Abstract
In order to ensure a high level of security in computer networks, it is important to prevent malicious behaviours from intruders. However, high volumes of network traffic make it difficult for intrusion detection systems (IDSs) to separate abnormal network traffic from normal traffic. To alleviate this problem, a window-based feature extraction method using Benford's law is proposed in this paper. Our method employs six features based on divergence values, including those of the first digit and the first three digits of the size difference between traffic flows. Experiments are performed and evaluated using the KDD99 dataset. To illustrate the advantages of our proposed method, three popular classifiers, Multi-Layer Perceptron (MLP), Support Vector Machine (SVM) and Naïve Bayes, are analysed using different combinations of these six features as the input feature sets. The results demonstrate that the MLP classifier performs best in classifying normal, mixed and malicious windows, correctly classifying the normal and malicious windows. This is particularly useful for reducing the amount of network traffic that needs to be analysed. The only exception is the mixed window, which contains both normal flows and attack flows and needs to be analysed further to distinguish normal flows from malicious ones. Our method is fast and can be used as an early warning system that triggers other, more advanced IDSs to focus on specific regions of the network traffic. The combined system, incorporating our method with a traditional IDS, provides a lower FAR of 0.27% compared with 9.87% for the isolated IDS, with no significant reduction in detection performance. Moreover, the overall accuracy of the combined system reaches 92.09%.
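To make the feature described in the abstract concrete, the following added Python example (not the paper's own code) computes Benford's expected distribution for the first digit and the first three significant digits, slides a window over consecutive flow sizes, takes the size differences between adjacent flows, and measures how far each window's observed leading-digit distribution diverges from Benford's law. The abstract does not specify the divergence measure, the window definition or the remaining four features, so the choice of Pearson's chi-square statistic, a window of a fixed number of consecutive flows, and the two constructed flow-size sequences (`NORMAL_SIZES`, `ATTACK_SIZES`) are all assumptions made for this illustration.

```python
"""Window-based Benford's-law divergence features over flow-size differences.

Added example; not the paper's code. Assumptions not stated in the abstract:
 - divergence measure: Pearson's chi-square statistic against Benford's law
 - window: a fixed count of consecutive flow-size differences
 - the sample flow sizes below are constructed, not captured traffic
"""
import math
from collections import Counter


def benford_expected(digits: int) -> dict:
    """Benford probability of each `digits`-long leading block:
    P(d) = log10(1 + 1/d) for d in [10**(digits-1), 10**digits - 1]."""
    lo, hi = 10 ** (digits - 1), 10 ** digits
    return {d: math.log10(1 + 1 / d) for d in range(lo, hi)}


def leading_digits(value: int, digits: int):
    """First `digits` significant digits of |value|, or None when the value
    is zero or too short (such differences are skipped, not counted)."""
    s = str(abs(value))
    if value == 0 or len(s) < digits:
        return None
    return int(s[:digits])


def chi_square_divergence(values, digits: int) -> float:
    """Chi-square statistic between the observed leading-digit counts of a
    window and the counts Benford's law predicts for the same sample size."""
    expected = benford_expected(digits)
    counts = Counter()
    for v in values:
        d = leading_digits(v, digits)
        if d is not None:
            counts[d] += 1
    n = sum(counts.values())
    if n == 0:
        return float("inf")  # nothing measurable in this window
    return sum((counts[d] - n * p) ** 2 / (n * p) for d, p in expected.items())


def window_features(flow_sizes, window: int):
    """Differences between adjacent flow sizes, cut into non-overlapping
    windows; each window yields (first-digit, first-three-digit) divergence."""
    diffs = [b - a for a, b in zip(flow_sizes, flow_sizes[1:])]
    feats = []
    for start in range(0, len(diffs) - window + 1, window):
        w = diffs[start:start + window]
        feats.append((chi_square_divergence(w, 1), chi_square_divergence(w, 3)))
    return feats


# Constructed samples (assumption): a geometric growth of sizes spreads its
# differences across many orders of magnitude, which is Benford-conforming;
# a flood of alternating fixed-size flows yields one repeated difference.
NORMAL_SIZES = [int(100 * 1.1 ** i) for i in range(301)]
ATTACK_SIZES = [60, 1500] * 150 + [60]

if __name__ == "__main__":
    for label, sizes in (("normal", NORMAL_SIZES), ("attack", ATTACK_SIZES)):
        for d1, d3 in window_features(sizes, 300):
            print(f"{label:7s} first-digit={d1:10.2f} first-three={d3:12.2f}")
```

A window whose divergence is far above the values seen for benign traffic is the kind of region the abstract proposes handing to a heavier IDS; the thresholds themselves would come from the classifiers trained on the six features, which this example does not reproduce.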
Acknowledgments
This work was partially supported by the National Natural Science Foundation of China (Grant No. 61702212, 61672010) and the Natural Science Foundation of Hubei Province (Grant No. 2017CFB303).
© 2019 Springer Nature Singapore Pte Ltd.
Cite this paper
Sun, L., Ho, A., Xia, Z., Chen, J., Zhang, M. (2019). Development of an Early Warning System for Network Intrusion Detection Using Benford’s Law Features. In: Meng, W., Furnell, S. (eds) Security and Privacy in Social Networks and Big Data. SocialSec 2019. Communications in Computer and Information Science, vol 1095. Springer, Singapore. https://doi.org/10.1007/978-981-15-0758-8_5
DOI: https://doi.org/10.1007/978-981-15-0758-8_5
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-0757-1
Online ISBN: 978-981-15-0758-8
eBook Packages: Computer Science (R0)