Abstract
With the rapidly growing and widespread use of computer networks, the number of new threats has grown extensively. Automated rule induction procedures for detecting these threats, such as machine learning and statistical techniques, result in rules that lack generalization and maintainability. In this paper, we focus on a detailed study of different types of attacks using the NSL KDD dataset by manually developing rules through the incorporation of attack signatures. This results in meaningful but weak rules, as it is difficult to define thresholds by hand. This paper utilizes a hybrid procedure for developing rules by combining expert knowledge with automated techniques to improve the readability, comprehensibility, and maintainability of the rules. Through the proposed rule-formation technique, heuristic rules were developed for the different attack types included in the NSL KDD dataset. Empirical results show high detection rates with low false alarms for the different attack types in the dataset. The utilized techniques also highlighted a mislabeling problem in the NSL KDD dataset for the R2L and U2R attacks considered.
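As an added illustration of the hybrid rule-formation idea (this is not the paper's code): the analyst fixes the shape of a signature rule over NSL-KDD features, and the threshold is then fitted from labelled records under a false-alarm budget, which is compared against a hand-guessed threshold. The feature choice (count, serror_rate), the constructed records and the helper names are assumptions.

```python
# Added example, not from the paper. Feature names follow the KDD'99/NSL-KDD
# schema: "count" = connections to the same host in the last two seconds,
# "serror_rate" = fraction of those connections with SYN errors. The records
# below are constructed sample data, not rows taken from the dataset.
SAMPLE = [
    {"count": 2,   "serror_rate": 0.00, "label": "normal"},
    {"count": 5,   "serror_rate": 0.00, "label": "normal"},
    {"count": 9,   "serror_rate": 0.20, "label": "normal"},
    {"count": 12,  "serror_rate": 0.10, "label": "normal"},
    {"count": 120, "serror_rate": 1.00, "label": "neptune"},
    {"count": 250, "serror_rate": 0.99, "label": "neptune"},
    {"count": 60,  "serror_rate": 0.95, "label": "neptune"},
    {"count": 15,  "serror_rate": 0.90, "label": "neptune"},
]


def fit_threshold(records, feature, max_far=0.0):
    """Expert part: the rule has the form `feature >= t`.
    Automated part: choose the smallest observed t whose false alarm rate
    on the normal records stays within max_far, so the rule fires on as
    much traffic as the false-alarm budget allows. Returns None if no
    threshold satisfies the budget."""
    normals = [r[feature] for r in records if r["label"] == "normal"]
    for t in sorted({r[feature] for r in records}):
        far = sum(v >= t for v in normals) / len(normals)
        if far <= max_far:
            return t
    return None


def evaluate(records, feature, t, attack):
    """Detection rate (share of `attack` records flagged) and false alarm
    rate (share of normal records flagged) for the rule `feature >= t`."""
    attacks = [r for r in records if r["label"] == attack]
    normals = [r for r in records if r["label"] == "normal"]
    dr = sum(r[feature] >= t for r in attacks) / len(attacks)
    far = sum(r[feature] >= t for r in normals) / len(normals)
    return dr, far


if __name__ == "__main__":
    # A hand-picked threshold (count >= 100) is a "weak" rule: no false
    # alarms, but it misses half of the constructed neptune records.
    print("manual  count>=100 :", evaluate(SAMPLE, "count", 100, "neptune"))
    # The fitted threshold keeps the same false-alarm budget and catches all.
    t = fit_threshold(SAMPLE, "count")
    print("fitted  count>=%s :" % t, evaluate(SAMPLE, "count", t, "neptune"))
```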
© 2016 Springer International Publishing Switzerland
Wutyi, K.S., Thwin, M.M.S. (2016). Heuristic Rules for Attack Detection Charged by NSL KDD Dataset. In: Zin, T., Lin, JW., Pan, JS., Tin, P., Yokota, M. (eds) Genetic and Evolutionary Computing. Advances in Intelligent Systems and Computing, vol 387. Springer, Cham. https://doi.org/10.1007/978-3-319-23204-1_15
DOI: https://doi.org/10.1007/978-3-319-23204-1_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23203-4
Online ISBN: 978-3-319-23204-1
eBook Packages: Engineering (R0)