
Heuristic Rules for Attack Detection Charged by NSL KDD Dataset

  • Conference paper
Genetic and Evolutionary Computing

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 387))

Abstract

With the rapid growth and widespread use of computer networks, the number of new threats has grown extensively. Automated rule induction procedures for detecting these threats, such as machine learning and statistical techniques, result in rules that lack generalization and maintainability. In this paper, we focus on a detailed study of different types of attacks in the NSL KDD dataset by manually developing rules that incorporate attack signatures. This yields meaningful but weak rules, because thresholds are difficult to define by hand. This paper utilizes a hybrid procedure for developing rules that combines expert knowledge with automated techniques to improve the readability, comprehensibility, and maintainability of the rules. Through the proposed rule-formation technique, heuristic rules were developed for the different attack types included in the NSL KDD dataset. Empirical results show high detection rates with low false alarms for the different attack types in the dataset. The utilized techniques also highlighted a mislabeling problem in the NSL KDD dataset for the R2L and U2R attacks considered.
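The abstract describes a hybrid procedure: an expert fixes the shape of a rule from attack signatures, and an automated step supplies the thresholds that are hard to set by hand. The following is an added example of that idea, not code from the paper or its authors. It uses real NSL-KDD column names (protocol_type, flag, service, src_bytes, serror_rate, count, num_failed_logins), but the sample records, the attack labels ("dos_flood", "guess_login"), the two rule templates and the threshold-selection criterion (Youden's J, i.e. detection rate minus false-positive rate, evaluated per feature) are all constructed assumptions for this illustration. It also shows the simplest form of the mislabeling check the abstract alludes to: records whose label disagrees with a rule that fires on them are listed for manual review.

```python
"""Hybrid rule formation over NSL-KDD-style records (added illustration).

The expert fixes a rule's shape: which features matter, which categorical
values are expected, and which direction a numeric feature points. A small
automated step then picks each numeric threshold from labelled data.
Detection rate and false-alarm rate are measured afterwards, and records
whose label disagrees with a firing rule are listed for manual review.

Feature names are NSL-KDD column names. The sample records, the attack
labels and the rule templates are constructed here, not taken from the paper.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Record = Dict[str, object]


def _rec(label, proto, flag, service, src_bytes, serror_rate, count, failed):
    return {"label": label, "protocol_type": proto, "flag": flag,
            "service": service, "src_bytes": src_bytes,
            "serror_rate": serror_rate, "count": count,
            "num_failed_logins": failed}


# Constructed stand-in for NSL-KDD rows; values are invented for illustration.
SAMPLE_RECORDS: List[Record] = [
    _rec("normal", "tcp", "SF", "http", 215, 0.0, 2, 0),
    _rec("normal", "tcp", "SF", "http", 1032, 0.0, 5, 0),
    _rec("normal", "udp", "SF", "domain_u", 44, 0.0, 1, 0),
    _rec("normal", "tcp", "SF", "smtp", 2300, 0.1, 40, 0),
    _rec("normal", "tcp", "SF", "ftp", 180, 0.0, 1, 1),
    _rec("normal", "tcp", "SF", "ftp", 150, 0.0, 1, 3),   # label looks wrong
    _rec("dos_flood", "tcp", "S0", "private", 0, 1.0, 250, 0),
    _rec("dos_flood", "tcp", "S0", "private", 0, 0.98, 180, 0),
    _rec("dos_flood", "tcp", "S0", "private", 0, 1.0, 320, 0),
    _rec("guess_login", "tcp", "SF", "ftp", 120, 0.0, 1, 4),
    _rec("guess_login", "tcp", "SF", "ftp", 130, 0.0, 2, 3),
    _rec("guess_login", "tcp", "SF", "ftp", 110, 0.0, 1, 5),
]


@dataclass
class RuleTemplate:
    name: str
    target_label: str
    categorical: Dict[str, str]   # expert-fixed exact matches
    numeric: Dict[str, str]       # feature -> ">=" or "<="; threshold is learned
    thresholds: Dict[str, float] = field(default_factory=dict)

    def _numeric_ok(self, rec: Record, feature: str) -> bool:
        t = self.thresholds.get(feature)
        if t is None:             # threshold not learned yet: unconstrained
            return True
        x = float(rec[feature])
        return x >= t if self.numeric[feature] == ">=" else x <= t

    def matches(self, rec: Record) -> bool:
        if any(rec.get(f) != v for f, v in self.categorical.items()):
            return False
        return all(self._numeric_ok(rec, f) for f in self.numeric)


def youden_j(rule: RuleTemplate, records: List[Record]) -> float:
    """Detection rate minus false-positive rate for one rule (assumed criterion)."""
    pos = [r for r in records if r["label"] == rule.target_label]
    neg = [r for r in records if r["label"] != rule.target_label]
    tpr = sum(rule.matches(r) for r in pos) / len(pos) if pos else 0.0
    fpr = sum(rule.matches(r) for r in neg) / len(neg) if neg else 0.0
    return tpr - fpr


def learn_thresholds(rule: RuleTemplate, records: List[Record]) -> Dict[str, float]:
    """Pick each numeric threshold independently; ties keep the lowest value."""
    learned: Dict[str, float] = {}
    for feat, op in rule.numeric.items():
        best = None
        for t in sorted({float(r[feat]) for r in records}):
            probe = RuleTemplate(rule.name, rule.target_label,
                                 rule.categorical, {feat: op}, {feat: t})
            j = youden_j(probe, records)
            if best is None or j > best[0]:
                best = (j, t)
        learned[feat] = best[1]
    rule.thresholds = learned
    return learned


def evaluate(rule: RuleTemplate, records: List[Record]) -> Dict[str, float]:
    """Detection rate over the target label; false alarms over 'normal' records."""
    pos = [r for r in records if r["label"] == rule.target_label]
    normal = [r for r in records if r["label"] == "normal"]
    return {
        "detection_rate": sum(rule.matches(r) for r in pos) / len(pos) if pos else 0.0,
        "false_alarm_rate": sum(rule.matches(r) for r in normal) / len(normal) if normal else 0.0,
    }


def label_disagreements(rules, records) -> List[Tuple[str, int, str]]:
    """Records a rule fires on although their label is not the rule's target."""
    return [(rule.name, i, r["label"]) for rule in rules
            for i, r in enumerate(records)
            if rule.matches(r) and r["label"] != rule.target_label]


EXPERT_RULES = [
    RuleTemplate("syn_flood_rule", "dos_flood", {"protocol_type": "tcp"},
                 {"serror_rate": ">=", "count": ">="}),
    RuleTemplate("login_guessing_rule", "guess_login",
                 {"protocol_type": "tcp", "service": "ftp"},
                 {"num_failed_logins": ">="}),
]


def run_demo(records: List[Record] = SAMPLE_RECORDS):
    results = {}
    for rule in EXPERT_RULES:
        learn_thresholds(rule, records)
        results[rule.name] = evaluate(rule, records)
    return results, label_disagreements(EXPERT_RULES, records)


if __name__ == "__main__":
    metrics, review = run_demo()
    for rule in EXPERT_RULES:
        print(rule.name, rule.thresholds, metrics[rule.name])
    print("labels to review:", review)
```

On the constructed data the learned thresholds are serror_rate >= 0.98 and count >= 180 for the flood rule and num_failed_logins >= 3 for the login rule; the sixth record, labelled normal but showing three failed logins on ftp, is the one the disagreement list surfaces for review. Choosing thresholds per feature keeps each rule readable, which is the maintainability point the abstract makes; a joint search over all thresholds would fit the training data more tightly at the cost of that readability.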



Author information

Corresponding author: Khaing Shwe Wutyi.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Wutyi, K.S., Thwin, M.M.S. (2016). Heuristic Rules for Attack Detection Charged by NSL KDD Dataset. In: Zin, T., Lin, JW., Pan, JS., Tin, P., Yokota, M. (eds) Genetic and Evolutionary Computing. Advances in Intelligent Systems and Computing, vol 387. Springer, Cham. https://doi.org/10.1007/978-3-319-23204-1_15


  • DOI: https://doi.org/10.1007/978-3-319-23204-1_15


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-23203-4

  • Online ISBN: 978-3-319-23204-1
