
Intrusion detection using reduced-size RNN based on feature grouping

  • Original Article
  • Neural Computing and Applications

Abstract

Intrusion detection is an essential component of securing Information and Communication Technology (ICT) systems. Based on the type of events analyzed, two kinds of Intrusion Detection Systems (IDS) have been proposed: anomaly-based and misuse-based. In this paper, a three-layer Recurrent Neural Network (RNN) architecture, with categorized features as inputs and attack types as outputs, is proposed as a misuse-based IDS. The input features are categorized into basic features, content features, time-based traffic features, and host-based traffic features. The attack types are classified into Denial-of-Service (DoS), Probe, Remote-to-Local (R2L), and User-to-Root (U2R). For this purpose, we use the 41 features per connection defined by the International Knowledge Discovery and Data mining group (KDD). The RNN has an extra output that corresponds to the normal class (no attack). The connections between the nodes of the two hidden layers of the RNN are partial. Experimental results show that the proposed model improves the classification rate, particularly for R2L attacks. The method also offers better Detection Rate (DR) and Cost Per Example (CPE) than similar related works and than the simulated Multi-Layer Perceptron (MLP) and Elman-based intrusion detectors. On the other hand, the False Alarm Rate (FAR) of the proposed model is not degraded significantly when compared to some recent machine learning methods.
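As an added illustration (not the authors' code), the sketch below shows how grouping the 41 KDD features and keeping only within-group links between layers shrinks a recurrent classifier. The 9/13/9/10 group sizes follow the KDD Cup 99 feature description; the layer sizes, the block-diagonal connection pattern, the unit-weight recurrence and the random weights are assumptions, since this page does not give them.

```python
import math
import random

# KDD Cup 99 feature groups: how many of the 41 per-connection features fall in each.
GROUP_SIZES = {"basic": 9, "content": 13, "time_traffic": 9, "host_traffic": 10}
CLASSES = ["normal", "DoS", "Probe", "R2L", "U2R"]
H1_PER_GROUP = 4  # assumption: first-hidden-layer units per feature group
H2_PER_GROUP = 3  # assumption: second-hidden-layer units per feature group

def block_mask(rows_per_group, cols_per_group):
    """0/1 mask (rows x cols) that only links units belonging to the same group."""
    mask = []
    for g, n_rows in enumerate(rows_per_group):
        row = [int(h == g) for h, n in enumerate(cols_per_group) for _ in range(n)]
        mask.extend(list(row) for _ in range(n_rows))
    return mask

def masked_weights(mask, rng):
    """Random weights, forced to zero wherever the mask forbids a connection."""
    return [[rng.uniform(-0.5, 0.5) * m for m in row] for row in mask]

def layer(weights, inputs, recur=None):
    """tanh layer; `recur` adds each unit's previous activation (Elman-style context)."""
    recur = recur or [0.0] * len(weights)
    return [math.tanh(sum(w * x for w, x in zip(row, inputs)) + r)
            for row, r in zip(weights, recur)]

class GroupedRNN:
    def __init__(self, seed=0):
        rng, n = random.Random(seed), len(GROUP_SIZES)
        sizes = list(GROUP_SIZES.values())
        self.m1 = block_mask([H1_PER_GROUP] * n, sizes)               # input -> hidden 1
        self.m2 = block_mask([H2_PER_GROUP] * n, [H1_PER_GROUP] * n)  # hidden 1 -> hidden 2 (partial)
        self.w1, self.w2 = masked_weights(self.m1, rng), masked_weights(self.m2, rng)
        self.w_out = [[rng.uniform(-0.5, 0.5) for _ in self.m2] for _ in CLASSES]
        self.h2 = [0.0] * len(self.m2)

    def step(self, features):
        """Score one 41-feature connection record; returns the predicted class name."""
        h1 = layer(self.w1, features)
        self.h2 = layer(self.w2, h1, recur=self.h2)
        scores = [sum(w * h for w, h in zip(row, self.h2)) for row in self.w_out]
        return CLASSES[scores.index(max(scores))]

def weight_counts(model):
    """(weights kept by the group masks, weights a fully connected net would need)."""
    partial = sum(map(sum, model.m1)) + sum(map(sum, model.m2))
    full = len(model.m1) * 41 + len(model.m2) * len(model.m1)
    return partial, full
```

With these assumed sizes the masked layers keep 212 of the 848 weights a fully connected equivalent would train; the weights here are untrained, so `step` output is only a shape check, not a detection result.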



Corresponding author

Correspondence to Mansour Sheikhan.


About this article

Cite this article

Sheikhan, M., Jadidi, Z. & Farrokhi, A. Intrusion detection using reduced-size RNN based on feature grouping. Neural Comput & Applic 21, 1185–1190 (2012). https://doi.org/10.1007/s00521-010-0487-0


  • DOI: https://doi.org/10.1007/s00521-010-0487-0
