A program-based anomaly intrusion detection scheme using multiple detection engines and fuzzy inference

Published: 01 November 2009

Abstract

In this paper, a hybrid anomaly intrusion detection scheme based on program system calls is proposed. The scheme combines a hidden Markov model (HMM) detection engine with a normal-database detection engine in order to exploit their respective advantages. A fuzzy-based inference mechanism infers a soft boundary between anomalous and normal behaviour, a boundary that is otherwise very difficult to determine when the two overlap or lie very close together. To address the challenging issue of the high cost of HMM training, incremental HMM training with optimal initialisation of the HMM parameters is suggested. Experimental results show that the proposed fuzzy-based detection scheme reduces false positive alarms by 48% compared with the single normal-database detection scheme. Our incremental HMM training with optimal initialisation also produced a significant improvement in training time and storage: HMM training time was reduced by a factor of four, and the memory requirement was also reduced significantly.
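As an added illustration of the two-engine architecture the abstract describes (this is not the paper's code; the paper's engines, HMM parameters, membership functions and rule base are not given on this page, so every concrete choice below is assumed): a normal database of system-call k-grams and a fixed two-state HMM each score a trace, and a small fuzzy rule base fuses the two scores into a soft anomaly degree instead of a hard threshold on either engine alone.

```python
import math

# Constructed system-call traces (call ids 1..5); not the paper's dataset.
NORMAL_TRACES = [[1, 2, 3, 2, 3, 4, 1, 2, 3, 4], [1, 2, 3, 4, 1, 2, 3, 2, 3, 4]]
K = 3  # sliding-window length for the normal database (assumed)

def build_normal_db(traces, k=K):
    """Normal-database engine: every k-gram of calls seen during normal runs."""
    return {tuple(t[i:i + k]) for t in traces for i in range(len(t) - k + 1)}

def mismatch_rate(db, trace, k=K):
    """Share of the trace's k-grams that never occurred in normal runs."""
    grams = [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]
    return sum(g not in db for g in grams) / len(grams)

# Assumed two-state HMM over the five call ids; parameters fixed here, not trained.
PI = [0.5, 0.5]
A = [[0.6, 0.4], [0.4, 0.6]]
B = [[0.45, 0.45, 0.04, 0.04, 0.02], [0.04, 0.04, 0.45, 0.45, 0.02]]
def hmm_score(trace):
    """HMM engine: mean negative log-likelihood per call (scaled forward pass)."""
    n, alpha, nll = len(PI), PI[:], 0.0
    for t, o in enumerate(trace):
        if t:  # propagate the state distribution after the first call
            alpha = [sum(alpha[p] * A[p][s] for p in range(n)) for s in range(n)]
        alpha = [alpha[s] * B[s][o - 1] for s in range(n)]
        c = sum(alpha)  # scaling factor; -log(c) accumulates the log-likelihood
        nll -= math.log(c)
        alpha = [a / c for a in alpha]
    return nll / len(trace)

def ramp(x, lo, hi):
    """Membership in 'high': 0 at or below lo, 1 at or above hi, linear between."""
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))

def anomaly_degree(db, trace, h_normal, m_width=0.3, h_width=0.3):
    """Fuzzy inference fusing both engines into a degree in [0, 1] (assumed rule base)."""
    m_high = ramp(mismatch_rate(db, trace), 0.0, m_width)
    h_high = ramp(hmm_score(trace), h_normal, h_normal + h_width)
    m_low, h_low = 1 - m_high, 1 - h_high
    # Rules: both high -> high (0.9); exactly one high -> medium (0.5); both low -> low (0.1).
    rules = {0.9: min(m_high, h_high),
             0.5: max(min(m_high, h_low), min(m_low, h_high)),
             0.1: min(m_low, h_low)}
    return sum(v * w for v, w in rules.items()) / sum(rules.values())  # zero-order Sugeno

NORMAL_DB = build_normal_db(NORMAL_TRACES)
H_NORMAL = max(hmm_score(t) for t in NORMAL_TRACES)  # calibrate the HMM 'low' edge on normal data
```

A trace that only one engine finds suspicious lands near 0.5 rather than at either extreme, which is the soft boundary an operator can then tune an alert threshold against.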

Publisher: Academic Press Ltd., United Kingdom

Keywords: Anomaly intrusion detection; Fuzzy logic; Hidden Markov model; Multiple detection engines; Program intrusion detection