Improvement of Detection Ability According to Optimum Selection of Measures Based on Statistical Approach

  • Gil-Jong Mun
  • Yong-Min Kim
  • DongKook Kim
  • Bong-Nam Noh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3822)


A selection of useful measures and a generation of rules for detecting attacks from network data are very difficult. Expert’s experiences are commonly required to generate the detection rules. If the rules are generated automatically, we will reduce man-power, management expense, and complexity of intrusion detection systems. In this paper, we propose two methods for generating the detection rules. One method is the statistical method based on relative entropy that uses for selecting the useful measures for generating the accurate rules. The other is decision tree algorithm based on entropy theory that generates the detection rules automatically. Also we propose a method of converting the continuous measures into categorical measures because continuous measures are hard to analyze. As the result, the detection rules for attacks are automatically generated without expert’s experiences. Also, we selected the useful measures by the proposed method.


Intrusion Detection Relative Entropy Anomaly Detection Intrusion Detection System Decision Tree Algorithm 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Denning, D.E.: An Intrusion-Detection Model. IEEE Trans. on Software Engineering (2) (1987)Google Scholar
  2. 2.
    The third international Knowledge discovery and data mining tools competition dataset KDD99 CUP (1998),
  3. 3.
    Mahoney, M., Chan, P.: PHAD: Packet Header Anomaly Detection for Identifying Hostile Network Traffic. Florida Institute of Tech. Technical Report CS-2001-4 (2001)Google Scholar
  4. 4.
    Mahoney, M., Chan, P.: Learning Models of Network Traffic for Detecting Novel Attacks. Florida Institute of Tech. Technical Report CS-2002-08 (2002)Google Scholar
  5. 5.
    Templeton, S., Levitt, K.: Detecting Spoofed Packets. In: Proc. of the DARPA Information Survivability Conferences and Exposition (2003)Google Scholar
  6. 6.
    Bykova, M.: Detecting Network Intrusions via a Statistical Analysis of Network Packet Characteristics. In: the 33rd Southeastern Symposium on System Theory(SSST 2001), Ohio Univ, pp. 18–20 (2001)Google Scholar
  7. 7.
    Bykova, M., Ostermann, S.: Statistical Analysis of Malformed Packets and Their Origins in the Modern Internet. In: 2nd IMW 2002 (2002)Google Scholar
  8. 8.
    Feinstein, L., Schnackenberg, D., Balupari, R., Kindred, D.: statistical Approaches to DDos Attack Detection and Response. In: Proc. of the DARPA Information Survivability Conferences and Exposition, DISCEX 2003 (2003)Google Scholar
  9. 9.
    Mukkamala, S., Sung, A.: Identifying Significant Features for Network Forensic Analysis Using Artificial Intelligent Techniques. Intl. of Digital Evidence 1 (2003)Google Scholar
  10. 10.
    Chris, S., Lyn, P., Sara, M.: An Application of Machine Learning to Network Intrusion Detection. In: 54th Annual Computer Security application Conference (1999)Google Scholar
  11. 11.
    Bigus, J.: Data Mining with Neural Networks. McGraw-Hill, New York (1996)Google Scholar
  12. 12.
    Pearl, J.: Probabilistic Reasoning in Intelligent System, 2nd edn. Networks of Plausible Inference. Morgan Kaufmann, San Francisco (1997)Google Scholar
  13. 13.
    Barbara, D., Wu, N., Jajodia, S.: Detecting Novel Network Intrusions using Bayes Estimators. In: 1st SIA International Conf. on Data Mining (2001)Google Scholar
  14. 14.
    Ross Quinlan, J.: C4.5:Programs for Machine Learning. Morgan Kaufmann, San Mateo (1993)Google Scholar
  15. 15.
    Mitchell, T.: Machine Learning. McGraw-Hill, New York (1997)zbMATHGoogle Scholar
  16. 16.
    Richard, P., David Freid, J.: Evaluating Intrusion Detection System: The, DARPA off-line Intrusion Detection Evaluation (1998)Google Scholar
  17. 17.
    Lee, W., Xiang, D.: Information-Theoretic Measures for Anomaly Detection. In: IEEE Symposium on Security and Privacy (2001)Google Scholar
  18. 18.
    Yoh-Han, P.: Adaptive Pattern Recognition and Neural Networks. Addison-Wesley, Reading (1989)zbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Gil-Jong Mun
    • 1
  • Yong-Min Kim
    • 2
  • DongKook Kim
    • 3
  • Bong-Nam Noh
    • 3
  1. 1.Interdisciplinary Program of Information SecurityChonnam National UniversityGwangjuKorea
  2. 2.Div. of Information TechnologyYeosu National UnviersityYeosuKorea
  3. 3.Div. of Electronics Computer & Information EngineeringChonnam National UniversityGwangjuKorea

Personalised recommendations