Evolving High-Speed, Easy-to-Understand Network Intrusion Detection Rules with Genetic Programming

  • Agustin Orfila
  • Juan M. Estevez-Tapiador
  • Arturo Ribagorda
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5484)


An ever-present problem in intrusion detection technology is how to construct the patterns of (good, bad or anomalous) behaviour upon which an engine have to make decisions regarding the nature of the activity observed in a system. This has traditionally been one of the central areas of research in the field, and most of the solutions proposed so far have relied in one way or another upon some form of data mining–with the exception, of course, of human-constructed patterns. In this paper, we explore the use of Genetic Programming (GP) for such a purpose. Our approach is not new in some aspects, as GP has already been partially explored in the past. Here we show that GP can offer at least two advantages over other classical mechanisms: it can produce very lightweight detection rules (something of extreme importance for high-speed networks or resource-constrained applications) and the simplicity of the patterns generated allows to easily understand the semantics of the underlying attack.


Genetic Programming False Alarm Rate Transmission Control Protocol Intrusion Detection Anomaly Detection 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abraham, A., Grosan, C., Martin-Vide, C.: Evolutionary design of intrusion detection programs. International Journal of Network Security 4(3), 328–339 (2007)Google Scholar
  2. 2.
    Crosbie, M., Spafford, E.H.: Applying genetic programming to intrusion detection. In: Working Notes for the AAAI Symposium on GP (1995)Google Scholar
  3. 3.
    Elkan, C.: Results of the KDD 1999 classifier learning contest (September 1999),
  4. 4.
    Faraoun, K., Boukelif, A.: Genetic programming approach for multi-category pattern classification applied to network intrusions detection. The International Arab Journal of Information Technology 4(3), 237–246 (2007)Google Scholar
  5. 5.
    Koza, J.R.: Genetic Programming: On the Programming of Computers by Means of Natural Selection. MIT Press, Cambridge (1992)zbMATHGoogle Scholar
  6. 6.
    Lippmann, R., Haines, J.W., Fried, D.J., Korba, J., Das, K.: The 1999 DARPA off-line intrusion detection evaluation. Computer Networks 34(4), 579–595 (2000)CrossRefGoogle Scholar
  7. 7.
    Mahoney, M.V., Chan, P.K.: An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 220–237. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Pang, R., Allman, M., Bennett, M., Lee, J., Paxson, V., Tierney, B.: A first look at modern enterprise traffic. In: Proceedings of the 5th ACM SIGCOMM conference on Internet measurement, IMC 2005, pp. 1–14. ACM, New York (2005)Google Scholar
  9. 9.
    Song, D., Heywood, M.I., Zincir-Heywood, A.N.: Training genetic programming on half a million patterns: an example from anomaly detection. IEEE Transactions on Evolutionary Computation 9(3), 225–239 (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Agustin Orfila
    • 1
  • Juan M. Estevez-Tapiador
    • 1
  • Arturo Ribagorda
    • 1
  1. 1.Universidad Carlos III de MadridLeganesSpain

Personalised recommendations