Detecting Compounded Anomalous SNMP Situations Using Cooperative Unsupervised Pattern Recognition

  • Emilio Corchado
  • Álvaro Herrero
  • José Manuel Sáiz
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3697)


This research employs unsupervised pattern recognition to approach the thorny issue of detecting anomalous network behavior. It applies a connectionist model to identify user behavior patterns and successfully demonstrates that such models respond well to the demands and dynamic features of the problem. It illustrates the effectiveness of neural networks in the field of Intrusion Detection (ID) by exploiting their strong points: recognition, classification and generalization. Its main novelty lies in its connectionist architecture, which up until the present has never been applied to Intrusion Detection Systems (IDS) and network security. The IDS presented in this research is used to analyse network traffic in order to detect anomalous SNMP (Simple Network Management Protocol) traffic patterns. The results also show that the system is capable of detecting independent and compounded anomalous SNMP situations. It is therefore of great assistance to network administrators in deciding whether such anomalous situations represent real intrusions.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Debar, H., Becker, M., Siboni, D.: A Neural Network Component for an Intrusion Detection System. In: IEEE Symposium on Research in Computer Security and Privacy (1992)Google Scholar
  2. 2.
    Corchado, E., Herrero, A., Baruque, B., Sáiz, J.M.: Intrusion Detection System Based on a Cooperative Topology Preserving Method. In: International Conference on Adaptive and Natural Computing Algorithms. Springer Computer Science. Springer, NewYork (2005)Google Scholar
  3. 3.
    Hätönen, K., Höglund, A., Sorvari, A.: A Computer Host-Based User Anomaly Detection System Using the Self-Organizing Map. In: International Joint Conference of Neural Networks (2000)Google Scholar
  4. 4.
    Zanero, S., Savaresi, S.M.: Unsupervised Learning Techniques for an Intrusion Detection System. In: ACM Symposium on Applied Computing, pp. 412–419 (2004)Google Scholar
  5. 5.
    Ghosh, A., Schwartzbard, A., Schatz, A.: Learning Program Behavior Profiles for Intrusion Detection. In: Workshop on Intrusion Detection and Network Monitoring (1999)Google Scholar
  6. 6.
    Friedman, J., Tukey, J.: A Projection Pursuit Algorithm for Exploratory Data Analysis. IEEE Transaction on Computers 23, 881–890 (1974)CrossRefzbMATHGoogle Scholar
  7. 7.
    Hyvärinen, A.: Complexity Pursuit: Separating Interesting Components from Time Series. Neural Computation 13, 883–898 (2001)CrossRefzbMATHGoogle Scholar
  8. 8.
    Corchado, E., MacDonald, D., Fyfe, C.: Maximum and Minimum Likelihood Hebbian Learning for Exploratory Projection Pursuit. In: Data Mining and Knowledge Discovery, vol. 8(3), pp. 203–225. Kluwer Academic Publishing, Dordrecht (2004)Google Scholar
  9. 9.
    Fyfe, C., Corchado, E.: Maximum Likelihood Hebbian Rules. In: European Symposium on Artificial Neural Networks (2002)Google Scholar
  10. 10.
    Corchado, E., Han, Y., Fyfe, C.: Structuring Global Responses of Local Filters using Lateral Connections. Journal of Experimental and Theoretical Artificial Intelligence 15(4), 473–487 (2003)CrossRefzbMATHGoogle Scholar
  11. 11.
    Corchado, E., Fyfe, C.: Connectionist Techniques for the Identification and Suppression of Interfering Underlying Factors. International Journal of Pattern Recognition and Artificial Intelligence 17(8), 1447–1466 (2003)CrossRefGoogle Scholar
  12. 12.
    Corchado, E., Corchado, J.M., Sáiz, L., Lara, A.: Constructing a Global and Integral Model of Business Management Using a CBR System. In: 1st International Conference on Cooperative Design, Visualization and Engineering (2004)Google Scholar
  13. 13.
    Herrero, A., Corchado, E., Sáiz, J.M.: A Cooperative Unsupervised Connectionist Model Applied to Identify Anomalous Massive SNMP Data Sending. In: 1st International Conference on Natural Computation (2005) (in press)Google Scholar
  14. 14.
    Herrero, A., Corchado, E., Sáiz, J.M.: Identification of Anomalous SNMP Situations Using a Cooperative Connectionist Exploratory Projection Pursuit Model. In: Gallagher, M., Hogan, J.P., Maire, F. (eds.) IDEAL 2005. LNCS, vol. 3578, pp. 187–194. Springer, Heidelberg (2005) (in press)CrossRefGoogle Scholar
  15. 15.
    Seung, H.S., Socci, N.D., Lee, D.: The Rectified Gaussian Distribution. Advances in Neural Information Processing Systems 10, 350–356 (1998)Google Scholar
  16. 16.
    Myerson, J.M.: Identifying Enterprise Network Vulnerabilities. International Journal of Network Management 12 (2002)Google Scholar
  17. 17.
    Cisco Secure Consulting: Vulnerability Statistics Report (2000)Google Scholar
  18. 18.
    Case, J., Fedor, M.S., Schoffstall, M.L., Davin, C.: Simple Network Management (SNMP). RFC-1157 (1990)Google Scholar
  19. 19.
    Oja, E.: Neural Networks, Principal Components and Subspaces. International Journal of Neural Systems 1, 61–68 (1989)CrossRefMathSciNetGoogle Scholar
  20. 20.
    Aldwairi, M., Conte, T., Franzon, P.: Configurable string matching hardware for speeding up intrusion detection. In: ACM SIGARCH Computer Architecture News, vol. 33(1) (2005)Google Scholar
  21. 21.
    Foster, I., Kesselman, C.: The Grid: Blueprint for a New Computing Infrastructure, 1st edn. Morgan Kaufmann Publishers, San Francisco (1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Emilio Corchado
    • 1
  • Álvaro Herrero
    • 1
  • José Manuel Sáiz
    • 1
  1. 1.Department of Civil EngineeringUniversity of BurgosSpain

Personalised recommendations