Anomalies classification approach for network-based intrusion detection system

Research output: Contribution to journal › Article

6 Citations (Scopus)

Abstract

An anomaly-based intrusion detection system (A-IDS) is often considered a better option than a signature-based system (S-IDS) because it needs no prior knowledge of attack signatures before it can detect an intrusion. However, managing the alarms an A-IDS generates is harder than managing those of an S-IDS. An S-IDS reports rich information (the matched signature) along with each alarm, whereas an A-IDS may only identify the connection stream it judged to be malicious: it raises an alarm whenever an activity deviates from its baseline model of normal behaviour, so the cause of the anomaly is unknown to the detector itself. This makes managing IDS alarms and separating false positives from true alarms a substantial challenge, and determining the class of an attack detected by an anomaly-based system is therefore an important task. This paper makes two contributions. First, it presents a set of network traffic features deemed most relevant for identifying a wide range of network anomalies. Second, it presents an A-IDS alarm classifier, based on machine learning techniques, that automatically classifies activities detected by a packet-header-based anomaly detection system. Evaluation experiments showed that machine learning algorithms can classify the detected malicious activities effectively and efficiently.
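The two-stage pipeline the abstract describes, as an added illustration that is not the paper's code: a packet-header anomaly detector scores each connection stream against a baseline of normal traffic, and a small nearest-centroid classifier (a stand-in for the machine learning algorithms the paper evaluates) labels each alarm with an attack class. The feature set, the class labels, the alarm threshold and every flow record below are constructed assumptions for the example.

```python
"""Anomaly alarm + alarm classifier, built from packet-header features.

Added illustration, not the paper's code.  The feature set, class labels,
threshold and all flow records are constructed assumptions for the example.
"""
import math
from dataclasses import dataclass

# Per-stream features derivable from packet headers alone (assumed feature set).
FEATURES = ("pkts", "bytes_per_pkt", "syn_ratio", "dst_ports", "dst_hosts")
ALARM_THRESHOLD = 3.0  # alarm when any feature sits more than 3 std devs from the baseline


@dataclass
class Flow:
    src: str
    pkts: int             # packets in the stream
    bytes_per_pkt: float  # mean IP total length
    syn_ratio: float      # fraction of packets with SYN set and ACK clear
    dst_ports: int        # distinct destination ports contacted by src
    dst_hosts: int        # distinct destination hosts contacted by src

    def vec(self):
        return [float(getattr(self, f)) for f in FEATURES]


def column_stats(vectors):
    """Per-feature (mean, std dev); std dev floored so a constant column cannot divide by zero."""
    stats = []
    for col in zip(*vectors):
        mu = sum(col) / len(col)
        sd = math.sqrt(sum((x - mu) ** 2 for x in col) / len(col))
        stats.append((mu, max(sd, 1e-6)))
    return stats


def standardize(vec, stats):
    return [(x - mu) / sd for x, (mu, sd) in zip(vec, stats)]


# Stage 1: anomaly detector.  Constructed baseline of normal client traffic.
BASELINE = [Flow(f"10.0.0.{i}", 40 + i % 7, 800.0 + 10 * i, 0.04 + 0.01 * (i % 3), 1 + i % 3, 1 + i % 2)
            for i in range(1, 21)]
BASELINE_STATS = column_stats([f.vec() for f in BASELINE])


def anomaly_score(flow, stats=BASELINE_STATS):
    """Largest absolute z-score over the features: how far the stream sits from the normal model."""
    return max(abs(z) for z in standardize(flow.vec(), stats))


# Stage 2: alarm classifier.  Constructed, labelled alarms; "bulk_transfer" is a
# legitimate large download the detector still flags, i.e. a known false-positive class.
TRAIN = [
    (Flow("s1", 300, 60.0, 0.98, 250, 1), "port_scan"),
    (Flow("s2", 500, 60.0, 0.99, 400, 1), "port_scan"),
    (Flow("w1", 200, 64.0, 0.95, 1, 180), "host_sweep"),
    (Flow("w2", 260, 64.0, 0.96, 1, 220), "host_sweep"),
    (Flow("f1", 5000, 40.0, 1.00, 1, 1), "syn_flood"),
    (Flow("f2", 3000, 40.0, 1.00, 1, 1), "syn_flood"),
    (Flow("b1", 90, 1400.0, 0.02, 1, 1), "bulk_transfer"),
    (Flow("b2", 120, 1450.0, 0.03, 1, 1), "bulk_transfer"),
]


def fit_centroids(train):
    """Nearest-centroid classifier on standardized features (a deliberately small
    stand-in for the learning algorithms the paper evaluates)."""
    stats = column_stats([f.vec() for f, _ in train])
    by_class = {}
    for flow, label in train:
        by_class.setdefault(label, []).append(standardize(flow.vec(), stats))
    centroids = {label: [sum(c) / len(vecs) for c in zip(*vecs)] for label, vecs in by_class.items()}
    return stats, centroids


TRAIN_STATS, CENTROIDS = fit_centroids(TRAIN)


def classify(flow):
    """Label an alarmed stream with the class whose centroid is nearest in standardized feature space."""
    z = standardize(flow.vec(), TRAIN_STATS)
    return min(CENTROIDS, key=lambda label: math.dist(z, CENTROIDS[label]))


def triage(flow):
    """Full pipeline: (verdict, anomaly score).  Only streams the detector alarms on reach the classifier."""
    score = anomaly_score(flow)
    if score <= ALARM_THRESHOLD:
        return "normal", score
    return classify(flow), score


if __name__ == "__main__":
    for f in [Flow("n", 44, 900.0, 0.05, 2, 1), Flow("q1", 350, 60.0, 0.97, 300, 1),
              Flow("q2", 100, 1420.0, 0.02, 1, 1)]:
        print(f.src, *triage(f))
```

Running the block prints one verdict per sample stream. The point is that a stream the detector flags comes back with a class such as port_scan or bulk_transfer rather than only "anomalous", and that a recognised benign class gives the analyst a direct way to dismiss the likely false positives the abstract complains about.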

Original language: English
Pages (from-to): 1159-1172
Number of pages: 14
Journal: International Journal of Network Security
Volume: 18
Issue number: 6
Publication status: Published - 2016

Fingerprint

Intrusion detection
Learning systems
Alarm systems
Learning algorithms
Classifiers
Experiments

Keywords

  • Alarm classification
  • Anomaly-based
  • Feature selection
  • Machine learning

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

Anomalies classification approach for network-based intrusion detection system. / Qassim, Qais Saif; Mohd. Zin, Abdullah; Ab Aziz, Mohd Juzaiddin.

In: International Journal of Network Security, Vol. 18, No. 6, 2016, p. 1159-1172.

@article{1ce0de22ba7a4b09b0485de32fd97527,
title = "Anomalies classification approach for network-based intrusion detection system",
abstract = "An anomaly-based intrusion detection system (A-IDS) is often considered a better option than a signature-based system (S-IDS) because it needs no prior knowledge of attack signatures before it can detect an intrusion. However, managing the alarms an A-IDS generates is harder than managing those of an S-IDS. An S-IDS reports rich information (the matched signature) along with each alarm, whereas an A-IDS may only identify the connection stream it judged to be malicious: it raises an alarm whenever an activity deviates from its baseline model of normal behaviour, so the cause of the anomaly is unknown to the detector itself. This makes managing IDS alarms and separating false positives from true alarms a substantial challenge, and determining the class of an attack detected by an anomaly-based system is therefore an important task. This paper makes two contributions. First, it presents a set of network traffic features deemed most relevant for identifying a wide range of network anomalies. Second, it presents an A-IDS alarm classifier, based on machine learning techniques, that automatically classifies activities detected by a packet-header-based anomaly detection system. Evaluation experiments showed that machine learning algorithms can classify the detected malicious activities effectively and efficiently.",
keywords = "Alarm classification, Anomaly-based, Feature selection, Machine learning",
author = "Qassim, {Qais Saif} and {Mohd. Zin}, Abdullah and {Ab Aziz}, {Mohd Juzaiddin}",
year = "2016",
language = "English",
volume = "18",
pages = "1159--1172",
journal = "International Journal of Network Security",
issn = "1816-353X",
publisher = "National Chung Hsing University",
number = "6",

}

TY - JOUR

T1 - Anomalies classification approach for network-based intrusion detection system

AU - Qassim, Qais Saif

AU - Mohd. Zin, Abdullah

AU - Ab Aziz, Mohd Juzaiddin

PY - 2016

Y1 - 2016

AB - An anomaly-based intrusion detection system (A-IDS) is often considered a better option than a signature-based system (S-IDS) because it needs no prior knowledge of attack signatures before it can detect an intrusion. However, managing the alarms an A-IDS generates is harder than managing those of an S-IDS. An S-IDS reports rich information (the matched signature) along with each alarm, whereas an A-IDS may only identify the connection stream it judged to be malicious: it raises an alarm whenever an activity deviates from its baseline model of normal behaviour, so the cause of the anomaly is unknown to the detector itself. This makes managing IDS alarms and separating false positives from true alarms a substantial challenge, and determining the class of an attack detected by an anomaly-based system is therefore an important task. This paper makes two contributions. First, it presents a set of network traffic features deemed most relevant for identifying a wide range of network anomalies. Second, it presents an A-IDS alarm classifier, based on machine learning techniques, that automatically classifies activities detected by a packet-header-based anomaly detection system. Evaluation experiments showed that machine learning algorithms can classify the detected malicious activities effectively and efficiently.

KW - Alarm classification

KW - Anomaly-based

KW - Feature selection

KW - Machine learning

UR - http://www.scopus.com/inward/record.url?scp=84991780946&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84991780946&partnerID=8YFLogxK

M3 - Article

VL - 18

SP - 1159

EP - 1172

JO - International Journal of Network Security

JF - International Journal of Network Security

SN - 1816-353X

IS - 6

ER -