Abstract
Research in cyber-security has shown that defending against cyber-attacks is far from straightforward. One limitation of existing work stems from the uncertainty of the information gathered to discover attacks. That uncertainty arises in part from the lack of attack prediction models that exploit contextual information when analyzing activities targeting computer networks. This paper presents a comprehensive review of data analytics paradigms for intrusion detection, together with an overview of techniques that apply contextual information to intrusion detection. It introduces a new research taxonomy spanning several dimensions of the data mining techniques used to build attack prediction models. The survey reveals the need to combine multiple categories of contextual information in a layered manner, with consistent, coherent, and feasible evidence, toward the correct prediction of cyber-attacks.
Li H, Guan XH, Zan X, Han CZ (2003) Network intrusion detection based on support vector machine. J Comput Res Dev 6(1):799–807
Li X-B (2005) A scalable decision tree system and its application in pattern recognition and intrusion detection. Decis Support Syst 41(1):112–130. doi:10.1016/j.dss.2004.06.0l6
Li Xy, Gao Gh, Sun Jx (2010) A new intrusion detection method based on improved DBSCAN. In: WASE international conference on information engineering (ICIE), Beidaihe, 14–15 Aug 2010, vol 2, pp 117–120. doi:10.1109/ICIE.2010.123
Li Y, Fang B, Guo L, Chen Y (2007) Network anomaly detection based on TCM-KNN algorithm. In: Proceedings of the 2nd ACM symposium on information, computer and communications security, Singapore. 1229292: ACM, pp 13–19. doi:10.1145/1229285.1229292
Li Y, Guo L (2007) An active learning based TCM-KNN algorithm for supervised network intrusion detection. Comput Secur 26(7):459–467
Liang Y, Wang HQ, Cai HB, He YJ (2008) A novel stochastic modeling method for network security situational awareness. In: 3rd IEEE conference on industrial electronics and applications (ICIEA’08), Singapore, 3–5 June 2008, pp 2422–2426. doi:10.1109/ICIEA.2008.4582951
Liao Y, Vemuri VR (2002) Use of K-nearest neighbor classifier for intrusion detection. Comput Secur 21(5):439–448
Lichodzijewski P, Nur Zincir-Heywood A, Heywood MI (2002) Host-based intrusion detection using self-organizing maps. In: Proceedings of the international joint conference on neural networks (IJCNN’02), Honolulu, Hawaii, vol 2. IEEE, pp 1714–1719
Likas A, Vlassis N, Verbeek JJ (2003) The global k-means clustering algorithm. Pattern Recognit 36(2):451–461
Liu G, Yi Z, Yang S (2007) A hierarchical intrusion detection model based on the PCA neural networks. Neurocomputing 70(7–9):1561–1568. doi:10.1016/j.neucom.2006.10.146
Liu L, Liu Y (2009) MQPSO based on wavelet neural network for network anomaly detection. In: 5th international conference on wireless communications (WiCom’09), Bijing, China. IEEE, pp 1–5
Livnat Y, Agutter J, Moon S, Erbacher RF, Foresti S (2005) A visualization paradigm for network intrusion detection. In: Proceedings from the sixth annual IEEE SMC information assurance workshop. IEEE, pp 92–99
Lizhong X, Zhiqing S, Gang L (2006) K-means algorithm based on particle swarm optimization algorithm for anomaly intrusion detection. In: The sixth world congress on intelligent control and automation (WCICA’06), Dalian, China, vol 2, pp 5854–5858. doi:10.1109/WCICA.2006.1714200
Lopes CT (2009) Context features and their use in information retrieval. Paper presented at the proceedings of the third BCS-IRSG conference on Future directions in information access, Padua, Italy
Lu H, Chen J, Wei W (2008) Two stratum bayesian network based anomaly detection model for intrusion detection system. In: International symposium on electronic commerce and security, Guangzhou, China 3–5:482–487. doi:10.1109/ISECS.2008.178
Lu N, Mabu S, Wang T, Hirasawa K (2012) Integrated fuzzy GNP rule mining with distance-based classification for intrusion detection system. In: IEEE international conference on systems, man, and cybernetics (SMC). Seoul, Korea, 14–17 Oct 2012, pp 1569–1574. doi:10.1109/ICSMC.2012.6377960
Luo J, Bridges SM (2000) Mining fuzzy association rules and fuzzy frequency episodes for intrusion detection. Int J Intell Syst 15(8):687–703
Mehdi MSZ, Bensebti AAaM (2007) A bayesian networks in intrusion detection systems. J Comput Sci 3(5):259–265
Ma J, Perkins S (2003) Time-series novelty detection using one-class support vector machines. In: Proceedings of the international joint conference on neural networks, Portland, 20–24 July 2003, vol 3, pp 1741–1745, vol 1743. doi:10.1109/IJCNN.2003.1223670
Ma Y (2010) The intrusion detection system based on fuzzy association rules mining. In: 2nd international conference on computer engineering and technology (ICCET), Chengdu, China, 16–18 April 2010, vol 7, pp V7-667–V667-672). doi:10.1109/iccet.2010.5485674
Mahoney MV, Chan PK (2002) Learning nonstationary models of normal network traffic for detecting novel attacks. Paper presented at the proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining, Edmonton, Alberta, Canada
Mamei M, Nagpal R (2007) Macro programming through Bayesian networks: distributed inference and anomaly detection. In: Fifth annual IEEE international conference on pervasive computing and communications (PerCom ’07). White Plains, New York, USA, 19-23 March 2007, pp 87–96. doi:10.1109/PERCOM.2007.19
Manganaris S, Christensen M, Zerkle D, Hermiz K (2000) A data mining analysis of RTID alarms. Comput Netw 34(4):571–577
Martinez CA, Echeverri GI, Sanz AGC (2010) Malware detection based on cloud computing integrating intrusion ontology representation. In: IEEE Latin-American conference on communications (LATINCOM’10), Belem, Brazil, 15–17 Sept 2010, pp 1–6. doi:10.1109/LATINCOM.2010.5641013
Mathew S, Shah C, Upadhyaya S (2005) An alert fusion framework for situation awareness of coordinated multistage attacks. In: Third IEEE international workshop on information assurance, College Park, MD, USA, 23–24 March 2005, pp 95–104. doi:10.1109/IWIA.2005.3
Meng J, Shang H, Bian L (2009) The application on intrusion detection based on K-means cluster algorithm. In: International forum on information technology and applications(IFITA ’09), Chengdu, China, 15–17 May 2009, vol 1, pp 150–152. doi:10.1109/IFITA.2009.34
Middlemiss M, Dick G (2003) Feature selection of intrusion detection data using a hybrid genetic algorithm/KNN approach. Design Appl Hybrid Intell Syst 3(1):519–527
Min L, Xiaohong L, Shouhe X (2008) An intrusion detection research based on spectral clustering. In: 4th international conference on wireless communications, networking and mobile computing (WiCOM ’08), Dalian, China, 12–14 Oct 2008, pp 1–4. doi:10.1109/WiCom.2008.1100
Mitrokotsa A, Dimitrakakis C (2013) Intrusion detection in MANET using classification algorithms: the effects of cost and model selection. Ad Hoc Netw 11(1):226–237. doi:10.1016/j.adhoc.2012.05.006
Mohajerani M, Moeini A, Kianie M (2003) NFIDS: a neuro-fuzzy intrusion detection system. In: 10th IEEE international conference on electronics, circuits and systems(ICECS’03), Sharjah, United Arab Emirates, vol 1. IEEE, pp 348–351
Mora FJ, Macia F, Garcia JM, Ramos H (2006) Intrusion detection system based on growing grid neural network. In: IEEE Mediterranean electrotechnical conference(MELECON’06), Malaga, Spain. IEEE, pp 839–842
Mukkamala S, Janoski G, Sung A (2002) Intrusion detection using neural networks and support vector machines. In: Proceedings of the international joint conference on neural networks( IJCNN’02), Honolulu, Hawaii, vol 2. IEEE, pp 1702–1707
Mukkamala S, Sung AH (2002) Identifying key features for intrusion detection using neural networks. In: Proceedings of the 15th international conference on computer communication, Maharashtra, India. 838234: International Council for Computer Communication, pp 1132–1138
Mukkamala S, Sung AH, Abraham A (2005) Intrusion detection using an ensemble of intelligent paradigms. J Netw Comput Appl 28(2):167–182. doi:10.1016/j.jnca.2004.01.003
Mulay SA, Devale PR, Garje GV (2010) Decision tree based support vector machine for intrusion detection. In: International conference on networking and information technology (ICNIT), Manila, Philippines, 11–12 June 2010, pp 59–63. doi:10.1109/icnit.2010.5508557
Muntean M, Valean H, Miclea L, Incze A (2010) A novel intrusion detection method based on support vector machines. In: 11th international symposium on computational intelligence and informatics (CINTI’11), Hungary. IEEE, pp 47–52
Naveen N (2012) Application of relevance vector machines in real time intrusion detection. Int J Adv Comput Sci Appl 3(9):48–53
Niu W, Li G, Zhao Z, Tang H, Shi Z (2011) Multi-granularity context model for dynamic Web service composition. J Netw Comput Appl 34(1):312–326. doi:10.1016/j.jnca.2010.07.014
Noel S, Jajodia S (2005) Understanding complex network attack graphs through clustered adjacency matrices. In: 21st annual computer security applications conference, AZ, USA, 5–9 Dec 2005, pp 159–169. doi:10.1109/CSAC.2005.58
Noel S, Robertson E, Jajodia S (2004) Correlating intrusion events and building attack scenarios through attack graph distances. In: 20th annual computer security applications conference, Tucson, AZ, USA, 2004, pp 350–359. doi:10.1109/CSAC.2004.11
Noel S, Sushil J, O’Berry B, Jacobs M (2003) Efficient minimum-cost network hardening via exploit dependency graphs. In: Proceedings 19th annual computer security applications conference, Orlando, FL USA, 8–12 Dec 2003, pp 86–95. doi:10.1109/CSAC.2003.1254313
Nong Y, Yebin Z, Borror CM (2004) Robustness of the Markov-Chain model for Cyber-Attack Detection. IEEE Trans Reliab 53(1):116–123. doi:10.1109/TR.2004.823851
Nwanze N, Summerville D (2008) Detection of anomalous network packets using lightweight stateless payload inspection. In: 33rd IEEE conference on local computer networks (LCN’08), Montreal, Que, 14–17 Oct 2008, pp 911–918. doi:10.1109/LCN.2008.4664303
Otey M, Parthasarathy S, Ghoting A, Li G, Narravula S, Panda D (2003) Towards NIC-based intrusion detection. In: Proceedings of the ninth ACM SIGKDD international conference on knowledge discovery and data mining, Washington, D.C. 956847: ACM, pp 723–728. doi:10.1145/956750.956847
Pan ZS, Chen SC, Hu GB, Zhang DQ (2003) Hybrid neural network and C4. 5 for misuse detection. In: International conference on machine learning and cybernetics, Xi’an, China, vol 4. IEEE, pp 2463–2467
Panda M, Patra MR (2007) Network intrusion detection using Naïve Bayes. IJCSNS Int J Comput Sci Netw Secur 7(12):259–263
Patcha A, Park JM (2005) Detecting denial-of-service attacks with incomplete audit data. In: Proceedings of 14th international conference on computer communications and networks ( ICCCN’05), Washington, DC, USA, 17–19 Oct 2005, pp 263–268. doi:10.1109/ICCCN.2005.1523864
Peddabachigari S, Abraham A, Grosan C, Thomas J (2007) Modeling intrusion detection system using hybrid intelligent systems. J Netw Comput Appl 30(1):114–132
Peddabachigari S, Abraham A, Thomas J (2004) Intrusion detection systems using decision trees and support vector machines. Int J Appl Sci Comput 2:18–134
Peng T, Chen X, Liu H, Chen K (2010) Data reduction for network forensics using manifold learning. In: 2nd international workshop on database technology and applications (DBTA), Wuhan, Hubei, China, 27–28 Nov 2010, pp 1–5. doi:10.1109/DBTA.2010.5659004
Pensa RG, Leschi C, Besson J, Boulicaut JF (2004) Assessment of discretization techniques for relevant pattern discovery from gene expression data. In: Proceedings of ACM BIOKDD, Seattle, Washington, USA, vol 4, pp 24–30
Phua C, Alahakoon D, Lee V (2004) Minority report in Fraud detection: classification of Skewed Data. ACM SIGKDD Explor Newsl 6(1):50–59
Portnoy L (2001) Intrusion detection with unlabeled data using clustering, Accessed (2001)
Powell D, Stroud R (2001) Malicious-and accidental-fault tolerance for internet applications conceptual model and architecture. Accessed (2001)
Qiao Y, Xin XW, Bin Y, Ge S (2002) Anomaly intrusion detection method based on HMM. Electron Lett 38(13):663–664. doi:10.1049/el:20020467
Qin M, Hwang K (2004) Frequent episode rules for intrusive anomaly detection with internet datamining. In: USENIX security symposium, San Diego, CA
Qin X (2005) A probabilistic-based framework for Infosec alert correlation, PhD thesis. Georgia Institute of Technology
Qin X, Lee W (2004) Attack plan recognition and prediction using causal networks. In: 20th annual computer security applications conference, Tucson, AZ, USA, 6–10 Dec 2004, pp 370–379. doi:10.1109/CSAC.2004.7
Qishi W, Ferebee D, Yunyue L, Dasgupta D (2009) An integrated cyber security monitoring system using correlation-based techniques. In: IEEE international conference on system of systems engineering, Albuquerque, NM, May 30 2009–June 3 2009, pp 1–6
Qiu H, Eklund N, Hu X, Yan W, Iyer N (2008) Anomaly detection using data clustering and neural networks. In: IEEE international joint conference on neural networks, Hong Kong, China. IEEE, pp 3627–3633
Ranganathan A, Campbell RH (2003) A middleware for context-aware agents in ubiquitous computing environments. In: Proceedings of the ACM/IFIP/USENIX international conference on middleware, Rio de Janeiro, Brazil. 1515926: Springer, New York, pp 143–161
Reichle R, Wagner M, Khan MU, Geihs K, Lorenzo J, Valla M, et al. (2008) A comprehensive context modeling framework for pervasive computing systems. In: Proceedings of the 8th IFIP WG 6.1 international conference on distributed applications and interoperable systems, Oslo, Norway. 1789105: Springer, pp 281–295
Ren P, Gao Y, Li Z, Chen Y, Watson B (2005) IDGraphs: intrusion detection and analysis using histographs. In: IEEE workshop on visualization for computer security, 2005 (VizSEC 05). IEEE, pp 39–46
Ritchey R, O’Berry B, Noel S (2002) Representing TCP/IP connectivity for topological analysis of network security. In: Proceedings of the 18th annual computer security applications conference, Las Vegas, Nevada, 2002, pp 25–31. doi:10.1109/CSAC.2002.1176275
Roesch M Snort intrusion detection system. http://www.snort.org. Accessed 22 Dec 2013
Roschke S, Feng C, Meinel C (2010) Using vulnerability information and attack graphs for intrusion detection. In: Sixth international conference on information assurance and security (IAS), GA, USA, 23–25 Aug 2010, pp 68–73. doi:10.1109/ISIAS.2010.5604041
Rui Z, Yongquan Y, Mingjun C (2009) An intrusion detection algorithm model based on extension clustering support vector machine. In: International conference on artificial intelligence and computational intelligence (AICI’09), Shanghai, China, vol 1. IEEE, pp 15–18
Ryan J, Lin MJ, Miikkulainen R (1998) Intrusion detection with neural networks. In: Proceedings of advances in neural information processing systems, Denver, Colorado, USA. Morgan Kaufmann Publishers, pp 943–949
Saad S, Traore I (2010) Method ontology for intelligent network forensics analysis. In: Eighth annual international conference on privacy security and trust (PST’10), Ottawa, Ontario, Canada, 17–19 Aug 2010, pp 7–14. doi:10.1109/PST.2010.5593235
Sánchez R, Herrero Á, Corchado E (2013) Visualization and clustering for SNMP intrusion detection. Cybern Syst 44(6–7):505–532
Sang-Hyun O, Jin-Suk K, Yung-Cheol B, Gyung-Leen P, Sang-Yong B (2005) Intrusion detection based on clustering a data stream. In: Third ACIS international conference on software engineering research, management and applications, Michigan, USA, 11–13 Aug 2005, pp 220–227. doi:10.1109/SERA.2005.49
Sang JH, Cho SB (2003) Combining multiple host-based detectors using decision tree. In: Gedeon T, Fung L (eds) Proceedings of 16th Australian conferenceon artificial intelligence, Perth, Australia, 2003/01/01 (vol 2903, Lecture Notes in Computer Science). Springer Berlin, pp 208–220. doi:10.1007/978-3-540-24581-0_18
Sarasamma ST, Zhu QA, Huff J (2005) Hierarchical Kohonenen net for anomaly detection in network security. IEEE Trans Syst Man Cybern B Cybern 35(2):302–312. doi:10.1109/TSMCB.2005.843274
Schölkopflkopf Platt JC, Shawe-Taylor JC, Smola AJ, Williamson RC (2001) Estimating the support of a high-dimensional distribution. Neural Comput 13(7):1443–1471. doi:10.1162/089976601750264965
Schifanella C, Sapino ML, Sel K, Candan U (2012) On context-aware co-clustering with metadata support. J Intell Inf Syst 38(1):209–239. doi:10.1007/s10844-011-0151-x
Schilit B, Adams N, Want R (1994) Context-aware computing applications. In:First workshop on mobile computing systems and applications (WMCSA’94). Santa Cruz, CA, USA. IEEE, pp 85–90
Schmidt A, Beigl M, Gellersen H-W (1999) There is more to context than location. Comput Graph 23(6):893–901. doi:10.1016/S0097-8493(99)00120-X
Scott SL (2004) A Bayesian paradigm for designing intrusion detection systems. Comput Stat Data Anal 45(1):69–83. doi:10.1016/S0167-9473(03)00177-4
Sebyala AA, Olukemi T, Sacks L (2002) Active platform security through intrusion detection using Naive Bayesian network for anomaly detection. In: The London communications symposium. Citeseer, London
Sekeh MA, bin Maarof MA (2009) Fuzzy intrusion detection system via data mining technique with sequences of system calls. In: Fifth international conference on information assurance and security (IAS ’09), Xi’An, China, 18–20 Aug 2009, vol 1, pp 154–157. doi:10.1109/IAS.2009.32
Shah H, Undercoffer J, Joshi A (2003) Fuzzy clustering for intrusion detection. In: The 12th IEEE international conference on fuzzy systems (FUZZ ’03), St Louis, MO, USA, 25–28 May 2003, vol 2, pp 1274–1278. doi:10.1109/FUZZ.2003.1206614
Sharma SK, Pandey P, Tiwari SK, Sisodia MS (2012) An improved network intrusion detection technique based on K-means clustering via Naive Bayes classification. In: International conference on advances in engineering, science and management (ICAESM), EGS Pillay Engineering College, Nagapattinam, 30–31 March 2012, pp 417–422
Shaw DG (2011) Reducing false-positives and false-negatives in security event data using context. https://www.nasa.gov/ppt/583349main_2011_Present_NASA_IT_Summit_Shaw_Reducing_False_Positives_(2).ppt. Accessed 2011
Shekhar RG, Vir VP, Kiran SB (2007) K-Means+ID3: a novel method for supervised anomaly detection by Cascading K-Means clustering and ID3 decision tree learning methods. IEEE Trans Knowl Data Eng 19(3):345–354. doi:10.1109/TKDE.2007.44
Sheyner O, Haines J, Jha S, Lippmann R, Wing JM (2002) Automated Generation and Analysis of Attack Graphs. In: IEEE symposium on security and privacy, Oakland, California, USA 2002:273–284. doi:10.1109/SECPRI.2002.1004377
Shokri R, Oroumchian F, Yazdani N (2005) CLUSID: a clustering scheme for intrusion detection improved by information theory. In: 13th IEEE international conference on networks, 16–18 Nov 2005, pp 553–558. doi:10.1109/ICON.2005.1635546
Shon T, Moon J (2007) A hybrid machine learning approach to network anomaly detection. Inf Sci 177(18):3799–3821
Shun J, Malki HA (2008) Network intrusion detection system using neural networks. In: Fourth international conference on natural computation (ICNC’08), Jinan, China, vol. 5. IEEE, pp 242–246
Shyu ML, Chen SC, Sarinnapakorn K, Chang LW (2003) A novel anomaly detection scheme based on principal component classifier. In: Third IEEE international conference on data mining (ICDM’03), Melbourne, Florida, USA, pp 172–179
Sinclair C, Pierce L, Matzner S (1999) An application of machine learning to network intrusion detection. In: 15th annual computer security applications conference (ACSAC ’99), Phoenix, AZ, USA, pp 371–377. doi:10.1109/csac.1999.816048
Sindhu S, Geetha S, Kannan A (2012) Decision tree based light weight intrusion detection using a wrapper approach. Expert Syst Appl 39(1):129–141. doi:10.1016/j.eswa.2011.06.013
Siraj MM, Maarof MA, Hashim SZM (2009) Intelligent clustering with PCA and unsupervised learning algorithm in intrusion alert correlation. In: Fifth international conference on information assurance and security ( IAS ’09), Xi’an, China, 18–20 Aug 2009, vol 1, pp 679–682. doi:10.1109/IAS.2009.261
Song J, Takakura H, Kwon Y (2008) A generalized feature extraction scheme to detect 0-Day attacks via IDS alerts. In: Proceedings of the 2008 international symposium on applications and the internet, Urku, Finland, 1442004. IEEE Computer Society, pp 55–61. doi:10.1109/saint.2008.85
Song S, Ling L, Manikopoulo C (2006) Flow-based statistical aggregation schemes for network anomaly detection. In: Proceedings of the IEEE international conference on networking, sensing and control (ICNSC’06), Hainan, China. IEEE, pp 786–791
Song X, Wu M, Jermaine C, Ranka S (2007) Conditional anomaly detection. IEEE Trans Knowl Data Eng 19(5):631–645. doi:10.1109/tkde.2007.1009
Sperotto A, Sadre R, Vliet F, Pras A (2009) A labeled data set for flow-based intrusion detection. In: Nunzi G, Scoglio C, Li X (eds) 9th IEEE international workshop on IP operations and management ((IPOM’09), Venice, Italy, 2009/01/01, vol 5843. Lecture Notes in Computer Science, pp 39–50. doi:10.1007/978-3-642-04968-2_4
Sperotto A, Schaffrath G, Sadre R, Morariu C, Pras A, Stiller B An overview of IP flow-based intrusion detection. IEEE Commun Surv Tutor 12(3):343–356
Sperotto A, Schaffrath G, Sadre R, Morariu C, Pras A, Stiller B (2010) An overview of IP flow-based intrusion detection. Commun Surv Tutor IEEE 12(3):343–356. doi:10.1109/SURV.2010.032210.00054
Stein G, Chen B, Wu AS, Hua KA (2005) Decision tree classifier for network intrusion detection with GA-based feature selection. In: Proceedings of the 43rd annual Southeast Regional Conference, Kennesaw, GA, USA. ACM, pp 136–141
Steinwart I, Hush D, Scovel C (2006) A classification framework for anomaly detection. J Mach Learn Res 6(1):211–232
Tabia K, Benferhat S, Leray P, Mé L (2011) Alert correlation in intrusion detection: combining AI-based approaches for exploiting security operators’ knowledge and preferences. In: Security and artificial intelligence (SecArt)
Takeuchi J-I, Yamanishi K (2006) A unifying framework for detecting outliers and change points from time series. IEEE Trans Knowl Data Eng 18(4):482–492
Tang P, Jiang R, Zhao M (2010) Feature selection and design of intrusion detection system based on K-means and triangle area support vector machine. In: Second international conference on future networks (ICFN’10), Hainan, China. IEEE, pp 144–148
Tao L, Ai-ling Q, Yuan-bin H, Xin-tan C (2008a) Method for anomaly detection based on classifier with time function. In: IEEE international conference on industrial technology (ICIT’08). Chengdu, China, 21–24 April 2008, pp 1–4. doi:10.1109/ICIT.2008.4608512
Tao L, Ailing Q, Yuanbin H, Xintan C (2008b) Method for network anomaly detection based on bayesian statistical model with time slicing. In: 7th world congress on intelligent control and automation (WCICA’08), Chongqing, China, 25–27 June 2008, pp 3359–3362. doi:10.1109/WCICA.2008.4593458
Te-Shun C, Yen KK (2007) Fuzzy belief k-nearest neighbors anomaly detection of user to root and remote to local attacks. In: IEEE SMC information assurance and security workshop (IAW ’07), West Point, New York, 20–22 June 2007, pp 207–213. doi:10.1109/IAW.2007.381934
Te-Shun C, Yen KK, Pissinou N, Makki K (2007) Fuzzy belief reasoning for intrusion detection design. In: Third international conference on intelligent information hiding and multimedia signal processing ( IIHMSP’07), Kaohsiung, Taiwan, 26–28 Nov 2007, pp 621–624. doi:10.1109/IIHMSP.2007.4457786
Thottan M, Ji C (2003) Anomaly detection in IP networks. IEEE Trans Signal Process 51(8):2191–2204
Tombini E, Debar H, Me L, Ducasse M (2004) A serial combination of anomaly and misuse IDSs applied to HTTP traffic. In: Proceedings of the 20th annual computer security applications conference, Tucson, Arizona, USA. 1038335: IEEE Computer Society, pp 428–437. doi:10.1109/csac.2004.4
Tsai CF, Hsu YF, Lin CY, Lin WY (2009) Intrusion detection by machine learning: a review. Expert Syst Appl 36(10):11994–12000
Tylman W (2008a) Anomaly-based intrusion detection using bayesian networks. In: Third international conference on dependability of computer systems (DepCos-RELCOMEX ’08), Szklarska Poreba, Poland, 26–28 June 2008, pp 211–218. doi:10.1109/DepCoS-RELCOMEX.2008.52
Tylman W (2008b) Misuse-based intrusion detection using bayesian networks. In: International conference on dependability of computer systems, Zklarska Poreba, Poland, pp 203–210
Ukil A (2010) Application of Kolmogorov complexity in anomaly detection. In: 16th Asia-Pacific conference on communications (APCC), Auckland, New Zealand, Oct 31 2010–Nov 3 2010, pp 141–146. doi:10.1109/APCC.2010.5679753
Vapnik V (1999) The nature of statistical learning theory, 2nd edn. Springer, New York
Viinikka J, Debar H, Mé L, Lehikoinen A, Tarvainen M (2009) Processing intrusion detection alert aggregates with time series modeling. Inf Fusion 10(4):312–324
Voelker GM, Bershad BN (1994) Mobisaic: an information system for a mobile wireless computing environment. In: Workshop on mobile computing systems and applications, California, USA, pp 185–190. doi:10.1109/mcsa.1994.513481
Vorobiev A, Jun H (2006) Security attack ontology for Web services. In: Second international conference on semantics, knowledge and grid (SKG ’06), Guangxi, China, 1–3 Nov 2006, pp 42–48. doi:10.1109/SKG.2006.85
Wagner D, Soto P (2002) Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM conference on computer and communications security, Berlin, German. ACM, pp 255–264
Wan L, Shengfeng T (2009) Preprocessor of intrusion alerts correlation based on ontology. In: WRI international conference on communications and mobile computing (CMC ’09), Yunnan, China, 6–8 Jan 2009, pp 460–464. doi:10.1109/CMC.2009.63
Wang G, Hao J, Ma J, Huang L (2010) A new approach to intrusion detection using artificial neural networks and fuzzy clustering. Expert Syst Appl 37(9):6225–6232. doi:10.1016/j.eswa.2010.02.102
Wang K, Stolfo S (2004) Anomalous payload-based network intrusion detection. In: Recent advances in intrusion detection, Sophia Antipolis, France. Springer, pp 203–222
Wang W, Battiti R (2006) Identifying intrusions in computer networks with principal component analysis. In: The first international conference on availability, reliability and security, Vienna, Austria. IEEE, pp 8–15
Wang W, Guan X, Zhang X (2004) A novel intrusion detection method based on principle component analysis in computer security. In: IEEE international symposium on neural networks in computer security, Dalian, China. IEEE, pp 88–89
Wang X, He F (2006) Improving intrusion detection performance using rough set theory and association rule mining. In: International conference on hybrid information technology (ICHIT ’06), Jeju Island, Korea, 9–11 Nov. 2006, vol 2, pp 114–119. doi:10.1109/ichit.2006.253599
Wei W, Daniels TE (2005) Building evidence graphs for network forensics analysis. In: 21st Annual computer security applications conference, AZ, USA, 5–9 Dec 2005, p 11, 266. doi:10.1109/CSAC.2005.14
Weller-Fahy DJ, Borghetti BJ, Sodemann AA (2015) A survey of distance and similarity measures used within network intrusion anomaly detection. IEEE Commun Surv Tutor 17(1):70–91
Wenge R, Kecheng L, Lin L (2008) Association rule based context modeling for web service discovery. In: 10th IEEE conference on e-commerce technology, Washington, DC, 21–24 July 2008, pp 299–304. doi:10.1109/CECandEEE.2008.137
Wenke L, Stolfo SJ, Mok KW (1999) A data mining framework for building intrusion detection models. In: Proceedings of the IEEE symposium on security and privacy, Oakland, California 1999:120–132. doi:10.1109/secpri.1999.766909
Wentao F, Bouguila N, Ziou D (2011) Unsupervised anomaly intrusion detection via localized Bayesian feature selection. In: IEEE 11th international conference on data mining (ICDM’11), Vancouver, Canada, 11–14 Dec 2011, pp 1032–1037. doi:10.1109/ICDM.2011.152
White RW, Bailey P, Chen L (2009) Predicting user interests from contextual information. In: Proceedings of the 32nd international ACM SIGIR conference on research and development in information retrieval. ACM, pp 363–370
Williams G, Baxter R, He H, Hawkins S, Gu L (2002) A comparative study of RNN for outlier detection in data mining. In: Proceedings of IEEE international conference on data mining (ICDM’02), Maebashi City, Japan. IEEE, pp 709–712
Winter P, Hermann E, Zeilinger M (2011) Inductive intrusion detection in flow-based network data using one-class support vector machines. In: 4th IFIP international conference on new technologies, mobility and security (NTMS ’11), Paris, France. IEEE, pp 1–5
Wu N, Zhang J (2003) Factor analysis based anomaly detection. In: IEEE systems, man and cybernetics society information assurance workshop, West Point, New York, USA. IEEE, pp 108–115
Acknowledgements
This research has been partially funded by grants from the State of Maryland, TEDCO (MII), and Northrop-Grumman Corporation, USA.
Cite this article
Aleroud, A., Karabatis, G. Contextual information fusion for intrusion detection: a survey and taxonomy. Knowl Inf Syst 52, 563–619 (2017). https://doi.org/10.1007/s10115-017-1027-3