Applying Genetic Programming to Evolve Learned Rules for Network Anomaly Detection

  • Chuanhuan Yin
  • Shengfeng Tian
  • Houkuan Huang
  • Jun He
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3612)


The DARPA/MIT Lincoln Laboratory off-line intrusion detection evaluation data set is the most widely used public benchmark for testing intrusion detection systems. But the presence of simulation artifacts attributes would cause many attacks in this dataset to be easily detected. In order to eliminate their influence on intrusion detection, we simply omit these attributes in the processes of both training and testing. We also present a GP-based rule learning approach for detecting attacks on network. GP is used to evolve new rules from the initial learned rules through genetic operations. Our results show that GP-based rule learning approach outperforms the original rule learning algorithm, detecting 84 of 148 attacks at 100 false alarms despite the absence of several simulation artifacts attributes.


False Alarm Intrusion Detection Network Traffic Anomaly Detection Intrusion Detection System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, J.P.: Computer Security Threat Monitoring and Surveillance. Technical Report, Fort Washington, PA (1980)Google Scholar
  2. 2.
    Roesch, M.: Snort: Lightweight intrusion detection for networks. In: Proc. of USENIX Large Installation System Administration Conference (1999)Google Scholar
  3. 3.
    Koza, J.R.: Genetic Programming. MIT Press, Cambridge (1992)zbMATHGoogle Scholar
  4. 4.
    Mahoney, M.V., Chan, P.K.: Learning Rules for Anomaly Detection of Hostile Network Traffic. In: Proc. of International Conference on Data Mining (2003)Google Scholar
  5. 5.
    Mahoney, M.V., Chan, P.K.: An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 220–237. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Barbara, D., Couto, J., Jajodia, S., Popyack, L., Wu, N.: ADAM: Detecting Intrusions by Data Mining. In: Proc. of IEEE Workshop on Information Assurance and Security, pp. 11–16 (2001)Google Scholar
  7. 7.
  8. 8.
    Mahoney, M.V.: A Machine Learning Approach to Detecting Attacks by Identifying Anomalies in Network Traffic. Ph.D. dissertation, Florida Institute of Technology (2003)Google Scholar
  9. 9.
    Mahoney, M.V., Chan, P.K.: Learning Non-stationary Models of Normal Network Traffic for Detecting Novel Attacks. In: Proc. of ACM Special Interest Group on Knowledge Discovery in Data and Data Mining, pp. 376–385 (2002)Google Scholar
  10. 10.
    Mahoney, M.V.: Network Traffic Anomaly Detection Based on Packet Bytes. In: Proc. of ACM Symposium on Applied Computing (2003)Google Scholar
  11. 11.
    Paxson, V., Floyd, S.: Wide area traffic: the failure of Poisson modeling. IEEE/ACM Transactions on Networking 3, 226–244 (1995)CrossRefGoogle Scholar
  12. 12.
    Lippmann, R., Haines, J.W., Fried, D.J., Korba, J., Das, K.: The 1999 DARPA Off-Line Intrusion Detection Evaluation. Computer Networks 34, 579–595 (2000)CrossRefGoogle Scholar
  13. 13.
    Crosbie, M., Spafford, G.: Applying Genetic Programming to Intrusion Detection. In: Proc. of AAAI Fall Symposium on Genetic Programming (1995)Google Scholar
  14. 14.
    Su, P.R., Li, D.Q., Feng, D.G.: A Host-Based Anomaly Intrusion Detection Model Based on Genetic Programming. Chinese Journal of Software 14, 1120–1126 (2003)zbMATHGoogle Scholar
  15. 15.
    Lu, W., Traore, I.: Detecting New Forms of Network Intrusion Using Genetic Programming. Computational Intelligence 20 (2004)Google Scholar
  16. 16.
    Yao, X.: Evolutionary Computation: Theory and Applications. World Scientific, Singapore (1999)Google Scholar
  17. 17.
    Tan, K.C., Lim, M.H., Yao, X., Wang, L.P. (eds.): Recent Advances in Simulated Evolution and Learning. World Scientific, Singapore (2004)zbMATHGoogle Scholar
  18. 18.
    Wong, M.L., Leung, K.S.: Data Mining Using Grammar based Genetic Programming and Applications. Kluwer Academic Publishers, Dordrecht (2000)zbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Chuanhuan Yin
    • 1
  • Shengfeng Tian
    • 1
  • Houkuan Huang
    • 1
  • Jun He
    • 1
  1. 1.School of Computer and Information TechnologyBeijing Jiaotong UniversityBeijingChina

Personalised recommendations