An Anomaly Detection Model for Network Intrusions Using One-Class SVM and Scaling Strategy

  • Ming ZhangEmail author
  • Boyi Xu
  • Dongxia Wang
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 163)


Intrusion detection acts as an effective countermeasure to solve the network security problems. Support Vector Machine (SVM) is one of the widely used intrusion detection techniques. However, the commonly used two-class SVM algorithms are facing difficulties of constructing the training dataset. That is because in many real application scenarios, normal connection records are easy to be obtained, but attack records are not so. We propose an anomaly detection model for network intrusions by using one-class SVM and scaling strategy. The one-class SVM adopts only normal network connection records as the training dataset. The scaling strategy guarantees that the variability of feature values can reflect their importance, thus improving the detection accuracy significantly. Experimental results on KDDCUP99 dataset show that compared to Probabilistic Neural Network (PNN) and C-SVM, our one-class SVM based model achieves higher detection rates and yields average better performance in terms of precision, recall and F-value.


Intrusion detection Anomaly detection One-class SVM Scaling strategy 



The work of this paper is supported by the National Natural Science Foundation of China Project under grant No. 61271252.


  1. 1.
    Symantec Enterprise.: Internet Security Threat Report 2014. accessed 15 April 2015
  2. 2.
    Cenzic.: Application Vulnerability Trends Report 2014. accessed 15 April 2015
  3. 3.
    Anderson, J.P.: Computer security threat monitoring and surveillance. vol. 17. Technical report, James P. Anderson Company, Fort Washington, Pennsylvania (1980)Google Scholar
  4. 4.
    Axelsson, S.: Intrusion detection systems: A survey and taxonomy. vol. 99. Technical report, 2000Google Scholar
  5. 5.
    Kruegel, C., Tóth, T.: Using decision trees to improve signature-based intrusion detection. In: Vigna, G., Kruegel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 173–191. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Patcha, A., Park, J.-M.: An overview of anomaly detection techniques: existing solutions and latest technological trends. Comput. Netw. 51(12), 3448–3470 (2007)CrossRefGoogle Scholar
  7. 7.
    Li, Y., Li, W., Wu, G.: An intrusion detection approach using SVM and multiple kernel method. Int. J Adv. Comput. Technol. IJACT 4(1), 463–469 (2012)Google Scholar
  8. 8.
    Li, Y., et al.: An efficient intrusion detection system based on support vector machines and gradually feature removal method. Expert Syst. Appl. 39(1), 424–430 (2012)CrossRefGoogle Scholar
  9. 9.
    Taylor, C., Alves-Foss, J.: Low cost network intrusion detection (2000)Google Scholar
  10. 10.
    Barbara, D., Wu, N., Jajodia, S.: Detecting novel network intrusions using Bayes estimators. In: SDM (2001)Google Scholar
  11. 11.
    Shyu, M.-L., et al.: A novel anomaly detection scheme based on principal component classifier. Miami Univ Coral Gables FL Dept of Electrical and Computer Engineering (2003)Google Scholar
  12. 12.
    Qin, M., Hwang, K.: Frequent episode rules for intrusive anomaly detection with internet datamining. In: USENIX Security Symposium (2004)Google Scholar
  13. 13.
    Denning, D.E.: An intrusion-detection model. IEEE Trans. Softw. Eng. 2, 222–232 (1987)CrossRefGoogle Scholar
  14. 14.
    Wang, G., et al.: A new approach to intrusion detection using artificial neural networks and fuzzy clustering. Expert Syst. Appl. 37(9), 6225–6232 (2010)CrossRefGoogle Scholar
  15. 15.
    Sinclair, C., Pierce, L., Matzner, S.: An application of machine learning to network intrusion detection. In: 15th Annual Computer Security Applications Conference (ACSAC 1999) Proceedings. IEEE (1999)Google Scholar
  16. 16.
    Tsai, C.-F., et al.: Intrusion detection by machine learning: a review. Expert Syst. Appl. 36(10), 11994–12000 (2009)CrossRefGoogle Scholar
  17. 17.
    Ryan, J., Lin, M.-J., Miikkulainen, R.: Intrusion detection with neural networks. In: Advances in neural information processing systems 943–949 (1998)Google Scholar
  18. 18.
    Kim, D.S., Park, J.S.: Network-based intrusion detection with support vector machines. In: Kahng, H.-K. (ed.) ICOIN 2003. LNCS, vol. 2662, pp. 747–756. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  19. 19.
    Sung, A.H., Mukkamala, S.: Identifying important features for intrusion detection using support vector machines and neural networks. In: 2003 Symposium on Applications and the Internet, Proceedings, pp. 209–216. IEEE (2003)Google Scholar
  20. 20.
    Mukkamala, S., Janoski, G., Sung, A.: Intrusion detection using neural networks and support vector machines. In: Proceedings of the 2002 International Joint Conference on Neural Networks, IJCNN 2002. vol. 2. IEEE (2002)Google Scholar
  21. 21.
    Ambwani, T.: Multi class support vector machine implementation to intrusion detection. In: Proceedings of the International Joint Conference on Neural Networks, vol. 3. IEEE (2003)Google Scholar
  22. 22.
    Khan, L., Awad, M., Thuraisingham, B.: A new intrusion detection system using support vector machines and hierarchical clustering. Int. J. Very Large Data Bases 16(4), 507–521 (2007)Google Scholar
  23. 23.
    Horng, S.-J., et al.: A novel intrusion detection system based on hierarchical clustering and support vector machines. Expert Syst. Appl. 38(1), 306–313 (2011)Google Scholar
  24. 24.
    Schölkopf, B., et al.: Estimating the support of a high-dimensional distribution. Neural Comput. 13(7), 1443–1471 (2001)zbMATHCrossRefGoogle Scholar
  25. 25.
    Platt, J.: Sequential minimal optimization: a fast algorithm for training support vector machines (1998)Google Scholar
  26. 26.
    UCI KDD Archive.: KDDCUP99 dataset. accessed 15 April 2015
  27. 27.
    MIT Lincoln Laboratory.: DARPA Intrusion Detection Data Sets. accessed 15 April 2015
  28. 28.
    Specht, D.F.: Probabilistic neural networks. Neural Netw. 3(1), 109–118 (1990)CrossRefGoogle Scholar
  29. 29.
    Cortes, C., Vapnik, V.: Support-vector networks. Mach. Learn. 20(3), 273–297 (1995)zbMATHGoogle Scholar
  30. 30.
    Chang, C.-C., Lin, C.-J.: LIBSVM : a library for support vector machines. ACM Trans. Intell. Syst. Technol. 2, 27:1–27:27 (2011).

Copyright information

© Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2016

Authors and Affiliations

  1. 1.National Key Laboratory of Science and Technology on Information System SecurityBeijing Institute of System EngineeringBeijingChina

Personalised recommendations