Testing Ensembles for Intrusion Detection: On the Identification of Mutated Network Scans

  • Silvia González
  • Javier Sedano
  • Álvaro Herrero
  • Bruno Baruque
  • Emilio Corchado
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6694)


In last decades there have been many proposals from the machine learning community in the intrusion detection field. One of the main problems that Intrusion Detection Systems (IDSs) - mainly anomaly-based ones - have to face are those attacks not previously seen (zero-day attacks). This paper proposes a mutation technique to test and evaluate the performance of several classifier ensembles incorporated to network-based IDSs when tackling the task of recognizing such attacks. The technique applies mutant operators that randomly modifies the features of the captured packets to generate situations that otherwise could not be provided to learning IDSs. As an example application for the proposed testing model, it has been specially applied to the identification of network scans and related mutations.


Network Intrusion Detection Computational Intelligence Machine Learning IDS Performance Classifiers 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Computer Security Threat Monitoring and Surveillance. Technical Report. James P. Anderson Co. (1980)Google Scholar
  2. 2.
    Denning, D.E.: An Intrusion-Detection Model. IEEE Transactions on Software Engineering 13(2), 222–232 (1987)CrossRefGoogle Scholar
  3. 3.
    Chih-Fong, T., Yu-Feng, H., Chia-Ying, L., Wei-Yang, L.: Intrusion Detection by Machine Learning: A Review. Expert Systems with Applications 36(10), 11994–12000 (2009)CrossRefGoogle Scholar
  4. 4.
    Abraham, A., Grosan, C., Martin-Vide, C.: Evolutionary Design of Intrusion Detection Programs. International Journal of Network Security 4(3), 328–339 (2007)Google Scholar
  5. 5.
    Julisch, K.: Data Mining for Intrusion Detection: A Critical Review. In: Applications of Data Mining in Computer Security. AIS, pp. 33–62. Kluwer Academic Publishers, Dordrecht (2002)CrossRefGoogle Scholar
  6. 6.
    Giacinto, G., Roli, F., Didaci, L.: Fusion of Multiple Classifiers for Intrusion Detection in Computer Networks. Pattern Recognition Letters 24(12), 1795–1803 (2003)CrossRefzbMATHGoogle Scholar
  7. 7.
    Chebrolu, S., Abraham, A., Thomas, J.P.: Feature Deduction and Ensemble Design of Intrusion Detection Systems. Computers & Security 24(4), 295–307 (2005)CrossRefGoogle Scholar
  8. 8.
    Kim, H.K., Im, K.H., Park, S.C.: DSS for Computer Security Incident Response Applying CBR and Collaborative Response. Expert Systems with Applications 37(1), 852–870 (2010)CrossRefGoogle Scholar
  9. 9.
    Tajbakhsh, A., Rahmati, M., Mirzaei, A.: Intrusion Detection using Fuzzy Association Rules. Applied Soft Computing 9(2), 462–469 (2009)CrossRefGoogle Scholar
  10. 10.
    Sarasamma, S.T., Zhu, Q.M.A., Huff, J.: Hierarchical Kohonenen Net for Anomaly Detection in Network Security. IEEE Transactions on Systems Man and Cybernetics, Part B 35(2), 302–312 (2005)CrossRefGoogle Scholar
  11. 11.
    Herrero, Á., Corchado, E., Gastaldo, P., Zunino, R.: Neural Projection Techniques for the Visual Inspection of Network Traffic. Neurocomputing 72(16-18), 3649–3658 (2009)CrossRefGoogle Scholar
  12. 12.
    Zhang, C., Jiang, J., Kamel, M.: Intrusion Detection using Hierarchical Neural Networks. Pattern Recognition Letters 26(6), 779–791 (2005)CrossRefGoogle Scholar
  13. 13.
    Marchette, D.J.: Computer Intrusion Detection and Network Monitoring: A Statistical Viewpoint. In: Information Science and Statistics. Springer, New York (2001)Google Scholar
  14. 14.
    Roesch, M.: Snort–Lightweight Intrusion Detection for Networks. In: 13th Systems Administration Conference (LISA 1999), pp. 229–238 (1999)Google Scholar
  15. 15.
    Ranum, M.J.: Experiences Benchmarking Intrusion Detection Systems. NFR Security Technical Publications (2001)Google Scholar
  16. 16.
    Corchado, E., Herrero, Á., Sáiz, J.M.: Testing CAB-IDS Through Mutations: On the Identification of Network Scans. In: Gabrys, B., Howlett, R.J., Jain, L.C. (eds.) KES 2006. LNCS (LNAI), vol. 4252, pp. 433–441. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  17. 17.
    Corchado, E., Herrero, Á.: Neural Visualization of Network Traffic Data for Intrusion Detection. Applied Soft Computing 11(2), 2042–2056 (2011)CrossRefGoogle Scholar
  18. 18.
    Abdullah, K., Lee, C., Conti, G., Copeland, J.A.: Visualizing Network Data for Intrusion Detection. In: Sixth Annual IEEE Information Assurance Workshop - Systems, Man and Cybernetics, pp. 100–108 (2005)Google Scholar
  19. 19.
    Sharkey, A.J.C., Sharkey, N.E.: Combining Diverse Neural Nets. Knowledge Engineering Review 12(3), 231–247 (1997)CrossRefGoogle Scholar
  20. 20.
    Polikar, R.: Ensemble Based Systems in Decision Making. IEEE Circuits and Systems Magazine 6(3), 21–45 (2006)CrossRefGoogle Scholar
  21. 21.
    Ruta, D., Gabrys, B.: An Overview of Classifier Fusion Methods. Computing and Information Systems 7(1), 1–10 (2000)Google Scholar
  22. 22.
    Bailey, T., Jain, A.: A Note on Distance-Weighted k-Nearest Neighbor Rules. IEEE Transactions on Systems, Man and Cybernetics 8(4), 311–313 (1978)CrossRefzbMATHGoogle Scholar
  23. 23.
    Breiman, L., Friedman, J.H., Olshen, R.A., Stone, C.J.: Classification and Regression Trees, p. 358. Wadsworth Inc., Belmont (1984)zbMATHGoogle Scholar
  24. 24.
    Zhao, Y., Zhang, Y.: Comparison of Decision Tree Methods for Finding Active Objects. Advances in Space Research 41(12), 1955–1959 (2008)CrossRefGoogle Scholar
  25. 25.
    Moody, J., Darken, C.J.: Fast Learning in Networks of Locally-tuned Processing Units. Neural Computation 1(2), 281–294 (1989)CrossRefGoogle Scholar
  26. 26.
    Allwein, E.L., Schapire, R.E., Singer, Y.: Reducing Multiclass to Binary: a Unifying Approach for Margin Classifiers. Journal of Machine Learning Research 1, 113–141 (2001)MathSciNetzbMATHGoogle Scholar
  27. 27.
    Breiman, L.: Bagging Predictors. Machine Learning 24(2), 123–140 (1996)zbMATHGoogle Scholar
  28. 28.
    Freund, Y., Schapire, R.E.: Experiments with a New Boosting Algorithm. In: International Conference on Machine Learning, pp. 148–156 (1996)Google Scholar
  29. 29.
    Breiman, L.: Random Forests. Machine Learning 45(1), 5–32 (2001)CrossRefzbMATHGoogle Scholar
  30. 30.
    Friedman, J., Hastie, T., Tibshirani, R.: Additive Logistic Regression: a Statistical View of Boosting. The Annals of Statistics 28(2), 337–407 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Seewald, A.K.: How to Make Stacking Better and Faster While Also Taking Care of an Unknown Weakness. In: Nineteenth International Conference on Machine Learning. Morgan Kaufmann Publishers Inc., San Francisco (2002)Google Scholar
  32. 32.
    Corchado, E., Herrero, Á., Sáiz, J.M.: Detecting Compounded Anomalous SNMP Situations Using Cooperative Unsupervised Pattern Recognition. In: Duch, W., Kacprzyk, J., Oja, E., Zadrożny, S. (eds.) ICANN 2005. LNCS, vol. 3697, pp. 905–910. Springer, Heidelberg (2005)Google Scholar
  33. 33.
    Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., Witten, I.H.: The WEKA Data Mining Software: An Update. ACM SIGKDD Explorations Newsletter 11(1), 10–18 (2009)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Silvia González
    • 1
  • Javier Sedano
    • 1
  • Álvaro Herrero
    • 2
  • Bruno Baruque
    • 2
  • Emilio Corchado
    • 3
  1. 1.Instituto Tecnológico de Castilla y LeónBurgosSpain
  2. 2.Department of Civil EngineeringUniversity of BurgosBurgosSpain
  3. 3.Departamento de Informática y AutomáticaUniversidad de SalamancaSalamancaSpain

Personalised recommendations