Anomaly Detection Using Gaussian Mixture Probability Model to Implement Intrusion Detection System

Part of the Lecture Notes in Computer Science book series (LNAI, volume 11734)

Abstract

Network intrusion detection systems (NIDS) detect attacks or anomalous network traffic patterns in order to avoid cybersecurity issues. Anomaly detection algorithms are used to identify unusual behavior or outliers in the network traffic in order to generate alarms. Traditionally, Gaussian Mixture Models (GMMs) have been used for probabilistic-based anomaly detection NIDS. We propose to use multiple simple GMMs to model each individual feature, and an asymmetric voting scheme that aggregates the individual anomaly detectors to provide. We test our approach using the NSL dataset. We construct the normal behavior models using only the samples labelled as normal in this dataset and evaluate our proposal using the official NSL testing set. As a result, we obtain an F1-score over 0.9, outperforming other supervised and unsupervised proposals.

Keywords

  • Intrusion Detection
  • Gaussian Mixture Model
  • Voting


Acknowledgements

This work was supported by the Spanish Ministry of Economy and Competitiveness under contracts TIN-2015-65277-R, AYA2015-65973-C3-3-R and RTC-2016-5434-8.

Corresponding author

Correspondence to Pedro Malagón.

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Blanco, R., Malagón, P., Briongos, S., Moya, J.M. (2019). Anomaly Detection Using Gaussian Mixture Probability Model to Implement Intrusion Detection System. In: Pérez García, H., Sánchez González, L., Castejón Limas, M., Quintián Pardo, H., Corchado Rodríguez, E. (eds) Hybrid Artificial Intelligent Systems. HAIS 2019. Lecture Notes in Computer Science, vol 11734. Springer, Cham. https://doi.org/10.1007/978-3-030-29859-3_55

  • DOI: https://doi.org/10.1007/978-3-030-29859-3_55

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-29858-6

  • Online ISBN: 978-3-030-29859-3

  • eBook Packages: Computer Science, Computer Science (R0)