Clustering and Neural Visualization for Flow-Based Intrusion Detection

  • Raúl Sánchez
  • Álvaro Herrero
  • Emilio Corchado
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 369)


To secure a system, potential threats must be identified and therefore, attack features are understood and predicted. Present work aims at being one step towards the proposal of an Intrusion Detection System (IDS) that faces zero-day attacks. To do that, MObile VIsualisation Connectionist Agent-Based IDS (MOVICAB-IDS), previously proposed as a hybrid-intelligent visualization-based IDS, is being upgraded by adding clustering methods. To check the validity of the proposed clustering extension, it faces a realistic flow-based dataset in present paper. The analyzed data come from a honeypot directly connected to the Internet (thus ensuring attack-exposure) and is analyzed by clustering and neural tools, individually and in conjunction. Through the experimental stage, it is shown that the combination of clustering and neural projection improves the detection capability on a continuous network flow.


Network intrusion detection Network flow Neural projection Clustering 


  1. 1.
    Quittek, J., Zseby, T., Claise, B., Zander, S.: Requirements for IP flow information export (IPFIX)Google Scholar
  2. 2.
    Sperotto, A., Schaffrath, G., Sadre, R., Morariu, C., Pras, A., Stiller, B.: An overview of IP flow-based intrusion detection. IEEE Commun. Surv. Tutor. 12, 343–356 (2010)CrossRefGoogle Scholar
  3. 3.
    Sperotto, A., Pras, A.: Flow-based intrusion detection. In: IFIP/IEEE International Symposium on Integrated Network Management (IM), 2011, pp. 958–963 (2011)Google Scholar
  4. 4.
    Corchado, E., Herrero, Á.: Neural visualization of network traffic data for intrusion detection. Appl. Soft Comput. 11, 2042–2056 (2011)CrossRefGoogle Scholar
  5. 5.
    Yorn-Tov, E., Inbar, G.F.: Selection of relevant features for classification of movements from single movement-related potentials using a genetic algorithm. In: 23rd Annual International Conference of the IEEE Engineering in Medicine and Biology Society, 2001, vol. 2, pp. 1364–1366 (2001)Google Scholar
  6. 6.
    Sánchez, R., Herrero, Á., Corchado, E.: Clustering extension of MOVICAB-IDS to identify SNMP community searches. Logic J. IGPL 23, 121–140 (2015)CrossRefGoogle Scholar
  7. 7.
    Sánchez, R., Herrero, Á., Corchado, E.: Visualization and clustering for SNMP intrusion detection. Cybern. Syst. Int. J. 44, 505–532 (2013)CrossRefGoogle Scholar
  8. 8.
    Sperotto, A., Sadre, R., Vliet, F.v., Pras, A.: A Labeled Data Set For Flow-based Intrusion Detection, pp. 39–50. IP Operations and Management, Berlin (2009)Google Scholar
  9. 9.
    Zheng, Q.H., Xuan, Y.G., Hu, W.H.: An IDS alert aggregation method based on clustering. In: Zhang, H., Shen, G., Jin, D. (eds.): Advanced Research on Information Science, Automation and Material System, Pts 1-6, vol. 219–220, pp. 156–159. Trans Tech Publications Ltd, Stafa-Zurich (2011)Google Scholar
  10. 10.
    Qiao, L.B., Zhang, B.F., Lai, Z.Q., Su, J.S.: IEEE: Mining of Attack Models in IDS Alerts from Network Backbone by a Two-stage Clustering Method. In: 2012 IEEE 26th International Parallel and Distributed Processing Symposium Workshops & Phd Forum, pp. 1263–1269. IEEE, New York (2012)Google Scholar
  11. 11.
    Jiang, S., Song, X., Wang, H., Han, J.-J., Li, Q.-H.: A clustering-based method for unsupervised intrusion detections. Pattern Recogn. Lett. 27, 802–810 (2006)CrossRefGoogle Scholar
  12. 12.
    Cui, K.Y.: IEEE: Research on Clustering Technique in Network Intrusion Detection. IEEE Computer Society, Los Alamitos (2012)Google Scholar
  13. 13.
    Ge, L., Zhang, C.Q.: The application of clustering algorithm in intrusion detection system. In: Jin, D., Lin, S. (eds.) Advances in Future Computer and Control Systems, vol. 159, pp. 77–82. Springer, Berlin (2012)CrossRefGoogle Scholar
  14. 14.
    Friedman, J.H., Tukey, J.W.: A projection pursuit algorithm for exploratory data-analysis. IEEE Trans. Comput. 23, 881–890 (1974)CrossRefzbMATHGoogle Scholar
  15. 15.
    Corchado, E., MacDonald, D., Fyfe, C.: Maximum and minimum likelihood hebbian learning for exploratory projection pursuit. Data Min. Knowl. Disc. 8, 203–225 (2004)CrossRefMathSciNetGoogle Scholar
  16. 16.
    Corchado, E., Fyfe, C.: Connectionist techniques for the identification and suppression of interfering underlying factors. Int. J. Pattern Recognit. Artif.Intell. 17, 1447–1466 (2003)CrossRefGoogle Scholar
  17. 17.
    Seung, H.S., Socci, N.D., Lee, D.: The rectified Gaussian distribution. Adv. Neural Inf. Process. Syst. 10, 350–356 (1998)Google Scholar
  18. 18.
    Jain, A.K., Murty, M.N, Flynn, P.J.: Data clustering: a review. ACM Comput. Surv. 31 (1999)Google Scholar
  19. 19.
    Xu, R., Wunsch, D.C.: Clustering. Wiley, New York (2009)Google Scholar
  20. 20.
    Andreopoulos, B., An, A., Wang, X., Schroeder, M.: A roadmap of clustering algorithms: finding a match for a biomedical application. Brief Bioinform 10, 297–314 (2009)CrossRefGoogle Scholar
  21. 21.
    Zhuang, W.W., Ye, Y.F., Chen, Y., Li, T.: Ensemble clustering for Internet security applications. IEEE Trans. Syst. Man Cybern. Part C-Appl. Rev. 42, 1784–1796 (2012)Google Scholar
  22. 22.
    Pouget, F., Dacier, M.: Honeypot-based forensics. In: Proceedings of the AusCERT Asia Pacific Information Technology Security Conference 2004 (AusCERT2004), 23–27 May 2004, Brisbane, Australia (2004)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Raúl Sánchez
    • 1
  • Álvaro Herrero
    • 1
  • Emilio Corchado
    • 2
  1. 1.Department of Civil EngineeringUniversity of BurgosBurgosSpain
  2. 2.Departamento de Informática y AutomáticaUniversidad de SalamancaSalamancaSpain

Personalised recommendations