
An ensemble-based evolutionary framework for coping with distributed intrusion detection

  • Original Paper
  • Journal: Genetic Programming and Evolvable Machines

Abstract

A distributed data mining algorithm that improves detection accuracy when classifying malicious or unauthorized network activity is presented. The algorithm is based on genetic programming (GP) extended with the ensemble paradigm. A GP ensemble is particularly suitable for distributed intrusion detection because it makes it possible to build a network profile by combining different classifiers that together provide complementary information. The main novelty of the algorithm is that the data are distributed across multiple autonomous sites and the learner component acquires useful knowledge from these data in a cooperative way. The network profile is then used to predict abnormal behavior. Experiments on the KDD Cup 1999 data show that genetic programming can successfully deal with the problem of intrusion detection on distributed data.
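As an added illustration of the ensemble idea the abstract describes (this is not the paper's GP algorithm, whose details are not on this page), the Python sketch below has each site train a classifier on its own local traffic, shares only the resulting models, and builds the combined "network profile" by voting across them. The site names, feature layout and every record are constructed for the example; the per-site classifiers are decision stumps rather than evolved GP trees; and two combination rules are compared so the detection-rate versus false-positive trade-off is visible.

```python
from dataclasses import dataclass

# Feature layout loosely modelled on KDD Cup 1999 connection records; all
# values below are constructed for this illustration, not taken from the dataset.
FEATURES = ("duration", "src_bytes", "num_failed_logins")

# Constructed per-site training data: (feature tuple, label), label 1 = attack.
# Each site's local traffic exposes a different attack pattern, so each local
# classifier ends up carrying complementary information.
SITE_DATA = {
    "site_A": [  # brute-force logins: many failed logins
        ((2, 300, 0), 0), ((5, 1200, 0), 0), ((4, 40, 3), 1),
        ((1, 700, 4), 1), ((3, 500, 1), 0), ((0, 200, 0), 0),
    ],
    "site_B": [  # bulk transfers: very large src_bytes
        ((10, 8000, 0), 0), ((1, 60000, 0), 1), ((2, 70000, 1), 1),
        ((2, 900, 0), 0), ((3, 55000, 0), 1), ((8, 5000, 1), 0),
    ],
    "site_C": [  # long-lived connections: large duration
        ((1, 100, 0), 0), ((600, 20, 0), 1), ((900, 10, 1), 1),
        ((2, 400, 0), 0), ((3, 250, 1), 0), ((750, 300, 0), 1),
    ],
}

# Constructed held-out records mixing all three patterns.
TEST_DATA = [
    ((2, 500, 0), 0), ((1, 80000, 0), 1), ((650, 30, 3), 1), ((4, 1000, 1), 0),
    ((700, 65000, 0), 1), ((350, 200, 0), 0), ((5, 90000, 4), 1), ((1, 300, 0), 0),
]


@dataclass(frozen=True)
class Stump:
    """One-feature threshold rule, the simplest 'weak' classifier."""
    feature: int
    threshold: float
    attack_if_greater: bool

    def predict(self, x):
        above = x[self.feature] > self.threshold
        return int(above == self.attack_if_greater)


def train_stump(records):
    """Exhaustively pick the (feature, threshold, direction) with the best local accuracy."""
    best, best_acc = None, -1.0
    for i in range(len(FEATURES)):
        values = sorted({x[i] for x, _ in records})
        for lo, hi in zip(values, values[1:]):
            for greater in (True, False):
                cand = Stump(i, (lo + hi) / 2, greater)
                acc = sum(cand.predict(x) == y for x, y in records) / len(records)
                if acc > best_acc:
                    best, best_acc = cand, acc
    return best


def train_site_models():
    """Each site learns only from its own data; only the model leaves the site."""
    return {site: train_stump(records) for site, records in SITE_DATA.items()}


def combine(classifiers, x, rule="majority"):
    """Combined network profile: 'majority' needs most sites to agree, 'any' needs one."""
    votes = sum(c.predict(x) for c in classifiers)
    if rule == "majority":
        return int(2 * votes > len(classifiers))
    if rule == "any":
        return int(votes > 0)
    raise ValueError(f"unknown rule {rule!r}")


def evaluate(classifiers, test, rule="majority"):
    """Return (detection rate, false-positive rate) of the combined profile on test."""
    tp = fp = fn = tn = 0
    for x, y in test:
        p = combine(classifiers, x, rule)
        if y == 1:
            tp += p
            fn += 1 - p
        else:
            fp += p
            tn += 1 - p
    return tp / (tp + fn), fp / (fp + tn)


if __name__ == "__main__":
    models = train_site_models()
    for site, m in models.items():
        op = ">" if m.attack_if_greater else "<="
        print(f"{site}: attack if {FEATURES[m.feature]} {op} {m.threshold}")
    ensemble = list(models.values())
    for rule in ("majority", "any"):
        dr, fpr = evaluate(ensemble, TEST_DATA, rule)
        print(f"{rule:9s} detection={dr:.2f} false_positive={fpr:.2f}")
```

On the constructed test set the three stumps each learn a different feature, and the second test record (a large transfer with nothing else unusual) is flagged by only one site: majority voting suppresses that single alarm and misses the record, while the any-vote rule catches it at the cost of one false positive on a merely long-lived benign connection. Which combination rule to deploy depends on the false-alarm rate the operators can absorb, which is why IDS results are usually reported as a detection-rate / false-positive trade-off rather than a single accuracy figure.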



Author information

Corresponding author

Correspondence to Gianluigi Folino.

Cite this article

Folino, G., Pizzuti, C. & Spezzano, G. An ensemble-based evolutionary framework for coping with distributed intrusion detection. Genet Program Evolvable Mach 11, 131–146 (2010). https://doi.org/10.1007/s10710-010-9101-6
