A Survey of Random Forest Based Methods for Intrusion Detection Systems

Published: 23 May 2018

Abstract

Over the past decades, researchers have proposed many intrusion detection approaches to deal with the increasing number and complexity of threats to computer systems. In this context, Random Forest models have delivered notable performance when applied to behaviour-based Intrusion Detection Systems. Specific properties of the Random Forest model are used to provide classification, feature selection, and proximity metrics. This work provides a comprehensive review of the basic concepts related to Intrusion Detection Systems, including taxonomies, attacks, data collection, modelling, evaluation metrics, and commonly used methods. It also surveys Random Forest based methods applied in this context, considering the particularities of these models. Finally, some open questions and challenges are posed, together with possible directions for addressing them, which may guide future work in the area.




Published In

ACM Computing Surveys, Volume 51, Issue 3 (May 2019), 796 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/3212709
  • Editor: Sartaj Sahni
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 May 2018
Accepted: 01 January 2018
Revised: 01 January 2018
Received: 01 September 2017
Published in CSUR Volume 51, Issue 3


Author Tags

  1. Intrusion Detection Systems
  2. Machine Learning
  3. Random Forest methods
  4. anomaly detection
  5. behavioural methods

Qualifiers

  • Survey
  • Research
  • Refereed


Article Metrics

  • Downloads (Last 12 months)276
  • Downloads (Last 6 weeks)31
Reflects downloads up to 03 Mar 2025

Cited By

  • A Comprehensive Review of AI’s Current Impact and Future Prospects in Cybersecurity. IEEE Access 13 (2025), 14029–14050. DOI: 10.1109/ACCESS.2025.3528114
  • A study on characterizing energy, latency and security for Intrusion Detection Systems on heterogeneous embedded platforms. Future Generation Computer Systems 162:C (1 Jan 2025). DOI: 10.1016/j.future.2024.07.051
  • Statistical and machine learning approaches for energy efficient buildings. Energy and Buildings 330 (Mar 2025), 115309. DOI: 10.1016/j.enbuild.2025.115309
  • A comprehensive survey of Federated Intrusion Detection Systems: Techniques, challenges and solutions. Computer Science Review 56 (May 2025), 100717. DOI: 10.1016/j.cosrev.2024.100717
  • HC-NIDS: Historical contextual information based network intrusion detection system in Internet of Things. Computers & Security 152 (May 2025), 104367. DOI: 10.1016/j.cose.2025.104367
  • ML-based intrusion detection system for precise APT cyber-clustering. Computers and Security 149:C (1 Feb 2025). DOI: 10.1016/j.cose.2024.104209
  • Earthquake-related evacuation transportation: Insights from Kerman, Iran. Cities 158 (Mar 2025), 105713. DOI: 10.1016/j.cities.2025.105713
  • Colorimetric – Fluorescence – Photothermal tri-mode sensor array combining the machine learning method for the selective identification of sulfonylurea pesticides. Biosensors and Bioelectronics 277 (Jun 2025), 117286. DOI: 10.1016/j.bios.2025.117286
  • A semi-supervised soft prototype-based autonomous fuzzy ensemble system for network intrusion detection. Applied Soft Computing 170 (Feb 2025), 112719. DOI: 10.1016/j.asoc.2025.112719
  • Cybersecurity in the AI era: analyzing the impact of machine learning on intrusion detection. Knowledge and Information Systems (online 19 Feb 2025). DOI: 10.1007/s10115-025-02366-w
