
A Distributed Intrusion Detection Framework Based on Evolved Specialized Ensembles of Classifiers

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 9597)

Abstract

Modern intrusion detection systems must handle many complicated issues in real time, since they have to cope with a live data stream: for the classification task the classes are typically unbalanced, attacks may be distributed, and the system has to react quickly to changes in the data. Data mining techniques and, in particular, ensembles of classifiers make it possible to combine different classifiers that together provide complementary information and that can be built incrementally. This paper introduces the architecture of a distributed intrusion detection framework and, in particular, its detector module, which is based on a meta-ensemble and is used to cope with the problem of detecting intrusions, where the number of attacks is typically smaller than the number of normal connections. To this aim, we explore the use of ensembles specialized in detecting particular types of attack or normal connections, and Genetic Programming is adopted to generate a non-trainable function that combines each specialized ensemble. Non-trainable functions can be evolved without any extra training phase and are therefore particularly well suited to handling concept drift, also under real-time constraints. Preliminary experiments, conducted on the well-known KDD dataset and on a more up-to-date dataset, ISCX IDS, show the effectiveness of the approach.
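As an added illustration of the meta-ensemble idea in the abstract (this is not the paper's code or data): each class gets a specialist ensemble of base classifiers, and a fixed expression tree over that specialist's base scores, of the kind Genetic Programming would evolve, plays the role of the non-trainable combination function. The base classifiers are hand-written threshold rules over KDD-style flow features (`count`, `serror_rate`, `rerror_rate`, `diff_srv_rate`, `src_bytes`, `duration`); the thresholds, the tree shapes and the flow records are all constructed here, and no GP search is run. The example shows what the abstract's claim about concept drift means in practice: after a drift, only the combination tree of the DoS specialist is replaced, and no base classifier is retrained.

```python
"""Meta-ensemble of specialized ensembles combined by non-trainable functions.

Constructed illustration, not the paper's implementation: one ensemble per
class ("specialist"), each combining its base classifiers with a fixed
expression tree like those Genetic Programming evolves.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

Record = Dict[str, float]
BaseClassifier = Callable[[Record], float]        # score in [0, 1]
Tree = Union[int, Tuple[str, "Tree", "Tree"]]     # leaf = index of a base classifier

# Binary primitives available to a combination tree (the GP function set).
PRIMITIVES = {
    "max": max,
    "min": min,
    "mean": lambda a, b: (a + b) / 2.0,
    "mul": lambda a, b: a * b,
}


def evaluate_tree(tree: Tree, scores: List[float]) -> float:
    """Evaluate a combination tree over base-classifier scores; no training involved."""
    if isinstance(tree, int):
        return scores[tree]
    op, left, right = tree
    return PRIMITIVES[op](evaluate_tree(left, scores), evaluate_tree(right, scores))


@dataclass
class Specialist:
    """Ensemble specialised in recognising one class."""
    name: str
    bases: List[BaseClassifier]
    combiner: Tree

    def score(self, record: Record) -> float:
        return evaluate_tree(self.combiner, [b(record) for b in self.bases])


def build_specialists() -> List[Specialist]:
    # Rule-based base classifiers; thresholds are assumptions chosen for the constructed data.
    dos = Specialist("dos", [
        lambda r: 1.0 if r["serror_rate"] > 0.5 else 0.0,                    # half-open connections
        lambda r: min(1.0, r["count"] / 200.0),                               # connections to same host
        lambda r: 1.0 if r["src_bytes"] == 0 and r["duration"] == 0 else 0.0,  # empty, instant flows
    ], ("max", 0, ("mean", 1, 2)))
    probe = Specialist("probe", [
        lambda r: 1.0 if r["diff_srv_rate"] > 0.5 else 0.0,                  # many different services
        lambda r: 1.0 if r["count"] > 30 and r["src_bytes"] < 100 else 0.0,
        lambda r: 1.0 if r["rerror_rate"] > 0.3 else 0.0,                    # closed ports answer RST
    ], ("mean", 0, ("max", 1, 2)))
    normal = Specialist("normal", [
        lambda r: 1.0 if r["count"] < 20 else 0.0,
        lambda r: 1.0 if r["serror_rate"] < 0.1 and r["rerror_rate"] < 0.1 else 0.0,
        lambda r: 1.0 if r["src_bytes"] > 100 else 0.0,
    ], ("mean", ("mean", 0, 1), 2))
    return [normal, dos, probe]


def predict(specialists: List[Specialist], record: Record) -> str:
    """Meta-ensemble decision: the class whose specialist is most confident."""
    return max(specialists, key=lambda s: s.score(record)).name


def recall_per_class(specialists: List[Specialist], dataset) -> Dict[str, float]:
    """Per-class recall: with unbalanced classes this says more than overall accuracy."""
    hits: Dict[str, int] = {}
    totals: Dict[str, int] = {}
    for record, label in dataset:
        totals[label] = totals.get(label, 0) + 1
        if predict(specialists, record) == label:
            hits[label] = hits.get(label, 0) + 1
    return {c: hits.get(c, 0) / n for c, n in totals.items()}


def flow(duration, src_bytes, count, serror_rate, rerror_rate, diff_srv_rate) -> Record:
    return dict(duration=duration, src_bytes=src_bytes, count=count, serror_rate=serror_rate,
                rerror_rate=rerror_rate, diff_srv_rate=diff_srv_rate)


# Constructed, unbalanced sample: 7 normal flows, 2 SYN-flood flows, 1 port scan.
DATASET: List[Tuple[Record, str]] = [
    (flow(12, 2300, 3, 0.0, 0.0, 0.0), "normal"),
    (flow(0, 181, 8, 0.0, 0.0, 0.05), "normal"),
    (flow(5, 540, 2, 0.0, 0.0, 0.0), "normal"),
    (flow(30, 1200, 15, 0.0, 0.0, 0.1), "normal"),
    (flow(0, 300, 1, 0.0, 0.0, 0.0), "normal"),
    (flow(2, 150, 25, 0.05, 0.0, 0.0), "normal"),
    (flow(100, 9000, 4, 0.0, 0.0, 0.0), "normal"),
    (flow(0, 0, 250, 1.0, 0.0, 0.0), "dos"),
    (flow(0, 0, 180, 0.9, 0.0, 0.0), "dos"),
    (flow(0, 0, 40, 0.0, 0.8, 0.9), "probe"),
]

# Concept drift (constructed): a flood that completes handshakes and carries
# payload, so the half-open and zero-byte rules stop firing. Only the DoS
# combination tree is replaced, as a re-evolved function would be.
DRIFTED = DATASET + [(flow(0, 520, 400, 0.0, 0.0, 0.0), "dos")]
REEVOLVED_DOS_TREE: Tree = ("max", 0, 1)


def adapt_to_drift(specialists: List[Specialist]) -> List[Specialist]:
    return [Specialist(s.name, s.bases, REEVOLVED_DOS_TREE) if s.name == "dos" else s
            for s in specialists]


if __name__ == "__main__":
    before = build_specialists()
    print("recall before drift:", recall_per_class(before, DATASET))
    print("drifted data, old DoS combiner:", recall_per_class(before, DRIFTED))
    print("drifted data, new DoS combiner:", recall_per_class(adapt_to_drift(before), DRIFTED))
```

Two points worth noticing when running it. First, the report is recall per class: on the drifted data the missed flood costs about 9 percent of accuracy but a third of DoS recall, which is the kind of gap the abstract's remark on unbalanced classes is about. Second, the re-evolved tree simply drops the zero-byte rule and takes the maximum of the remaining two; swapping it is an evaluation-time change that touches no base classifier, which is the property the abstract attributes to non-trainable combination functions.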


Notes

  1. https://www.caida.org/data/.
  2. http://ita.ee.lbl.gov/index.html.
  3. http://www.icir.org/enterprise-tracing/.
  4. http://www.ll.mit.edu/ideval/data/.
  5. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.
  6. http://mutrics.iitis.pl/flowcalc.
  7. MOA prerelease 2014.01; http://moa.cms.waikato.ac.nz/overview/.
  8. http://www.sigkdd.org/kdd-cup-1999-computer-network-intrusion-detection.


Acknowledgment

This work has been partially supported by MIUR-PON under project PON03PE_00032_2 within the framework of the Technological District on Cyber Security.

Corresponding author

Correspondence to Gianluigi Folino.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Folino, G., Pisani, F.S., Sabatino, P. (2016). A Distributed Intrusion Detection Framework Based on Evolved Specialized Ensembles of Classifiers. In: Squillero, G., Burelli, P. (eds) Applications of Evolutionary Computation. EvoApplications 2016. Lecture Notes in Computer Science, vol 9597. Springer, Cham. https://doi.org/10.1007/978-3-319-31204-0_21


  • DOI: https://doi.org/10.1007/978-3-319-31204-0_21


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-31203-3

  • Online ISBN: 978-3-319-31204-0

  • eBook Packages: Computer Science, Computer Science (R0)
