Abstract
Modern intrusion detection systems must handle many complicated issues in real-time, as they have to cope with a real data stream; indeed, for the task of classification, typically the classes are unbalanced and, in addition, they have to cope with distributed attacks and they have to quickly react to changes in the data. Data mining techniques and, in particular, ensemble of classifiers permit to combine different classifiers that together provide complementary information and can be built in an incremental way. This paper introduces the architecture of a distributed intrusion detection framework and in particular, the detector module based on a meta-ensemble, which is used to cope with the problem of detecting intrusions, in which typically the number of attacks is minor than the number of normal connections. To this aim, we explore the usage of ensembles specialized to detect particular types of attack or normal connections, and Genetic Programming is adopted to generate a non-trainable function to combine each specialized ensemble. Non-trainable functions can be evolved without any extra phase of training and, therefore, they are particularly apt to handle concept drifts, also in the case of real-time constraints. Preliminary experiments, conducted on the well-known KDD dataset and on a more up-to-date dataset, ISCX IDS, show the effectiveness of the approach.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
MOA prerelease 2014.01; http://moa.cms.waikato.ac.nz/overview/.
- 8.
References
Bhuyan, M., Bhattacharyya, D., Kalita, J.: Network anomaly detection: methods, systems and tools. Commun. Surv. Tutorials IEEE 16, 303–336 (2014)
Breiman, L.: Bagging predictors. Mach. Learn. 24, 123–140 (1996)
Freund, Y., Shapire, R.: Experiments with a new boosting algorithm. In: Machine Learning, Proceedings of the Thirteenth International Conference (ICML 1996), Morgan Kaufmann, pp. 148–156 (1996)
Kuncheva, L.: Combining Pattern Classifiers: Methods and Algorithms. Wiley, Chichester (2004)
Folino, G., Pizzuti, C., Spezzano, G.: A scalable cellular implementation of parallel genetic programming. IEEE Trans. Evol. Comput. 7, 37–53 (2003)
Cuzzocrea, A., Folino, G., Sabatino, P.: A distributed framework for supporting adaptive ensemble-based intrusion detection. In: 2015 IEEE International Conference on Big Data, Big Data 2015, Santa Clara, CA, USA, 29 October - 1 November 2015, pp. 1910–1916 (2015)
Shiravi, A., Shiravi, H., Tavallaee, M., Ghorbani, A.A.: Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Comput. Secur. 31, 357–374 (2012)
Khasawneh, K.N., Ozsoy, M., Donovick, C., Abu-Ghazaleh, N., Ponomarev, D.: Ensemble learning for low-level hardware-supported malware detection. In: Bos, H. (ed.) Raid 2015. LNCS, vol. 9404, pp. 3–25. Springer, Heidelberg (2015)
Folino, G., Pisani, F.S.: Combining ensemble of classifiers by using genetic programming for cyber security applications. In: Mora, A.M., Squillero, G. (eds.) EvoApplications 2015. LNCS, vol. 9028, pp. 54–66. Springer International Publishing, Switzerland (2015)
Acosta-Mendoza, N., Morales-Reyes, A., Escalante, H.J., Gago-Alonso, A.: Learning to assemble classifiers via genetic programming. IJPRAI 28, 19 (2014)
Tavallaee, M., Stakhanova, N., Ghorbani, A.: Toward credible evaluation of anomaly-based intrusion-detection methods. IEEE Trans. Syst. Man Cybern. Part C Appl. Rev. 40, 516–524 (2010)
Mahoney, M.V., Chan, P.K.: An analysis of the 1999 DARPA/Lincoln laboratory evaluation data for network anomaly detection. In: Vigna, G., Kruegel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 220–237. Springer, Heidelberg (2003)
McHugh, J.: Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by lincoln laboratory. ACM Trans. Inf. Syst. Secur. 3, 262–294 (2000)
Brown, C., Cowperthwaite, A., Hijazi, A., Somayaji, A.: Analysis of the 1999 DARPA/Lincoln laboratory IDS evaluation data with NetADHICT. In: Proceedings of the Second IEEE International Conference on Computational Intelligence for Security and Defense Applications. CISDA 2009, Piscataway, NJ, USA, pp. 67–73. IEEE Press (2009)
Tavallaee, M., Bagheri, E., Lu, W., Ghorbani, A.: A detailed analysis of the KDD CUP 99 data set. In: IEEE Symposium on Computational Intelligence for Security and Defense Applications, 2009. CISDA 2009, pp. 1–6 (2009)
Paxson, V.: Empirically derived analytic models of wide-area TCP connections. IEEE/ACM Trans. Netw. 2, 316–336 (1994)
Foremski, P., Callegari, C., Pagano, M.: Waterfall: rapid identification of IP flows using cascade classification. In: Kwiecień, A., Gaj, P., Stera, P. (eds.) CN 2014. CCIS, vol. 431, pp. 14–23. Springer, Heidelberg (2014)
Schapire, R.E.: The strength of weak learnability. Mach. Learn. 5, 197–227 (1990)
Schapire, R.E.: Boosting a weak learning by majority. Inf. Comput. 121, 256–285 (1995)
Kuncheva, L.: Combining Pattern Classifiers: Methods and Algorithms. Wiley-Interscience, New York (2004)
Bahri, E., Harbi, N., Huu, H.N.: Approach based ensemble methods for better and faster intrusion detection. In: Herrero, A., Corchado, E. (eds.) CISIS 2011. LNCS, vol. 6694, pp. 17–24. Springer, Heidelberg (2011)
Acknowledgment
This work has been partially supported by MIUR-PON under project PON03PE_00032_2 within the framework of the Technological District on Cyber Security.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Folino, G., Pisani, F.S., Sabatino, P. (2016). A Distributed Intrusion Detection Framework Based on Evolved Specialized Ensembles of Classifiers. In: Squillero, G., Burelli, P. (eds) Applications of Evolutionary Computation. EvoApplications 2016. Lecture Notes in Computer Science(), vol 9597. Springer, Cham. https://doi.org/10.1007/978-3-319-31204-0_21
Download citation
DOI: https://doi.org/10.1007/978-3-319-31204-0_21
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31203-3
Online ISBN: 978-3-319-31204-0
eBook Packages: Computer ScienceComputer Science (R0)