
Machine Learning in Intrusion Detection

This paper surveys the application of machine learning techniques in Intrusion Detection Systems (IDS), highlighting their importance in detecting and classifying system attacks. It discusses various methods, including signature-based, anomaly-based, and knowledge-based techniques, as well as specific machine learning approaches like Bayesian networks and neural networks. The paper aims to improve detection accuracy and reduce false alarm rates in IDS through a comprehensive review of existing methodologies.


International Journal of Computer Applications (0975 – 8887)

Volume 78 – No.16, September 2013

Survey on Intrusion Detection System using Machine Learning Techniques

Sharmila Kishor Wagh
Research Scholar, North Maharashtra University, Jalgaon

Vinod K. Pachghare, Ph.D
Department of Computer Engineering, College of Engineering, Pune

Satish R. Kolhe, Ph.D
Professor, School of Computer Science, North Maharashtra University, Jalgaon

ABSTRACT
In today's world, almost everybody is conversant with computers, and network-based technology is growing by leaps and bounds. So, network security has become a very important, rather an inevitable, part of computer systems. An Intrusion Detection System (IDS) is designed to detect system attacks and classify system activities into normal and abnormal forms. Machine learning techniques have been applied to intrusion detection systems, where they play an important role in detecting intrusions. This paper reviews different machine learning approaches for intrusion detection systems. This paper also presents the system design of an intrusion detection system to reduce the false alarm rate and improve the accuracy of intrusion detection.

Keywords
Intrusion Detection System (IDS), Machine Learning Techniques, Anomaly Detection, False Alarm Rate (FAR).

1. INTRODUCTION
The security of computer networks has been in the focus of research for years. Organizations have come to realize that information and network security technology has become very important in protecting their information. Any attempt, successful or unsuccessful, to compromise the integrity, confidentiality, and availability of any information resource or the information itself is considered a security attack or an intrusion. Every day new kinds of attacks are being faced by industries. One of the solutions to this problem is to use an Intrusion Detection System (IDS).

Machine learning is one of the techniques used in IDS to detect attacks. Machine learning is concerned with the design and development of algorithms and methods that allow computer systems to autonomously acquire and integrate knowledge to continuously improve themselves so that they finish their tasks efficiently and effectively. In recent years, machine learning based intrusion detection systems have been giving high accuracy and good detection of novel attacks. An intrusion detection system (IDS) is a security technique attempting to detect various attacks. IDSs are the set of techniques that are used to detect suspicious activity at both the host and the network level.

2. TAXONOMY OF ANOMALY DETECTION
Several classifications of intrusion detection methods have been proposed in the earlier period, but there is still no universally accepted taxonomy. A taxonomy that is based on the synthesis of a number of existing ones is presented here, using six criteria to classify IDSs, as summarized in Fig. 1.

Currently the two basic methods of detection (analytical method) are signature-based and anomaly-based [1],[2]. The signature-based method, also known as misuse detection, looks for a specific signature to match, signaling an intrusion. Signature-based systems can detect many or all known attack patterns, but their weakness is the incapability of identifying new types of attacks or variations of known attacks.

Another useful method for intrusion detection is called anomaly detection. Anomaly detection applied to intrusion detection and computer security has been an active area of research since it was originally proposed in [3]. In anomaly based IDSs, the normal behavior of the system or network traffic is represented and, for any behavior that varies over a pre-defined threshold, an anomalous activity is identified. On the other hand, in anomaly based IDSs, the number of false positives generated is higher than in those based on signatures. An important issue in anomaly based IDSs is how these systems should be trained, i.e., how to define what is a normal behavior of a system or network environment (which features are relevant) and how to represent this behavior computationally.


[Figure: tree diagram rooted at "Intrusion Detection". Branch labels recoverable from the figure: time of detection (on line, off line), alert (with and without countermeasure), architecture, environment (wired, wireless), data processing (centralized, distributed), data source (host based, network based, hybrid, NBA) and analysis method/strategy (anomaly detection, misuse detection).]

Fig 1: Taxonomy of IDS


[Figure: tree diagram. Anomaly detection divides into statistical based (univariate, multivariate, time series model), knowledge based (FSM, description languages, expert system) and machine learning based (Bayesian networks, Markov models, neural networks, fuzzy logic, genetic algorithms, clustering and outlier detection, data mining/classification).]

Fig 2: Classification of Anomaly detection

According to the type of processing related to the "behavioral" model of the target system, anomaly detection techniques can be classified into three main categories [4]: statistical based, knowledge-based, and machine learning-based. In [18] the well-known intrusion detection approaches are reviewed and compared, with the strengths and weaknesses of those approaches.

2.1 Statistical anomaly-based IDS
A statistical anomaly-based IDS finds out normal network activity, such as what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other, and alerts the administrator or user when traffic is detected which is anomalous (not normal) [5] [7]. It is again categorized into univariate, multivariate and time series models. In the univariate model, parameters are modeled as independent Gaussian random variables, thus defining an acceptable range of values for every variable. The multivariate model considers the correlation between two or more variables. The time series model uses an interval timer, together with an event counter or resource measure, and takes into account the order and inter-arrival times of observations and their values, which are labelled as an anomaly if their probability of occurrence is too low at a given time.

Pros: 1) Prior knowledge about normal activity not required.
2) Accurate notification of malicious activities.

Cons: 1) Susceptible to being trained by attackers.
2) Difficult setting of parameters and metrics.
3) Unrealistic quasi-stationary process assumption.

2.2 Knowledge-based techniques
A knowledge base stores information about the subject domain. Information in the knowledge base contains symbolic representations of experts' rules of judgment in a format that allows the inference engine to perform deduction upon it. The expert system approach is one of the most widely used knowledge-based IDS schemes. Knowledge based techniques are divided into frame based model, rule based model and expert system. Rule based is a modified form of the grammar based production rules. The frame based model localizes an entire body of expected knowledge and actions into a single structure. Expert systems are intended to classify the audit data according to a set of rules, involving three steps. First, different attributes and classes are identified from the training data. Second, a set of classification rules, parameters or procedures are deduced. Third, the audit data are classified accordingly [5], [6].

Pros: 1) Robustness, flexibility and scalability.

Cons: 1) Difficult and time-consuming availability of high-quality knowledge/data.

2.3 Machine learning-based IDS
Machine learning techniques are based on establishing an explicit or implicit model. A singular characteristic of these schemes is the need for labeled data to train the behavioral model, a procedure that places severe demands on resources. In many cases, the applicability of machine learning principles coincides with that for the statistical techniques, although the former is focused on building a model that improves its performance on the basis of previous results. Hence, machine learning for IDS has the ability to change its execution strategy as it acquires new information. This feature could make it desirable to use such schemes for all situations.

Pros: 1) Flexibility and adaptability, capture of interdependencies.

Cons: 1) Highly dependent on the assumption about the behavior accepted into the system.
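
Section 2.1 contrasts the univariate model (an acceptable range per variable) with the multivariate model (correlation between variables). The following is an added example, not code from the paper: it fits both models to the same constructed flow records and shows an observation that passes every per-variable range check but is flagged once correlation is considered. The feature names, sample values and thresholds are assumptions made for illustration.

```python
"""Univariate vs. multivariate Gaussian anomaly scoring (added example).

Feature names, sample values and thresholds are constructed for illustration.
"""
import math

# Constructed "normal" traffic: (packets per flow, kilobytes per flow).
# The two features are strongly correlated: roughly 1 KB per packet.
NORMAL = [
    (10, 10.5), (20, 19.0), (30, 31.0), (40, 39.5), (50, 51.0),
    (60, 59.0), (70, 71.5), (80, 79.0), (90, 91.0), (100, 99.5),
]


def fit(samples):
    """Estimate per-feature means and the 2x2 sample covariance matrix."""
    xs = [s[0] for s in samples]
    ys = [s[1] for s in samples]
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    n = len(samples) - 1
    sxx = sum((x - mx) ** 2 for x in xs) / n
    syy = sum((y - my) ** 2 for y in ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in samples) / n
    return (mx, my), (sxx, sxy, syy)


def univariate_alerts(obs, model, k=3.0):
    """Univariate model: each feature is checked against mean +/- k sigma,
    independently of the other feature. Returns the features out of range."""
    (mx, my), (sxx, _sxy, syy) = model
    z_scores = (
        ("packets", abs(obs[0] - mx) / math.sqrt(sxx)),
        ("kbytes", abs(obs[1] - my) / math.sqrt(syy)),
    )
    return [name for name, z in z_scores if z > k]


def mahalanobis_sq(obs, model):
    """Multivariate model: squared Mahalanobis distance, using the
    closed-form inverse of the 2x2 covariance matrix."""
    (mx, my), (sxx, sxy, syy) = model
    dx, dy = obs[0] - mx, obs[1] - my
    det = sxx * syy - sxy * sxy
    if det <= 0:
        raise ValueError("covariance matrix is singular; training data too uniform")
    return (syy * dx * dx - 2 * sxy * dx * dy + sxx * dy * dy) / det


def multivariate_alert(obs, model, threshold=13.8):
    """13.8 is approximately the 99.9th percentile of chi-square with 2
    degrees of freedom, the distribution of the squared distance for
    Gaussian data."""
    return mahalanobis_sq(obs, model) > threshold


if __name__ == "__main__":
    model = fit(NORMAL)
    for obs in [(50, 50), (20, 90), (400, 400)]:
        print(obs, univariate_alerts(obs, model), multivariate_alert(obs, model))
```

The observation (20, 90) has both values well inside their individual ranges, so only the multivariate check raises an alert: 90 KB in 20 packets breaks the learned packets-to-bytes relationship.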


3. INTRUSION DETECTION AND MACHINE LEARNING
The idea of applying machine learning techniques to intrusion detection is to automatically build the model based on the training data set. This data set contains a collection of data instances, each of which can be described using a set of attributes (features) and the associated labels. The attributes can be of different types, such as categorical or continuous. The nature of the attributes determines the applicability of anomaly detection techniques. For example, distance-based methods are initially built to work with continuous features and usually do not provide satisfactory results on categorical attributes. The labels associated with data instances are usually in the form of binary values, i.e. normal and anomalous. In contrast, some researchers have employed different types of attacks such as DoS, U2R, R2L and Probe rather than the anomalous label. This way learning techniques are able to provide more information about the types of anomalies. However, experimental results show that current learning techniques are not precise enough to recognize the type of anomalies. Since labeling is often done manually by human experts, obtaining an accurate labeled data set which is representative of all types of behaviors is quite expensive. As a result, based on the availability of the labels, three operating modes are defined for anomaly detection techniques: Supervised Learning, Unsupervised Learning and Semi-supervised Learning.

4. CLASSIFICATION OF ANOMALY DETECTION
Several machine learning-based schemes have been applied to IDS. Some of the most important techniques are explained in the following subsections.

4.1 Bayesian Network
A Bayesian network is a model that encodes probabilistic relationships among important variables. This technique is generally used for intrusion detection in combination with statistical schemes, a procedure that yields several advantages [9], including the capability of encoding interdependencies between variables and of predicting events, as well as the ability to incorporate both prior knowledge and data.

Conditional probability P(A|B) is used for calculating the probability of A once the condition B is present. However, in real world applications, one needs to know about the conditional probability P(B|A) for B once its evidence A is present. In Bayes theory, the goal is to calculate the probability of a given hypothesis H considering that its sign or evidence E already exists. The H can be assumed to be a sampled column feature vector and noted as x = {x1, x2, ...}. In the following text the E (Evidence) and the C (Class) sign can be replaced (where C = {c1, c2, ...}), if it makes it easier for the reader to understand the concept. The formula to calculate this probability is presented below

(1)

Where P(E|H) is the conditional probability of the evidence E once the hypothesis H is at hand. P(H) is the probability of the hypothesis H. P(E) is the probability of the evidence E. P(H|E) is the posterior probability of the hypothesis H once the evidence E is available.

A framework of NIDS based on a Naïve Bayes algorithm is proposed in [19]. The framework constructs the patterns of the network services over data sets labeled by the services. The framework detects attacks in the datasets using the naïve Bayes classifier algorithm with the built patterns. Compared to the neural network based approach, their approach achieves a higher detection rate, is less time consuming and has a low cost factor. However, it generates more false positives. A Naïve Bayesian network is a restricted network that has only two layers and assumes complete independence between the information nodes. This poses a limitation of this research work. In order to minimize this problem so as to reduce the false positives, active platform or event based classification may be thought of using Bayesian network.

Researchers have designed several systems dealing with the problem of false alarms in recent years. In [12] the authors proposed to use Bayesian networks to perform reasoning on complementary security evidence, and thus to potentially reduce false alert rates.

4.2 Markov models
There are two subtypes of Markov models: Markov chains and hidden Markov models. A Markov chain is a set of states that are interconnected through certain transition probabilities, which determine the topology and the capabilities of the model. During a first training phase, the probabilities associated with the transitions are estimated from the normal behavior of the target system. The detection of anomalies is then carried out by comparing the anomaly score (associated probability) obtained for the observed sequences with a fixed threshold. In the case of a hidden Markov model, the system of interest is assumed to be a Markov process in which states and transitions are hidden. Only the so-called productions are observable. Markov-based techniques have been extensively used in the context of host IDS, normally applied to system calls.

A hybrid fuzzy-based anomaly IDS using a hidden Markov model (HMM) detection engine and a normal database detection engine to reduce FAR is proposed in [13].

The development of host-based anomaly IDS, with emphasis placed on system call-based HMM training, is explained in [26].

4.3 Neural networks
Artificial Neural Networks: Inspired by known facts about how the brain works, researchers in the area of artificial intelligence (AI) have developed computational models which exhibit performance somewhat comparable to that of the brain [22]. Artificial neural networks (ANNs) are adaptive parallel
distributed information processing models that consist of: (a) a set of simple processing units (nodes, neurons), (b) a set of synapses (connection weights), (c) the network architecture (pattern of connectivity), and (d) a learning process used to train the network. In [20], based on the advantages and disadvantages of the improved GA and the LM algorithm, the Hybrid Neural Network Algorithm (HNNA) is presented. Firstly, the algorithm uses the advantage of the improved GA, with its strong whole searching capacity, to search for the global optimal point in the whole question domain. Then, it adopts the strong point of the LM algorithm, with its fast local searching, to fine search near the global optimal point. That paper used the three algorithms respectively, namely the improved GA, the LM algorithm and HNNA, to adjust the input and output parameters of the ANN model, and adopted the theories of the fusion of multi-classifiers to structure the Intrusion Detection System. By repeating an experiment, it is found from the training result that the HNNA is better in stability and convergence precision than the LM algorithm and the improved GA. The testing results also prove that the detection rate of the multiple classifier intrusion detection system based on the HNNA learning algorithm, including all attack categories that have few or many training samples, is higher than that of the IDS that use the LM and improved GA learning algorithms, and the false negative rate is lower. So, the HNNA is proved to be feasible in theory and practice.

In [21], according to the difference between the attack categories, the authors adjust the 41-dimensional input features of the neural-network-based multiple classifier intrusion detection system. After repeated experiments, they find that every adjusted sub-classifier is better in convergence precision and shorter in training time than the 41-feature sub-classifier; moreover, the whole intrusion detection system is higher in the detection rate and lower in the false negative rate than the 41-feature multiple classifier intrusion detection system. So, the scheme of adjusting the input features is able to optimize the neural-network-based multiple classifier intrusion detection system, and is proved to be feasible in practice.

4.4 Fuzzy logic techniques
Fuzzy logic is derived from fuzzy set theory, under which reasoning is approximate rather than precisely deduced from classical predicate logic. Fuzzy techniques are thus used in the field of anomaly detection mainly because the features to be considered can be seen as fuzzy variables [10]. The application of fuzzy logic for computer security was first proposed in [23]. A Fuzzy Intrusion Recognition Engine (FIRE) for detecting intrusion activities is proposed in [24], and the anomaly based IDS is implemented using data mining techniques and fuzzy logic. The fuzzy logic part of the system is responsible for both handling the large number of input parameters and dealing with the inaccuracy of the input data. Three fuzzy characteristics used in this work are COUNT, UNIQUENESS and VARIANCE. The implemented fuzzy inference engine uses five fuzzy sets for each data element (HIGH, MEDIUM-HIGH, MEDIUM, LOW and MEDIUM-LOW) and suitable fuzzy rules to detect the intrusion. In their report the authors have not specified how they have derived their fuzzy set. The fuzzy set is a very important issue for the fuzzy inference engine, and in some cases a genetic approach can be implemented to select the best combination. The proposed system is tested using data collected from the local area network in the College of Engineering at Iowa State University and the results are reported in that paper. The reported results are descriptive and not numerical; therefore, it is difficult to evaluate the performance of the reported work.

4.5 Genetic algorithms
Genetic algorithms are classified as global search heuristics, and as evolutionary computation that uses techniques inspired by evolutionary biology such as recombination, selection, inheritance and mutation. Thus, genetic algorithms represent another type of machine learning-based technique, capable of deriving classification rules [11] and/or selecting appropriate features or optimal parameters for the detection process [10].

In [25] a rule evolution approach based on Genetic Programming (GP) for detecting novel attacks on networks is proposed. In their framework, four genetic operators, namely reproduction, mutation, crossover and dropping condition operators, are used to evolve new rules. New rules are used to detect novel or known network attacks. Experimental results show that rules generated by GPs with part of the KDD 1999 Cup data set have a low false positive rate (FPR), a low false negative rate (FNR) and a high rate of detecting unknown attacks. However, an evaluation with full KDD training and testing data is missing in the paper.

More efforts using GA for intrusion detection are made in [14, 4, 8], where a linear representation scheme for evolving fuzzy rules using the concept of complete binary tree structures is proposed. GA is used to generate genetic operators for producing useful and minimal structural modifications to the fuzzy expression tree represented by chromosomes. However, the training process in this approach is computationally very expensive and time consuming. Bridges and Vaughn employ GA to tune the fuzzy membership functions and select an appropriate set of features in their intelligent intrusion detection system. GA as an evolutionary algorithm was successfully used in different types of IDS. Using GA returned impressive results; the best fitness value was very close to the ideal fitness value. GA is a randomization search method often used for optimization problems. GA was successfully able to generate a model with the desired characteristics of high correct detection rate and low false positive rate for IDS [15].

4.6 Clustering and outlier detection
Clustering techniques work by grouping the observed data into clusters, according to a given similarity or distance measure. The procedure most commonly used for this consists in selecting a representative point for each cluster. Clustering techniques determine the occurrence of intrusion events only from the raw audit data, and so the effort required to tune
the IDS is reduced. One of the most popular and most widely used clustering algorithms is K-Means [19], which is a non-hierarchical centroid-based approach.

4.7 Data Mining
Data mining is an information activity to discover hidden facts contained in the database. These techniques are used to find patterns and intelligent relationships in data and infer rules that allow the prediction of future results.

Association rule learning is one of many data mining techniques that describe events that tend to occur together. Association rule discovery defines normal activity, by which discovery of anomalies is easily enabled. Classification assigns each audit record to one of the possible categories, normal and anomaly.

In [17] the authors discussed the uses of the data mining approach in intrusion detection. This data mining technique works by learning from training data known to be free of attacks (normal) and then uses an algorithm to group attacks from the data. It uses association rules to store knowledge about the nature of patterns in individual records, which can improve the classification efficiency.

5. SYSTEM DESIGN FOR INTRUSION DETECTION SYSTEM
Figure 3 shows the system design for an intrusion detection system. It has the following main modules.

5.1 Preprocessing Phase
On-line (real-time) IDS: In this phase, packet capturing and extraction of packet features is done with the help of packet sniffing tools (e.g. Wireshark, Capsa), which are used to capture packet information, like IP/TCP/ICMP headers, from each of the packets. After that, the packet header is partitioned into source address, destination address etc. This phase needs some techniques for selection of essential features and for finding whether the packet is normal or an intrusion.

Off-line IDS: In this phase, packet capturing is done from a dataset (e.g. KDD dataset/NSL-KDD), which serves as the data source of the IDS.

5.2 Classification
The classification phase utilizes the data received from the previous phase to detect whether a packet is a normal packet or an attack packet. Depending on feature values, the corresponding algorithms will classify the packet into similar groups. It consists of two processes:

(a) Training data (b) Testing data

In the training phase, the answer class is provided along with the packet features, which helps to formulate rules deciding mapping domains. These rules may get changed or replaced depending on further training. Every algorithm has its own strategy of classification.

In the Testing Phase, untrained data are given to the system for sampling whether true answers are obtained or not. The system process is performed providing input as packets without specifying the answer class.

[Figure: flow diagram with the stages Packets, Packet Sniffing, Preprocessing, Decision, Training and Testing, Result, Write To Log File / Database, Display Result.]

Fig 3: System Design for IDS

5.3 Post Processing
The result got in the preprocessing phase is evaluated against the answer class, and system performance is measured in combinations of correctness and false alarms, i.e. True Positive, True Negative, False Positive and False Negative.

5.4 Reducing False Alarms
If the system is still giving some false alarms for all the algorithms, some more training needs to be given. This is the machine learning mechanism, i.e. the system will keep on learning on its own without human interference. And hence there is no updating required.

6. CONCLUSIONS
In this paper the authors have presented an overview of machine learning technologies which are being utilized for the detection of attacks in IDS, and the system design of an effective IDS. The security of information in computer based systems is a major concern to researchers. The work of IDS and
methodologies has been a major focus of information security related research. Machine learning is a vast and advanced field, still relatively immature and definitely not optimized for IDS.

7. FUTURE DIRECTION
In recent years, the challenges that lie ahead of us in intrusion detection systems are huge. They are listed as follows:

1. Inability to lessen the number of false positives, which reduce the efficiency of IDS. A good IDS should perform with a high precision and a high recall, as well as a lower false positive rate and a lower false negative rate. How one can have confidence in the result is a major issue.

2. The time taken to process the huge amount of data for training is very large.

3. Improving classification accuracy is a major task in IDS. There is a need to focus on multi-classifier systems.

4. Because of inadequate computing resources and the tremendous increase of targeted attacks, there is a necessity for real time intrusion detection systems. However, their implementation in a real life environment is challenging.

5. Need for a standard evaluation dataset which simulates real time IDS.

6. Feature reduction work: many studies use feature selection for data reduction, to decrease the computational complexity. There is a need to concentrate more on the task of data deduction.

7. Need to implement a combination technique for misuse detection and anomaly detection.

Machine learning techniques could turn out to be a very good field for IDS by resolving these challenges.

8. REFERENCES
[1] S. Chebrolu, A. Abraham, and J. P. Thomas, "Feature deduction and ensemble design of intrusion detection systems," Comput. Secure., vol. 24, no. 4, pp. 295–307, Jun. 2005.
[2] W. Lee and S. J. Stolfo, "A framework for constructing features and models for intrusion detection systems," ACM Trans. Inf. Syst. Secur., vol. 3, no. 4, pp. 227–261, Nov. 2000.
[3] Denning D, "An Intrusion-Detection Model," IEEE Transactions on Software Engineering, Vol. SE-13, No 2, Feb 1987.
[4] Lazarevic A, Kumar V, Srivastava J. Intrusion detection: "A survey, Managing cyber threats: issues, approaches, and challenges," Springer Verlag; 2005. pp. 330.
[5] Denning DE, Neumann PG. "Requirements and model for IDES – a real-time intrusion detection system," Computer Science Laboratory, SRI International; 1985. Technical Report #83F83-01-00.
[6] Anderson D, Lunt TF, Javitz H, Tamaru A, Valdes A. "Detecting unusual program behavior using the statistical component of the next-generation intrusion detection expert system (NIDES)," Menlo Park, CA, USA: Computer Science Laboratory, SRI International; 1995. SRIO-CSL-95-06.
[7] Ye N, Emran SM, Chen Q, Vilbert S. "Multivariate statistical analysis of audit trails for host-based intrusion detection," IEEE Transactions on Computers 2002;51(7).
[8] Wenke Lee and Salvatore J. Stolfo, "A framework for constructing features and models for intrusion detection systems," 2000, ACM Trans. Inf. Syst. Secur., 3(4):227–261.
[9] Heckerman D. "A tutorial on learning with Bayesian networks," Microsoft Research; 1995. Technical Report MSRTR-95-06.
[10] Bridges, Vaughn, "Fuzzy Data mining and genetic algorithms applied to intrusion detection," In: Proceedings of the National Information Systems Security Conference; 2000. pp. 13–31.
[11] Li W. "Using genetic algorithm for network intrusion detection," C.S.G. Department of Energy; 2004. pp. 1–8.
[12] Y. Zhai, P. Ning, P. Iyer, D.S. Reeves, "Reasoning about complementary intrusion evidence," in: Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC 04), December 2004.
[13] X.D. Hoang, J. Hu, P. Bertok, "A program-based anomaly intrusion detection scheme using multiple detection engines and fuzzy inference," Journal of Network and Computer Applications 32 (2009) 1219–1228.
[14] Kamra, Bertino, "Design and Implementation of an Intrusion Response System for Relational Databases," IEEE Transaction on Knowledge and Data Engineering, Volume: 23, Issue: 6, doi 10.1109/TKDE.2010.151, 2011, pp: 875 – 888.
[15] Suhail Owais, Václav Snášel, Pavel Krömer, Ajith Abraham, "Survey: Using Genetic Algorithm Approach in Intrusion Detection Systems Techniques," 7th Computer Information Systems and Industrial Management Applications, IEEE, 2008, 978-0-7695-3184-7/08, DOI 10.1109/CISIM.
[16] C. Xiang and S. M. Lim, "Design of multiple-level hybrid classifier for intrusion detection system," in Workshop on Machine Learning for Signal Processing, 2005, pp. 117–122.
[17] B. Daniel, C. Julia, J. Sushil, P. Leonard, N. N. Wu, "ADAM: Detecting intrusions by data mining," Proceedings of the 2001 IEEE workshop on Information Assurance and Security, West Point, NY, 2001.
[18] Murali A, Rao M, "A Survey on Intrusion Detection Approaches," Information and Communication Technologies, 2005. ICICT 2005. First International Conference on, DOI: 10.1109/ICICT.2005.1598592, Year: 2005, pp: 233 – 240.
[19] Mrutyunjaya Panda and Manas Ranjan Patra, "Network Intrusion Detection Using Naïve Bayes," IJCSNS International Journal of Computer Science and Network Security, VOL.7 No.12, December 2007.
[20] Li Xiangmei, Qin Zhi, "The Application of Hybrid Neural Network Algorithms in Intrusion Detection System," 978-1-4244-8694-6/11 ©2011 IEEE.
[21] Xiangmei Li, "Optimization of the Neural-Network-Based Multiple Classifiers Intrusion Detection System," 978-1-4244-5143-2/10 ©2010 IEEE.
[22] Naeem Seliya, Taghi M. Khoshgoftaar, "Active Learning with Neural Networks for Intrusion Detection," IEEE IRI 2010, August 4-6, 2010, Las Vegas, Nevada, USA, 978-1-4244-8099-9/10.
[23] H.H. Hosmer, Security is fuzzy!: applying the fuzzy logic paradigm to the multipolicy paradigm, Proceedings of the 1992-1993 workshop on New security paradigms, ACM New York, NY, USA, 1993, pp. 175-184.
[24] John E. Dickerson and Julie A. Dickerson, Fuzzy network profiling for intrusion detection, Proceedings of NAFIPS 19th International Conference of the North American Fuzzy Information Processing Society (Atlanta, USA), July 2000, pp. 301-306.
[25] [Link] and [Link], Unsupervised Anomaly Detection Using an Evolutionary Extension of K-means Algorithm, International Journal on Information and computer Science, Inderscience Publisher 2 (May, 2008), 107-139.
[26] Jiankun Hu, Xinghuo Yu, Qiu D, Hsiao-Hwa Chen; "A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection," IEEE Transaction on Network, Volume: 23, Issue: 1, DOI: 10.1109/MNET.2009.4804323, Year: 2009, Page(s): 42 – 47.
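
Section 4.2 describes Markov chain detection: transition probabilities are estimated from normal behavior, and the anomaly score of an observed sequence is compared with a fixed threshold. The following is an added example, not code from the paper or from the cited works, applying this to system-call traces; the traces, the smoothing constant and the way the threshold is calibrated are assumptions made for illustration.

```python
"""First-order Markov chain anomaly scoring over system-call traces (added example).

Traces, smoothing constant and threshold margin are constructed for illustration.
"""
import math
from collections import defaultdict

# Constructed traces of normal behaviour for one program.
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "read", "read", "read", "write", "close"],
    ["open", "stat", "read", "write", "close"],
]


class MarkovChainDetector:
    def __init__(self, smoothing=0.01):
        self.smoothing = smoothing
        self.counts = defaultdict(lambda: defaultdict(int))
        self.states = set()

    def train(self, traces):
        """Training phase: count transitions seen in normal traces."""
        for trace in traces:
            self.states.update(trace)
            for prev, cur in zip(trace, trace[1:]):
                self.counts[prev][cur] += 1

    def transition_prob(self, prev, cur):
        """P(cur | prev) with additive smoothing. One extra vocabulary slot
        stands for calls never seen in training, so unseen transitions get
        a small non-zero probability instead of zero."""
        row = self.counts.get(prev, {})
        total = sum(row.values())
        vocab = len(self.states) + 1
        return (row.get(cur, 0) + self.smoothing) / (total + self.smoothing * vocab)

    def score(self, trace):
        """Anomaly score: average negative log-probability per transition.
        Averaging keeps long and short traces comparable."""
        if len(trace) < 2:
            return 0.0
        pairs = list(zip(trace, trace[1:]))
        return -sum(math.log(self.transition_prob(p, c)) for p, c in pairs) / len(pairs)

    def is_anomalous(self, trace, threshold):
        return self.score(trace) > threshold


def calibrate_threshold(detector, normal_traces, margin=1.0):
    """Fixed threshold: worst score seen on normal traces plus a margin.
    The margin trades false alarms against missed detections."""
    return max(detector.score(t) for t in normal_traces) + margin


if __name__ == "__main__":
    det = MarkovChainDetector()
    det.train(NORMAL_TRACES)
    thr = calibrate_threshold(det, NORMAL_TRACES)
    samples = [
        ["open", "read", "write", "close"],                        # unseen but normal-looking
        ["close", "write", "read", "open"],                        # known calls, abnormal order
        ["open", "read", "socket", "connect", "write", "close"],   # calls never seen in training
    ]
    for trace in samples:
        print(round(det.score(trace), 3), det.is_anomalous(trace, thr), trace)
```

The second sample contains only calls that occur in training, so a per-call frequency check would pass it; the chain flags it because the order of the calls is improbable.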
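
Sections 4.1, 5.2 and 5.3 describe naïve Bayes classification, the training and testing phases, and evaluation by True/False Positives and Negatives. The following is an added example, not code from the paper or from [19], that runs those steps end to end on constructed connection records; the KDD-style field names (protocol, service, flag), every row and the Laplace smoothing are assumptions made for illustration.

```python
"""Naive Bayes over categorical connection features, with a training phase,
a testing phase and a confusion matrix (added example).

All rows are constructed; they are not taken from the KDD data set.
"""
import math
from collections import Counter, defaultdict

# ((protocol, service, flag), answer class)
TRAIN = [
    (("tcp", "http", "SF"), "normal"),
    (("tcp", "http", "SF"), "normal"),
    (("tcp", "smtp", "SF"), "normal"),
    (("udp", "dns", "SF"), "normal"),
    (("tcp", "ftp", "SF"), "normal"),
    (("tcp", "http", "S0"), "attack"),
    (("tcp", "private", "S0"), "attack"),
    (("tcp", "private", "REJ"), "attack"),
    (("icmp", "ecr_i", "SF"), "attack"),
    (("tcp", "telnet", "S0"), "attack"),
]
TEST = [
    (("tcp", "http", "SF"), "normal"),
    (("udp", "dns", "SF"), "normal"),
    (("tcp", "smtp", "S0"), "normal"),     # benign but attack-like flag
    (("tcp", "private", "S0"), "attack"),
    (("icmp", "ecr_i", "SF"), "attack"),
    (("tcp", "ftp", "SF"), "attack"),      # attack that looks like normal traffic
]


class NaiveBayes:
    def __init__(self, alpha=1.0):
        self.alpha = alpha  # Laplace smoothing constant

    def fit(self, rows):
        """Training phase: features are given together with the answer class."""
        self.total = len(rows)
        self.class_counts = Counter(label for _, label in rows)
        self.feature_counts = defaultdict(Counter)  # (class, index) -> value counts
        self.values = defaultdict(set)              # index -> values seen
        for features, label in rows:
            for i, value in enumerate(features):
                self.feature_counts[(label, i)][value] += 1
                self.values[i].add(value)
        return self

    def log_joint(self, features):
        """log P(H) + sum_i log P(E_i | H): the features are treated as
        independent given the class, which is the naive assumption."""
        scores = {}
        for label, count in self.class_counts.items():
            score = math.log(count / self.total)
            for i, value in enumerate(features):
                seen = self.feature_counts[(label, i)][value]
                slots = len(self.values[i]) + 1  # +1 slot for unseen values
                score += math.log((seen + self.alpha) / (count + self.alpha * slots))
            scores[label] = score
        return scores

    def posterior(self, features):
        """P(H | E): the joint probabilities divided by the evidence P(E)."""
        logs = self.log_joint(features)
        peak = max(logs.values())
        evidence = sum(math.exp(v - peak) for v in logs.values())
        return {label: math.exp(v - peak) / evidence for label, v in logs.items()}

    def predict(self, features):
        logs = self.log_joint(features)
        return max(logs, key=logs.get)


def evaluate(model, rows, positive="attack"):
    """Testing phase and post processing: classify without the answer class,
    then compare with it to count TP, TN, FP and FN."""
    tally = Counter()
    for features, truth in rows:
        predicted = model.predict(features)
        if predicted == positive:
            tally["TP" if truth == positive else "FP"] += 1
        else:
            tally["FN" if truth == positive else "TN"] += 1
    tp, tn, fp, fn = (tally[k] for k in ("TP", "TN", "FP", "FN"))
    return {
        "TP": tp, "TN": tn, "FP": fp, "FN": fn,
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_alarm_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


if __name__ == "__main__":
    model = NaiveBayes().fit(TRAIN)
    print(model.posterior(("tcp", "smtp", "S0")))
    print(evaluate(model, TEST))
```

The benign record with flag S0 becomes a false alarm because the flag alone outweighs the service under the independence assumption, which is the limitation Section 4.1 attributes to the naïve Bayesian network.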
