
A fast anomaly detection system using probabilistic artificial immune algorithm capable of learning new attacks

Special Issue, Evolutionary Intelligence

Abstract

In this paper, we propose anomaly-based intrusion detection algorithms for computer networks that use artificial immune systems and are capable of learning new attacks. Characteristics and observations specific to computer network traffic are used to develop faster algorithms without sacrificing detection performance. Although these characteristics play a key role in the proposed algorithms, we believe they have been neglected in previous related work. We evaluate the proposed algorithms on several well-known intrusion detection datasets, as well as on two new real datasets extracted from data networks for intrusion detection. We analyze the detection performance and learning capabilities of the proposed algorithms, in addition to performance criteria such as false alarm rate, detection rate, and response time. The experimental results show that the proposed algorithms exhibit fast response time, a low false alarm rate, and a high detection rate. They can also learn new attack patterns and identify them the next time they appear on the network.




Author information

Corresponding author

Correspondence to Ahmad Akbari.

Appendix

See Figs. 23 and 24.

Fig. 23: Experimental results on the NSL-KDD dataset

Fig. 24: Experimental results on the INRIASip dataset


About this article

Cite this article

Mohammadi, M., Akbari, A., Raahemi, B. et al. A fast anomaly detection system using probabilistic artificial immune algorithm capable of learning new attacks. Evol. Intel. 6, 135–156 (2014). https://doi.org/10.1007/s12065-013-0101-3


  • DOI: https://doi.org/10.1007/s12065-013-0101-3
