A Novel Classification via Clustering Method for Anomaly Based Network Intrusion Detection System


Abstract— Intrusion detection in the Internet is an active area of research. Intruders can be classified into two types: external intruders, who are unauthorized users of the computers they attack, and internal intruders, who have permission to access the system but with some restrictions. The aim of this paper is to present a methodology to recognize attacks during normal activities in a system. A novel classification via sequential information bottleneck (sIB) clustering algorithm has been proposed to build an efficient anomaly based network intrusion detection model. We have compared our proposed method with other clustering algorithms such as X-Means, Farthest First, Filtered Clusterer, DBSCAN, K-Means, and EM (Expectation-Maximization) clustering in order to assess the suitability of our proposed algorithm. A subset of the KDDCup 1999 intrusion detection benchmark dataset has been used for the experiments. Results show that the proposed method is efficient in terms of detection accuracy and low false positive rate in comparison to other existing methods.



ACEEE International Journal on Network Security, Vol 1, No. 2, July 2010
© 2010 ACEEE. DOI: 01.ijns.01.02.04

Mrutyunjaya Panda (1) and Manas Ranjan Patra (2)
(1) Department of ECE, Gandhi Institute of Engineering and Technology, Gunupur, Orissa-765022, India. Email: mrutyunjaya.2007@rediffmail.com
(2) Department of Computer Science, Berhampur University, Orissa-760007, India. Email: mrpatra12@gmail.com

Index Terms: Intrusion Detection, Meta Classifier, Unsupervised Clustering, Sequential Information Bottleneck Clustering.

I. INTRODUCTION

Identifying unauthorized use, misuse and attacks on information systems is defined as intrusion detection [1, 2]. The most popular way to detect intrusions has been to analyze the audit data generated by operating systems and by networks. Since almost all activities are logged on a system, it is possible that a manual inspection of these logs would allow intrusions to be detected. It is important to analyze the audit data even after an attack has occurred: besides determining the extent of the damage, this analysis helps in attack trace-back and also in recording attack patterns for future prevention of such attacks. An intrusion detection system (IDS) can be used to analyze audit data for such insights. This makes IDS a valuable real-time detection and prevention tool as well as a forensic analysis tool.

Traditionally, intrusion detection techniques fall into two categories: signature detection and anomaly detection. Signature detection, or misuse detection, searches for well-known patterns of attacks and intrusions by scanning for pre-classified signatures in network packets. On the other hand, anomaly detection can detect new intrusions while misuse detection may not. The idea behind anomaly detection is that if we can establish a normal activity profile for a system, in theory we can flag all system states varying from the established profile as intrusion attempts. However, if a set of intrusive activities is not identical to the set of known anomalous activities, the situation becomes more interesting, as we can find new possibilities. Anomalous activities that are not intrusive but are flagged as intrusive are referred to as false positives. Actual intrusive activities that go undetected are called false negatives. This is a serious problem, and far more serious than false positives. Anomaly detection is computationally expensive because of the overhead of keeping track of, and possibly updating, several system profiles. The recently proposed system Learning Rules for Anomaly Detection (LERAD) discovers relationships among attributes in order to model application protocols [3, 4].

In fact, intrusion detection can be regarded as a classification problem, namely identifying normal and other types of intrusive behavior. Hence, the key point here is to choose an effective classification approach to build accurate intrusion detection models. A number of machine learning algorithms have been applied to intrusion detection to learn intrusion rules or build normal usage patterns. In this paper, we investigate and evaluate the performance of classifiers using different clustering algorithms such as Sequential Information Bottleneck (sIB), Farthest First Traversal (FFT), K-Means, DBSCAN and EM. The motivation behind using classification via clustering is to improve the accuracy of the intrusion detection system in comparison to the individual clustering algorithms.

The rest of the paper is organized as follows. A literature review is presented in Section 2, followed by a short theoretical background on the clustering algorithms used in this research in Section 3. Section 4 provides a brief idea about the KDDCup 1999 dataset used. The proposed methodology is described in Section 5, followed by the experimental setup in Section 6. Section 7 describes the results and discussion. Finally, the paper concludes with future research directions in Section 8.
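As an illustration of the profile idea described above, the following sketch (our own simplified example, not the paper's method) flags observations that deviate from a normal-activity profile by more than a fixed number of standard deviations:

```python
import statistics

def flag_anomalies(profile, observations, threshold=3.0):
    """Illustrative anomaly check: flag any observation that deviates
    from the normal-activity profile by more than `threshold` standard
    deviations (a simple stand-in for a real profile model)."""
    mu = statistics.mean(profile)
    sigma = statistics.stdev(profile)
    return [abs(x - mu) / sigma > threshold for x in observations]
```

Observations close to the profile come back as normal (False); large deviations are flagged as anomalous (True). A real IDS profile would of course model many attributes, not a single statistic.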
II. RELATED RESEARCH

In [5], the authors designed an intrusion response (IR) system cooperating with an IDS using mobile agents distributed throughout the network, based on stigmergic properties. In [6], the authors introduced a self-organized ant colony based intrusion detection system (ANTIDS) to detect intrusions and compared its performance with linear genetic programming (LGP) [7], support vector machines (SVM) [8] and decision trees (DT) [9]. Other works have made use of Multiple Adaptive Regression Splines (MARS) [10]. In [11], the authors compared various data mining algorithms for detecting network intrusions. The authors used the Naïve Bayes algorithm in building a network intrusion detection model in [12]. In [13], the authors proposed a Bayesian belief network (BBN) with genetic and simulated annealing local search in order to build an efficient network intrusion detection model. The authors compared various ensemble algorithms for intrusion detection in [14]. Modeling intrusion detection systems using hybrid intelligent systems is proposed in [15]; in this work, DT and SVM are combined as a hierarchical hybrid intelligent system model (DT_SVM) and an ensemble approach combining the base classifiers. In [16], the authors propose a support vector learning approach to classify network requests. The authors in [17] used K-Means and DBSCAN to demonstrate how cluster analysis can effectively identify groups of similar traffic using only transport layer statistics. The authors of [18] propose the hierarchical Gaussian Mixture Model (HGMM), a novel type of Gaussian mixture which detects network based attacks as anomalies using statistical processing classification. In [19], the authors use automated feature weighting for network anomaly detection; they conclude that their proposed method not only increases the detection rate but also reduces the false alarm rate.

We believe that an unsupervised clustering approach offers some advantages over supervised learning approaches. One of the main benefits is that new applications can be identified by examining the connections that are grouped to form a new cluster. The supervised approach cannot discover new applications and can only classify network traffic for which it has labeled training data. This prompted us to use an unsupervised clustering approach in building an efficient classifier for detecting anomaly based network intrusions.

III. CLUSTERING ALGORITHMS

In our experiments, some clustering algorithms are selected for performance comparison. Some of them are discussed as follows.

A. K-Means

We first describe the K-Means algorithm for producing a clustering of the input points into K clusters. It partitions the data points into K subsets such that all points in a given subset "belong" to some centre. The algorithm keeps track of the centroids of the subsets and proceeds in iterations. Before the first iteration the centroids are initialized to random values. The algorithm terminates when the centroid locations stay fixed during an iteration. During each iteration the following is performed:

- For each point x, find the centroid which is closest to x. Associate x with this centroid.
- Re-estimate the centroid locations by taking, for each centroid, the center of mass of the points associated with it.

The K-Means algorithm is known to converge to a local minimum of the distortion measure (that is, the average squared distance from points to their class centroids). It is also known to be very simple and can easily be implemented in solving many practical problems. It can work very well for compact and hyper-spherical clusters. The time complexity of K-Means is O(NKd). Since K and d are usually much less than N, K-Means can be used to cluster large data sets.

B. Expectation Maximization (EM)

We follow the procedure as in [20]. The steps of our implementation of EM are as follows. We initiate the process with an initial estimate of the mean and standard deviation. The EM algorithm then searches for a maximum likelihood hypothesis through the following iterative scheme.

- Initialization Step: initialize the hypothesis

  θ^0 = (μ_1^0, μ_2^0, ..., μ_k^0), with θ_k^0 = μ_k^0,   (1)

  where k is the current number of Gaussians, σ is the standard deviation, θ^0 is the estimate at the 0th iteration, and μ is the mean.

- Expectation Step: estimate the expected values of the hidden variables z_ik (mean and standard deviation) using the current hypothesis θ^t = (μ_1^t, μ_2^t, ..., μ_k^t):

  E(z_ik) = exp(−(x_i − μ_k^t)^2 / (2σ^2)) / Σ_{j=1}^{k} exp(−(x_i − μ_j^t)^2 / (2σ^2)),   (2)

  where t is the iteration number, E(z_ik) is the expected value of the hidden variables (namely the mean and standard deviation), k is the dimension, and σ is the standard deviation.

- Maximization Step: provide a new estimate of the parameters:

  μ_k^{t+1} = Σ_{i=1}^{n} E(z_ik) x_i / Σ_{i=1}^{n} E(z_ik).   (3)

- Convergence Step: if |θ^{t+1} − θ^t| < e, stop (finish iteration); otherwise, go to the Expectation Step.

The hidden variables are the parameters of the model. In this case, we use a mixture of Gaussians; hence the hidden variables are the mean and standard deviation for each Gaussian distribution. We start with an initial estimate of those parameters and iteratively run the algorithm to find the maximum likelihood (ML) values of our estimates. The reason we are using EM is to fit the data better, so that clusters are compact and far from other clusters, since we initially estimate the parameters and iterate to find the ML for those parameters.
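The EM iteration in equations (1)-(3) can be sketched for one-dimensional data as follows (a minimal sketch with a fixed, shared standard deviation; the function and variable names are ours):

```python
import math

def em_means(xs, mus, sigma=1.0, tol=1e-6, max_iter=200):
    """EM for a mixture of k Gaussians with a fixed, shared standard
    deviation: iterate the Expectation step (2) and Maximization
    step (3) until the means stop moving (Convergence step)."""
    for _ in range(max_iter):
        # Expectation: E(z_ik), the responsibility of Gaussian k for point x_i.
        resp = []
        for x in xs:
            w = [math.exp(-(x - mu) ** 2 / (2 * sigma ** 2)) for mu in mus]
            total = sum(w)
            resp.append([wi / total for wi in w])
        # Maximization: new mean = responsibility-weighted average of the points.
        new_mus = [
            sum(resp[i][k] * xs[i] for i in range(len(xs))) /
            sum(resp[i][k] for i in range(len(xs)))
            for k in range(len(mus))
        ]
        # Convergence: stop when the hypothesis changes by less than tol.
        if max(abs(a - b) for a, b in zip(new_mus, mus)) < tol:
            return new_mus
        mus = new_mus
    return mus
```

On two well-separated groups of points, the means converge to the group centers regardless of reasonable initial estimates, which is the "compact and far from other clusters" behavior described above.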
C. DBSCAN

Density-based methods are based on a simple assumption: clusters are dense regions in the data space that are separated by regions of lower density. Their general idea is to continue growing a given cluster as long as the density in the neighborhood exceeds some threshold. In other words, for each data point within a given cluster, the neighborhood of a given radius has to contain at least a minimum number of points. These methods are good at filtering out outliers and discovering clusters of arbitrary shapes. Density based spatial clustering of applications with noise (DBSCAN) is an example of a density based method [21].

The DBSCAN algorithm, targeting low-dimensional spatial data, is the major representative of this category. Two input parameters, ε and MinPts, are used to define:

1) an ε-neighborhood N_ε(x) = { y ∈ X | d(x, y) ≤ ε } of the point x;
2) a core object (a point with a neighborhood consisting of more than MinPts points);
3) the concept of a point y being density-reachable from a core object x (a finite sequence of core objects between x and y exists such that each next one belongs to an ε-neighborhood of its predecessor);
4) the density-connectivity of two points x, y (they should be density-reachable from a common core object).

More details about DBSCAN can be found in [22].

D. Farthest First

The farthest first traversal k-center algorithm (FFT) is a fast, greedy algorithm that minimizes the maximum cluster radius [23]. It is also treated as an efficient algorithm which always returns the right answer. The pseudocode for the farthest first traversal algorithm is as follows:

- Pick any z ∈ S and set T = {z}.
- While |T| < k:
  - z = argmax_{x ∈ S} ρ(x, T)
  - T = T ∪ {z}

Here, ρ(x, T) is the distance from point x to the closest point in the set T. This builds a solution T one point at a time. It starts with any point, and then iteratively adds the point farthest from the ones chosen so far; the farthest point x from the set S is obtained from ρ(x, T). Farthest first traversal takes time O(k|S|), which is fairly efficient, and it is always close to the optimal solution, in the sense that if T is the solution returned by the farthest first traversal and T* is the optimal solution, then cost(T) ≤ 2 cost(T*).

E. Filtered Clusterer

The Filtered Clusterer is a meta-clusterer which offers the possibility of applying filters directly before the clusterer is learnt. The structure of the filter is based exclusively on the training data, and test instances are processed by the filter without changing their structure [24].

F. X-Means

X-Means is a new algorithm that quickly estimates the number of clusters K. It goes into action after each run of K-Means, making local decisions about which subsets of the current centroids should split themselves in order to better fit the data. The splitting decision is made by computing the Bayesian Information Criterion (BIC). X-Means has been tested against a more traditional method that estimates the number of clusters by guessing K. X-Means consistently produced better clustering on both synthetic and real-life data with respect to BIC. It also runs much faster, which prompted us to select this algorithm for our intrusion detection model; it has not been considered so far for intrusion detection. A detailed description of the X-Means operations can be seen in [25].
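The farthest-first traversal pseudocode in Section III-D above can be sketched as follows (a minimal sketch; `points` is assumed to be a NumPy array of data points, and the function returns the indices of the chosen centers):

```python
import numpy as np

def farthest_first(points, k, start=0):
    """Farthest-first traversal: greedily pick k centers, each being
    the point farthest from the centers chosen so far."""
    T = [start]  # indices of chosen centers; start with any point
    # dist_to_T[i] = rho(x_i, T): distance from point i to its closest chosen center
    dist_to_T = np.linalg.norm(points - points[start], axis=1)
    while len(T) < k:
        z = int(dist_to_T.argmax())  # the point farthest from the current centers
        T.append(z)
        # A new center can only shrink each point's distance to its closest center.
        dist_to_T = np.minimum(dist_to_T, np.linalg.norm(points - points[z], axis=1))
    return T
```

Maintaining the running minimum distance per point is what gives the O(k|S|) time mentioned above: each of the k rounds scans the point set once.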
IV. INTRUSION DETECTION DATASET

The KDD Cup 1999 intrusion detection contest data is used in our experiments. This data was prepared by the DARPA intrusion detection evaluation program at MIT Lincoln Laboratory. Lincoln Labs acquired nine weeks of raw TCP dump data. The raw data was processed into about 5 million connection records. The data set contains 24 attack types. These attacks fall into four main categories: Denial of Service (DoS), Probing, User to Root (U2R) and Remote to Local (R2L) attacks. Besides the four different types of attacks mentioned above, the normal class needs to be detected. The data set for our experiments contained 1000 connection records, a subset of the 10% KDD Cup '99 intrusion detection benchmark dataset. These were randomly generated from the MIT data set. The random generation of data includes a number of records from each class proportional to its size, except that the smallest class is completely included. All the intrusion detection models are trained and tested with the same data set. Although the data set contains five different classes, we perform 2-class classification (either normal or attack), as our proposed method could not handle multiple class labels for building an efficient intrusion detection model.

V. PROPOSED METHODOLOGY

The proposed methodology for classification via clustering using the Sequential Information Bottleneck (sIB) principle is shown in Fig. 1 below.

[Figure 1. Proposed methodology of classification via sIB clustering: data samples → feature selection/extraction → clustering algorithm (sIB) → clusters → classification design/selection → cluster validation → results → knowledge interpretation.]

A. Meta Classifier

The meta classifier, which comes under decision committee learning, has demonstrated spectacular success in reducing classification error from learned classifiers. These techniques develop a classifier in the form of a committee of subsidiary classifiers. The committee members are applied to a classification task and their individual outputs are combined to create a single classification from the committee as a whole. These are recent methods for improving the predictive power of classifier learning systems.

In our proposed methodology, we design a simple meta-classifier that uses a clusterer for classification. For cluster algorithms that use a fixed number of clusters, like simple K-Means, the user has to make sure that the number of clusters to generate is the same as the number of class labels in the dataset in order to obtain a useful model. However, in the case of the sIB clustering algorithm, we need not specify the number of clusters to generate a model, as it fixes the number of clusters automatically.

B. Proposed Sequential Information Bottleneck (sIB) Clustering

The steps of Sequential Information Bottleneck (sIB) clustering are as follows.

- Find the global minimum for a given number of clusters (W).
- Initialize with a (possibly random) partition into W clusters.
- sIB draws a sample x at random, treats it as a singleton cluster, and merges it into a new cluster c_new such that

  c_new = argmin_{c ∈ C} JS(x, c),   (4)

  where JS(·, ·) is the Jensen-Shannon distance.
- At each step the objective function improves or remains unchanged.

More details about this algorithm can be found in [26].

VI. EXPERIMENTAL SETUP

All our experiments were performed using a Pentium 4, 2.8 GHz CPU with 512 MB RAM. The full data set is used for training in order to build an intrusion detection model. Then, the 10-fold cross validation method is used to test the efficacy of the model built during the training phase.

A. Cross Validation Methods

Cross-validation (CV) tests exist in a number of variants, but the general idea is to divide the training data into a number of partitions or folds. The classifier is evaluated by its classification accuracy over one partition after having learned from the others. This procedure is then repeated until all partitions have been used for evaluation. Some of the most common types are 10-fold, n-fold and bootstrap CV [27]. The difference between these three types of CV lies in the way the data is partitioned. Leave-one-out is similar to n-fold CV, where n stands for the number of instances in the data set. Leave-one-out, or n-fold CV, is performed by leaving one instance out for testing and training on the other instances. This procedure is repeated until all instances have been left out once. It has been argued that the design of 10-fold cross-validation introduces a source of correlation, since one partition is used for training in one trial and the same is then used for testing in another [28].
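The fold construction described in Section VI-A can be sketched as follows (a minimal sketch; the round-robin partitioning is our own choice, and a real run would shuffle or stratify the instances first):

```python
def cross_validation_folds(n_instances, n_folds=10):
    """Split instance indices into n_folds partitions; each fold serves
    once as the test set while the remaining folds are used for training."""
    indices = list(range(n_instances))
    folds = [indices[i::n_folds] for i in range(n_folds)]  # round-robin partition
    for i, test_idx in enumerate(folds):
        train_idx = [j for fold in folds[:i] + folds[i + 1:] for j in fold]
        yield train_idx, test_idx
```

Setting `n_folds` equal to the number of instances reproduces leave-one-out (n-fold) CV: every test set is a single instance.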
VII. RESULTS AND DISCUSSION

Here, we present the behavior of different unsupervised approaches in building an efficient anomaly based network intrusion detection model. In Table 1, we present a comparative study of our proposed sIB clustering method with respect to the other existing approaches.

Table 1. Comparative study of existing clustering and classification algorithms

  Algorithm                     Average Detection Rate (%)   False Positive Rate (%)
  K-Means [29]                  46.986                       0.875
  KM-VQ [19]                    48.4                         10
  FES-KM-VQ [19]                60.1                         10
  X-Means (ours)                78                           36
  KDDCup Winner [29]            48.57                        0.225
  GMIX [30]                     53.725                       29.715
  SOM [30]                      47                           25.685
  Nearest Cluster [31]          47.875                       0.2
  Incremental Clustering [32]   44.57 to 84.78               15.99 to 76.83
  Cluster [32]                  66                           2
  K-NN [32]                     23                           6
  FR-1 [33]                     74.82                        73.07
  FR-2 [33]                     79.68                        85.66
  Pure SVM [34]                 57.6                         35.5
  SVM + Rocchio bundling [34]   51.6                         44.2
  SVM + DGSOT [34]              69.8                         37.8
  sIB (Proposed)                85.5                         34
  ANTIDS-a [6]                  69.9                         ----

Table 2. Comparison of our proposed classification via clustering methods

  Classification via             Average Detection   Average False         Unclassified
  Clustering Algorithm           Rate (%)            Positive Rate (%)     Instances (%)
  K-Means                        80.1                35                    NIL
  X-Means                        88.3                26.8                  12.6
  Filtered Clusterer + K-Means   80.1                19.8                  NIL
  Farthest First (FFT)           86.6                89.6                  0.8
  DBSCAN                         86.7                100                   18.66
  EM                             89.1                52.3                  2.2
  sIB (Proposed)                 86.3                34                    NIL

From the above comparison, it is clear that our proposed method is efficient in detecting anomalous activities, with a high detection rate and a relatively low false positive rate. It is also quite evident from Tables 1 and 2 that the meta classifier using sIB clustering for classification enhances the intrusion detection rate while maintaining the same false positive rate in comparison to the unsupervised sIB clustering method. It can be seen from Table 2 that our proposed method is able to detect intrusions with the highest accuracy in comparison to the K-Means and Filtered Clusterer with K-Means classification via clustering methods. It can also be observed that the proposed methodology with X-Means, FFT, DBSCAN and EM clustering provides a higher average detection rate than our sIB clustering, but these methods are not able to classify all the instances successfully. At the same time, their false positive rates, except in the case of X-Means, are higher than that of sIB clustering. These comparisons show that our proposed classification via sIB clustering is more suitable for building an efficient anomaly based network intrusion detection model.

VIII. CONCLUSION AND FUTURE SCOPE

In this paper, we have illustrated the use of a classification via clustering methodology using the sIB clustering algorithm for modeling intrusion detection systems. The proposed approach provides better detection accuracy with a comparatively low false positive rate than other existing unsupervised clustering algorithms. This makes the approach suitable for building an efficient anomaly based network intrusion detection model. As evident from the results, none of the algorithms provides the best detection with a zero false positive rate. Therefore, in our future research we shall investigate other data mining techniques with a view to bringing the detection accuracy as close as possible to 100% while maintaining a low false positive rate.

REFERENCES

[1] D. Denning, "An intrusion detection model", IEEE Transactions on Software Engineering, SE-13(2), pp. 222-232, 1987.
[2] S. Kumar and E. H. Spafford, "An application of pattern matching in intrusion detection", Technical Report CSD-TR-94-013, Purdue University, 1994.
[3] M. Mahoney and P. K. Chan, "An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection", in 6th Intl. Symposium on RAID, 2003, pp. 220-237.
[4] P. K. Chan, M. Mahoney and M. Arshad, "Learning rules and clusters for anomaly detection in network traffic", in Managing Cyber Threats: Issues, Approaches and Challenges, V. Kumar, J. Srivastava and A. Lazarevic (Eds.), Kluwer, 2004.
[5] N. Foukia, S. Hassas, S. Fenet and J. Hulaas, "An intrusion response scheme: tracking the source using the stigmergy paradigm", in Proc. of the Security of Mobile Multi-Agent Systems Workshop (SEMAS-2002), Italy, July 16, 2002.
[6] V. Ramos and A. Abraham, "ANTIDS: self-organized ant-based clustering model for intrusion detection system", WSTST, 2005, pp. 103-112. http://www.softcomputing.net/WSTST-ra.pdf
[7] M. Brameier and W. Banzhaf, "A comparison of linear genetic programming and neural networks in medical data mining", IEEE Transactions on Evolutionary Computation, 5(1), pp. 17-26, 2001.
[8] V. N. Vapnik, The Nature of Statistical Learning Theory, Springer, 1995.
[9] J. Deneubourg et al., "The dynamics of collective sorting: robot-like ants and ant-like robots", in 1st Conf. on Simulation of Adaptive Behaviour: From Animals to Animats, Cambridge, MA, MIT Press, pp. 356-365, 1991.
[10] S. Mukkamala, A. H. Sung, A. Abraham and V. Ramos, "Intrusion detection systems using adaptive regression splines", in ICEIS-04, 6th Int. Conf. on Enterprise Information Systems, Kluwer Academic Press, Porto, 14-17 April 2004.
[11] M. Panda and M. R. Patra, "A comparative study of data mining algorithms for network intrusion detection", in Proc. of ICETET, India, 2008, pp. 504-507. IEEE Xplore.
[12] M. Panda and M. R. Patra, "Network intrusion detection using Naïve Bayes", International Journal of Computer Science and Network Security, Vol. 7, No. 12, 2007, pp. 258-263.
[13] M. Panda and M. R. Patra, "Bayesian belief network using genetic local search for network intrusion", International Journal of Secure Digital Information Age, Vol. 1, Issue 1, June 2009. In press.
[14] M. Panda and M. R. Patra, "Network intrusion detection using boosting support vector classifiers", in 2009 IEEE Intl. Advance Computing Conference, Patiala, Punjab, pp. 926-931. IEEE Press, USA.
[15] S. Peddabachigari, A. Abraham, C. Grosan and J. Thomas, "Modelling intrusion detection system using hybrid intelligent systems", Journal of Network and Computer Applications, Elsevier, 30(1), pp. 114-132, 2007.
[16] J. Mill and A. Inoue, "Support vector classifier and network intrusion detection", in Proc. of the 2004 IEEE International Conference on Fuzzy Systems, WA, USA, 2004, Vol. 1, pp. 407-410.
[17] J. Erman, M. Arlitt and A. Mahanti, "Traffic classification using clustering algorithms", in SIGCOMM-06 Workshops, Sept. 11-15, 2006, Pisa, Italy, pp. 281-286. ACM Press.
[18] M. Bahrololum and M. Khaleghi, "Anomaly intrusion detection system using hierarchical Gaussian mixture model", International Journal of Computer Science and Network Security, Vol. 8, No. 8, pp. 264-271, August 2008.
[19] D. Tran, W. Ma and D. Sharma, "Automated feature weighting for network anomaly detection", International Journal of Computer Science and Network Security, Vol. 8, No. 2, pp. 173-178, Feb. 2008.
[20] "The Expectation Maximization Algorithm", http://www.cs.unr.edu/~bebis/mathmethods/EM/lecture.pdf, Sept. 25, 2004.
[21] M. Ester, H.-P. Kriegel, J. Sander and X. Xu, "A density-based algorithm for discovering clusters in large spatial databases with noise", in Proc. of KDD-96, pp. 226-231, 1996.
[22] P. Berkhin, "Survey of clustering data mining techniques", Technical Report, Accrue Software, San Jose, CA, USA, pp. 1-56, 2002. http://www.ee.ucr.edu/~barth/EE242/clustering_survey.pdf
[23] A. William, "Clustering algorithms for categorical data", 2006. http://www.cse.yorku.ca/~billa/MULIC/Bill_Andreopoulous_PhD_thesis_web.pdf
[24] A. William, "Clustering algorithms for categorical data", September 2006. http://www.cse.yorku.ca/~billa/MULIC/Bill_Andreopoulous_PhD_thesis_web.pdf
[25] D. Pelleg and A. Moore, "X-Means: extending K-Means with efficient estimation of the number of clusters", in Int. Conf. on Machine Learning (ICML), pp. 727-734, San Francisco, 2000.
[26] N. Slonim, N. Friedman and N. Tishby, "Unsupervised document classification using sequential information maximization", in SIGIR, Tampere, Finland, pp. 129-136. ACM Press.
[27] N. Lavesson and P. Davidsson, "Multi-dimensional measures function for classifier performance", in 2nd IEEE Intl. Conf. on Intelligent Systems, June 2004, pp. 508-513.
[28] M. A. Maloof, "On machine learning, ROC analysis and statistical tests of significance", in 16th Intl. Conf. on Pattern Recognition, IEEE, Vol. 2, 2002, pp. 204-207.
[29] I. Levin, "KDD-99 classifier learning contest: LLSoft's results overview", SIGKDD Explorations, ACM SIGKDD, Vol. 1, No. 2, pp. 67-75, 2000.
[30] V. Venkatachalam and S. Selvan, "Performance comparison of intrusion detection system classifiers using various feature reduction techniques", International Journal of Simulation, Vol. 9, No. 1, 2008.
[31] M. K. Sabhnani and G. Serpen, "Application of machine learning algorithms on KDD intrusion detection dataset within misuse detection context", in Proc. of Intl. Conf. on Machine Learning: Models, Technologies and Applications (MLMTA 2003), Las Vegas, NV, 2003, pp. 209-215.
[32] T. Hassan, M. Hashem and A. Fahmy, "Unsupervised anomaly detection using an incremental clustering algorithm", International Journal of Intelligent Computing and Information Sciences, Vol. 5, No. 1, pp. 253-268, 2005.