis of MPEG movies. Inf Fusion 3(3):225–236

    Article  Google Scholar 

  24. Rajan S, Ghosh J (2004) An empirical comparison of hierarchical vs two level approaches to multiclass problems. Lecture Notes Comput Sci 3077:283–292

    Article  Google Scholar 

  25. Beale J, Foster JC (2003) Snort 2.0 intrusion detection. Syngress Publishing, Rockland

    Google Scholar 

  26. Valeur F, Vigna G, Kruegel C, Kemmerer R (2004) A comprehensive approach to intrusion detection alert correlation. IEEE Trans Dependable and Secure Comput 1(3):146–169

    Article  Google Scholar 

  27. Cuppens F, Miege A (2002) Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the IEEE symposium on security and privacy, pp 202–215

  28. Kuncheva LI (2004) Classifiers ensembles for changing environments. Lecture Notes Comput Sci 3077:1–15

    Article  Google Scholar 

  29. Cordella LP, Sansone C, Tortorella F, Vento M, De Stefano C (1998) Neural networks classification reliability. In: Leondes CT (ed) Academic press theme volumes on neural network systems, Techniques and applications, Academic Press, vol. 5, pp 161–199

  30. Cordella LP, Foggia P, Sansone C, Tortorella F, Vento M (1999) Reliability parameters to improve combination strategies in multi-expert systems. Pattern Anal Appl 3(2):205–214

    Article  Google Scholar 

  31. Elkan C (2000) Results of the KDD99 classifier learning. ACM SIGKDD Explorations 1:63–64

    Article  Google Scholar 

  32. Lee W, Stolfo SJ (2000) A framework for constructing features and models for intrusion detection systems. ACM Trans Inform System Secur 3(4):227–261

    Article  Google Scholar 

  33. McHugh J (2000) Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by lincoln laboratory. ACM Trans Inform System Secur 3(4):262–294

    Article  Google Scholar 

  34. Liu Y, Chen K, Liao X, Zhang W (2004) A genetic clustering method for intrusion detection. Pattern Recognit 37

  35. Kruegel C, Toth T, Kirda E (2002) Service specific anomaly detection for network intrusion detection. In: Proceedings of symposium on applied computing (SAC), Spain

  36. Kuncheva LI, Bezdek JC, Duin RPW (2001) Decision templates for multiple classifier fusion: an experimental comparison. Pattern Recognit 34(2):299–314

    Article  MATH  Google Scholar 

  37. Esposito M, Mazzariello C, Oliviero F, Romano SP, Sansone C (2006) Real time detection of novel attacks by means of data mining techniques. In: Chen C-S, Filipe J, Seruca I, Cordeiro J (eds) Enterprise information systems VII Springer, Berlin Heidelberg New York, pp 197–204

Download references


This work has been partially supported by the Ministero dell’Istruzione, dell’Università e della Ricerca (MIUR) in the framework of the FIRB Project “Middleware for advanced services over large-scale, wired- wireless distributed systems (WEB-MINDS)”, and by the Regione Campania, in the framework of the “Soft Computing for Internet Traffic Anomaly Detection (SCI-TrADe)” Project.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Carlo Sansone.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Cordella, L.P., Sansone, C. A multi-stage classification system for detecting intrusions in computer networks. Pattern Anal Applic 10, 83–100 (2007).

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: