
Assessing degree of intrusion scope (DIS): a statistical strategy for anomaly based intrusion detection

Original Research, published in CSI Transactions on ICT

Abstract

An intrusion detection system (IDS) is a type of security management system that analyzes information gathered from various areas within a computer or a network to identify possible security breaches. In the last decades an unprecedented increase in the volume and sophistication of network attacks has been witnessed. The quality of the training data greatly influences the quality of the learned models, yet high-quality training data is difficult to collect. New attacks leveraging newly discovered security vulnerabilities emerge quickly and frequently, and it is not possible to collect data related to these new attacks to train a detection model before the attacks are discovered and understood. The exponential growth of zero-day attacks emphasizes the need for defence mechanisms that can accurately detect previously unseen attacks in real time. In this regard, a meta-heuristic assessment model called assessing degree of intrusion scope (DIS) is proposed, which aims to estimate the degree of intrusion scope threshold from the optimal features of the given network transactions used for training. To evaluate the proposed approach, the NSL-KDD data set, which is widely used for the evaluation of IDSs and reflects the network traffic, is used; the approach provides considerable and consistent accuracy improvements in detecting both new and existing attacks. The experimental results indicate that feature correlation has a significant impact on minimizing the computational and time complexity of measuring the Intrusion Impact Scale.



Correspondence to V. Jyothsna.

Appendix

See Tables 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 and 14.

Table 3 Canonical correlation of the fields of PROBE category under divergent labels against normal data
Table 4 Optimal features of PROBE category (less than the mean of the CC value)
Table 5 Canonical correlation of the fields of DOS category under divergent labels against normal data
Table 6 Optimal features of DOS category (less than the mean of the CC value)
Table 7 Canonical correlation of the fields of U2R category under divergent labels against normal data
Table 8 Optimal features of U2R category (less than the mean of the CC value)
Table 9 Canonical correlation of the fields of R2L category under divergent labels against normal data
Table 10 Optimal features of R2L category (less than the mean of the CC value)
Table 11 Canonical correlation of the features of NORMAL category under divergent labels against PROBE attacks (optimal features are highlighted in bold)
Table 12 Canonical correlation of the features of NORMAL category under divergent labels against DOS attacks (optimal features are highlighted in bold)
Table 13 Canonical correlation of the features of NORMAL category under divergent labels against U2R attacks (optimal features are highlighted in bold)
Table 14 Canonical correlation of the features of NORMAL category under divergent labels against R2L attacks (optimal features are highlighted in bold)
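The appendix captions above, together with the abstract, describe the feature-selection rule: for each attack category, compute a canonical correlation (CC) for every field against normal data and keep as optimal the fields whose CC falls below the mean CC. The following is an added Python example, not code from the paper; it assumes a one-dimensional stand-in for CCA (the Pearson correlation between a field's binned value-frequency vectors under the attack label and under the normal label, since the page does not give the exact CC computation), constructed records rather than NSL-KDD data, and a handful of field names taken from the KDD feature set.

```python
from math import sqrt

FEATURES = ["duration", "src_bytes", "dst_bytes", "count", "serror_rate"]
BINS = 4  # equal-width bins over each field's observed range (assumption)

# Constructed records, not NSL-KDD data: values in FEATURES order, then label.
RECORDS = [
    ([0, 181, 450, 8, 0.0], "normal"),
    ([0, 239, 486, 9, 0.0], "normal"),
    ([0, 235, 337, 10, 0.0], "normal"),
    ([1, 219, 234, 7, 0.0], "normal"),
    ([0, 217, 532, 8, 0.0], "normal"),
    ([0, 0, 0, 120, 1.0], "probe"),
    ([0, 0, 0, 200, 1.0], "probe"),
    ([0, 1, 0, 150, 0.9], "probe"),
    ([0, 0, 0, 180, 1.0], "probe"),
    ([0, 2, 1, 90, 0.8], "probe"),
]


def pearson(x, y):
    """Pearson correlation of two equal-length vectors; 0.0 when either is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / sqrt(sxx * syy)


def histogram(values, lo, hi, bins=BINS):
    """Relative frequency of `values` in `bins` equal-width bins spanning [lo, hi]."""
    counts = [0] * bins
    width = (hi - lo) / bins if hi > lo else 1.0
    for v in values:
        counts[min(int((v - lo) / width), bins - 1)] += 1
    return [c / len(values) for c in counts]


def canonical_correlation(records, category):
    """CC per field: how similar its distribution is under `category` and under normal."""
    cc = {}
    for i, name in enumerate(FEATURES):
        attack = [vals[i] for vals, lab in records if lab == category]
        normal = [vals[i] for vals, lab in records if lab == "normal"]
        lo, hi = min(attack + normal), max(attack + normal)
        cc[name] = pearson(histogram(attack, lo, hi), histogram(normal, lo, hi))
    return cc


def optimal_features(cc):
    """The page's rule: optimal fields are those whose CC is below the mean CC."""
    mean_cc = sum(cc.values()) / len(cc)
    return sorted(name for name, value in cc.items() if value < mean_cc)
```

On the constructed records, `optimal_features(canonical_correlation(RECORDS, "probe"))` excludes only `duration`, the one field whose distribution does not diverge between probe and normal records.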

Cite this article

Jyothsna, V., Rama Prasad, V.V. Assessing degree of intrusion scope (DIS): a statistical strategy for anomaly based intrusion detection. CSIT 6, 99–127 (2018). https://doi.org/10.1007/s40012-018-0188-x
