Computer Networks 57 (2013) 811–824
Contents lists available at SciVerse ScienceDirect
Computer Networks
journal homepage: www.elsevier.com/locate/comnet
Review Article
RePIDS: A multi tier Real-time Payload-based Intrusion Detection System
Aruna Jamdagni a,b, Zhiyuan Tan a,b, Xiangjian He a,⇑, Priyadarsi Nanda a, Ren Ping Liu b
a
b
Centre for Innovation in IT Services and Applications (iNEXT), University of Technology, Sydney, Australia
ICT Centre, CSIRO, Australia
a r t i c l e
i n f o
Article history:
Received 9 January 2012
Received in revised form 7 August 2012
Accepted 7 October 2012
Available online 26 October 2012
Keywords:
Intrusion detection
Data pre-processing
Principal component analysis
Mahalanobis Distance Map
Principal components
Iterative feature selection
a b s t r a c t
Intrusion Detection System (IDS) deals with huge amount of network traffic and uses large
feature set to discriminate normal pattern and intrusive pattern. However, most of existing
systems lack the ability to process data for real-time anomaly detection. In this paper, we
propose a 3-Tier Iterative Feature Selection Engine (IFSEng) for feature subspace selection.
Principal Component Analysis (PCA) technique is used for the pre-processing of data.
Mahalanobis Distance Map (MDM) is used to discover hidden correlations between the features and between the packets. We also propose a novel Real-time Payload-based Intrusion
Detection System (RePIDS) that integrates a 3-Tier IFSEng and the MDM approach. Mahalanobis Distance (MD) dissimilarity criterion is used to classify each packet as either a normal or an attack packet.
The effectiveness of the proposed RePIDS is evaluated using DARPA 99 dataset and Georgia Institute of Technology attack dataset. The traffic for Web-based application is considered for validating our model. F-value, a criterion, is used to evaluate the detection
performance of RePIDS. Experimental results show that RePIDS achieves better performance (high F-values, 0.9958 for DARPA 99 dataset and 0.976 for Georgia Institute of Technology attack dataset respectively, with only 0.85% false alarm rate) and lower
computational complexity when compared against two state-of-the-art payload-based
intrusion detection systems. Additionally, it has 1.3 time higher throughput in comparison
with real scenario of medium sized enterprise network.
Ó 2012 Elsevier B.V. All rights reserved.
1. Introduction
Computer security has become a critical issue with the
rapid development of business and transaction systems
over the Internet and has gained worldwide attention as
attacks to computer network systems become more widespread and sophisticated. Since traditional prevention
measures are imperfect, monitoring for security compromises is required. Intrusion Detection System (IDS) is an
important component of security mechanism. The goal of
an IDS is to provide a layer of defense against malicious
⇑ Corresponding author.
E-mail addresses: arunaj@it.uts.edu.au (A. Jamdagni), Zhiyuan.Tan@
uts.edu.au (Z. Tan), Xiangjian.He@uts.edu.au (X. He), Priyadarsi.Nanda@
uts.edu.au (P. Nanda), ren.liu@csiro.au (R.P. Liu).
1389-1286/$ - see front matter Ó 2012 Elsevier B.V. All rights reserved.
http://dx.doi.org/10.1016/j.comnet.2012.10.002
uses of computer systems by sensing and alerting operators the ongoing attacks. More sophisticated IDSs generally
fall into two categories: misuse detection (or signature
detection) and anomaly detection. Misuse-based IDSs, such
as SNORT and Bro, commonly rely on rules written by domain experts and look for a match of an attack signature.
Misuse detection systems have higher detection accuracies. However, the major problems of these systems are
that they fail to detect new attacks or attacks whose signatures are not known and require continual signature updates to detect the latest attacks. Comparatively,
anomaly-based IDSs learn the normal behavior of a user,
look for anomalous patterns as significant deviations from
the normal behavior of a user profile, and generate alarms.
These systems can detect new attacks and variants of
known attacks. Unfortunately, they are prone to false
812
A. Jamdagni et al. / Computer Networks 57 (2013) 811–824
positives which can be triggered by novel but nonmalicious traffic. False positives limit the performance of
anomaly-based IDSs.
Anomaly detection has been an active research area
for more than two decades since it was originally proposed
by Denning [1]. Reviews on Network-based Intrusion
Detection System (NIDS) are given in the literature [2–7].
Reviews indicate that most previous research works in
anomaly detection do not concern about the data preprocessing technique used in NIDS. Intrusion detection
algorithms are used directly on the rough network data
and do not mention criteria for selection of traffic features
for intrusion detection. For practical applications, data preprocessing is one of the most important stages in the
development of detection algorithm, and it directly impacts the accuracy and the capability of a classification
algorithm.
In an ideal situation, the purpose of an IDS is to detect
attacks at an early stage or in other words in real-time to
minimize the impacts of attacks. Hence, for real-time
intrusion detection, the system must detect an attack as
soon as it is commenced. However, in real practice, it is
very difficult to build such a system with low false alarm
rates and high detection accuracy. In general, IDS deals
with huge amount of data which contains irrelevant and
redundant features causing slow training and test processes, higher resource consumption as well as poor detection rates. Thus, selecting important and suitable features,
which characterize behavioral patterns of network traffic
and clearly distinguish normal and abnormal activities
from network traffic data, is one of the key challenges to
build a real-time IDS.
Though methods for deriving discriminating features
from packet headers are well established as demonstrated
in [8–12], approaches for packet payload are less well defined. From the reviewed research on payload-based
anomaly detection, n-grams [13] and libAnomaly [14] are
two commonly used methods. The drawbacks of these
methods are that they have to use very large size of feature
sets, so they fail to provide sufficient discriminative power
for correct traffic discrimination and lead to relatively high
false alarms rates. Furthermore, payload-based attacks are
computationally expensive to detect due to requiring deeper searches into network sessions and looking for huge
number of payload features. This challenge has motivated
our research work to build a real-time payload-based
intrusion detection system using suitable feature subset,
in order to detect attacks as soon as are commenced.
Therefore, in this paper, we address the issues related to
the quality of feature set and the curse of dimensionality
(data pre-processing). We also propose a real-time payload-based anomaly IDS using efficient iterative feature
selection scheme. The main contributions of our work in
this paper are as follows.
Firstly, we propose a 3-Tier Iterative Feature Selection
Engine (IFSEng) for feature subset selection. Analysis of
the raw dataset is conducted in Tier 1 using Principal Component Analysis (PCA) technique, which examines and rates
the importance of various components of a multi-dimensional feature space in terms of variance that a component
reserves. Mathematical solutions (cumulative power and
parallel analysis criteria) and non-mathematical solution
(scree test criterion) are applied independently at Tier 2
to determine the number of dominant Principal Components (PCs), which should be retained according the analysis results from Tier 1. The refinement of features
(dominant PCs), and the generation and the verification of
a normal training model are performed at Tier 3.
Secondly, we propose to use Mahalanobis Distance Map
(MDM) approach to identify patterns of packet payloads.
MDM is promising in extracting the hidden correlations
between features and the correlations among network
packet payloads. It also partially captures structural information of payload. These correlations and structural information help improve the detection performance and
reduce false positive rates.
Thirdly, we propose a Real-time Payload-based Network Intrusion Detection System (RePIDS), which detects
payload-based attacks on the network in real-time. As
the key components of RePIDS, 3-Tier IFSEng and MDM
facilitate effective and efficient detection to attack packets
in network traffic with low false rates and high detection
rates.
Fourthly, we employ F-value measure as a metric to
evaluate the performance of RePIDS. The definition of
F-value is presented in Section 3.2.3. The reason of using
F-value is that, the numbers of instances in the classes
(normal and anomaly) are not equally distributed. Thus,
the system is biased and attains an accuracy of more than
99%, if False Positive (FP), False Negative (FN), True Positive
(TP) and True Negative (TN) measures are used in evaluating the performance of the system. However, F-value,
based on Precision and Recall rates (detailed in Section
3.2.3), is independent of the sizes of the training and test
samples.
Finally, we examine the effectiveness of our proposed
system by conducting several experiments on DARPA 99
dataset [15] and Georgia Institute of Technology attack
dataset (GATECH 2007) [16]. We compare the detection
performance (F-value) and computational complexity of
our proposed real-time payload-based IDS with two
state-of-the-art payload-based IDSs, namely PAYL [17]
and McPAD [18]. Experimental results show that the processing speed of RePIDS can accommodate the speed of a
real scenario of medium size enterprise network. The rest
of this paper is organized as follows. In Section 2, the most
relevant research works are summarized. Section 3 discusses the framework of RePIDS. Experimental results
and discussion are presented in Section 4. Section 5 demonstrates the evaluation results of RePIDS in terms of computational complexity, and compares RePIDS with the
state-of-the-art PAYL and McPAD intrusion detection systems. Conclusions are drawn in Section 6.
2. Payload-based Network Intrusion Detection System
In this section, we provide a brief description of recent
researches on payload-based intrusion detection systems.
Due to the capability of detecting attacks carried out
purely using packet payloads, there has been recently an
increasing interest in payload-based approaches to build
A. Jamdagni et al. / Computer Networks 57 (2013) 811–824
detection models for Network Intrusion Detection Systems
(NIDSs). Several typical effective payload-based NIDSs,
namely PAYL, McPAD and GSAD, have been proposed in
the literature [17–19].
The previous research works carried out in anomaly
detection are based on simple statistics on application
layer payload to build normal profile of web applications.
A review of research works using n-gram analysis of network traffic payloads for feature construction is presented
in the remaining of this section.
Wang and Stolfo proposed PAYL [17], which used
1-gram to build a byte-frequency distribution model of
network traffic payloads. The pre-processing of packet payload using 1-byte sliding window creates a feature vector
containing the relative frequency count of each of the
256 possible 1-grams (bytes) in the payload. Simplified
Mahalanobis distance measure was used to compare new
incoming traffic against the model. The overall detection
rate was close to 60% with a false positive rate less than
1%. While PAYL method is effective at displaying abnormal
byte distributions, it does have several shortcomings. For
examples, it does not withstand mimicry attacks [18] and
considers the entire payload for anomaly detection which
presents a major problem in high-speed and high bandwidth network.
Bolzoni et al. proposed POSEIDON [20], a two-tier intrusion detection model. POSEIDON combined the Self Organizing Map (SOM) with the PAYL. In their paper, SOM
was used for processing of packet payload and PAYL was
used as a basis for detection. The aim of the SOM was to
identify similar payloads for a given destination address
and port. SOM improved detection accuracy. However,
both SOM and PAYL need to be trained separately, so they
could present difficulties with accuracy. For SOM, the number of neurons depends on the size of the network, and
hence computational load increases quadratically with
the number of neurons.
To model the structure of payload, Wang et al. proposed
ANAGRAM [21]. A value of n P 1 was used to extract byte
sequence information in a 256n dimensional feature space.
Supervised learning was employed to model normal traffic
and attack traffic by storing n-grams of normal packets and
attack packets into two separate Bloom Filters (BFs). However, according to Perdisci et al. [18], BFs would not work
in high bandwidth or high data rate networks, because
ANAGRAM stores n-grams within the BFs and generates a
score based on the number of unobserved and malicious
n-grams during detection phase. Unfortunately, it was
more difficult to construct an accurate model due to the
curse of dimensionality and possible computational problem. Perdisci et al. then proposed an IDS called McPAD
[18], which created 2v-grams by using a sliding window
to cover all sets of 2 bytes that are v positions away in a
network traffic payload. This generated a high dimensional
feature space (2562 = 65,536) because each byte could
have values in the range from 0 to 255 and n = 2. The
dimensionality of the feature space was then reduced
using a clustering algorithm. However, they did not explain
the criteria for the selection of number of clusters and one
class classifiers. A model [22] proposed by Rieck and Laskov
also extracted high-order n-grams language features from
813
connection payloads. The authors compared high order
n-grams and words in connection payloads using vectorial similarity measures such as kernel and distance
functions.
However, all the afore-discussed methods consider payload features independently and do not consider correlations between the features and among the payloads.
These result in high false alarm rates. To address this problem, we proposed GSAD model [19] to detect anomalies in
the packet payloads. This model used n-gram text categorization technique for data pre-processing and MDM to
determine the hidden correlations between payload features. Mahalanobis distance criterion was used to evaluate
the similarity between the profile generated for a new
incoming network traffic and the normal profile. This method was able to detect attacks with less than 1% false positive
rate. However, this model has high computational complexity, and hence limits its use for offline operations only.
Recently, there is an increasing interest towards the
development of high-speed monitoring technology. Network components use Deep Packet Inspection (DPI)
[23,24] as an analyser to inspect attacks on all the layers.
To identify and prevent malicious attacks, researchers are
exploring both the header and the payload of each incoming packet. In [25], researchers developed Network Intrusion Detection and Prevention systems (NIDPs) using DPI
technology. DPI searches the entire packet headers and
payloads for pattern matching and uses a large rule database to compare against the incoming packets. Unfortunately, memory consumption is prohibitively high when
traditional methods such as Deterministic Finite Automata
(DFA) are used for fast regular expression scanning. Due to
the complexity of rules and software-based implementation of DPI, the packet processing speed of a DPI-based
solution is very limited. For instance, SNORT (a network
intrusion detection system) has more than 4000 rules
and can handle link rates only up to 250 Mbps [25] under
normal traffic conditions. These rates are not sufficient to
meet the needs of even medium-speed access or edge
networks.
These existing software solutions of DPIs [25] are not
sufficient enough to protect networks from new attacks
and do not support high processing rates. Moreover, deep
packet inspection compares a packet payload with thousands of known signatures and cannot detect attacks for
which signatures are unavailable. Though both DPI and
our proposed GSAD model are based on analysing network
packet payloads, our scheme significantly differ from DPI
as we consider the normal profiles only, whereas DPI uses
attack signature database to classify a network packet as a
normal or an attack.
Unfortunately, payload based IDSs commonly suffer
from three major issues, namely higher false alarm rates
(especially the higher false positive rates), complexity of
high dimensional data and dynamic structuring of protocols. This is because payload-based IDS uses large number
of features to discriminate normal packets and anomalous
packets in the network traffic data. The presence of redundant and irrelevant features in the feature set results in
high false positive rate and this restricts the operation of
payload-based IDS to off-line processing of network traffic.
814
A. Jamdagni et al. / Computer Networks 57 (2013) 811–824
We propose RePIDS (an efficient payload-based anomaly intrusion detection system) in this paper. RePIDS uses
PCA [26], an efficient method which helps reduce dimensionality by providing a linear mapping of n-dimensional
feature space to a reduced m-dimensional feature space
(dominant PCs), to boost the detection performance and
may be suitable for real-time applications. In practice,
reducing complex relationship between the features and
discarding any irrelevant, redundant or less significant features from the original feature space are important for the
real-time application of IDS. On one hand, this will reduce
not only the volume of traffic but also processing time. On
the other hand, this will improve the detection rate too.
Although PCA has been applied to the field of headerbased intrusion detection [27–29] to achieve sensible feature reduction, to the best of our knowledge, no work has
been done on the data pre-processing using PCA for payload feature selection. Nwanze et al. [30] discussed modeling of packet payload using data mining technique based
on PCA. However, they ignored the main idea of PCA and
did not use the projection of original data on a new lower
dimensional feature space. Furthermore, they did not consider correlations between features.
The aims of this research conducted in this paper are to
reduce the dimensionality of feature space and false positive rate. We achieve our research aims through efficient
pre-processing of packet payload data and present data
in a suitable format so that it can be used for the real-time
intrusion detection.
3. Real-time Payload-based Network Intrusion
Detection System
In this section, we elaborate on our new approach.
Firstly, we present the framework of our real-time payload-based intrusion detection system. Then, we discuss
the modules in the framework, namely data preparation
module, n-gram text categorization module, 3-Tier Iterative Feature Selection Engine (IFSEng), profile generation
and traffic classification.
3.1. Framework of the Proposed Real-time Payload-based
Intrusion Detection System
The complete framework of our proposed intrusion
detection system has four stages as shown in Fig. 1. They
are data preparation, data pre-processing, model generation and anomaly detection.
The first stage of this IDS consists of data preparation
and n-gram text categorization [31]. For data preparation,
the incoming network traffic is filtered according to the
types of applications and payload length, and n-gram text
categorization converts the network traffic packet payloads into a series of feature vectors. These feature vectors
describe the patterns of the incoming traffic in original
high dimensional feature space.
In the second stage, a 3-Tier IFSEng, detailed in Section
3.2.3, is used for feature subset selection. Each Tier performs a specific task. At Tier 1, PCA technique [26] is used
to analyse network traffic. At Tier 2, selection of dominant
PCs (subsets of features) is performed using various methods as shown in [32,33]. Tier 3 refines optimal feature subset (PCs) and evaluates the discriminative power of the
feature subsets to represent packet payloads. MDM shown
in [19,34,35] (to be further discussed in Section 3.2.4) is
used to capture more complex non-linear correlations
among the selected features, and construct a distance
map which represents a network traffic profile.
In the third stage of the framework, the output of IFSEng
(finally selected PCs) is used to build a normal traffic profile. An MDM is created for normal network traffic as a normal profile, which is used for the classification of the new
incoming network traffic in the last stage.
In the last stage, Mahalanobis Distance criterion is used
to measure the dissimilarity between the pre-developed
normal profile and the profile of a new incoming network
packet. The packet is classified as a normal or an attack
packet depending upon the amount of deviation of its profile from the normal profile. Detailed description of each
module is given in the following subsections.
3.2. Framework modules
In this section, we provide a step-wise description and
technical details of all modules contained in our proposed
IDS framework.
3.2.1. Data preparation module
Data preparation is the first stage of the framework,
where different datasets are prepared. We group network
traffic into various categories using Wireshark [36], which
is a traffic analyser and separates the network traffic based
on types of services, destination address, payload length
and direction of network traffic flow. The source of network traffic can be real network (for real-time operation)
or collected tcpdump files. The prepared dataset is used
by next stage of intrusion detection system.
3.2.2. n-Gram text categorization module
n-Gram text categorization is responsible for payload
feature analysis and feature construction. It extracts raw
features using n-gram text categorization technique (here
n = 1) from the packet payload and converts observations
into a series of feature vectors. Each payload is represented
by a feature vector in a 256-dimensional feature space
using
Oi
fi ¼ P256
j¼1 Oj
;
ð1Þ
where Oi is the occurrence of ith n-gram. The overall value
of the relative frequencies is given by
256
X
fi ¼ 1:
ð2Þ
i¼1
Thus, a packet payload is then denoted by a relative frequency vector q = [f1 f2 f256]T, which represents a pattern
in the network payload in a 256-dimensional feature
space. Here, T stands for ‘‘transpose’’ of a matrix.
A. Jamdagni et al. / Computer Networks 57 (2013) 811–824
815
Fig. 1. Framework of real-time payload-based based intrusion detection system.
3.2.3. 3-Tier Iterative Feature Selection Engine
The 3-Tier Iterative Feature Selection Engine (IFSEng)
consists of Tier 1: Data Analysis Using PCA, Tier 2: Principal
Component Selection and Tier 3: Refinement of Feature
Selection and Generation and Verification of Model.
At Tier 1, PCA is used to analyse the original dataset. As
a linear mathematical system, PCA is developed based on
eigenvector-based multivariate analysis. It attempts to
efficiently represent data by converting a set of observations into a new orthonormalized coordinate system,
where the data are maximally decorrelated. The axes
(eigenvectors or principal components) that contain greater variations (eigenvalues) make more contributions to the
data representation. The first few most contributing axes
are usually used to construct a new lower dimensional feature space which is believed to give efficient representations for the data.
PCA is applied on a network traffic dataset, Q = [q1 q2 qm], where m is the number of observations and each
observation qi (1 6 i 6 m) is denoted by a 256-dimensional
T
i
feature vector qi ¼ f1i f2i f256
. First, zero-mean normalization is conducted on the dataset for all the observations
to make PCA work properly. The zero-mean dataset is represented by
3T
q1 q
7
6q q
6 2 7
7
¼6
6 .. 7 ;
4 . 5
2
Q sh
ð3Þ
qm q
P
¼ m1 m
where q
i¼1 qi . Then, the principal components are
obtained by analysing the sample covariance matrix CQ of
the dataset given in (4).
CQ ¼
1
Q QT :
m 1 sh sh
ð4Þ
Using eigen decomposition, the covariance matrix CQ can
be decomposed into a matrix W and a diagonal matrix k.
They satisfy the condition, kW = CQW. The columns of the
matrix W stand for the eigenvectors (called the principal
components) of the covariance matrix CQ, and the elements
along the diagonal of the matrix k are the ranked
eigenvalues associated with the corresponding eigenvectors in the matrix W.
PCA only demonstrates the contribution of different
components of a feature space in terms of data representation. It does not determine the number of principal components that should be retained. Thus, some other
supplementary techniques are applied at Tier 2 to decide
the optimal number of components to be retained based
on the analysis results from PCA.
At Tier 2, several techniques, such as cumulative energy
[32], scree test [33] and parallel analysis criteria, help
achieve one of the main goals of good pre-processing principle that is to retain as much relevant information as possible. Cumulative energy, scree test and parallel analysis
criteria are utilized independently and to select corresponding k1, k2 and k3 principal components (the eigenvectors of matrix W) respectively. k1, k2 and k3 are less or
equal to k, where k equals to 256. These mathematical
and non-mathematical criteria are used to verify the outcomes of each others. The subsets of principal components,
corresponding to the selected k1, k2 and k3, represent reduced feature spaces, which provide the best presentations
determined by the criteria for
By project a packet ipayload.
T
onto these seing the feature vector qi ¼ f1i f2i f256
lected reduced feature spaces, the dimension of the
feature vector can be reduced significantly to smaller values, namely k1, k2 and k3. In the meanwhile, the criteria
guarantee that the reduced feature vector can correctly
represent the packet payload. A brief explanation of individual criteria is given below.
Cumulative Energy. An energy associated with a component is represented by the corresponding eigenvalue. The
greater an eigenvalue is, the larger energy the corresponding component (eigenvector) has. Suppose that (k1,u1), (k2,
u2), , (kk, uk) are k eigenvalue–eigenvector pairs decomposed from the covariance matrix CQ. The cumulative energy of the first k1 components is defined by the sum of
the energies across the components from 1 through k1,
and it is computed using (5)
CE ¼
k1
X
kj ;
j¼1
ð5Þ
816
A. Jamdagni et al. / Computer Networks 57 (2013) 811–824
where k1 2 {1, , k} can be determined subject to the
objective function given in (6)
CE
Pk
j¼1 kj
P a;
ð6Þ
in which a is the ratio of variation in the subspace to the
total variation in the original space. This objective function
intends to obtain a value of k1 as small as possible while
achieving a reasonably high value of CE on a percentage
basis.
Scree Test is a graphical method, first proposed by
Cattell [32] in 1966. A scree plot where all eigenvalues are
plotted against all (k) principal components (eigenvectors)
in the descending order. In the scree plot, we look for the
k2th point, where sharp decrease in eigenvalues levels off
(the scree). This point is identified as an ‘‘elbow’’. After
the k2th point, the remaining (k k2) principal components (eigenvectors) are ignored and not used in the model. This is based on the arguments that the most significant
components extract a large proportion of the variances
from the covariance matrix, while the remaining insignificant (k k2) ones are associated with similar low value
variances. The criticisms of scree test criterion are that
there is no sharp transition where the scree begins, and
the decision is not robust and reproducible. Alternatively,
parallel analysis criterion is used to verify the selection of
principal components (feature subset).
Parallel Analysis (PA) is a modification of Cattell’s scree
test. PA alleviates the component indeterminacy problem
and determines which variable loadings are significant
for each component. This operation is repeated twice and
the obtained eigenvalues for each component are used to
calculate means and Standard Deviations (SDs) in the
two iterations. From the means and standard deviations,
the 95th percentiles are obtained (the 95th percentile
= mean + 1.65SD). If the eigenvalue of a component exceeds the 95th percentiles of the simulated values, then
the component is retained.
At Tier 3, feature refinement and evaluation module is
used. In the refinement stage, we extend the range of the
selected principal components, obtained from Tier 2, on
both the upper and lower sides. Then, we observe the discriminative power of the subsets of principal components
to represent packet payloads. Lastly, we select the final
kfinal 2 {k1, k2, k3} principal components through iterative
evaluation of normal training model using F-value defined
in
F-value ¼ ð1 þ b2 Þ Recall
Precision
b2 ðRecall þ PrecisionÞ
;
ð7Þ
where Precision defined in (8) shows how many events,
predicted by an IDS as being intrusive, are the actual intrusions. A low value of precision means a higher degree of
false positives and vice versa. Recall defined in (9) measures the missing part from the Precision, namely the percentage of the real intrusions covered by the classifier. A
lower value of recall represents a higher degree of false
negatives and vice versa.
TP
;
TP þ FP
TP
Recall ¼
:
TP þ FN
Precision ¼
ð8Þ
ð9Þ
In (8) and (9), TP (True Positive) indicates the number of attacks correctly detected by the intrusion detection system
as attacks, TN (True Negative) indicates the number of normal packets correctly classified by the intrusion detection
system as normal without making any mistake, FP (False
Positive) indicates the number of normal packets incorrectly classified by intrusion detection system as attacks,
and FN (False Negative) indicates the number of attacks
incorrectly classified by intrusion detection system as normal packets.
In (7), b corresponds to the relative importance of precision versus recall and is usually set to 1. On one hand,
when precision and recall have equal weights and are close
to 1, the model can achieve F-value close to 1, which indicates good performance meaning that the classifier has 0%
false alarms and 100% detection of attacks. On the other
hand, F-value close to 0 indicates poor performance. Thus,
the F-value of a classifier is desired to be as high as
possible.
The selected kfinal principal components are the one
which facilitates the classifier to achieve the greatest
F-value among the candidates k1, k2 and k3. Then, selected
kfinal principal components are used in the profile generation, which is briefly discussed in Section 3.2.4.
3.2.4. Profile generation using Mahalanobis Distance Map
Network traffic profile is generated using Mahalanobis
Distance Map (MDM) which captures complex non-linear
correlations of the data. By using MDM, the hidden correlations between the features of projected feature vector
½x1 x2 xkfinal , which is obtained from the projection of
original feature vector q = [f1 f2 f256]T onto the kfinal
dimensional feature subspace ½u1 u2 ukfinal (outcome
of IFSEng), and the correlations among packets are obtained as follows.
Ra ¼ ðxa lÞðxa lÞT ð1 6 a 6 kfinal Þ;
ð10Þ
T
dða;bÞ ¼
ðxa xb Þðxa xb Þ
ð1 6 a; b 6 kfinal Þ;
Ra þ Rb
dð1;1Þ
6
6 dð2;1Þ
6
D¼6
6
...
4
dðkfinal ;1Þ
2
dð1;2Þ
dð2;2Þ
..
.
dðkfinal ;2Þ
dð1;kfinal Þ
ð11Þ
3
7
dð2;kfinal Þ 7
7
7;
..
..
7
.
.
5
dðkfinal ;kfinal Þ
ð12Þ
where xa represents the ath projected feature in the projected feature vector, l denotes the average of each projected feature, d(a,b) defines the Mahalanobis distance
between the ath projected feature and the bth projected
feature, Ra is the covariance value of each projected feature, and finally D is the MDM (the pattern of a network
packet). Distance map D is used to generate the network
traffic profiles (normal and attack) of the training and test
data. These profiles are used for the classification of incoming network traffic.
A. Jamdagni et al. / Computer Networks 57 (2013) 811–824
3.2.5. Traffic classification
Mahalanobis distance is the criterion used to measure
the dissimilarity between the developed profiles and new
incoming network traffic profiles. Weight score w is calculated using (13) to detect an intrusive activity.
w¼
kfinal
2
X
ðdobjða;bÞ d
norða;bÞ Þ
a;b¼1
r2norða;bÞ
;
ð13Þ
2
where d
norða;bÞ and rnorða;bÞ are the average and the variance
of the (a, b)th element in the distance map of the normal
profile given in (14), and dobj(a, b) is the (a, b)th element
of the distance map of the new incoming packet shown
in (15).
Dnor ¼ ½dnorða;bÞ kfinal kfinal
ð14Þ
Dobj ¼ ½dobjða;bÞ kfinal kfinal
ð15Þ
If the weight score exceeds the threshold, the input packet
is considered as an intrusion.
4. Experimental results and analysis
In the following subsections, first, we present brief
information on the dataset and types of attacks. Then, we
discuss training and test of our model. Finally, we present
experimental results and analysis.
A Series of experiments on DARPA 99 [15] dataset and
Georgia Institute of Technology attack dataset (GATECH)
[16,19] are conducted to evaluate the performance of our
proposed model. Although the DARPA 99 dataset was criticized by McHugh [37] for many of its weaknesses, including the questionable collection of traffic data, attack
taxonomy and distribution, and evaluation criteria, DARPA
99 dataset is the only publicly available, large and well labeled dataset, and is still the most widely used public
benchmark for testing intrusion detection systems. The
GATECH attack dataset is also publicly available and contains traces of real attack traffic. These two datasets are
used by the state-of-the-art payload-based IDSs that we
will compare in this paper.
4.1. Dataset
4.1.1. Training (normal traffic) dataset
We extract Week 1 and Week 3 inbound ‘‘HTTP request’’ traffic from DARPA 99 dataset for the training of
our model. The extracted normal traffic corresponds to
two different HTTP servers. The total numbers of packets
used for training of the model after filtering are 13,933
and 10,464 for hosts marx and hume respectively.
4.1.2. Test (attack + normal traffic) dataset
In order to test the performance of our proposed
model in detecting known attacks and new attacks, we
use attacks contained in DARPA 99 dataset and GATECH
attack dataset. The labeled test data is further preprocessed to form two test datasets, which contains
instances that do not appear in our training dataset. For
our experiments, we focus on attacks coming through
HTTP service only.
817
HTTP-based attacks are mainly from the HTTP GET/
POST requests to web servers. There are several HTTPbased attack provided by DARPA 99 dataset, namely
Apache2 attack, CrashIIS attack and Phf attack. The
GATECH attack dataset has several non-polymorphic HTTP
attacks provided by Ingham and Inoue [16] and several
polymorphic HTTP attacks created using CLET engine generated by Perdisci et al. [18]. The attacks, namely Generic
attack, Shell-code attack and CLET attack (polymorphic attack), are placed in different groups, and each group has attacks of the same category for the presentation of results.
All HTTP request attack packets are used in our experiments, and the detailed explanation for the types of attacks
can be found in Appendix A.
4.2. Model training and testing process
The experimental approach involves following procedure for training and testing of model:
1. As discussed in Section 3.2.2, we parse 185 bytes of
packet payload of a HTTP GET request using a sliding
window of length 1-byte and represent it by a feature
vector q in a 256-dimensional feature space.
2. As discussed in Section 3.2.3, Tier 1 uses the PCA technique to analyse raw data, namely ASCII character
occurrence frequencies, in the training dataset, by projecting raw data on a reduced feature space. At Tier 2
of IFSEng, selection of dominant Principal Components
(PCs) is done by means of cumulative energy, scree
test and parallel analysis criteria on the outcome of
PCA.
First, cumulative energy criterion is applied for the
selection, in which we consider 93% of cumulative
energy level for (6). A k1 equal to 7 is obtained,
which means that the first seven principal components are selected as the best subspace to represent
the data by cumulative energy criterion.
Then, we use scree test to draw scree plot as a variance captured by a given principal component and
to select another set of principal components.
Fig. 2a shows full scree plot, where we use k
(k = 256 in our case) principal components (X-axis)
of a particular dataset and the corresponding variances, namely eigenvalues (Y-axis), to draw a scree
plot. The principal components are sorted in
descending order with respect to the values of the
corresponding variances. In Fig. 2a, we look for an
‘‘elbow’’, a flattening out of the curve. To provide
better vision, we magnify the scree plot and show
the first 25 principal components in Fig. 2b. It can
be observed from Fig. 2b that there is a sharp
decrease of variance in the front part of the plot
and then it starts flattening out after the 6th principal component. In Fig. 2b, we can observe the
‘‘elbow’’ somewhere in the range from 6 to 9 principal components and the first k2 = 6 principal components are able to capture about 92% of the variance.
After the k2th point, the remaining (k k2) principal
components capture only around 8% of the total variance and are ignored.
818
A. Jamdagni et al. / Computer Networks 57 (2013) 811–824
−3
1
x 10
0.9
Eigenvalues
0.75
0.6
0.45
0.3
0.15
0
0
50
100
150
200
250
The Indexes of Eigenvectors
−3
1
x 10
0.9
Eigenvalues
0.75
0.6
0.45
0.3
X: 6
Y: 8.19e−05
0.15
0
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
The Indexes of Eigenvectors
Fig. 2. Scree test plot.
We use k2 = 6 as dominant principal components in
our case. However, from Fig. 2b, we have observed
a range of principal components from 6 to 9, and it
is not very clear that what is the most appropriate
value of k2. To overcome this ambiguity, we use parallel analysis criterion as described in the following
and to verify the selection of k2.
We verify the outcome of scree plot by using parallel analysis criterion as discussed in Section 3.2.3
on the same dataset. The result of parallel analysis
also suggests a selection of first seven principal
components, which are same as what have been
obtained using cumulative energy criterion. The
results of three feature selection criteria are given
in Table 1.
3. Although these are the dominant principal components,
further refinement of dominant principal components
needs to be done at Tier 3 of IFSEng (as presented in
Section 3.2.3) because of the ambiguity in these results.
In addition, generation and evaluation of training model
at Tier 3 are performed using F-value metric defined in
(7). The MDM represents the correlations between the
features obtained from the projection of the original
feature vector onto the finally selected principal
819
A. Jamdagni et al. / Computer Networks 57 (2013) 811–824
Table 1
Principal Component (PC) celection.
PC selection method
Cumulative energy (0.93)
Scree test
Parallel analysis
Number of PCs
7
6
7
components and between packets. These principal components help represent normal behavior profile in the
low dimensional feature space.
4. For testing, we project the extracted feature vector of an
incoming packet payload on the reduced feature space
(the finally selected principal components) and use
Mahalanobis distance dissimilarity criterion to detect
intrusive behaviors. The performance of RePIDS in
detecting attacks is evaluated using F-value.
In the experimentation, the 10 days normal ‘‘HTTP GET
request’’ traffic from DARPA 99 dataset is used. The normal
traffic is randomly divided into three subsets. One of the
subset is selected randomly and used for training the model. The remaining two subsets are reserved for the test of
the model.
In the testing stage, an attack is detected as long as one
of its attack packets is identified as abnormal. We conduct
our experiments using the features obtained from the projection of original feature vectors onto the optimal principal
components determined by the IFSEng for various types of
attacks (Apache2, Phf, CrashIIS and Back attacks) present in
DARPA 99 attack dataset. We further evaluate our model on
GATECH attack dataset, which is comprised of generic,
polymorphic (CLET) and shell-code attacks. The experiments are conducted on a computer with two 3.33 Ghz
8 MB cache Quad Core Xeon CUPs and 48 GB DDR3-1333
ECC memory. This is a shared computational environment
for heavy mathematical calculation and modeling experimentation. The performance is heavily influenced by the
number of processes running simultaneously. Matlab is
used for the simulation.
4.3. Results and analysis
Experimental results are explained in two steps. In the
first step of the experiments, we obtain the optimal subset
of principal components. Then, we design a number of
experiments based on Fig. 1 to determine the performance
of RePIDS when using various subsets of principal components varying from five components to nine components.
Experiments are also conducted for different values of
threshold varying from 2r to 3.5r. Results are presented
in Table 2 for various feature subsets and 3.5r as the optimal value of threshold.
Table 2 shows the variation of FP, TN, TP and FN rates
along the change of the number of principal components.
To obtain the optimal number of principal components,
F-value is calculated for each feature subspace (principal
components) using (7). Fig. 3 shows variation of F-value
with the number of principal components. The results
show that the best F-value is achieved with seven principal
components. In other words, the feature subspace of seven
principal components has good representation, discriminative power and high accuracy. The increase and decrease of
the eigenvectors both dilute the performance of RePIDS.
It can be concluded that PCA and the three selection criteria help reduce the dimensionality of dataset from 256 to
7. The amount of information extracted using IFSEng is
high in the selected 7-dimensional feature space, which
helps create more accurate normal traffic profiles using
MDM that is used for traffic classification.
To demonstrate how MDM presents the correlations between the features, the MDMs of normal HTTP payload and
some attack payloads generated using projected features,
the optimal 7-dimensional space, are given in Figs. 4 and
5 respectively. It can be seen from Figs. 4 and 5 that a
MDM is a symmetric matrix and the values of the elements
along its diagonal are all equal to zeros. This is because the
correlation of a feature to itself is always zero. MDMs also
demonstrate that the correlations between normal projected features are different from the correlations between
attack projected features. Besides, the 7-dimensional space
is able to help differentiate normal payload and various attack payloads efficiently and accurately. Fig. 4 shows the
MDM of normal HTTP payload (normal profile), and
Fig. 5a–c shows the MDMs of the attack profiles for
Apache2, CrashIIS and Phf attacks.
Although we can directly compare the normal profile
(model) and attack profiles (MDMs) to confirm the differences between normal and various attack payloads, it is a
time-consuming task. Having MDM profiles for training
dataset and a new incoming packet, the weight score w
is calculated. If the deviation in weight score w is greater
than the pre-selected threshold, then the incoming packet
is classified as an attack packet.
Moreover, to evaluate the robustness of RePIDS in recognizing unknown attacks (Generic, Shell-code and Polymorphic (CLET) attacks), we conduct experiments on
GATECH attack dataset using the same setup. Table 3
Table 2
Performance scores corresponding to the number of Principal Components (PCs).
False Positive (FP) rate
True Negative (TN) rate
True Positive (TP) rate
False Negative (FN) rate
5 PCs (%)
6 PCs (%)
7 PCs (%)
8 PCs (%)
9 PCs (%)
1.37
98.63
98.70
1.30
0.67
99.33
99.50
0.50
0.85
99.15
100
0
1.31
98.69
100
0
1.99
98.01
99.97
0.03
820
A. Jamdagni et al. / Computer Networks 57 (2013) 811–824
Fig. 3. Trend of F-value.
Fig. 4. MDM of normal HTTP payload.
Fig. 5. MDMs of attack HTTP payloads.
A. Jamdagni et al. / Computer Networks 57 (2013) 811–824
Table 3
Performance scores.
Performance score
7 Eigenvectors (%)
False positive (FP) rate
True negative (TN) rate
True positive (TP) rate
False negative (FN) rate
F-value
0.85
99.15
96.29
3.71
0.976
reports the FP rate, TN rate, TP rate, FN rate and F-value on
the optimal 7-dimensional space. It can be concluded from
Table 3 that RePIDS has a high detection rate, a low false
positive rate and a low false negative rate. The F-value
achieved is 0.976, which confirms that the model can detect attacks with high accuracy and demonstrates its good
performance.
In conclusion, the proposed RePIDS is able to detect novel attacks very well with a high F-value (0.976) and a low
FP rate.
5. Comparison of RePIDS
In this section, comparisons between RePIDS and the
state-of-the-art PAYL and McPAD anomaly based intrusion
detection systems are presented. Then, we further compare
throughput of our proposed model with that of a real scenario of a medium sized enterprise network.
5.1. Detection performance
In order to provide a reasonable comparison for these
payload-based IDSs, the detection performance of RePIDS,
PAYL and McPAD anomaly based intrusion detection systems is first compared. Thus, we use the results of false positive rate and detection rate from [18]. From Figs. 6 and 7
in [18], we estimate average detection rates for generic,
shell-code and polymorphic attacks. We use false positive
rate of 1% to calculate F-values for PAYL and McPAD on
GATECH attack dataset respectively. As mentioned in
[18], their results for DARPA 99 dataset are similar to those
for GATECH attack dataset. Table 4 shows comparison of Fvalues for PAYL, McPAD and RePIDS on DARPA 99 dataset
and GATECH attack dataset. From Table 4, we can conclude
that RePIDS shows better F-value in comparison with PAYL
and McPAD on DARPA 99 and GATECH attack datasets.
5.2. Complexity analysis
In this section, we provide an analysis of the computational complexities of the algorithms used in RePIDS, PAYL
Table 4
Performance comparison.
RePIDS
DARPA 99
GATECH
0.9958
0.976
PAYLa
0.969
0.969
a
McPADa
0.953a
0.953
a
F-values for DARPA 99 dataset and GATECH attack dataset for PAYL
and McPAD have been derived from [18].
821
and McPAD. Only the computation involved in the test
phase is taken into account in the analysis, because the
training of the algorithms can be performed off-line,
which does not affect efficiency of the algorithms in
detection.
Given a payload P of length n and a fixed value of v, the
occurrence frequencies of 1-gram and 2v-grams can both
be computed in O(n). The numbers of extracted features
in these algorithms are constant regardless of the actual
values of n and v (28 features extracted by RePIDS and
PAYL, and 216 features extracted by McPAD).
The feature reduction process of the RePIDS can be completed by 28 2 7 = 3584 simple operations including
multiplications and additions. In contrast, McPAD algorithm reduces features by mapping the occurrence frequency distribution of 2v-grams to the k feature clusters
using a simple look-up table and a number of sum operations that is always less than 216 (regardless of the value
of k). Therefore, the feature reduction processes of RePIDS
and McPAD can be computed in O(1). However, no feature
reduction is performed in PAYL.
Thus, the complete computational complexities of data
pre-processing of the RePIDS, PAYL and McPAD algorithms
can be obtained by adding up the computational complexities of the feature extraction and reduction processes.
Since RePIDS uses a fixed payload length (185 bytes) to extract the occurrence frequency, the complete computational complexity of data pre-processing is O(1). PAYL has
a complete computational complexity of data pre-processing equal to O(n), because no feature reduction is required.
For McPAD, it has to be repeated m (representing the number of different one class classifiers used to make a decision
about each payload P) times and to choose a different value
of v every time. Hence, the complete computational complexity of data pre-processing of McPAD can be accomplished in O(nm).
Once the features have been extracted and the dimensionality has been reduced to k, each payload has to be
classified according to each of the m classifiers. To classify
a payload P, RePIDS computes the Mahalanobis distance
between the payload and the pre-determined normal profile. Given the number of features equal to 7 as determined
and a single classifier used in classification, the computational complexity of the classification process of RePIDS
is O(1). Similarly, PAYL uses a single classifier to classify
the payload P represented by 256 features. Therefore, the
classification process of PAYL can be accomplished in
O(1) as well. Compared to RePIDS and PAYL, McPAD has
m classifiers. Each classifier computes the distance between the payload P represented by k feature clusters
and each of the support vector s obtained during training.
Therefore, the classification of a payload using McPAD
can be computed in O(ks). McPAD has to repeat the classification process m times and the results are then combined. Thus, the overall classification process of McPAD
can be computed in O(mks). The detailed break-down of
the computational complexities of the algorithms is given
in Table 5.
As shown in Table 5, the overall computational complexities of RePIDS, PAYL and McPAD are O(1), O(n) and
O(nm + mks) respectively. This proves that our RePIDS has
822
A. Jamdagni et al. / Computer Networks 57 (2013) 811–824
Table 5
Computational complexities of RePIDS, PAYL and McPAD.
Complexity of data pre-processing
Complexity of classification
Overall complexity
RePIDS
PAYL
McPAD
O(1)
O(1)
O(1)
O(n)
O(1)
O(n)
O(nm)
O(mks)
O(nm + mks)
the lowest computational complexity in comparison with
PAYL and McPAD.
We also evaluate the efficiency of our scheme by comparing the throughput of RePIDS with a similar environment used within a medium size enterprise network
with a gateway speed of 1 GB. Our throughput comparison
is based on the number of packets processed through such
a network against the packet processing speed of our
scheme considering the most ideal parameters. On one
hand, the throughput calculated for a medium sized enterprise network, considering ideal parameters is 25,600
packets in one second. However, we expect in actual
(real-time), throughput will be much less than what we
have used for comparison. On the other hand, our proposed
scheme could process 33,146 packets per second, which is
1.3 times more than the packet processing speed on the
enterprise network, indicating our scheme has potential
to be implemented in real-time. However such consideration involving real throughput analysis with most ideal
network parameters is beyond the scope of this paper
and we intend to extend it for our future work.
Summarizing the overall performance in terms of detection accuracy and computational complexities of algorithms, RePIDS performs better than the state-of-the-art
PAYL and McPAD anomaly based intrusion detection systems. Furthermore, in terms of throughput, RePIDS can
process more packets per second than the throughput of
a medium sized enterprise network with a gateway speed
of 1 GB. Hence, our model, RePIDS, is expected to be capable of processing packets in real time operation.
structural information of the payload partially, which improves the performance of our proposed model.
Experimental results indicate that the method is effective in detecting attacks with high detection rates and
low false positive rates. Using the proposed method, the
number of features required to generate network profile
are very few. This shows low computational complexity
and low training and testing processing time of our proposed scheme. We have also shown that our approach
has good potential to be used in real-time too. RePIDS
has been thoroughly tested on the normal traffic of DARPA
99 dataset, and on two different datasets of attacks,
namely DARPA 99 and GATECH datasets. GATECH dataset
contains the real traces of attacks collected from various
sites. RePIDS has achieved high F-value, 0.9958 on DARPA
99 dataset and 0.976 on GATECH dataset respectively. This
demonstrates that RePIDs is capable of differentiating normal and attack instances accurately. In particular, we have
demonstrated that RePIDS performs better in comparison
with the state-of-the-art PAYL and McPAD. In addition,
we have also shown that the computational complexity
of RePIDS for the classification of a new incoming traffic
payload is lower than PAYL and much less than McPAD.
The reason of improvement in computational complexity
of RePIDS algorithms is because of reduced feature space.
Thus, our model decreases the average computation cost
per payload while maintaining a high detection rate at
low false positive rate.
Finally, in terms of throughput, RePIDS can process
more packets per second than the throughput of a medium
sized enterprise network with a gateway speed of 1 GB.
Hence, our model, RePIDS, is expected to be capable of processing packets in real time operation.
Although RePIDS has shown good performance in protection of network against intrusion, it is used for intrusion
detection of unencrypted (plain text) payload data only. It
does not look into encrypted data. However, it can detect
attacks coming through encrypted data when used at the
host machine using an appropriate encryption key.
6. Conclusions
Acknowledgement
In this paper, we have proposed an efficient payloadbased intrusion detection system (RePIDS) to detect attacks against Web applications through the analysis of
HTTP payloads using 3-Tier Iterative Feature Selection Engine (IFSEng) and Mahalanobis Distance Map (MDM).
Mahalanobis distance criterion is used for classification of
network data. The proposed model uses selected, smallsized feature subspace to detect generic, shell-code and
CLET attacks. Also, RePIDS is capable of discriminating normal patterns and attack patterns in real-time.
The proposed 3-Tier IFSEng is used to select an optimal
feature subspace and to reduce the dimensionality of the
data. This is because data being used in payload-based
intrusion detection inherit a problem of high dimensions
in nature, which significantly influence the detection
efficiency.
In addition, the use of MDM offers benefits in exploring
hidden correlations between features and also between
packet payloads. Furthermore, MDM is able to capture
This work was supported by the Australian Postgraduate Awards (APA), the University of Technology Sydney
(UTS) International Research Scholarship (IRS) and the
Commonwealth Scientific and Industrial Research Organisation (CSIRO) Information and Communication Technologies (ICT) Centre Top-up Scholarships.
Appendix A
Generic Attacks. This dataset includes all the HTTP
attacks plus a shell-code attack that exploits vulnerability (MS03-022) in Windows Media Service (WMS). Generic attacks are applicable to any group. For example,
attacks cause Information Leakage and Denial of Service
(DoS).
Shell-code Attacks. This dataset contains 11 shell-code
attacks from the generic attacks dataset. Shell-code
attacks are dangerous because they inject executable
A. Jamdagni et al. / Computer Networks 57 (2013) 811–824
code and hijack the normal execution of the target
application. For example, Code-Red worm uses shellcode attacks to propagate.
CLET Attacks. This dataset contains 96 polymorphic
attacks generated using the polymorphic engine CLET
[8]. Polymorphic attacks are polymorphic version of
known attacks. Examples are: Code-Red (a famous
worm that exploits vulnerability in Windows IIS
(MS01-044)), DDK (an exploit to a buffer overflow vulnerability in Windows IIS (MS01-033)), etc.
Apache2 Attack. Denial of service attack against an
apache web server where a client sends a request with
many MIME headers. These requests will cause the server to slow down, and may eventually crash it.
Back Attack. Denial of service attack against apache web
server where a client requests a URL containing many
backslashes. As the server tries to process these
requests it will slow down and be unable to process
other requests.
Phf Attack. Any CGI program which relies on the CGI
function escape shell cmd () to prevent exploitation of
shell-based library calls may be vulnerable to attack. In
particular, this includes the phf program which is distributed with the example code. The phf program allows
remote users to run arbitrary commands on the server.
Crashiis Attack. Denial of Service attack against the NT
IIS web server. The attacker sends a malformed GET
request via telnet to port 80 on the NT victim. The command ‘‘GET ../..’’ crashes the web server (and sometimes
crashes the ftp and gopher daemons as well).
References
[1] D.E. Denning, An intrusion-detection model, IEEE Transactions on
Software Engineering SE-13 (1987) 222–232.
[2] L. Ertz, E. Eilertson, A. Lazarevic, P.N. Tan, V. Kumar, J. Srivastava, P.
Dokas, The MINDS – Minnesota Intrusion Detection System, in: Next
Generation Data Mining, MIT Press, Boston, 2004, pp. 1–21.
[3] J.M. Estevez-Tapiador, P. Garcia-Teodoro, J.E. Diaz-Verdejo,
Stochastic protocol modeling for anomaly based network intrusion
detection, in: Proceedings. First IEEE International Workshop on
Information Assurance, 2003, pp. 3–12.
[4] A. Patcha, J.-M. Park, An overview of anomaly detection techniques:
existing solutions and latest technological trends, Computer
Networks 51 (2007) 3448–3470.
[5] A. Lazarevic, V. Kumar, J. Srivastava, Intrusion detection: a survey, in:
V. Kumar, J. Srivastava, A. Lazarevic (Eds.), Managing Cyber Threats,
Springer, US, 2005, pp. 19–78.
[6] J. Early, C. Brodley, Behavioral features for network anomaly
detection, in: M. Maloof (Ed.), Machine Learning and Data Mining
for Computer Security, Springer, London, 2006, pp. 107–124.
[7] S. Axelsson, Intrusion detection systems: a survey and taxonomy, in:
Technical Report, 2000, pp. 1–27.
[8] S. Kotsiantis, D. Kanellopoulos, P. Pintelas, Data preprocessing for
supervised leaning, International Journal of Computer Science 1
(2006) 111–117.
[9] M. Mahoney, P.K. Chan, PHAD: packet header anomaly detection for
identifying hostile network traffic, in: Florida Institute of Technology
Technical Report 2001, pp. 1–17.
[10] P. Garca-Teodoro, J. Daz-Verdejo, G. Macia-Fernandez, E. Vazquez,
Anomaly-based network intrusion detection: techniques, systems
and challenges, Computers & Security 28 (2009) 18–28.
[11] A. Lakhina, M. Crovella, C. Diot, Mining anomalies using traffic
feature distributions, in: Proceedings of the 2005 Conference on
Applications, Technologies, Architectures, and Protocols for
Computer Communications, ACM, Philadelphia, Pennsylvania USA,
2005, pp. 217–228.
823
[12] W. Lee, S.J. Stolfo, A framework for constructing features and models
for intrusion detection systems, ACM Transactions on Information
and System Security 3 (2000) 227–261.
[13] M. Damashek, Gauging similarity with N-grams: languageindependent categorization of text, Science 267 (1995) 843–848.
[14] J.J. Davis, A.J. Clark, Data preprocessing for anomaly based network
intrusion detection: a review, Computers & Security 30 (2011) 353–
375.
[15] R. Lippmann, J.W. Haines, D.J. Fried, J. Korba, K. Das, The 1999 DARPA
off-line intrusion detection evaluation, Computer Networks 34
(2000) 579–595.
[16] K. Ingham, H. Inoue, Comparing anomaly detection techniques for
HTTP, in: C. Kruegel, R. Lippmann, A. Clark (Eds.), Recent Advances
in Intrusion Detection, Springer, Berlin, Heidelberg, 2007, pp. 42–62.
[17] K. Wang, S. Stolfo, Anomalous payload-based network intrusion
detection, in: E. Jonsson, A. Valdes, M. Almgren (Eds.), Recent
Advances in Intrusion Detection, Springer, Berlin, Heidelberg, 2004,
pp. 203–222.
[18] R. Perdisci, D. Ariu, P. Fogla, G. Giacinto, W. Lee, McPAD: a multiple
classifier system for accurate payload-based anomaly detection,
Computer Networks 53 (2009) 864–881.
[19] A. Jamdagni, Z. Tan, P. Nanda, X. He, R. Liu, Intrusion detection using
geometrical structure, in: Fourth International Conference on
Frontier of Computer Science and Technology, 2009, pp. 327–333.
[20] D. Bolzoni, S. Etalle, P. Hartel, POSEIDON: a 2-tier anomaly-based
network intrusion detection system, in: Fourth IEEE International
Workshop on Information Assurance 2006, pp. 156–165.
[21] K. Wang, J.J. Parekh, S.J. Stolfo, Anagram: a content anomaly detector
resistant to mimicry attack, in: Proceedings of the 9th International
Conference on Recent Advances in Intrusion Detection, SpringerVerlag, Hamburg, Germany, 2006, pp. 226–248.
[22] K. Rieck, P. Laskov, Language models for detection of unknown
attacks in network traffic, Journal in Computer Virology 2 (2007)
243–256.
[23] Y.-M. Chu, Deep packet inspection in network intrusion detection
and prevention systems, in: Institute of Communications
Engineering, National Tsing Hua University, 2010.
[24] T. Porter, The Perils of Deep Packet Inspection, in: Security Focus,
2005.
[25] F. Yu, High speed deep packet inspection with hardware support, in:
EECS Department, University of California, Berkeley, 2006.
[26] I. Jolliffe, Principal Component Analysis, Wiley Online Library, 2005.
[27] Y. Bouzida, F. Cuppens, N. Cuppens-Boulahia, S. Gombault, Efficient
intrusion detection using principal component analysis, in: 3me
Confrence sur la Scurit et Architectures Rseaux (SAR), La Londe,
France, 2004.
[28] Y. Bouzida, S. Gombault, Eigenconnections to Intrusion Detection, in:
Y. Deswarte, F. Cuppens, S. Jajodia, L. Wang (Eds.), Security and
Protection in Information Processing Systems, Springer, US, 2004,
pp. 241–258.
[29] W. Wang, X. Guan, X. Zhang, Processing of massive audit data
streams for real-time anomaly intrusion detection, Computer
Communications 31 (2008) 58–72.
[30] N. Nwanze, K. Sun-il, D.H. Summerville, Payload modeling for
network intrusion detection systems, in: Military Communications
Conference, 2009, MILCOM 2009., IEEE, 2009, pp. 1–7.
[31] Y. Liao, V.R. Vemuri, Using text categorization techniques for
intrusion detection, in: Proceedings of the 11th USENIX Security
Symposium, USENIX Association, 2002, pp. 51–59.
[32] L.R. Nelson, Some observations on the scree test, and on coefficient
alpha, Thai Journal of Educational Research and Measurement 3 (1)
(2005) 1–17.
[33] R.B. Cattell, The scree test for the number of factors, Multivariate
Behavioral Research 1 (1966) 245–276.
[34] A. Jamdagni, Z. Tan, P. Nanda, X. He, R.P. Liu, Intrusion detection
using GSAD model for HTTP traffic on web services, in: Proceedings
of the 6th International Wireless Communications and Mobile
Computing Conference, ACM, Caen, France, 2010, pp. 1193–1197.
[35] Z. Tan, A. Jamdagni, X. He, P. Nanda, Network Intrusion Detection
based on LDA for Payload Feature Selection, in: GLOBECOM
Workshops (GC Wkshps), 2010, pp. 1545–1549.
[36] L. Chapell, Wireshark Network Analysis: The Official Wireshark
Certified Network Analyst Study Guide, Protocol Analysis Institute,
2010.
[37] J. McHugh, Testing intrusion detection systems: a critique of the
1998 and 1999 DARPA intrusion detection system evaluations as
performed by Lincoln Laboratory, ACM Transactions on Information
and System Security 3 (2000) 262–294.
824
A. Jamdagni et al. / Computer Networks 57 (2013) 811–824
Aruna Jamdagni is a PhD student at the Faculty
of Engineering and Information Technology
(FEIT) of the University of Technology, Sydney
(UTS), also a research member of Research
Centre for Innovation in IT Services and Applications (iNEXT). Her research interests include
Computer and Network Security and on Pattern
Recognition techniques and fuzzy set theory.
Priyadarsi Nanda joined UTS in 2001. He is
Senior Lecturer, in the School of Computing
and Communications, and Core Research
Member, Centre for Innovation in IT Services
Applications (iNEXT). His research interests
are Network QoS, Network securities, Assisted
health care using sensor networks, and
Wireless networks. He has published 38
referred publications including two journals,
four book chapters, one conference tutorial
and 31 referred conference papers.
Zhiyuan Tan is a PhD student at the Faculty of
Engineering and Information Technology
(FEIT) of the University of Technology, Sydney
(UTS), also a research member of Research
Centre for Innovation in IT Services and
Applications (iNEXT). His research interests
are on Computer and Network Security and on
Pattern Recognition techniques for efficient
Network Intrusion Detection and anomalous
behavior detection in P2P overlay network.
Ren Ping Liu is a principal scientist of networking technology in CSIRO ICT Centre,
Australia and Adjunct Associate Professor,
Macquarie University. His interests include
scheduling, QoS modeling and performance
analysis of wireless networks, including IEEE
802.11, Wireless Mesh Networks, Wireless
Sensor Networks, LTE, and Cognitive Radio
Networks. He delivered networking solutions
to government and industrial customers,
including Optus, AARNet, Nortel, Queensland
Health, CityRail, Rio Tinto, and DBCDE.
Xiangjian He is a Professor of Computer Science, School of Computing and Communications. He is also Director of Computer Vision
and Pattern Recognition group, and a Deputy
Director of Research Centre for Innovation in
IT Services and Applications (iNEXT) at the
University of Technology, Sydney (UTS). He is
an IEEE Senior Member. He has been awarded
‘Internationally Registered Technology Specialist’ by International Technology Institute
(ITI). His research interests are image processing, pattern recognition, computer vision
and Network security. He is in the editorial boards of seven international
journals. He has received various research grants including four national
Research Grants awarded by Australian Research Council (ARC).