With the progressive increase of network application and electronic devices (computer, mobile phones, android, etc), attack and intrusion detection is becoming a very challenging task in cybercrime detection area. in this context, most of existing approaches of attack detection rely mainly on a finite set of attacks. However, these solutions are vulnerable, that is, they fail in detecting some attacks when sources of information’s are ambiguous or imperfect. But, few approaches started investigating toward this direction. Following this trends, this paper investigates the role of machine learning approach (ANN, SVM) in detecting TCP connection traffic as normal or suspicious one. But, using ANN and SVM is an expensive technique individually. In this paper, combining two classifiers has been proposed, where artificial neural network (ANN) classifier and support vector machine (SVM) were employed. Additionally, our proposed solution allows visualizing obtained classification results. Accuracy of the proposed solution has been compared with other classifier results. Experiments have been conducted with different network connection selected from NSL-KDD DARPA dataset. Empirical results show that combining ANN and SVM techniques for attack detection is a promising direction
2. Detection of Attacks in Wireless Networks using Data Mining Techniques
https://iaeme.com/Home/journal/IJM 281 editor@iaeme.com
With the continuous number and forms of attacks, there has been a huge number of Internet
Detection Systems (IDSs) identifying malicious attacks in order to protect computer systems
from possible damages. However, some unknown attacks remained hard challenges [3] for IDS.
Sometimes, where the source of data is ambiguous or imperfect, IDS cannot able to
differentiating between normal and suspicious connection [4]. For that, attack detection
accuracy of system can be degraded and the false positive rate of detection stays increased even
though accuracy stays low [5].
To improve attack detection rate and to facilitate administration of IDS, many approaches
have been suggested in the literature that can offers a major opportunity [5], [4] in detection
and classification network connection for unknown attacks. One approach is machine learning
(ML) which builds models from training data because anomaly and intrusion detection can be
treated as a classification challenge. However, where the classification features are ambiguous
or imperfect, some classifiers using random factors can generate false, higher overall accuracy
of detection. Therefore, it is necessary to move from a certain environment to an uncertain
attack detection environment. This idea has been the basic objective of our classic data fusion
system. This helps to combine information to improve the decision making of information with
a reduced error rate. Following this trend, some works emerged and explored a new attack
detection approach with using an hybrid approach that merges classification algorithms. But,
these works still suffer from the lack of dealing with ambiguous sources of information.
To resolve this problem, we propose, in this paper to improve the complexity of supervised
and unsupervised ML techniques in detecting attack and intrusion process. In fact, a comparison
of SVM and ANN classifiers for network intrusion detection will be presented and their
computational complexity will be discussed. Then, to reduce error rate experimented by ANN
and SVM classifiers, we suggest applying classic data fusion approach based conditional
probability that combine ANN and SVM classifier decision. To validate our experimentation
results, we evaluated our approach on the real benchmark of TCP connections gathered in
DARPA KDD99 dataset [6]. Our results show that combining classifiers decisions and features
selection can reduce the error rate of attack detection.
2. RELATED WORKS
Many approaches have been proposed to solve attack detection problem within network
connection ranging from supervised approaches [7] unsupervised approaches [8] to hybrid ones
[9], [10]. Supervised approach use a wide range of features and labeled data for training attack
classifiers. For instance, Haddadi et al.[11] proposed IDS using feed-forward neural network
with back propagation algorithm for network based intrusion detection. This scheme deals with
KDD-CUP99 dataset for the classification of network attacks. In the same context, Haidar et
al. [12] introduced anomaly-based detection system using supervised neural networks classifier
to show the reliability of intrusion system.
The first issue is the luck of a training data set that increases the complexity of classification
algorithm. Moreover, having significant features is a challenge and, where the information
sources are unbalanced, the training sets contain some noises that result increase false alarm
rates. To overcome this problem, authors proposed unsupervised approaches to attack detection
of network connection. For instance, Chandola et al. [13] suggest a support vector machine
(SVM) classifier for attack classification. In this context, Moor Andrew [14] used the Markov
model-based intrusion detection system to calculate the probability of attacks presented in the
system based on a list of observations. For example, a sequence of alerts from an intrusion
detection system (IDS) such as Snort can be used to calculate the probability of system being
attacked. Furthermore, Bronstein Alexandre et al. [15] propose networks model for network
intrusion detection based on a Bayesian probability. In the same context of unsupervised
3. T. Dheepak
https://iaeme.com/Home/journal/IJM 282 editor@iaeme.com
method, Imam Riadi et al. [16] used K-means clustering technique was tested in order to range
attack in TCP and UDP connection into three classes respectively known as very dangerous,
rather dangerous and not dangerous attack but this method cannot deal with a huge number of
intrusion scenarios.
However, unsupervised classifiers is based only on training of normal attack. Then, any
deviation is judged as an attack. This algorithm accurate weakly in attack detection, that is, the
number of false positive rate remains important. But, using one classifier algorithm (supervised
or unsupervised) to classify the network traffic data as normal behavior or anomalous, cannot
give the best possible attack detection accuracy and cannot reduced alarm rate. Hence, some
hybrid approaches, that merge both supervised and unsupervised methods, are combined. For
instance, M.Elbasiony et al. [9] proposed an hybrid IDS based on two famous data mining
algorithms called random forests and k-means. In the same context, Panda et al. [10] proposed
an hybrid attack detection algorithm that combine Decision Trees, SVM and Random Forest to
classify network attack.
However, these techniques suffer from identifying all intrusion attempts, that as, it cannot
achieve a higher detection rate and lower false alarm rate. Moreover, Tsujii [17] used the Naive
Bayes classifier combined with the well-established EM algorithm to exploit the unlabeled data.
In other works, Nave Bayes and decision tree algorithm were combined for network intrusion
detection which provided high accuracy for different types of network.
But all the works presented above use decisions of independent classifiers without
emphasizing the dependence of the combined classes. Indeed, under the assumption that there
is a gap between classes, the attack detection may be easier to implement, faster to evaluate and
reduce the amount of training data needed to estimate the attack.
3. CLASSIFICATION TECHNIQUES
3.1. Artificial Neural Network
A neural network model which is the branch of artificial intelligence is generally referred to as
artificial neural networks (ANNs). ANN teaches the system to execute task, instead of
programming computational system to do definite tasks. To perform such tasks, Artificial
Intelligence System (AI) is generated. It is a pragmatic model which can quickly and precisely
find the patterns buried in data that replicate useful knowledge. One case of these AI models is
neural networks. AI systems should discover from data on a constant basis. In the areas of
medical diagnosis relationships with dissimilar data, the most available techniques are the
Artificial Intelligence techniques.
An artificial neural network is made up of many artificial neurons which are correlated
together in accordance with explicit network architecture. The objective of the neural network
is to convert the inputs into significant outputs. The teaching mode can be supervised or
unsupervised. Neural Networks learn in the presence of noise.
Artificial neural networks (ANN) consider classification as one of the most dynamic
research and application areas. The major disadvantage in using ANN is to find the most
appropriate grouping of training, learning and transfer function for classifying the data sets with
growing number of features and classified sets. The different combinations of functions and its
effect while using ANN as a classifier is studied and the correctness of these functions are
analyzed for various kinds of datasets.
3.2. Support Vector Machine
Support vector machine (SVMs) was first proposed by Vapnik [18] which is used for binary
classification. SVM prove that SVM is fit for the highly variable and high dimensional data.
4. Detection of Attacks in Wireless Networks using Data Mining Techniques
https://iaeme.com/Home/journal/IJM 283 editor@iaeme.com
Data acquired in IDS domain is more complex. So we introduce SVM to the research for
intrusion detection system (IDS). SVM is a classifier which can be store the result in two ways:
partial or true. Generally, SVM is a simplest linear form which is the hyper plane for separating
the positive and negative examples. Support Vector Machine (SVM) Algorithm is specially
used for solving the classification problem. The fundamental concept of SVM is to find decision
surface that separates the best data vectors into two classes for a given problem which is defined
over the vector space. SVM is a simplest linear form; generally it is a hyper plane that separates
the positive examples from the negative example. Figure. 1 shows the hyper plane that separates
the training data by a maximal margin between two classes [19]. All vectors lies on one side of
the hyper plane labeled as +1 and other vectors lies on another side of the hyper plane labeled
as -1. The training objects are lying closest to the hyper plane are called the support vectors
[20].
Figure 1 Linear Support Vector Machine
An advantage of SVM method is that the modeling of the hyper plane only deals with these
support vectors than the whole training dataset, and therefore size of the training dataset is not
usually an issue. A disadvantage is that the algorithm is time consuming for multiclass database
and also it is sensitive to choice of the parameters, making it difficult to use.
4. DATASET DESCRIPTION
The amount of intrusions has detected in any network, and network audit data are abundant as
well as always-dynamic. They are also completely scattered and tries to structure or catalog
audit data are greatly effort-intensive. The model-building algorithms typically need a high
quantity of labeled data for designing the effective intrusion models. One important difficulty
in implementing IDS is the necessary to label method audit data for the algorithms. Misuse-
detection systems need the data has correctly labeled as either ‘normal' or ‘attack.' Whereas for
anomaly-detection systems, the data must be verified to ensure that it is exclusively ‘normal’
namely attack-free. A liberal supporter for the generation of intrusion-detection audit data have
detected in the US administration agency DARPA (Defense Advanced Research Project
Agency, US) promotor and an innovator of technology; this group has funded many schemes
in the last few decades [21][22].
Aware of the shortage of proper audit data sets for intrusion detection, DARPA sets out (1)
to produce an intrusion-detection valuation corpus which could be given by many researchers,
(2) to estimate many intrusion-detection systems, (3) to introduce a comprehensive type of
attacks and (4) to calculate both attack-both false-alarm rates and detection rates for realistic
5. T. Dheepak
https://iaeme.com/Home/journal/IJM 284 editor@iaeme.com
regular traffic. The following are the types of attacks in 1999 DARPA dataset. (a) Denial of
Service, (b) Probing, (c) Remote to Local (R2L), and (d) User to Root (U2R).
Table 1 Description about the DARPA dataset
Feature Name Description
Duration length (number of seconds) of the connection
Protocol_type type of protocol (e.g., TCP, UDP, etc.)
Service network service on the destination, e.g., HTTP, telnet, etc.
Src_bytes the quantity of data bytes from source to destination
Dst_bytes number of data bytes from destination to source
Flag normal or error status of the connection
Land 1 if the connection is from/to the same host/port;
0 otherwise.
Wrong_fragment number of ‘wrong’ fragments
Urgent number of urgent packets
hot Number of ‘hot’' indicators
Num_failed_logins Number of failed login attempts
Logged_in 1 if successfully logged in ; 0 otherwise
Num_compromised Number of ‘compromised’ conditions
Root_shell 1 if root shell has reached; 0 otherwise
Su_attempted 1 if ‘su root’ command attempted; 0 otherwise
Num_root Number of ‘root’ accesses
Num_file_creations Number of file creation operations
Num_shells Number of shell prompts
Num_access_files Number of operations on access control files
Num_outbound_cmds Quantity of outbound commands in an FTP session
Is_hot_login 1 if the login belongs to the ‘hot’ list; 0 otherwise
Is_guest_login 1 if the login is a ‘guest’ login ; 0 otherwise
count number of connections to the same host as the current
connection in the past two seconds
serror_rate % of connections that have ``SYN'' errors
rerror_rate % of connections that have ``REJ'' errors
same_srv_rate % of connections to the same service
diff_srv_rate % of connections to different services
srv_count the number of connections to the identical service as the
current connection in the past two seconds
srv_serror_rate % of connections that have ‘SYN’ errors
srv_rerror_rate % of connections that have ‘REJ’ errors
srv_diff_host_rate % of connections to different hosts
dst_host_count No. of connections to the same host as the current connection
in the past two seconds
dst_host_serror_rate % of connections that have ‘SYN’ errors
dst_host_rerror_rate % of connections that have ‘REJ’ errors
dst_host_same_srv_rate % of connections to the same service
dst_host_diff_srv_rate % of connections to the different services
dst_host_srv_count No. of connections to the same service as the current
connection in the past two seconds
dst_host_srv_serror_rate % of the connections that have “SYN” errors
dst_host_srv_rerror_rate % of the connections that have “REJ” err= 1ors
dst_host_srv_diff_host_ra
te
% of the connections to different hosts
6. Detection of Attacks in Wireless Networks using Data Mining Techniques
https://iaeme.com/Home/journal/IJM 285 editor@iaeme.com
5. RESULT AND DISCUSSION
Artificial Neural Network and Support Vector Machine has implemented in WEKA for the
comparing the attack detection accuracy of the network.
Table 2 Performance analysis of Support Vector Machine and ANN Classification method for attack
detection classification
Performance Metrics Support Vector Machine ANN
Classification Accuracy 93.3333 % 89.3333 %
Kappa statistic 0.7352 0.5272
Mean absolute error 0.0667 0.2314
Root mean squared error 0.2582 0.3267
Relative absolute error 22.9943 % 79.7998 %
Root relative squared error 68.146 % 86.2241 %
Table 3 Detailed Classification Accuracy of Support Vector Machine for DARPA dataset
Class TP rate FP rate Precision Recall F-Measure ROC Area
0 0.654 0.008 0.944 0.654 0.773 0.823
1 0.992 0.346 0.932 0.992 0.961 0.823
Weighted
Average
0.933 0.288 0.934 0.933 0.928 0.823
Table 4 Detailed Classification Accuracy of ANN for DARPA dataset
Class TP rate FP rate Precision Recall F-Measure ROC Area
0 0.423 0.008 0.917 0.423 0.579 0.809
1 0.992 0.577 0.891 0.992 0.939 0.809
Weighted
Average
0.893 0.478 0.896 0.893 0.877 0.809
Figure 1 Performance analysis of the Support Vector Machine and ANN based on Classification
accuracy, Relative Absolute Error and Root Relative Squared Error
7. T. Dheepak
https://iaeme.com/Home/journal/IJM 286 editor@iaeme.com
Figure 2 Performance analysis of the Support Vector Machine and ANN based on Kappa Statistic,
Mean Absolute Error, Root Mean Squared Error
Figure 3 Performance analysis of the Support Vector Machine and ANN based on True Positive Rate,
False Positive Rate, Precision, Recall, F-Measure and ROC Area
6. CONCLUSION
The pre-processing technique has used to remove the irrelevant and redundant features from
the dataset. This methodology has utilized to enhance the prediction accuracy. In this article, a
comparison of the classification technique for attack detection by using Support Vector
Machine and Artificial Neural Network technique are studied. This method has introduced to
remove the irrelevant feature in the IDS dataset for the classification of the network. From the
results obtained it has been proved that the proposed methodology performed better than the
existing feature selection technique in the Intrusion Detection System. And also it improves the
prediction accuracy and reduces the error rates. This minimization of error rates results in the
good classification accuracy.
8. Detection of Attacks in Wireless Networks using Data Mining Techniques
https://iaeme.com/Home/journal/IJM 287 editor@iaeme.com
REFERENCES
[1] T. Singleton, The Top 5 Cybercrimes, 1st ed. AICPA, 220 Leigh Farm Road, Durham:
American Institute of CPAs, 2013.
[2] M. Gercke, Understanding cybercrime phenomina, challenges and lega response. ITU, 2012.
[3] M. Thottan, C. Ji, and F. House, “Anomaly detection in ip networks,” IEEE Transactions on
Signal Processing, vol. 51, no. 8, pp. 2191–2204, 2003.
[4] S. Y. Shahul Kshirsagar, “Intrusion detection systems:a survey and analysis of classification
techniques,” International Journal of Scientific Research Engineering and Technology IJRSET,
vol. 3, no. 4, pp. 742–747, 2014.
[5] S. M. V Jaiganesh and P. Sumathi, “Intrusion detection systems: A survey and analysis of
classification techniques,” International Journal of Advanced Research in Computer and
Communication Engineering, vol. 2, no. 4, pp. 1629–1635, 2013.
[6] S. Hettich and S. B. S.D, “Uci kdd archive,” http://kdd.ics.edu//databases/kddcup99.
[7] J. K. Monowar Bhuyan, D.K. Bhattacharyya, “Network anomaly detection: Methods, systems
and tools,” EEE Communication Surveys and Tutorials, vol. 16, no. 1, pp. 303–336, 2014.
[8] Anomaly Detection and Machine Learning Methods for Network Intrusion Detection: an
Industrially Focused Literature Review, 2016.
[9] T. E. Reda Elbasiony, Elsayed Sallam, “A hybrid network intrusion detection framework based
on random forests and weighted k-means,” Shams Engineering Journal(ASEJ), vol. 4, pp. 753–
762, 2013.
[10] M. R. P. Mrutyunjaya Panda, Ajith Abraham, “A hybrid intelligent approach for network
intrusion detection,” Procedia Engineering, vol. 4, pp. 1–9, 2012.
[11] M. S. Fariba Haddadi, Sara Khanchi and V. Derhami, “Intrusion detection and attack
classification using feed-forward neural network,” in Second International Conference on
Computer and Network Technology, 2010.
[12] G. A. Haidar and C. Boustany, “High perception intrusion detection system using neural
networks,” 2015.
[13] A. B. V Chandola and V. K. V, “Anomaly detection: A survey,” ACM Comput. Surv., pp. 15–
58, 2009.
[14] Statistical Data Mining Tutorials. elf-aware services: Using bayesian networks for detecting
anomalies in Internet-based services, 2001.
[15] A. A. Imam Riadi, Jazi Eko, “Log analysis techniques using clustering in network forensics,”
International Journal of Computer Science and Information Security(IJCSIS), vol. 10, no. 7,
pp. 303–336, 2012.
[16] Y. Tsuruoka and J. Tsujii, “Training a naive bayes classifier via the em algorithm with a class
distribution constraint,” CONLL ’03 Proceedings of the seventh conference on Natural
language learning at HLT-NAACL, vol. 4, pp. 127–134, 2003.
[17] V. Vapnik, “ The Nature of Statistical Learning Theory”, Springer- Verlag, New York, 1995.
9. T. Dheepak
https://iaeme.com/Home/journal/IJM 288 editor@iaeme.com
[18] Pang-Ning Tan, M. Steinbach, and V. Kumar, “Data Mining Addison Wesley”, London, 2006.
[19] Inderjit S. Dhillon, Subramanyam Mallela and Rahul Kumar, “Enhanced Word Clustering for
Hierarchical Text Classification”, University of Texas at Austin, 2002.
[20] Santosh Kumar Sahu, “A Detail Analysis on Intrusion Detection Datasets”, IEEE International
Advance Computing Conference (IACC), pp.1348-1353, 2014.
[21] Zibusiso Dewa and Leandros A. Maglaras, “Data Mining and Intrusion Detection Systems”,
(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 7, No.
1, pp. 62-71, 2016.