Intrusion Detection Based on Behavior Mining and Machine Learning Techniques

  • Srinivas Mukkamala
  • Dennis Xu
  • Andrew H. Sung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4031)


This paper describes results concerning the classification capability of unsupervised and supervised machine learning techniques for detecting intrusions using network audit trails. We investigate well-known machine learning techniques: Frequent Pattern Tree mining (FP-tree), classification and regression trees (CART), multivariate adaptive regression splines (MARS) and TreeNet. The best model is chosen on the basis of classification accuracy, assessed by ROC curve analysis. The results show that high classification accuracies can be achieved in a fraction of the time required by the well-known support vector machines and artificial neural networks. TreeNet performs best for the normal, probe and denial of service (DoS) classes; CART performs best for user to super user (U2su) and remote to local (R2L) attacks.
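The abstract names CART-style tree classification and ROC-based model selection over audit-trail records, but the page carries no code. The block below is an added illustration, not the paper's code and not the DARPA/KDD data the paper evaluates on: a small CART tree with Gini splitting, scored per class with one-vs-rest ROC AUC, run on constructed connection records. The feature names (`count`, `serror_rate`, `num_failed_logins`, `root_shell`) are borrowed from the KDD audit-trail feature set; the per-class value ranges, the function names and the 60/40 hold-out split are all assumptions made for this example.

```python
"""Added illustration: CART-style tree + one-vs-rest ROC AUC on constructed
KDD-style connection records. Not the paper's code; all feature ranges are
invented assumptions chosen only to be plausible."""
from collections import Counter
import random

# Feature names mimic the KDD/DARPA audit-trail feature set (assumption).
FEATURES = ["duration", "src_bytes", "dst_bytes", "count", "serror_rate",
            "num_failed_logins", "root_shell"]
LABELS = ["normal", "probe", "dos", "u2su", "r2l"]


def make_records(n_per_class=30, seed=7):
    """Constructed audit records: (feature vector, label) per connection."""
    rng = random.Random(seed)
    u = rng.uniform
    recs = []
    for _ in range(n_per_class):
        # ordinary session: moderate payloads, few connections to the host
        recs.append(([u(0, 30), u(150, 2000), u(100, 5000), u(1, 20),
                      u(0, 0.1), 0, 0], "normal"))
        # probe: many short connections carrying almost no data
        recs.append(([u(0, 2), u(0, 40), u(0, 40), u(100, 300),
                      u(0, 0.2), 0, 0], "probe"))
        # SYN-flood style DoS: very high count, nearly every connection in SYN error
        recs.append(([u(0, 2), u(0, 100), u(0, 40), u(200, 511),
                      u(0.8, 1.0), 0, 0], "dos"))
        # user-to-superuser: normal-looking session that ends with a root shell
        recs.append(([u(5, 60), u(200, 3000), u(100, 2000), u(1, 5),
                      u(0, 0.1), 0, 1], "u2su"))
        # remote-to-local: password guessing, i.e. repeated failed logins
        recs.append(([u(1, 20), u(200, 800), u(200, 800), u(1, 10),
                      u(0, 0.1), rng.randint(1, 5), 0], "r2l"))
    rng.shuffle(recs)
    return recs


def gini(labels):
    """Gini impurity of a label multiset; 0 means a pure node."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split(rows, min_leaf):
    """Exhaustive CART search over (feature, midpoint threshold); returns the
    split with lowest size-weighted child impurity, or None if none beats the parent."""
    best = (None, None, gini([y for _, y in rows]))
    for f in range(len(FEATURES)):
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2.0  # midpoint keeps unseen values on the right side of a gap
            left = [y for x, y in rows if x[f] <= thr]
            right = [y for x, y in rows if x[f] > thr]
            if len(left) < min_leaf or len(right) < min_leaf:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if score < best[2] - 1e-12:
                best = (f, thr, score)
    return best


def build_tree(rows, depth=0, max_depth=6, min_leaf=3):
    """Recursively grow a binary tree; leaves keep class counts for scoring."""
    f, thr, _ = best_split(rows, min_leaf)
    if depth >= max_depth or f is None:
        return {"leaf": Counter(y for _, y in rows)}
    left = [r for r in rows if r[0][f] <= thr]
    right = [r for r in rows if r[0][f] > thr]
    return {"feature": FEATURES[f], "index": f, "thr": thr,
            "left": build_tree(left, depth + 1, max_depth, min_leaf),
            "right": build_tree(right, depth + 1, max_depth, min_leaf)}


def predict_proba(tree, x):
    """Walk to a leaf; per-class score is the leaf's class frequency."""
    while "leaf" not in tree:
        tree = tree["left"] if x[tree["index"]] <= tree["thr"] else tree["right"]
    total = sum(tree["leaf"].values())
    return {c: tree["leaf"][c] / total for c in LABELS}


def roc_auc(scores, positives):
    """AUC for one class: probability a random positive outscores a random
    negative, ties counting one half (the Mann-Whitney form of the ROC area)."""
    pos = [s for s, p in zip(scores, positives) if p]
    neg = [s for s, p in zip(scores, positives) if not p]
    if not pos or not neg:
        return float("nan")
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def evaluate(records, train_frac=0.6):
    """Hold-out evaluation: overall accuracy plus one-vs-rest AUC per class."""
    cut = int(len(records) * train_frac)
    train, test = records[:cut], records[cut:]
    tree = build_tree(train)
    probs = [predict_proba(tree, x) for x, _ in test]
    truth = [y for _, y in test]
    acc = sum(max(p, key=p.get) == y for p, y in zip(probs, truth)) / len(test)
    aucs = {c: roc_auc([p[c] for p in probs], [y == c for y in truth]) for c in LABELS}
    return acc, aucs


if __name__ == "__main__":
    acc, aucs = evaluate(make_records())
    print(f"accuracy={acc:.3f}")
    for c in LABELS:
        print(f"  AUC[{c}] = {aucs[c]:.3f}")
```

The constructed classes are deliberately separable by one feature each, so the tree reaches near-perfect AUC; real audit trails overlap far more, which is why the paper compares ensembles such as TreeNet and why per-class ROC analysis, rather than a single accuracy number, is the right basis for choosing a model when U2su and R2L records are a tiny minority of the traffic.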

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Srinivas Mukkamala (1)
  • Dennis Xu (1)
  • Andrew H. Sung (1)
  1. Institute for Complex Additive Systems and Analysis, Department of Computer Science, New Mexico Tech, Socorro