This document presents a new intrusion detection system (IDS) alert management system that uses learning vector quantization (LVQ) to classify IDS alerts. The proposed system takes in alerts generated by Snort from the DARPA 98 dataset, normalizes and filters the alerts, then trains an LVQ neural network on labeled alert data. The trained LVQ model is used to classify new alerts as either true positives or false positives. The system is shown to achieve a high classification accuracy of 88.75% and a false positive reduction rate of 88.27%, while taking only 0.000018 seconds on average to classify each alert. This makes the system suitable for active alert management, where alerts need to be classified in real time.
Nowadays there are several security tools that are used to protect computer systems, computer networks, smart devices, etc. against attackers. An intrusion detection system is one of the tools used to detect attacks. Intrusion detection systems produce a large number of alerts, so security experts cannot investigate the important alerts, and many of those alerts are incorrect or false positives. Alert management systems are a set of approaches used to solve this problem. In this paper a new alert management system is presented. It uses K-nearest neighbor as the core component of the system that classifies generated alerts. The suggested system gives precise results against a huge number of generated alerts. Because of the low classification time per alert, the system could also be used in online systems.
Managing Intrusion Detection Alerts Using Support Vector Machines (CSCJournals)
In the computer network world, intrusion detection systems (IDS) are used to identify attacks against computer systems. They produce security alerts when an attack is carried out by an intruder. Since IDSs generate a high volume of security alerts, analyzing them is time consuming and error prone. To solve this problem, IDS alert management techniques have been introduced. They manage generated alerts and handle true positive and false positive alerts. In this paper a new alert management system is presented. It uses a support vector machine (SVM) as the core component of the system that classifies generated alerts. The proposed algorithm achieves highly accurate results in false positive reduction and in identifying the type of true positives. Because of the low classification time per alert, the system could also be used in active alert management systems.
False positive reduction by combining SVM and KNN algo (eSAT Journals)
Abstract
With the growth of information technology, many intrusion detection problems have emerged, such as cyber security. An intrusion detection system provides the basic infrastructure to detect a number of attacks. This research work focuses on the intrusion detection problem of network security. The main goal is to classify network behaviour as normal or abnormal. In this research work, two different machine learning algorithms have been combined to reduce their weaknesses and take the positive features of both algorithms. The experimental results are better than those of other algorithms in terms of performance, accuracy and false positive rate. The combined algorithm has been applied to the KDDCUP99 dataset to obtain better results by improving its performance and accuracy and reducing its false positive rate.
Keywords: Intrusion detection system, KDDCUP99 dataset, False positive rate.
Machine learning in network security using KNIME analytics (IJNSA Journal)
Machine learning has more and more effect on our everyday life. This field keeps growing and expanding into new areas. Machine learning is based on the implementation of artificial intelligence that gives systems the capability to automatically learn and improve from experience without being explicitly programmed. Machine learning algorithms apply mathematical equations to analyze datasets and predict values based on the dataset. In the field of cybersecurity, machine learning algorithms can be utilized to train and analyze intrusion detection systems (IDSs) on security-related datasets. In this paper, we tested different machine learning algorithms to analyze the NSL-KDD dataset using KNIME analytics.
An approach for IDS by combining SVM and ant colony algorithm (eSAT Journals)
Abstract
This piece of work researches the intrusion detection problem of network security; the primary task is to classify network behavior as normal or abnormal while reducing misclassification. In this paper, two efficient data mining algorithms are combined to detect network intrusions. Combining SVM and Ant Colony (CSVAC) is used for well-organized data classification; this technique takes advantage of both algorithms while avoiding their weaknesses. This algorithm is implemented and evaluated using the standard benchmark KDDCUP99 data set. Experimental results show that it produces superior results to the other algorithm in terms of accuracy rate and run time efficiency, and this algorithm is able to detect new types of attacks.
Keywords: Intrusion Detection; Support Vector Machine; Ant colony; Combined Support vector with ant colony
IJRET: International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academicians, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
Online Intrusion Alert Aggregation with Generative Data Stream Modeling (IJMER)
Online intrusion alert aggregation with generative data stream modeling is an approach which uses generative modeling. It also uses probabilistic methods. It is assumed that the instances of an attack are similar, as a process, to a random process which produces alerts. This paper aims at collecting and modeling these attacks on some similar parameters, so that an attack from beginning to completion can be identified. The collected and modeled alerts are given to security personnel to draw conclusions and take appropriate action. With some data sets, we show that it is easy to reduce the number of alerts and that the count of missing meta alerts is also extremely low. We also demonstrate that meta alerts are generated with a delay of only a few seconds after the first alert is produced.
Survey of network anomaly detection using Markov chain (ijcseit)
Recently internet threats have increased. Our motive is to detect intrusions in the network concisely. Real-time issues such as DoS attacks on banking, companies, industries and organizations have increased significantly, and IDS has been used on both the server and host side. The major challenge is to effectively predict the periods of threats and protect the server from unauthorized users. In this study, a novel probabilistic approach is proposed to effectively detect network intrusions. It uses a Markov chain for probabilistic modelling of abnormal events in network systems. The degree of abnormality of the incoming data is determined on the basis of the network states.
Owing to the spread of the Internet and local networks, intrusion incidents against computer systems are increasing. Intrusion detection systems are becoming progressively vital in maintaining appropriate network safety. An IDS is a software or hardware device that deals with attacks by gathering information from numerous system and network sources, then evaluating them for signs of security problems. Enterprise networked systems are unsurprisingly exposed to the growing threats posed by hackers as well as malicious users inside a network. IDS technology is one of the significant tools used nowadays to counter such threats. In this research we have proposed a framework in which, by using advanced feature selection and dimensionality reduction techniques, we can reduce the IDS data and then, by applying a Fuzzy ARTMAP classifier, find intrusions, so that we get accurate results in less time. Feature selection is an active research area in decreasing dimensionality, eliminating unrelated data, improving learning accuracy, and improving result comprehensibility.
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL... (ijcsit)
Intrusion Detection Systems (IDS) have been an effective way to achieve higher security by detecting malicious activities for the past couple of years. Anomaly detection is one kind of intrusion detection system. Current anomaly detection is often associated with high false alarm rates and only moderate accuracy and detection rates because it is unable to detect all types of attacks correctly. An experiment is carried out to evaluate the performance of different machine learning algorithms using the KDD-99 Cup and NSL-KDD datasets. The results show which approach has performed better in terms of accuracy and detection rate with a reasonable false alarm rate.
Wmn06 MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM (ijwmn)
Communication networks are essential, and they create many crucial issues today. Nowadays, we consider firewalls to be the first line of defense, but their policies cannot meet the particular requirements of the processes needed to achieve security. Much research has been done in this area, but we are lagging in meeting security needs. Many models such as ADAM, DHP, LERAD and ENTROPY have already been proposed to resolve security problems, but we need an efficient model to detect new types of intrusions within the entire network. In this paper, we propose to design a modernized intrusion detection system which consists of two methods, anomaly and misuse detection. Both are integrated and used to detect novel attacks. Our system proposes to discover temporal patterns of attacker behaviors, which are profiled using the EAA (Enhanced Apriori Algorithm). This is experimented with a simple interface to display the behaviors of attacks effectively.
DETECTING NETWORK ANOMALIES USING CUSUM and FCM (Editor IJMTER)
Network intrusion detection techniques are important to protect our systems and networks from malicious behaviors. However, traditional network intrusion prevention such as firewalls, user authentication and data encryption have failed to completely protect networks and systems from the increasing and sophisticated attacks and malware. Two anomaly detection techniques, CUSUM and clustering, are used to find network anomalies. CUSUM detects changes based on the cumulative effect of the changes made in the random sequence instead of using a single threshold to check every variable. It involves calculating a cumulative sum and determining whether a packet is normal or not. The FCM algorithm employs fuzzy partitioning such that a data point can belong to all groups with different membership grades. Together, CUSUM and FCM make a good technique for detecting network anomalies with a very low false alarm rate.
A Survey On Genetic Algorithm For Intrusion Detection System (IJARIIE JOURNAL)
The Internet has become a part of daily life and an essential tool today. The Internet has been used as an important component of business models. Therefore, it is very important to maintain a high level of security to ensure safe and trusted communication of information between various organizations.
Intrusion detection systems have become a necessary component of computer and network security. Intrusion detection is one of the important security constraints for maintaining the integrity of information. Intrusion detection systems are the tools used for prevention and detection of threats to computer systems. Various approaches have been applied in the past that are less effective at curbing the menace of intrusion.
In this paper, a survey on applications of genetic algorithms in intrusion detection systems is carried out.
A BAYESIAN CLASSIFICATION ON ASSET VULNERABILITY FOR REAL TIME REDUCTION OF F... (IJNSA Journal)
IT assets connected to the internet will encounter alien protocols, and a few parameters of the protocol process are exposed as vulnerabilities. Intrusion Detection Systems (IDS) are installed to alert on suspicious traffic or activity. An IDS issues false positive alerts if any behavior is construed as a partial attack pattern or the IDS lacks environment knowledge. Continuous monitoring of alerts to evaluate whether an alert is a false positive or not is a major concern. In this paper we present the design of an external module to the IDS to identify false positive alerts based on an anomaly-based adaptive learning model. The novel feature of this design is that the system updates the behavior profile of assets and the environment with an adaptive learning process. A mixture model is used for behavior modeling from reference data. The design of the detection and learning process is based on normal behavior and on the environment. The anomaly alert identification algorithm is built on Sparse Markov Transducers (SMT) based probability. The total process is presented using real-time data. The experimental results are validated and presented with reference to a lab environment.
Evaluation of network intrusion detection using Markov chain (IJCI JOURNAL)
In day-to-day life internet threats have increased significantly. There is a need to develop a model in order to maintain the security of systems. The most effective technique is the Intrusion Detection System (IDS). The purpose of an intrusion system is to detect intrusions through security devices and deal with them. In this paper, a mathematical approach is used to effectively predict and detect intrusions in the network. Here we discuss two algorithms, ‘K-Means + Apriori’, a method which classifies normal and abnormal activities in a computer network. In the K-Means process, it partitions the training set into K clusters using Euclidean distance and introduces an outlier factor; then it builds the Apriori algorithm to prune the data by removing infrequent data from the database. Based on the defined states, the degree of incoming data is evaluated through an experiment using a sample of the DARPA2000 dataset, and achieves high detection performance in the level of attack in stages.
A New System for Clustering and Classification of Intrusion Detection System ... (CSCJournals)
Intrusion Detection Systems (IDS) allow organizations to protect the systems they use against threats that emerge as network connectivity increases. The main drawbacks of IDS are the number of generated alerts and failures. Using a Self-Organizing Map (SOM), a system is proposed that is able to classify IDS alerts and reduce false positive alerts. Some alert filtering and cluster merging algorithms are also introduced to improve the accuracy of the proposed system. The experimental results on DARPA KDD Cup 98 show that the system is able to cluster and classify alerts and reduces false positive alerts considerably.
STANDARDISATION AND CLASSIFICATION OF ALERTS GENERATED BY INTRUSION DETECTION... (IJCI JOURNAL)
Intrusion detection systems are the most popular defence mechanisms used to provide security to IT infrastructures. Organisations need the best performance, so they use multiple IDSs from different vendors. Different vendors use different formats and protocols. The difficulty imposed by this is the generation of several false alarms. A major part of this work concentrates on the collection of alerts from different intrusion detection systems to represent them in the IDMEF (Intrusion Detection Message Exchange Format) format. Alerts were collected from intrusion detection systems like Snort, OSSEC, Suricata, etc. Later, classification is attempted using a machine learning technique, which helps to mitigate the generation of false positives.
Optimizing cybersecurity incident response decisions using deep reinforcemen... (IJECEIAES)
The main purpose of this paper is to explore and investigate the role of deep reinforcement learning (DRL) in optimizing the post-alert incident response process in security incident and event management (SIEM) systems. Although machine learning is used at multiple levels of SIEM systems, the last mile decision process is often ignored. Few papers have reported efforts regarding the use of DRL to improve the post-alert decision and incident response processes. All the reported efforts applied only shallow (traditional) machine learning approaches to solve the problem. This paper explores the possibility of solving the problem using DRL approaches. The main attraction of DRL models is their ability to make accurate decisions based on live streams of data without the need for prior training, and they have proved to be very successful in other fields of application. Using standard datasets, a number of experiments have been conducted using different DRL configurations. The results showed that DRL models can provide highly accurate decisions without the need for prior training.
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane) (IJARIIE JOURNAL)
Around 160 million hectares of unused land are available in India. India is the world’s largest producer of castor oil, producing over 75% of the total world supply. There are over a hundred companies in India, small and medium, that are in castor oil production, producing a variety of the basic grades of castor oil. All the above factors make it imperative that the Indian industry relooks at the castor oil sector in order to devise suitable strategies to derive the most benefit from such an attractive confluence of factors. Castor oil is unique owing to its exceptional diversity of application. The oil and its derivatives are used in over 100 different applications in diverse industries such as paints, lubricants, pharma, cosmetics, paper, rubber and more. Recent developments have successfully derived polyol from natural oils and synthesized a range of PU products from them. However, making a flexible solution from natural oil polyol is still proving challenging. The goal of this thesis is to understand the potential and the limitations of natural oil as an alternative to petroleum polyol. An initial attempt to understand natural oil polyol showed that a flexible solution could be synthesized from castor oil, which produced a rigid solution. Characterization results indicate that the glass transition temperature (Tg) was the predominant factor that determines the rigidity of the solution. The high Tg of the solution was attributed to the low number of covalent bonds between cross linkers.
Optimizing cybersecurity incident response decisions using deep reinforcemen...IJECEIAES
The main purpose of this paper is to explore and investigate the role of deep reinforcement learning (DRL) in optimizing the post-alert incident response process in security incident and event management (SIEM) systems. Although machine learning is used at multiple levels of SIEM systems, the last mile decision process is often ignored. Few papers reported efforts regarding the use of DRL to improve the post-alert decision and incident response processes. All the reported efforts applied only shallow (traditional) machine learning approaches to solve the problem. This paper explores the possibility of solving the problem using DRL approaches. The main attraction of DRL models is their ability to make accurate decisions based on live streams of data without the need for prior training, and they proved to be very successful in other fields of applications. Using standard datasets, a number of experiments have been conducted using different DRL configurations The results showed that DRL models can provide highly accurate decisions without the need for prior training.
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)IJARIIE JOURNAL
Around 160 million hector unused is available in India. India is the world’s largest producer of castor oil,
producing over 75% of the total world’s supply. There are over a hundred companies in India-small and
medium-that are into castor oil production, producing a variety of the basic grades o castor oil. All the above
factors make it imperative that the India industry relooks at the castor oil sector in order to devise suitable
strategies to derive the most benefits from such an attractive confluence of factors. Castor oil is unique owing to
its exceptional diversity of application. The oil and its derivatives are used in over 100 different applications in
diverse industries such as paints, lubricants, pharma, cosmetics, paper, rubber and more. Recent developments
have successfully derived polyol from natural oils and synthesized range of PU product from them. However,
making flexible solution from natural oil polyol is still proving challenging. The goal of this thesis is to
understand the potentials and the limitations of natural oil as an alternative to petroleum polyol. An initial
attempt to understand natural oil polyol showed that flexible solution could be synthesized from castor oil,
which produced a rigid solution. Characterization results indicate that the glass transition temperature (Tg) was
the predominant factor that determines the rigidity of the solution. The high Tg of solution was attributed to the
low number of covalent bond between cross linkers.
FORTIFICATION OF HYBRID INTRUSION DETECTION SYSTEM USING VARIANTS OF NEURAL ...IJNSA Journal
Intrusion Detection Systems (IDS) form a key part of system defence, where it identifies abnormal
activities happening in a computer system. In recent years different soft computing based techniques have
been proposed for the development of IDS. On the other hand, intrusion detection is not yet a perfect
technology. This has provided an opportunity for data mining to make quite a lot of important
contributions in the field of intrusion detection. In this paper we have proposed a new hybrid technique
by utilizing data mining techniques such as fuzzy C means clustering, Fuzzy neural network / Neurofuzzy and radial basis function(RBF) SVM for fortification of the intrusion detection system. The
proposed technique has five major steps in which, first step is to perform the relevance analysis, and then
input data is clustered using Fuzzy C-means clustering. After that, neuro-fuzzy is trained, such that each
of the data point is trained with the corresponding neuro-fuzzy classifier associated with the cluster.
Subsequently, a vector for SVM classification is formed and in the last step, classification using RBF-
SVM is performed to detect intrusion has happened or not. Data set used is the KDD cup 1999 dataset
and we have used precision, recall, F-measure and accuracy as the evaluation metrics parameters. Our
technique could achieve better accuracy for all types of intrusions. The results of proposed technique are
compared with the other existing techniques. These comparisons proved the effectiveness of our
technique.
Articles - International Journal of Network Security & Its Applications (IJNSA)IJNSA Journal
International Journal of Network Security & Its Applications (IJNSA) is a bi monthly open access peer-reviewed journal that publishes articles which contribute new results in all areas of the computer Network Security & its applications. The journal focuses on all technical and practical aspects of security and its applications for wired and wireless networks. The goal of this journal is to bring together researchers and practitioners from academia and industry to focus on understanding Modern security threats and countermeasures, and establishing new collaborations in these areas.
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMSieijjournal
An intrusion detection system detects various malicious behaviors and abnormal activities that might harm
security and trust of computer system. IDS operate either on host or network level via utilizing anomaly
detection or misuse detection. Main problem is to correctly detect intruder attack against computer
network. The key point of successful detection of intrusion is choice of proper features. To resolve the
problems of IDS scheme this research work propose “an improved method to detect intrusion using
machine learning algorithms”. In our paper we use KDDCUP 99 dataset to analyze efficiency of intrusion
detection with different machine learning algorithms like Bayes, NaiveBayes, J48, J48Graft and Random
forest. To identify network based IDS with KDDCUP 99 dataset, experimental results shows that the three
algorithms J48, J48Graft and Random forest gives much better results than other machine learning
algorithms. We use WEKA to check the accuracy of classified dataset via our proposed method. We have
considered all the parameter for computation of result i.e. precision, recall, F – measure and ROC.
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMSieijjournal1
An intrusion detection system detects various malicious behaviors and abnormal activities that might harm
security and trust of computer system. IDS operate either on host or network level via utilizing anomaly
detection or misuse detection. Main problem is to correctly detect intruder attack against computer
network. The key point of successful detection of intrusion is choice of proper features. To resolve the
problems of IDS scheme this research work propose “an improved method to detect intrusion using
machine learning algorithms”. In our paper we use KDDCUP 99 dataset to analyze efficiency of intrusion
detection with different machine learning algorithms like Bayes, NaiveBayes, J48, J48Graft and Random
forest. To identify network based IDS with KDDCUP 99 dataset, experimental results shows that the three
algorithms J48, J48Graft and Random forest gives much better results than other machine learning
algorithms. We use WEKA to check the accuracy of classified dataset via our proposed method. We have
considered all the parameter for computation of result i.e. precision, recall, F – measure and ROC.
SURVEY OF NETWORK ANOMALY DETECTION USING MARKOV CHAINijcseit
Recently an internet threat has been increased. Our motive is detect the intrusion in the network in concise.
The real time issue such as DoS attack in banking, companies, industries and organization have been
increased significantly IDS has been used in both server and host side. The major challenge is to effectively
predict the periods of threats and protect the server from the unauthorized user. In this study, a novel
probabilistic approach is proposed effectively to detect the network intrusions. It uses a Markov chain for
probabilistic modelling of abnormal events in network systems. The degree of abnormality of the incoming
data is performed on the basis of the network states.
International Journal of Computer Science, Engineering and Information Techno...ijcseit
Recently an internet threat has been increased. Our motive is detect the intrusion in the network in concise.
The real time issue such as DoS attack in banking, companies, industries and organization have been
increased significantly IDS has been used in both server and host side. The major challenge is to effectively
predict the periods of threats and protect the server from the unauthorized user. In this study, a novel
probabilistic approach is proposed effectively to detect the network intrusions. It uses a Markov chain for
probabilistic modelling of abnormal events in network systems. The degree of abnormality of the incoming
data is performed on the basis of the network states.
COMPUTER INTRUSION DETECTION BY TWOOBJECTIVE FUZZY GENETIC ALGORITHMcscpconf
The purpose of this paper is to describe two objective fuzzy genetics-based learning algorithms
and discusses its usage to detect intrusion in a computer network. Experiments were performed
with KDD-cup data set, which have information on computer networks, during normal behavior
and intrusive behavior. The performance of final fuzzy classification system has been
investigated using intrusion detection problem as a high dimensional classification problem.
This task is formulated as optimization problem with two objectives: To minimize the number of
fuzzy rules and to maximize the classification rate. We show a two-objective genetic algorithm
for finding non-dominated solutions of the fuzzy rule selection problem
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...IJNSA Journal
Over the past few years, intrusion protection systems have drawn a mature research area in the field of computer networks. The problem of excessive features has a significant impact on
intrusion detection performance. The use of machine learning algorithms in many previous researches has been used to identify network traffic, harmful or normal. Therefore, to obtain the accuracy, we must reduce the dimensionality of the data used. A new model design based on a combination of feature selection and machine learning algorithms is proposed in this paper. This model depends on selected genes from every feature to increase the accuracy of intrusion detection systems. We selected from features content only ones which impact in attack detection. The performance has been evaluated based on a comparison of several known algorithms. The NSL-KDD dataset is used for examining classification. The proposed model outperformed the other learning approaches with accuracy 98.8 %.
An intrusion detection system (IDS) is an ad hoc security solution to protect flawed computer systems. It works
like a burglar alarm that goes off if someone tampers with or manages to get past other security mechanisms
such as authentication mechanisms and firewalls. An Intrusion Detection System (IDS) is a device or a software
application that monitors network or system activities for malicious activities or policy violations and produces
reports to a management station.Intrusion Detection System (IDS) has been used as a vital instrument in
defending the network from this malicious or abnormal activity..In this paper we are comparing host based and
network based IDS and various types of attacks possible on IDS.
Adapting New Data In Intrusion Detection SystemsCSCJournals
Most of the introduced anomaly intrusion detection system (IDS) methods focus on achieving better detection rates and lower false alarm rates. However, when it comes to real-time applications many additional issues come into the picture. One of them is the training datasets that are continuously becoming outdated. It is vital to use an up-to-date dataset while training the system. But the trained system will become insufficient if network behaviors change. As well known, frequent alteration is in the nature of computer networks. On the other hand it is costly to continually collect and label datasets while frequently training the system from scratch and discarding old knowledge is a waste. To overcome this problem, we propose the use of transfer learning which benefits from the previous gained knowledge. The carried out experiments stated that transfer learning helps to utilize previously obtained knowledge, improves the detection rate and reduces the need to recollect the whole dataset.
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
Honest Reviews of Tim Han LMA Course Program.pptxtimhan337
Personal development courses are widely available today, with each one promising life-changing outcomes. Tim Han’s Life Mastery Achievers (LMA) Course has drawn a lot of interest. In addition to offering my frank assessment of Success Insider’s LMA Course, this piece examines the course’s effects via a variety of Tim Han LMA course reviews and Success Insider comments.
Normal Labour/ Stages of Labour/ Mechanism of LabourWasim Ak
Normal labor is also termed spontaneous labor, defined as the natural physiological process through which the fetus, placenta, and membranes are expelled from the uterus through the birth canal at term (37 to 42 weeks
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
A Strategic Approach: GenAI in EducationPeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
Embracing GenAI - A Strategic ImperativePeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
Digital Tools and AI for Teaching Learning and Research
Using Learning Vector Quantization in IDS Alert Management System
Amir Azimi Alasti Ahrabi, Kaveh Feyzi, Zahra Atashbar Orang, Hadi Bahrbegi & Elnaz Safarzadeh
International Journal of Computer Science and Security, (IJCSS), Volume (6) : Issue (2) : 2012 128
Using Learning Vector Quantization in Alert Management of Intrusion Detection System
Amir Azimi Alasti Ahrabi amir.azimi.alasti@gmail.com
Department of Computer
Islamic Azad University, Shabestar Branch
Shabestar, East Azerbaijan, Iran
Kaveh Feyzi kavehfeizi@gmail.com
Department of Computer
Ataturk University
Erzurum, Turkey
Zahra Atashbar Orang atashbarorang_z@yahoo.com
Department of Computer
Islamic Azad University, Tabriz Branch
Tabriz, East Azerbaijan, Iran
Hadi Bahrbegi hadi.bahrbegi@gmail.com
Department of Computer
Islamic Azad University, Shabestar Branch
Shabestar, East Azerbaijan, Iran
Elnaz Safarzadeh elnaz_safarzadeh@yahoo.com
Department of Computer
Islamic Azad University, Shabestar Branch
Shabestar, East Azerbaijan, Iran
Abstract
An intrusion detection system (IDS) produces security alerts to discover attacks against
protected networks and/or computer systems. IDSs generate a high volume of security alerts, and
analyzing these alerts by a security expert is time consuming and error prone. IDS alert
management systems are used to manage the generated alerts and to classify them into true
positive and false positive alerts. This paper presents an IDS alert management system that uses
the learning vector quantization technique to classify generated alerts. Because of its low
classification time per alert, the system can also be used in active alert management systems.
Keywords: IDS, Alert Management, Learning Vector Quantization, Alert Classification, True Positive and
False Positive Classification.
1. INTRODUCTION
An intrusion detection system (IDS) inspects all inbound and outbound network activity or
computer system events and identifies suspicious patterns that may indicate a network or system
attack by someone attempting to break into or compromise a system [1]. IDSs produce many
alerts each day, and many of them are false positive alerts. The large number of false positive
alerts crowds out and hides true positive alerts from security experts. Also, separating true
positives from false positives is time consuming and error prone; therefore IDS alert management
systems are introduced to manage generated IDS alerts. IDSs can be used as active or passive. In
passive usage, the IDS analyzes traffic or events in offline mode, whereas active IDSs work in online
mode. To manage alerts concurrently with alert generation, active alert management systems
are used. Active alert management systems work in online mode, like active IDSs. These
types of alert management systems must keep alert analysis time small to be usable in
online mode. Some of the problems of IDSs are the huge number of generated alerts and the high rate of
false positive alerts among them. Also, most alert management systems are slow.
In this paper the authors extend their previous work and propose a new alert management system
using Learning Vector Quantization (LVQ) [2]. It classifies the generated alerts by their
attack type, detects false positive alerts, and classifies fast enough to keep pace with alert
generation in IDSs. The proposed system reuses some techniques of the previous work [3],
such as alert filtering and alert preprocessing, to improve the accuracy of the results.
In Section 1 the alert management system is introduced. Section 2 reviews related works, Section
3 explains the suggested alert management system and describes all components of the proposed
system, the experimental results are shown in Section 4, and finally Section 5 gives the conclusion and
future works.
2. RELATED WORKS
Alert management systems use various methods and techniques. Clustering and classification of
alerts is one of these techniques. A method of clustering based on root causes is proposed by K.
Julisch [4], which clusters IDS alerts by discovering the main cause of their occurrence. He shows
that a small number of root causes account for 90% of alerts. By removing alerts related to these root
causes, the total number of alerts comes down to 82%. The system uses information about the underlying
network, so it is not portable, which is a disadvantage of the algorithm.
Three artificial intelligence techniques with some dimension reduction techniques are used in [5] to
cluster IDS alerts generated from the DARPA 2000 dataset, and the produced results are
compared. The problems of that system are that raw alerts are entered into the algorithms without
preprocessing and that the system is not tuned. Cuppens proposed another method that uses an expert system
to make decisions [8, 16]. In [6, 7] two genetic clustering algorithms, named Genetic
Algorithm (GA) and Immune based Genetic Algorithm (IGA), are used to manage IDS alerts. Their
proposed methods depend on underlying network information, the same as the method proposed by
Julisch.
Wespi et al. [17] design a system that aggregates alerts by placing them in situations.
Situations are sets of special alerts. To construct a situation, the source, destination and attack class
attributes of alerts are used.
The authors of this paper have proposed a system that manages alerts generated from the DARPA 98 dataset
[3]. Some algorithms such as alert filtering, alert preprocessing and cluster merging are used in
the system. The main unit of the system is the cluster/classify unit, which uses Self-Organizing Maps
(SOM) [2] to cluster and classify IDS alerts. The results of [3] show that SOM was able to cluster and
classify true positive and false positive alerts more accurately than other techniques.
In another work, the authors developed an alert management system [9] similar to [3]. That
work explains the use of seven genetic clustering algorithms, named Genetic Algorithm (GA) [18], Genetic
K-means Algorithm (GKA) [19], Improved Genetic Algorithm (IGA) [20], Fast Genetic K-means
Algorithm (FGKA) [21], Genetic Fuzzy C-means Algorithm (GFCMA) [22], Genetic Possibilistic C-
Means Algorithm (GPCMA) [9] and Genetic Fuzzy Possibilistic C-Means Algorithm (GFPCMA) [9],
to cluster and classify true positive and false positive alerts. After clustering the alerts, the
system prioritizes the produced clusters with a Fuzzy Inference System [9].
In this paper an alert management system based on the system proposed by the authors in [3] is
presented; it uses LVQ as the tool to classify input alert vectors. The purpose of this paper is to evaluate
another type of Kohonen network, named LVQ [2], in the alert management field. The system
is able to improve the accuracy of the results and also to reduce the number of false positive alerts.
3. USING LVQ IN ALERT MANAGEMENT SYSTEM
The proposed system is shown in Figure 1. In this paper we use the binary traffic files of a network,
named the DARPA 98 dataset [10], instead of real network traffic. The Snort tool [11] is used to produce
alerts from the DARPA 98 network traffic. Snort is an open source signature based IDS which
reads the DARPA 98 traffic and then generates alert log files [3]. After the alert log files are generated
with Snort, these files are entered into the proposed system as its input.
FIGURE 1: Proposed alert management system.
3.1 Labeling Unit
The labeling unit takes the alerts generated by Snort and the tcpdump.list files of the DARPA 98 dataset and
then generates labeled alerts, where each alert carries its own attack type. The tcpdump.list files contain
information about all packets in the DARPA 98 dataset. These labels are used to train the LVQ and to
evaluate its results [3, 9].
3.2 Normalization and Filtering Unit
In this phase the accepted attack types are entered into the unit and only alerts that belong to one of
these attack types are selected [3, 9, 12]. This unit uses eight attributes of an alert to filter alerts; these
attributes are: Signature ID, Signature Rev, Source IP, Destination IP, Source Port, Destination
Port, Datagram length and Protocol [13].
3.3 Preprocessing Unit
The preprocessing unit converts the string values of alert attributes to numerical data. It also reduces
the range of attribute values and converts alerts to data vectors, using (1), (2) and (3).
$$IP = X_1.X_2.X_3.X_4, \qquad IP\_VAL = (((X_1 \times 255) + X_2) \times 255 + X_3) \times 255 + X_4 \qquad (1)$$

$$protocol\_val = \begin{cases} 0, & protocol = None \\ 4, & protocol = ICMP \\ 10, & protocol = TCP \\ 17, & protocol = UDP \end{cases} \qquad (2)$$

$$IUR = \frac{x - x_{min}}{x_{max} - x_{min}} \times 0.8 + 0.1 \qquad (3)$$
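The preprocessing unit, with equations (1), (2) and (3) applied to the eight attributes of Section 3.2, as an added Python example that is not the paper's own code; the attribute key names, the treatment of unknown protocol names and constant attributes, and the sample alerts are my assumptions and constructions.

```python
"""Preprocessing unit (Section 3.3) for the eight alert attributes of Section 3.2.
Added example, not the paper's own code: equation (1) maps an IP to a number,
(2) maps the protocol name to a code, (3) scales each attribute to [0.1, 0.9]."""
from typing import Dict, List, Sequence

# Equation (2): protocol name -> numeric code (an unrecognised name is treated
# as None, i.e. 0; the paper does not say what it does with unknown names).
PROTOCOL_VAL: Dict[str, int] = {"NONE": 0, "ICMP": 4, "TCP": 10, "UDP": 17}

# Vector layout: the eight attributes in the order Section 3.2 lists them
# (key names are this example's choice, not the paper's).
ATTRIBUTES = ("sig_id", "sig_rev", "src_ip", "dst_ip",
              "src_port", "dst_port", "dgm_len", "protocol")


def ip_val(ip: str) -> int:
    """Equation (1): IP = X1.X2.X3.X4 -> (((X1 * 255) + X2) * 255 + X3) * 255 + X4.
    The paper multiplies by 255 rather than 256, so distinct addresses can
    collide (0.1.0.0 and 0.0.255.0 both give 65025); a radix of 256 would be
    one-to-one. Kept here exactly as the paper states it."""
    octets = [int(p) for p in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    x1, x2, x3, x4 = octets
    return (((x1 * 255) + x2) * 255 + x3) * 255 + x4


def protocol_val(name: str) -> int:
    """Equation (2)."""
    return PROTOCOL_VAL.get(name.upper(), PROTOCOL_VAL["NONE"])


def raw_vector(alert: Dict[str, object]) -> List[float]:
    """First step of the unit: every string attribute becomes a number."""
    return [
        float(alert["sig_id"]), float(alert["sig_rev"]),
        float(ip_val(str(alert["src_ip"]))), float(ip_val(str(alert["dst_ip"]))),
        float(alert["src_port"]), float(alert["dst_port"]),
        float(alert["dgm_len"]), float(protocol_val(str(alert["protocol"]))),
    ]


def iur(x: float, x_min: float, x_max: float) -> float:
    """Equation (3): IUR = (x - x_min) / (x_max - x_min) * 0.8 + 0.1, so every
    attribute lands in [0.1, 0.9]. A constant attribute (x_max == x_min) is
    mapped to the midpoint 0.5 (assumption; the paper does not cover this)."""
    if x_max == x_min:
        return 0.5
    return (x - x_min) / (x_max - x_min) * 0.8 + 0.1


def preprocess(alerts: Sequence[Dict[str, object]]) -> List[List[float]]:
    """Whole unit: numeric conversion, then per-attribute range reduction with
    the min and max observed over the given alert set (assumption; the paper
    does not say whether min/max come from the training set or from all alerts)."""
    raw = [raw_vector(a) for a in alerts]
    mins = [min(col) for col in zip(*raw)]
    maxs = [max(col) for col in zip(*raw)]
    return [[iur(v, mins[i], maxs[i]) for i, v in enumerate(vec)] for vec in raw]


# Constructed sample alerts (not DARPA 98 data); values are illustrative only.
SAMPLE_ALERTS = [
    {"sig_id": 1, "sig_rev": 1, "src_ip": "192.168.1.10", "dst_ip": "10.0.0.5",
     "src_port": 1234, "dst_port": 80, "dgm_len": 60, "protocol": "TCP"},
    {"sig_id": 2, "sig_rev": 3, "src_ip": "192.168.1.11", "dst_ip": "10.0.0.5",
     "src_port": 0, "dst_port": 0, "dgm_len": 1500, "protocol": "ICMP"},
    {"sig_id": 3, "sig_rev": 2, "src_ip": "172.16.0.1", "dst_ip": "10.0.0.7",
     "src_port": 53, "dst_port": 5353, "dgm_len": 120, "protocol": "UDP"},
]

if __name__ == "__main__":
    for name, vec in zip(("TCP alert", "ICMP alert", "UDP alert"),
                         preprocess(SAMPLE_ALERTS)):
        print(name, [round(v, 3) for v in vec])
```

Note that with the paper's multiplier of 255 in (1), two different addresses can map to the same number, so the Source IP and Destination IP attributes are not guaranteed to separate all hosts.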
3.4 LVQ Training and Classification Unit
In this unit we use LVQ as a classifier. The LVQ is first trained with the training dataset and then
receives the test dataset to classify.
• Learning Vector Quantization
LVQ is a special artificial neural network; it applies a winner-take-all Hebbian learning-based
approach. LVQ was invented by Teuvo Kohonen. It is a forerunner of SOM and is related to Neural
gas and to the k-Nearest Neighbor algorithm (k-NN) [2].
An LVQ system is represented by prototypes W=(w(i),...,w(n)) which are defined in the feature
space of the data vectors. In winner-take-all training algorithms, for each input data vector the
prototype closest to it according to a given distance measure is determined.
The position of this so-called winner prototype is then adapted, i.e. the winner is moved closer if it
correctly classifies the data point or moved away if it classifies the data point incorrectly.
4. EXPERIMENTAL RESULTS
To simulate the proposed system, the C#.NET programming language, MATLAB and the SOM
toolbox are used [14, 15]. The parameters of the simulation are given below.
The suggested LVQ has 80 neurons in its hidden layer. The LVQ takes the training data vectors, each
consisting of 8 attributes, as input to the system. The training phase consists of 50
epochs, and the learning function is learnlv2. Because the input data vectors span 9 alert classes
(the 8 attack types plus false positives), each attack type has a typical class percentage of 0.1,
except the false positive class, whose typical class percentage is 0.2. The attack types used in this
simulation are: Back, Pod, Nmap, Imanp, Dict, Rootkit, Land and Phf. The training data contains 70% of
the total filtered alert data vectors, i.e. 10166 data vectors, of which 4113 are false positives.
The test dataset includes the other 30% of the labeled alert data vectors, i.e. 2591 true positive and 1764
false positive data vectors.
Figure 2 shows Mean Square Error (MSE) for each epoch. As you can see in this figure the error
value is reduced when we moved forward on epoch axis; and minimum value of the error
achieved in last step.
To evaluate the performance of the algorithms four measurements are introduced:
1- Classification Error (ClaE),
2- Classification Accuracy percent (ClaAR),
3- Average Alert Classification Time (AACT),
4- False Positive Reduction Rate (FPRR).
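The winner-take-all LVQ rule described in Section 3.4 and the four metrics listed above, worked through together in one added example. This is illustrative code written for this page, not the authors' C#.net/MATLAB simulation: it implements Kohonen's LVQ1 update in plain Python (the paper uses MATLAB's learnlv2 with 80 neurons), trains it on a constructed set of already-normalised 8-attribute alert vectors (five clusters standing in for attack classes and the false positive class), and then computes ClaE, ClaAR, AACT and FPRR on a 70/30 split. The exact definition of FPRR is not spelled out on the page; it is assumed here to be the percentage of false-positive alerts in the test set that the classifier labels as false positive. The helper `cla_ar_from_error` shows that the paper's ClaE of 490 on 2591 + 1764 test vectors reproduces its ClaAR of 88.75%.

```python
import random
import time
from typing import Dict, List, Sequence

Vector = List[float]

FALSE_POSITIVE = "FalsePositive"   # alerts that do not correspond to a real attack
# Assumed attack classes for the constructed data (a subset of the paper's list).
ATTACK_CLASSES = ["Back", "Pod", "Nmap", "Dict"]
N_FEATURES = 8                     # the paper feeds 8 attributes per alert vector


def squared_distance(a: Sequence[float], b: Sequence[float]) -> float:
    """Squared Euclidean distance; the nearest prototype is the same as with the root."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


class LVQ1:
    """Winner-take-all LVQ (Kohonen's LVQ1 rule): the nearest prototype moves toward
    the sample when its label matches and away from the sample when it does not."""

    def __init__(self, prototypes_per_class: int, seed: int = 0) -> None:
        self.prototypes_per_class = prototypes_per_class
        self.rng = random.Random(seed)
        self.weights: List[Vector] = []
        self.labels: List[str] = []

    def _init_prototypes(self, X: List[Vector], y: List[str]) -> None:
        # Seed each class's prototypes with randomly chosen training vectors of that class.
        self.weights, self.labels = [], []
        for label in sorted(set(y)):
            members = [x for x, t in zip(X, y) if t == label]
            for _ in range(self.prototypes_per_class):
                self.weights.append(list(self.rng.choice(members)))
                self.labels.append(label)

    def winner(self, x: Sequence[float]) -> int:
        """Index of the prototype closest to x."""
        return min(range(len(self.weights)),
                   key=lambda i: squared_distance(self.weights[i], x))

    def fit(self, X: List[Vector], y: List[str], epochs: int = 50,
            learning_rate: float = 0.1) -> "LVQ1":
        self._init_prototypes(X, y)
        for epoch in range(epochs):
            alpha = learning_rate * (1.0 - epoch / epochs)   # linearly decaying step
            for x, label in zip(X, y):
                i = self.winner(x)
                sign = 1.0 if self.labels[i] == label else -1.0   # attract or repel
                self.weights[i] = [w + sign * alpha * (xi - w)
                                   for w, xi in zip(self.weights[i], x)]
        return self

    def predict(self, x: Sequence[float]) -> str:
        return self.labels[self.winner(x)]


def evaluate(model: LVQ1, X_test: List[Vector], y_test: List[str]) -> Dict[str, float]:
    """ClaE, ClaAR, AACT and FPRR as the paper names them. FPRR is taken here
    (assumption) as the share of false-positive alerts labelled as false positive."""
    start = time.perf_counter()
    predictions = [model.predict(x) for x in X_test]
    elapsed = time.perf_counter() - start
    cla_e = sum(p != t for p, t in zip(predictions, y_test))
    fp_total = sum(t == FALSE_POSITIVE for t in y_test)
    fp_caught = sum(p == t == FALSE_POSITIVE for p, t in zip(predictions, y_test))
    return {
        "ClaE": cla_e,
        "ClaAR": 100.0 * (len(y_test) - cla_e) / len(y_test),
        "AACT": elapsed / len(y_test),                       # seconds per alert
        "FPRR": 100.0 * fp_caught / fp_total if fp_total else 0.0,
    }


def cla_ar_from_error(cla_e: int, n_test: int) -> float:
    """Accuracy percent implied by an error count on n_test vectors."""
    return round(100.0 * (n_test - cla_e) / n_test, 2)


def make_alert_dataset(n_per_class: int, seed: int = 1):
    """Constructed, already min-max normalised 8-attribute vectors: each class is a
    tight cluster around its own centre in [0, 1]^8, a stand-in for real Snort alerts."""
    rng = random.Random(seed)
    classes = ATTACK_CLASSES + [FALSE_POSITIVE]
    centres = {c: [rng.random() for _ in range(N_FEATURES)] for c in classes}
    X, y = [], []
    for label, centre in centres.items():
        for _ in range(n_per_class):
            X.append([min(1.0, max(0.0, v + rng.gauss(0.0, 0.05))) for v in centre])
            y.append(label)
    order = list(range(len(X)))
    rng.shuffle(order)
    return [X[i] for i in order], [y[i] for i in order]


def run_experiment(train_fraction: float = 0.7, prototypes_per_class: int = 4) -> Dict[str, float]:
    """Train on 70% of the constructed alerts and report the four metrics on the rest."""
    X, y = make_alert_dataset(n_per_class=200)
    split = int(train_fraction * len(X))
    model = LVQ1(prototypes_per_class).fit(X[:split], y[:split], epochs=50)
    return evaluate(model, X[split:], y[split:])


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name}: {value}")
```

Because the constructed clusters are far apart relative to their spread, the toy run classifies almost every test vector correctly; on real Snort alerts, where attack and false-positive vectors overlap, the error count (and therefore ClaAR and FPRR) is governed by that overlap, which is what Table 1 measures for the DARPA 98 alerts.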
The values of these metrics are shown in Table 1. ClaE and ClaAR are 490 and 88.75%
respectively. The AACT value of 0.000018 seconds shows that the proposed system can be used in
active IDS alert management systems that evaluate alerts at the same time as the IDS produces
them. The identification of false positive alerts, measured by FPRR, is an important point of the
extracted values: because false positive alerts are produced alongside true positive ones, this
metric is very important in modern IDS alert management systems. The value of this metric is
88.27%.
FIGURE 2: Errors of ANN output values per targets.
ClaE ClaAR FPRR AACT
490 88.75 88.27 0.000018
TABLE 1: Extracted performance metric values from simulation.
In [9] GA based algorithms are used to cluster and classify alerts; their results are shown in
Table 2. For the ClaE, ClaAR and FPRR metrics the proposed system scores better than GA and
GKA, but the other methods (IGA, FGKA, GFCMA, GPCMA and GFPCMA) perform better than the
proposed system. In the AACT metric the LVQ based alert management system beats all of the
GA based techniques, which means that LVQ can be used in an active alert management system.
Algorithm ClaE ClaAR FPRR AACT
GA 1218 72.03 52.15 Offline
GKA 1011 75.2 62.11 Offline
IGA 306 92.97 95.24 Offline
FGKA 314 92.79 97.51 Offline
GFCMA 148 96.60 97.51 Offline
GPCMA 91 97.91 96.03 Offline
GFPCMA 148 96.60 97.51 Offline
TABLE 2: Results of performance metrics for GA based algorithms.
5. CONCLUSION AND FUTURE WORKS
In this paper an LVQ based system that is able to classify IDS alerts is presented. The system
addresses some problems of IDSs, namely the high volume of generated alerts and false positive
alerts: it classifies true positive alerts, identifies false positive ones and drastically reduces their
number. The results of the proposed system are compared to GA based techniques, and the
comparison shows that, unlike the GA based systems, the LVQ algorithm can be used in active
alert management systems.
Using LVQ to correlate alerts in order to discover attack sequences also seems useful, so this idea
is another future work of this paper.
6. REFERENCES
[1] H. Debar, M. Dacier and A. Wespi, "Towards a taxonomy of intrusion-detection systems", Computer Networks, Vol. 31, Issue 8, pp. 805-822, 1999.
[2] Kohonen T., "Self-Organizing Maps", Springer Series in Information Sciences, Berlin Heidelberg, 1997.
[3] Amir Azimi Alasti Ahrabi, Ahmad Habibizad Navin, Hadi Bahrbegi, Mir Kamal Mirnia, Mehdi Bahrbegi, Elnaz Safarzadeh and Ali Ebrahimi, "A New System for Clustering and Classification of Intrusion Detection System Alerts Using Self-Organizing Maps", International Journal of Computer Science and Security (IJCSS), Vol. 4, Issue 6, pp. 589-597, 2010.
[4] K. Julisch, "Clustering intrusion detection alarms to support root cause analysis", ACM Transactions on Information and System Security, Vol. 6, Issue 4, pp. 443-471, 2003.
[5] Maheyzah M. S., Mohd Aizaini M. and Siti Zaiton M. H., "Intelligent Alert Clustering Model for Network Intrusion Analysis", International Journal in Advances Soft Computing and Its Applications (IJASCA), Vol. 1, Issue 1, pp. 33-48, 2009.
[6] Wang J., Wang H. and Zhao G., "A GA-based Solution to an NP-hard Problem of Clustering Security Events", IEEE, pp. 2093-2097, 2006.
[7] Wang J. and Baojiang Cui, "Clustering IDS Alarms with an IGA-based Approach", ICCCAS, pp. 586-591, 2009.
[8] Cuppens F., "Managing alerts in a multi-intrusion detection environment", Proceedings of the 17th Annual Computer Security Applications Conference, pp. 22-31, 2001.
[9] Bahrbegi H., Navin A. H., Ahrabi A. A. A., Mirnia M. K. and Mollanejad A., "A new system to evaluate GA-based clustering algorithms in Intrusion Detection alert management system", Second World Congress on Nature and Biologically Inspired Computing (NaBIC), pp. 115-120, 2010.
[10] MIT Lincoln Lab., DARPA 1998 Intrusion Detection Evaluation Datasets, 1998. Available: http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1998data.html
[11] Snort: The open source network intrusion detection system. Available: http://www.snort.org/
[12] Brugger S. T. and Chow J., "An Assessment of the DARPA IDS Evaluation Dataset Using Snort", UC Davis Technical Report CSE-2007-1, Davis, CA, 2007.
[13] Snort Manual, www.snort.org/assets/82/snort_manual.pdf
[14] Neural Network Toolbox, "ANN Toolbox for MATLAB", www.mathworks.com/products/neural-network, 2011.
[15] Matlab Software, http://www.mathworks.com
[16] E. MIRADOR, "Mirador: a cooperative approach of IDS", European Symposium on Research in Computer Security (ESORICS), Toulouse, France, 2000.
[17] Debar H. and Wespi A., "Aggregation and Correlation of Intrusion-Detection Alerts", Proceedings of RAID '00, the 4th International Symposium on Recent Advances in Intrusion Detection, pp. 87-105, 2001.
[18] Krovi R., "Genetic Algorithm for Clustering: A preliminary investigation", Proceedings of the 25th Hawaii International Conference on Systems Sciences (HICSS), pp. 540-544, 1992.
[19] Krishna K. and Murty M., "Genetic K-means algorithm", IEEE Transactions on Systems, Man and Cybernetics - Part B: Cybernetics, pp. 433-439, 1999.
[20] Fuyan L., Chouyong C. and Shaoyi L., "An Improved Genetic Approach", International Conference on Neural Networks and Brain, pp. 641-644, 2005.
[21] Lu Y., Lu S., Fotouhi F., Deng Y. and Brown J. S., "FGKA: a Fast Genetic K-means Clustering Algorithm", Proceedings of the ACM Symposium on Applied Computing (SAC), Nicosia, Cyprus, pp. 622-623, 2004.
[22] Nuovo A. D. G., Catania V. and Palesi M., "The Hybrid Genetic Fuzzy C-means: a Reasoned Implementation", Proceedings of the 7th WSEAS International Conference on Fuzzy Systems, ACM, pp. 33-38, 2006.