Abstract
This paper presents a focused literature survey of self-organizing maps (SOM) in support of intrusion detection. SOM architectures can be divided into two categories: static-layered architectures and dynamic-layered architectures. The former, Hierarchical Self-Organizing Maps (HSOM), can effectively reduce computational overhead and efficiently represent the hierarchy of data. The latter, Growing Hierarchical Self-Organizing Maps (GHSOM), is quite effective for online intrusion detection, with low computing latency, dynamic self-adaptability, and self-learning. The ultimate goal of a SOM architecture is to accurately represent the topological relationships of the data in order to identify any anomalous attack. The overall goal of this survey is to comprehensively compare the primitive components and properties of SOM-based intrusion detection. Comparing the two kinds of SOM-based intrusion detection systems makes the existing challenges of SOM-based intrusion detection clear and indicates future research directions.
Cite this article
Qu, X., Yang, L., Guo, K. et al. A Survey on the Development of Self-Organizing Maps for Unsupervised Intrusion Detection. Mobile Netw Appl 26, 808–829 (2021). https://doi.org/10.1007/s11036-019-01353-0
DOI: https://doi.org/10.1007/s11036-019-01353-0