Abstract
A serial multi-stage classification system is proposed for the problem of intrusion detection in computer networks. The decision process is organized into successive stages, each using a set of features tailored to recognizing a specific attack category. Every stage applies a criterion for estimating the reliability of its classification, so that, in case of uncertainty, information about a possible attack is only logged for further processing, without raising an alert to the system manager. This reduces the number of false alarms. On the other hand, to keep the number of missed detections low, the proposed system declares a connection to be normal traffic only if none of the stages detects an attack. The proposed multi-stage intrusion detection system has been tested on three different services (http, telnet and ftp) of a standard database used for benchmarking intrusion detection systems, and also on real network traffic data. The experimental analysis highlights the effectiveness of the approach: the proposed system performs significantly better than other multiple classifier systems that carry out classification in a single stage.
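The decision flow the abstract describes (serial stages, per-stage feature subsets, a reliability check that turns an uncertain attack verdict into a log entry instead of an alert, and "normal" only when no stage fires) is shown below as an added example. It is not the paper's code: the three stage scorers, their feature subsets, the reliability thresholds, the KDD-style feature names and the sample connection records are all constructed for this illustration and stand in for the trained classifiers and benchmark data the paper actually uses.

```python
"""Serial multi-stage decision flow for intrusion detection.

Illustrates the three outcomes in the abstract (alert, log-only, normal).
The stage scorers, feature subsets, reliability thresholds and sample
connections are constructed for this example; they are not the paper's
models or evaluation data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Connection = Dict[str, float]


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


# Hand-written scorers standing in for per-stage trained classifiers.
# Each returns an attack score in [0, 1] from its stage's feature subset.
def dos_score(f: Connection) -> float:
    # Many connections to one destination, most failing the handshake.
    return clamp01(0.6 * f["serror_rate"] + 0.4 * min(f["count"] / 300.0, 1.0))


def probe_score(f: Connection) -> float:
    # One source touching many distinct services and hosts.
    return clamp01(0.7 * f["diff_srv_rate"] + 0.3 * min(f["dst_host_count"] / 255.0, 1.0))


def r2l_u2r_score(f: Connection) -> float:
    # Content features: repeated login failures and a root shell obtained.
    return clamp01(0.3 * min(f["num_failed_logins"] / 3.0, 1.0) + 0.7 * f["root_shell"])


@dataclass
class Stage:
    category: str
    features: Tuple[str, ...]
    score: Callable[[Connection], float]
    min_reliability: float  # attack verdicts below this are logged, not alerted

    def classify(self, conn: Connection) -> Tuple[str, float]:
        p = self.score({k: conn[k] for k in self.features})
        label = "attack" if p >= 0.5 else "normal"
        reliability = abs(p - 0.5) * 2.0  # 0 on the decision boundary, 1 when certain
        return label, reliability


@dataclass
class Verdict:
    decision: str               # "alert" | "log_only" | "normal"
    category: Optional[str]     # attack category that raised the alert
    logged: List[Tuple[str, float]] = field(default_factory=list)


def run_pipeline(stages: List[Stage], conn: Connection) -> Verdict:
    """Serial evaluation: the first reliable attack verdict stops the chain
    and alerts; an uncertain attack verdict is logged and the sample moves
    on to the next stage; 'normal' is declared only if no stage flagged it."""
    logged: List[Tuple[str, float]] = []
    for stage in stages:
        label, rel = stage.classify(conn)
        if label == "attack":
            if rel >= stage.min_reliability:
                return Verdict("alert", stage.category, logged)
            logged.append((stage.category, round(rel, 3)))
    if logged:
        return Verdict("log_only", None, logged)
    return Verdict("normal", None, [])


# Assumed stage order and thresholds (not the paper's).
STAGES = [
    Stage("dos", ("count", "serror_rate"), dos_score, 0.6),
    Stage("probe", ("diff_srv_rate", "dst_host_count"), probe_score, 0.6),
    Stage("r2l_u2r", ("num_failed_logins", "root_shell"), r2l_u2r_score, 0.5),
]

# Constructed connection records with KDD-style feature names.
SAMPLE_CONNECTIONS: Dict[str, Connection] = {
    "syn_flood": dict(count=400, serror_rate=0.95, diff_srv_rate=0.0,
                      dst_host_count=10, num_failed_logins=0, root_shell=0),
    "port_scan": dict(count=20, serror_rate=0.1, diff_srv_rate=0.9,
                      dst_host_count=255, num_failed_logins=0, root_shell=0),
    "borderline": dict(count=120, serror_rate=0.6, diff_srv_rate=0.2,
                       dst_host_count=30, num_failed_logins=1, root_shell=0),
    "normal_http": dict(count=5, serror_rate=0.0, diff_srv_rate=0.05,
                        dst_host_count=20, num_failed_logins=0, root_shell=0),
    "root_shell": dict(count=3, serror_rate=0.0, diff_srv_rate=0.0,
                       dst_host_count=1, num_failed_logins=2, root_shell=1),
}


def classify_all() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run every sample through the pipeline; returns name -> (decision, category)."""
    return {name: (v.decision, v.category)
            for name, v in ((n, run_pipeline(STAGES, c))
                            for n, c in SAMPLE_CONNECTIONS.items())}


if __name__ == "__main__":
    for name, conn in SAMPLE_CONNECTIONS.items():
        v = run_pipeline(STAGES, conn)
        print(f"{name:12s} -> {v.decision:8s} {v.category or '-':8s} logged={v.logged}")
```

The "borderline" record is the case the abstract's reliability criterion exists for: the DoS stage scores it just above the attack boundary, so the verdict is logged for later analysis rather than alerted, and because a later stage could still alert, the record is not declared normal either. Raising a stage's min_reliability lowers false alarms at that stage; the "normal only if every stage says normal" rule is what keeps missed detections down.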
Acknowledgments
This work has been partially supported by the Ministero dell’Istruzione, dell’Università e della Ricerca (MIUR) in the framework of the FIRB Project “Middleware for advanced services over large-scale, wired-wireless distributed systems (WEB-MINDS)”, and by the Regione Campania, in the framework of the “Soft Computing for Internet Traffic Anomaly Detection (SCI-TrADe)” Project.
Cite this article
Cordella, L.P., Sansone, C. A multi-stage classification system for detecting intrusions in computer networks. Pattern Anal Applic 10, 83–100 (2007). https://doi.org/10.1007/s10044-006-0053-7