Multilayer Machine Learning-Based Intrusion Detection System

  • Amira Sayed A. Aziz
  • Aboul Ella Hassanien
Part of the Intelligent Systems Reference Library book series (ISRL, volume 70)


Almost daily we hear news about a security breach somewhere, as hackers are constantly finding new ways to get around even the most complex firewalls and security systems. This turned the security into one of the top research areas. Artificial Immune Systems are techniques inspired by biological immune system—specifically the human immune system—which basic function is to protect the body (system) and defend against attacks of different types. For this reason, many have applied the artificial immune system in the field of network security and intrusion detection. In this chapter, a basic model of a multi-layer system is discussed, along with the basics of artificial immune systems and network intrusion detection. An actual experiment is included, which involved a layer for data preprocessing and feature selection (using Principal Component Analysis), a layer for detectors generation and anomaly detection (Using Genetic Algorithm with Negative Selection Approach), and finally a layer for detected anomalies classification (using decision tree classifiers). The principle interest of this work is to benchmark the performance of the proposed multi-layer IDS system by using NSL-KDD benchmark data set used by IDS researchers. The obtained results of the anomaly detection layer shows that up to 81 % of the attacks were successfully detected as attacks. The results of the classification layer demonstrated that naive bayes classifier has better classification accuracy in the case of lower presented attacks such as U2R and R2L, while the J48 decision tree classifier gives high accuracy up to 82 % for DoS attacks and 65.4 % for probe attacks in the anomaly traffic.


Artificial immune systems Anomaly intrusion detection Machine learning Computational intelligence 


  1. 1.
    Teller, T.: The Biggest Cybersecurity Threats of 2013, Forbes magazine, May 2012Google Scholar
  2. 2.
    2013 Cisco Annual Security Report, Cisco SystemsGoogle Scholar
  3. 3.
    Worldwide Infrastructure Security Report, 2012 vol. VIII, ARBOR NetworksGoogle Scholar
  4. 4.
    Peddabachigari, S., Abraham, A., Grosan, C., Thomas, J.: Modeling intrusion detection system using hybrid intelligent systems. J. Netw. Comput. Appl. 30(1), 114–132 (2007)CrossRefGoogle Scholar
  5. 5.
    Farid, D., Harbi, N., Rahman, M.Z.: Combining naive bayes and decision tree for adaptive intrusion detection. arXiv, preprint arXiv:1005.4496 (2010)
  6. 6.
    Xiang, C., Yong, P.C., Meng, L.S.: Design of multiple-level hybrid classifier for intrusion detection system using Bayesian clustering and decision trees. Pattern Recogn. Lett. 29(7), 918–924 (2008)CrossRefGoogle Scholar
  7. 7.
    Omar, S., Ngadi, A., Jebur, H.H.: An adaptive intrusion detection model based on machine learning techniques. Int. J. Comput. Appl. 70 (2013)Google Scholar
  8. 8.
    Mukkamala, S., Janoski, G., Sung, A.: Intrusion detection using neural networks and support vector machines. In: Proceedings of the 2002 International Joint Conference on Neural Networks, IJCNN’02, IEEE, vol. 2, pp. 1702–1707 (2002)Google Scholar
  9. 9.
    Aleksandar, L., Vipin, K., Jaideep, S.: Intrusion detection: a survey. In: Kumar, V. et al. (eds.) Managing Cyber Threats Issues, Approaches, and Challenges, vol. 5, pp. 19–78 (2005)Google Scholar
  10. 10.
    Murali, A., Roa, M.: A survey on intrusion detection approaches. First International Conference on Information and Communication Technologies. pp. 233–240 (2005)Google Scholar
  11. 11.
    Garcia-Teodora, P., Diaz-Verdejo, J., Macia-Fernandez, G., Vazquez, E.: Anomaly-based network intrusion detection: techniques, systems and challenges. Comput. Secur. 28(1–2), 18–28 (2009)CrossRefGoogle Scholar
  12. 12.
    Li, W.: Using genetic algorithm for network intrusion detection. Proceedings of the United States Department of Energy Cyber Security Grou, Training Conference vol. 8, pp. 24–27 (2004)Google Scholar
  13. 13.
    Sinclair, C., Pierce, L., Matzner, S.: An application of machine learning to network intrusion detection. In: Proceedings of 15th Annual Computer Security Applications Conference, ACSAC’99, pp. 371–377, IEEE (1999)Google Scholar
  14. 14.
    Jolliffe, I.: Principal Component Analysis. John Wiley & Sons Ltd, New York (2005)Google Scholar
  15. 15.
    Smith, L.I.: A tutorial on principal components analysis. Cornell University, USA vol. 51, pp. 52 (2002)Google Scholar
  16. 16.
    Hofmeyr, S.A., Forrest, S.: Immunity by design: an artificial immune system. Proceedings of Genetic and Evolutionary Computation Conference, pp. 1289–1296 (1999)Google Scholar
  17. 17.
    Aickelin, U., Dasgupta, D.: Artificial immune systems tutorial. In: Burke, E., Kendall, G. (eds.) Search Methodologies Introductory Tutorials in Optimization and Decision Support Techniques. Kluwer, pp. 375–399 (2005)Google Scholar
  18. 18.
    Greensmith, J., Whitbrook, A., Aickelin, U.: Artificial immune systems. Handbook of Metaheuristics, pp. 421–448. Springer, US (2010)Google Scholar
  19. 19.
    Forrest, S.: Self-nonself discrimination in a computer. IEEE Computer Society Symposium on Research in Security and Privacy, pp. 202–212 (1994)Google Scholar
  20. 20.
    Shen, X., Gao, X.Z., Bie, R., Jin, X.: Artificial immune networks: models and applications. International Conference on Computational Intelligence and Security, vol. 1, pp. 394–397 (2006)Google Scholar
  21. 21.
    Galeano, G.C., Veloza-Suan, A., Gonzalez, F.A.: A comparative analysis of artificial immune network models. Proceedings of the Conference on Genetic and Evolutionary Computation, GECCO ’05, pp. 361–368 (2005)Google Scholar
  22. 22.
    Ulutas, B.H., Kulturel-Konak, S.: A review of clonal selection algorithm and its applications. Artif. Intell. Rev. 36(2), 117–138 (2011)CrossRefGoogle Scholar
  23. 23.
    Iqbal, A., Maarof, M.A.: Danger theory and intelligent data processing. World Academy of Science, Engineering and Technology vol. 3 (2005)Google Scholar
  24. 24.
    Aickelin, U., Cayzer, S.: The danger theory and its application to artificial immune systems. Computing Research Repository—CORR 0801.3 (2008)Google Scholar
  25. 25.
    Greensmith, J., Aickelin, U., Cayzer, S.: Introducing dendritic cells as a novel immune-inspired algorithm for anomaly detection. Proceedings ICARIS-2005, 4th International Conference on Artificial Immune Systems, LNCS 3627, pp. 153–167, Springer (2005)Google Scholar
  26. 26.
    de Castro, L.N., Timmis, J.: Artificial Immune System: A Novel Paradigm to Pattern Recognition. University of Paisley, vol. 2, pp. 67–84 (2002)Google Scholar
  27. 27.
    de Castro, L.N., Von Zuben, F.J.: Artificial Immune Systems: Part I Basic Theory and Applications, pp. 57–58. Springer, Berlin (1999)Google Scholar
  28. 28.
    Burke, E.K., Kendall, G. (eds.): Search Methodologies: Introductory Tutorials in Optimization and Decision Support Techniques. Springer, Berlin (2005)Google Scholar
  29. 29.
    Middlemiss, M.: Positive and Negative Selection in a Multilayer Artificial Immune System. The Information Science Discussion Paper Series 2006/03, University of Otago (2006)Google Scholar
  30. 30.
    Dasgupta, D.: Immunity-based intrusion detection system: a general framework. In: Proceedings of the 22nd NISSC vol. 1, pp. 147–160 (1999)Google Scholar
  31. 31.
    Liang, G., Li, T., Ni, J., Jiang, Y., Yang, J., Gong, X.: An immunity-based dynamic multilayer intrusion detection system. In Computational Intelligence and Bioinformatics, pp. 641–650. Springer, Berlin (2006)Google Scholar
  32. 32.
    Aziz, A.S.A., Hassanien, A.E., Azar, A.T., Hanafi, S.E.O.: Machine learning techniques for anomalies detection and classification. Advances in Security of Information and Communication Networks, pp. 219–229. Springer, Berlin (2013)Google Scholar
  33. 33.
    Aziz, A.S.A., Hassanien, A.E., Hanafy, S.E.O., Tolba M.F.: Multi-layer hybrid machine learning techniques for anomalies detection and classification approach (2013)Google Scholar
  34. 34.
    A. Aziz, A.S., Salama, M.A., Hassanien, A.E., Hanafy, S.E.O.: Artificial Immune System Inspired Intrusion Detection System Using Genetic Algorithm. Special Issue: Advances in Network Systems Guest Editors: Andrzej Chojnacki vol. 36, pp. 347–357 (2012)Google Scholar
  35. 35.
    Aziz, A.S.A., Azar, A.T., Hassanien, A.E., Hanafi, S.E.O.: Continuous features discretizaion for anomaly intrusion detectors generation. In: WSC17 2012 Online Conference on Soft Computing in Industrial Applications (2012)Google Scholar
  36. 36.
    Khoshgoftaar, T.M., Gao, K., Ibrahim, N.H.: Evaluating indirect and direct classification techniques for network intrusion detection. Intell. Data Anal. 9(3), 309–326 (2005)Google Scholar
  37. 37.
    Kotsiantis, S.B.: Supervised machine learning: a review of classification techniques. Informatica 31, 249–268 (2007)MATHMathSciNetGoogle Scholar
  38. 38.
    Krugel, C., Toth, T.: Using decision trees to improve signature-based intrusion detection. In: Recent Advances in Intrusion Detection, pp. 173–191. Springer, Berlin (2003)Google Scholar
  39. 39.
    Mitchell, T.M.: Machine Learning. McGraw Hill, Burr Ridge (1997)Google Scholar
  40. 40.
    NSL-KDD Intrusion Detection data set, March 2009
  41. 41.
    Tavallaee, M., Bagheri, E., Lu, W., Ghorbani A.A.: A detailed analysis of the KDD CUP 99 data set. In: Proceedings of the Second IEEE Symposium on Computational Intelligence for Security and Defence Applications (2009)Google Scholar
  42. 42.
    KDD Cup’99 Intrusion Detection data set, Available on: Oct 2007

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. 1.Scientific Research Group in Egypt (SRGE)Cairo UniversityCairoEgypt
  2. 2.Faculty of Business Administration and Information SystemsUniversité Française d’Egypte (UFE)CairoEgypt

Personalised recommendations