Article

Using Artificial Intelligence in Intrusion Detection Systems


Abstract

Artificial Intelligence could make the use of Intrusion Detection Systems a lot easier than it is today. They could learn the preferences of the security officers and show first the kind of alerts that the officer has previously been most interested in. As always, the hardest thing with learning AIs is to make them learn the right things. AIs could learn the same things as a rule-based system by watching a security officer work. AIs could also link together events that, by themselves, are insignificant but when combined may indicate that an attack is underway. In this article I'll compare AI-based solutions to traditional IDS solutions, and analyze how the AIs could be taught.


... Researchers designed algorithms used by AIDS to automatically keep learning normal behaviour in the network [13]. AIDS has seen rapid advancements in building descriptive profiles of regular traffic in the IPv6 network [14][15][16]. There are two types of AIDS: rule-based and Artificial Intelligence-based. ...
... The main challenge with the topic of DDoS attacks is how to select the most relevant features which can provide the highest accuracy rate [14]. For that, many researchers have proposed different techniques for selecting the best features; one of these techniques uses metaheuristic algorithms such as the flower pollination algorithm (FPA) [12]. ...
... In this work, FPA with SVM is proposed for detecting ICMPv6 DDoS. Real datasets, collected at the National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia [14], are used to test the performance of the proposed method. ...
Article
Internet Protocol version 6 (IPv6) is the latest version of IP, whose goal is to host 3.4 × 10^38 unique IP addresses of devices in the network. IPv6 has introduced new features like the Neighbour Discovery Protocol (NDP) and the Address Auto-configuration Scheme. IPv6 needs several protocols like the Address Auto-configuration Scheme and the Internet Control Message Protocol (ICMPv6). IPv6 is vulnerable to numerous attacks like Denial of Service (DoS) and Distributed Denial of Service (DDoS), which is one of the most dangerous attacks executed through ICMPv6 messages and imposes security and financial implications. Therefore, an Intrusion Detection System (IDS) is a monitoring system for the security of a network that detects suspicious activities and deals with a massive amount of data comprising repetitive and inappropriate features which affect the detection rate. A feature selection (FS) technique helps to reduce the computation time and complexity by selecting the optimum subset of features. This paper proposes a method for detecting DDoS flooding attacks (FA) based on ICMPv6 messages using a Binary Flower Pollination Algorithm (BFPA-FA). The proposed method (BFPA-FA) employs FS technology with a support vector machine (SVM) to identify the most relevant, influential features. Moreover, the ICMPv6-DDoS dataset was used to demonstrate the effectiveness of the proposed method through different attack scenarios. The results show that the proposed method BFPA-FA achieved the best accuracy rate (97.96%) for ICMPv6 DDoS detection with a reduced number of features (9), half of the total (19) features. The proven proposed method BFPA-FA is effective against ICMPv6 DDoS attacks via IDS.
CSSE, 2023, vol. 47, no. 1
... The trend of integrating AI into anomaly-based IDS has shown potential in surveys [8,9]: flexibility (vs the threshold definition of the traditional technique), adaptability (vs the specific rules of the conventional technique), fast computing (fast classification of events), pattern recognition and self-learning ability. However, this approach also poses several challenges: ...
...
• Consumption: Training neural networks in the Deep Learning approach may cost a considerable amount of computing time and resource consumption [11]
• Ambiguity: Neural networks in the Deep Learning approach are black boxes, outputting results without clear rules or explanation of the process or the reasons leading to the results, which raises the question of reliability for the model [9]
• Adversarial AI: The use of malicious AI is growing, in which a bad actor can potentially use AI to make a series of small changes to the network environment that could lead to significant changes to the overall ML cybersecurity system over time [10]
• Labeling: Supervised learning for an AI model in a real network environment requires labeling all traffic flows, which can be labor intensive and inaccurate [11]
• Generalizability: A learning model can demonstrate quite different performance on different test datasets, which might be caused by the data deficiency of the training dataset.
...
Preprint
Network attacks detection using auto-labeling and network-based Deep Learning
An alarming number of cyber attacks have been witnessed in recent years, especially during the COVID-19 epidemic. Many prevention measures have been proposed as a defense line for a network infrastructure, including Intrusion Detection Systems (IDS). A variant of IDS using Machine Learning and Deep Learning to detect network anomalies is gaining promising results. However, this approach also poses limitations regarding indigenous dataset acquisition or the ability to apply a model learned from a benchmark dataset to different network infrastructures. Therefore, this paper proposes a reliable automatic labeling method for a new network dataset, and a Deep Transfer Learning model to detect both known and unknown attacks across different network infrastructures, then compares it with other approaches. The obtained results reveal an outstanding performance of the Transfer-Learning model, in comparison with the non-Transfer-Learning method, on two benchmark datasets (NSL-KDD, CIC-IDS2017) and a self-captured simulated network dataset using the auto-labeling approach. Furthermore, the model is verified to retain both new and old knowledge after the transfer learning process, which has not been mentioned in other studies, which focus only on the ability to learn new knowledge.
... In addition, the attack can be mitigated by using encryption algorithms in order to secure the mobility of data [31]. In general, many approaches currently exist for detecting ICMPv6-DDoS attacks, such as anomaly detection, which is divided into rule-based detection [32] and AI-based detection [29], [30], for example machine learning-based detection (MLIDS) [13], [33], data mining-based detection (DNIDS) [34], [35], entropy-based detection (EIDS) [36], [37] and deep learning-based detection [38]-[40]. ...
... Wherefore, this gap is a favorable area for research to construct or devise a model regarding the behaviors of DDoS attacks. For this reason, several approaches that had not focused on detecting ICMPv6-DDoS attacks are proposed, which are based on anomaly detection [13], [33], [41], [42]. Additionally, a model must be designed to detect ICMPv6-DDoS patterns in IPv6 networks; the review outlines the features and protection constraints of IPv6 detection systems, focusing mainly on ICMPv6-DDoS attacks. ...
Article
Network security systems have been an increasingly important discipline since the implementation of the preliminary stages of Internet Protocol version 6 (IPv6), which attackers seek to exploit. IPv6 is an improved protocol in terms of security, as it brought new functionalities and procedures, i.e., Internet Control Message Protocol version 6 (ICMPv6). The ICMPv6 protocol is considered very important and represents the backbone of IPv6, being responsible for sending and receiving messages in IPv6. However, IPv6 inherited many attacks from the previous Internet Protocol version 4 (IPv4), such as distributed denial of service (DDoS) attacks. DDoS is a thorny problem on the Internet, being one of the most prominent attacks affecting a network and resulting in tremendous economic damage to individuals as well as organizations. In this paper, an exhaustive evaluation and analysis are conducted of anomaly detection of DDoS attacks against ICMPv6 messages; in addition, the anomaly detection types for ICMPv6 DDoS flooding attacks in IPv6 networks are explained. The use of a feature selection technique based on bio-inspired algorithms is proposed for selecting an optimal subset of features that has a positive impact on the detection accuracy of ICMPv6 DDoS attacks. The review outlines the features and protection constraints of IPv6 intrusion detection systems, focusing mainly on DDoS attacks. © 2021 Institute of Advanced Engineering and Science. All rights reserved.
... The software utilizes automated learning to define a normal behavior of the system [52]. According to [30], [53], this has seen more development in anomaly-based IDS to detect IPv6 attacks. It is essential to build descriptive profiles of each normal behavior in a network. ...
... AI can learn new attack behaviors and build new rules. Therefore, new or similar attacks can be detected based on these rules [30], [53]. ...
... This detection method is also known as Signature-Based Detection, which relies on a ruleset that is already prepared before the detection service starts. According to (Manninen, 2007), the traditional detection method has two types of scenario events: allowed scenarios and denied scenarios. ...
... AI-based detection does not depend on a ruleset, but makes the IDS recognize the intrusion based on its behavior on the network. According to (Manninen, 2007), the AI-based detection method is available in several AI types such as Fuzzy Logic, Probabilistic ...
Thesis
The recent growth of Internet users, which has almost reached the limit of the IPv4 address space, forces engineers to implement IPv6 in their systems. However, the implementation of IPv6 is not easy for many reasons, such as hardware compatibility. Hence, transition mechanisms were proposed to help the migration process from IPv4 to IPv6 networks. However, there are security considerations with this mechanism due to the double encapsulation of packets. Basically, this mechanism encapsulates IPv6 packets in IPv4 datagrams to allow transmission. An attacker from an IPv6 network can use this tunneling mechanism to send an intrusion without being detected by a Network Intrusion Detection System. Normally a NIDS is only capable of decapsulating a packet once, and a NIDS like Snort cannot detect the payload of protocol 41. Thus, a new approach is needed to handle decapsulation of the second layer of the packet and extraction of the information needed for detection. This design adds a secondary decapsulation process to the NIDS when the NIDS detects a 6to4 packet. The design decapsulates the second layer, extracts the information from the payload and continues to the detection process. The detection process itself is signature-based, where intrusions' unique and repetitive information is defined inside the ruleset. The design was implemented in a Java-based NIDS for testing purposes and run under attack simulations. According to the test, all attacks are detected as True Positive detections, with several reply packets detected as False Negative detections.
... Therefore, AIDS has a major advantage over SIDS in detecting new (zero-day) attacks if their activities fall outside the normal predefined profile, without any need for signature matching [30]. These AIDSs are classified into two main categories: rule-based AIDS, which defines and applies rules for the denied or allowed events, and Learning-based AIDS, which implements Learning techniques to build its detection models [31]. ...
... Instead of using manually defined rules to detect attacks, Learning techniques are utilized to automatically build detection models. Learning techniques give the IDS the ability to learn the attacks' behaviors based on a training dataset in order to detect similar behaviors [31]. Moreover, Learning-based techniques (such as Data Mining) proved their efficiency in detecting IPv4 attacks [18]; therefore, they have been applied to AIDSs to detect IPv6 attacks, including ICMPv6-based DDoS attacks. ...
Article
The Internet Control Message Protocol version Six (ICMPv6) is categorized as the most important part of the Internet Protocol version Six (IPv6) due to its core functionalities. However, the ICMPv6 protocol is vulnerable to different types of attacks, such as Distributed Denial of Service (DDoS) attacks that are based on ICMPv6 messages. ICMPv6-based DDoS attacks are the most performed attacks against IPv6 networks and are considered a grave problem of today's Internet. Intrusion Detection Systems (IDSs) under different categories have been proposed to detect ICMPv6-based DDoS attacks. However, these IDSs are inefficient in detecting the attacks due to their limitations. The main limitation of the existing IDSs is the dependency on packet-based representation and features, which are unsuitable for detecting DDoS attacks, as experimentally proven. Therefore, this research proposes a new IDS, based on a flow-based representation of traffic, and a set of novel features for detecting the attacks. This is the first time a flow-based representation and features are proposed to detect ICMPv6-based DDoS attacks. Cross-validation and supplied test set approaches have been applied to evaluate the proposed IDS using seven classifiers. The evaluation experiments were conducted on real datasets and showed that the proposed flow-based IDS with the proposed novel features is efficient and reliable in detecting ICMPv6-based DDoS attacks with acceptable detection accuracies and false positive rates.
... Detecting attack anomalies depends on building descriptive profiles of the allowed behaviours in a network. Based on the way these profiles are built, there are two main categories of AIDS: Artificial Intelligence-based AIDS, which uses AI techniques to build its detection model, and Rule-based AIDS, which depends on defining rules for denying or allowing events and scenarios [38]. In this section, IPv6 ...
... AI-based techniques have been applied in many different areas, including network security, to build AIDSs. The main difference between AI-based and Rule-based AIDSs is the former's ability to learn the behaviours of the attacks and build rules, and these rules have the ability to detect new similar attacks [38]. Moreover, deployment of an AI-based AIDS is easier and less costly compared to a Rule-based AIDS. ...
Article
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are thorny and a grave problem of today’s Internet, resulting in economic damages for organizations and individuals. DoS and DDoS attacks that are using Internet Control Message Protocol version six (ICMPv6) messages are the most common attacks against the Internet Protocol version six (IPv6). They are common because of the necessary inclusion of the ICMPv6 protocol in any IPv6 network to work properly. Intrusion Detection Systems (IDSs) of the Internet Protocol version four (IPv4) can run in an IPv6 environment, but they are unable to solve its security problems such as ICMPv6-based DDoS attacks due to the new characteristics of IPv6, such as Neighbour Discovery Protocol and auto-configuration addresses. Therefore, a number of IDSs have been either exclusively proposed to detect IPv6 attacks or extended from existing IPv4 IDSs to support IPv6. This paper reviews and classifies the detection mechanisms of the existing IDSs which are either proposed or extended to tackle ICMPv6-based DDoS attacks. To the best of the authors’ knowledge, it is the first review paper that explains and clarifies the problems of ICMPv6-based DDoS attacks and that classifies and criticizes the existing detection.
... Furthermore, the authors [16] have concentrated on a detailed idea of ML and DL along with a brief idea of machine and deep learning and analyzed a Network-based Intrusion Detection System (NIDS) diligently. Likewise, the authors [17] and [18] have portrayed valuable information on the implementations, necessity and significance of AI-related IDS techniques. Nevertheless, there is one more term similar to this concept. ...
Chapter
Cybersecurity has become a major area of progress in the digital era. Contraction is an important component of the cyber analysts' management of information technology, as several government organizations and commercial enterprises are moving to dispersed systems. A cyber security analyst is most importantly responsible for protecting the network against damage. Attacks on networks are becoming more complex and sophisticated every day. The number of connected workplaces leads to heavy traffic, more security attack vectors and security breaches, and raises more issues than the cyber area can handle by human intervention alone while there is not enough sizable automation. Network intrusion thus becomes the biggest concern of this generation. Intrusion Detection and Prevention Systems (IDPS) have become a vital complement to almost all organizations' security infrastructure. This chapter includes three network monitoring tools concentrating on the immediate impact and output of cyber assaults on the network. This helps to better comprehend the many directions in the area of network monitoring and cybersecurity research. In general, this chapter aims to study the different network monitoring techniques that can be used in support of various servers and network devices to better understand the effect of cyber-attacks on the network and monitor it through tools such as cacti, weather-map and smokeping. It also sheds light on techniques like artificial intelligence, machine learning, neural networks, fuzzy logic and next-generation firewalls, and how they can be coupled with an Intrusion Detection System (IDS) to detect attacks on private networks.
Keywords: IDPS, Network monitoring tools, Cyber-attacks monitoring, Cybersecurity, Next generation firewall
... Training neural networks is important and may require considerable effort. Even though neural networks were the prominent technique used in intrusion detection, training neural networks required an extensive amount of computing time, leading to higher computing specification requirements [44][45]. FES has the potential to overcome these limitations. ...
Conference Paper
The purpose of this study was to review various machine learning techniques for Botnet detection systems by looking at their advantages and limitations, and to propose our Botnet detection system. In this paper, we summarized different machine learning techniques used in previous research. Recently, machine learning has become prominent in developing Botnet detection systems, especially for peer-to-peer Botnets, and most of them are capable of detecting decentralized Botnets. Further study has been made of Fuzzy Expert System (FES) and Self Organizing Map (SOM) techniques, because we believe both techniques have the capability to fulfill the features required in our Botnet detection system, which are autonomy, high accuracy and real-time detection. Then, a method is proposed for future work. The method is divided into six phases, and in the future we will conduct experiments to assess and prove the effectiveness of these techniques in a Botnet detection system.
... Matti Manninen, in [13], compares Artificial Intelligence solutions applied to IDSs with traditional solutions for the same, analyzing how those based on Artificial Intelligence can be more effective. Different Artificial Intelligence techniques that can be used in them are presented, among them: Fuzzy Logic, Probabilistic Reasoning, Neural Networks and Genetic Algorithms. ...
Article
Computer Security is in constant evolution and dynamism. The application of Artificial Intelligence techniques is becoming an indispensable practice in the treatment and detection of the threats to which organizations are exposed. This article focuses on a bibliographic study related to the application of Artificial Intelligence techniques in Computer Security, emphasizing Intrusion Detection Systems, detection of unsolicited e-mail or spam, antivirus, as well as other applications in which the use of Artificial Intelligence is considered important.
... These rules are tested, and after each iteration the rules with a higher fitness factor are selected and modified to create new rules until the desired detection rate is achieved. [13][14][15] Pros: 1. The unknown attack detection rate is increased by using a combination of a genetic algorithm with a signature-based intrusion detection system. ...
... A genetic algorithm can be used to keep the number of iterations as low as possible. The genetic algorithm randomizes values for each set and mixes and differentiates values from each of these; this continues until the desired result is reached or the maximum number of generations has passed [27]. ...
Article
The exponential growth and development of the Internet has created many problems in network security. Current intrusion detection systems have failed to fully protect systems against sophisticated attacks. This research work explores some dedicated methodologies such as Artificial Neural Networks (ANN), Fuzzy Logic, and Genetic Algorithms applied to Intrusion Detection Systems, but attacks against networks and information systems are still successful. We propose a Neuro-fuzzy Genetic Intrusion Detection System, which is a fusion of the three Artificial Intelligence techniques. We foresee that it would stand a fighting chance against any sophisticated attack, improve accuracy and precision rate, reduce the false positive rate, and protect data integrity, confidentiality and availability. We also discuss the dataset for evaluating the system. In this work we have identified a new research direction in the related field.
Keywords: fuzzy, Genetic algorithm, Artificial Neural Network, Fuzzy logic, intrusion detection system, Dataset
... In [11], Manninen broadly discusses how IDSs are almost incomplete without applying any Artificial Intelligence (AI) technique. Indeed, AI plays an important role in improving the overall performance of IDSs. ...
Article
The security of networks has been an important concern for any organization. This is especially important for the defense sector, as gaining unauthorized access to the sensitive information of an organization has been the prime desire of cyber criminals. Many network security techniques like Firewalls, VPN Concentrators etc. are deployed at the perimeter of the network to deal with attacks that originate from outside the network. But any vulnerability that allows the network's perimeter of defense to be penetrated can expose the entire network. To deal with such vulnerabilities, a system has evolved with the purpose of generating an alert for any malicious activity triggered against the network and its resources, termed an Intrusion Detection System (IDS). Traditional IDSs still have some deficiencies, like generating a large number of alerts containing both true and false ones. By automatically classifying (correlating) the various alerts, a high-level analysis of the security status of the network can be obtained and the job of the network security administrator becomes much easier. In this paper we propose to utilize Self Organizing Maps (SOM), an Artificial Neural Network, for correlating a large amount of logged intrusion alerts based on generic features such as Source/Destination IP Addresses, Port No, Signature ID etc. The different ways in which alerts can be correlated by Artificial Intelligence techniques are also discussed. We've shown that the strategy described in the paper improves the efficiency of the IDS by better correlating the alerts, leading to reduced false positives and increased competence of the network administrator.
Article
Security issues, like network intrusion and viruses, have increased widely with the growth of computer applications and networks. Therefore, it becomes necessary to develop methods to protect information from malicious attacks within different environments. One of these methods is to use an intrusion detection system for the detection of different interventions. This research presents a way to detect misuse intrusions (Misuse Detection System), by performing classification of events, which will be either Normal Events or Intrusion Events. This classification process is based on one of the string pattern matching algorithms, the Brute_Force algorithm. The Brute_Force algorithm is used after making a comparison between this algorithm and two other algorithms (Knuth-Morris-Pratt String Matching and the Boyer-Moore Algorithm). The data processed in the work is taken from the KDD list. The written version of this data, which is similar to the data format of comma separated values (CSV) files, has been converted to tables, and then a comparison between these tables is made for the purpose of categorizing events based on the algorithm mentioned above. The Java language has been used in this work as one of the most powerful programming languages, and the Eclipse environment was adopted to write the Java classes used in the work.
Chapter
Network security, amongst other security issues, essentially requires implementing Internet Protocol version 6 (IPv6). Cybercriminals have always hunted for methods and means to unfairly benefit from this new technology. IPv6 is an improved protocol because it has built-in security mechanisms compared to Internet Protocol version 4 (IPv4). However, IPv6 has similar susceptibilities, which are inherited from several features of IPv4. Another issue is that the new functionalities and procedures found in IPv6 depend on Internet Control Message Protocol version 6 (ICMPv6). A common vulnerability is the Denial of Service (DoS) attack. A combination of zombie hosts can form a Distributed Denial of Service (DDoS). DoS and DDoS attacks often represent substantial hazards in today's Internet, as they can cause serious damage to organizations and disrupt Internet services. This research aims to provide a brief review of the latest studies and investigations of detection in IPv6 networks using ICMPv6 messages and of DoS as well as DDoS attacks. Moreover, this work aims to introduce the proposed techniques, which utilized the Intrusion Detection System (IDS) in an effort to combat cyber-attacks.
Conference Paper
In this paper, we consider the issue of detecting a missing member of the malicious code family named backdoors. We developed a novel approach for revealing them based on two clusters: system behavior and network traffic. Backdoors can easily be installed on the victim system to exploit it, and detecting them requires considerable policies. Using Artificial Intelligence (AI) has revolutionized all security-providing systems. Hence, our proposed method acquired a tunable idea using an Artificial Neural Network (ANN) for classifying system features and predicting the probability that a backdoor exists, and a Genetic Algorithm (GA) in order to give a deterministic answer to the issue. Using the ANN in combination with the GA guarantees how precise our approach can be.
Article
Intrusion detection is known as an essential component to secure the systems in information and communication technology (ICT). In this paper, two mechanisms are used to achieve a fast intrusion detection system (IDS): 1) the training speed of neural attack classifier is improved by using output weight optimization-hidden weight optimization (OWO-HWO) training algorithm, 2) a feature relevance analysis is performed to decrease the number of input features and size of neural classifier. Experimental results show that the proposed system improves classification rates, especially for remote-to-local (R2L) attack category and is effective in terms of detection rate (DR) and cost per example (CPE). False alarm rate (FAR) of the proposed system is comparable with other intrusion detection systems, as well.
Conference Paper
With the rapid expansion of computer networks during the past decade, security has become a crucial issue for computer systems. Different soft-computing based methods have been proposed in recent years for the development of intrusion detection systems. This paper presents a neural network approach to intrusion detection. A Multi Layer Perceptron (MLP) is used for intrusion detection based on an off-line analysis approach. While most of the previous studies have focused on classification of records in one of the two general classes -normal and attack, this research aims to solve a multi class problem in which the type of attack is also detected by the neural network. Different neural network structures are analyzed to find the optimal neural network with regards to the number of hidden layers. An early stopping validation method is also applied in the training phase to increase the generalization capability of the neural network. The results show that the designed system is capable of classifying records with about 91% accuracy with two hidden layers of neurons in the neural network and 87% accuracy with one hidden layer.
Article
With the continuous evolution of the types of attacks against computer networks, traditional intrusion detection systems, based on pattern matching and static signatures, are increasingly limited by their need of an up-to-date and comprehensive knowledge base. Data mining techniques have been successfully applied in host-based intrusion detection. Applying data mining techniques on raw network data, however, is made difficult by the sheer size of the input; this is usually avoided by discarding the network packet contents. In this paper, we introduce a two-tier architecture to overcome this problem: the first tier is an unsupervised clustering algorithm which reduces the network packets payload to a tractable size. The second tier is a traditional anomaly detection algorithm, whose efficiency is improved by the availability of data on the packet payload content.
Article
The term Soft Computing (SC) represents the combination of emerging problem-solving technologies such as Fuzzy Logic (FL), Probabilistic Reasoning (PR), Neural Networks (NNs), and Genetic Algorithms (GAs). Each of these technologies provides us with complementary reasoning and searching methods to solve complex, real-world problems. After a brief description of each of these technologies, we will analyze some of their most useful combinations, such as the use of FL to control GA and NN parameters; the application of GAs to evolve NNs (topologies or weights) or to tune FL controllers; and the implementation of FL controllers as NNs tuned by backpropagation-type algorithms.
Article
Misuse detection is the process of attempting to identify instances of network attacks by comparing current activity against the expected actions of an intruder. Most current approaches to misuse detection involve the use of rule-based expert systems to identify indications of known attacks. However, these techniques are less successful in identifying attacks which vary from expected patterns. Artificial neural networks provide the potential to identify and classify network activity based on limited, incomplete, and nonlinear data sources. We present an approach to the process of misuse detection that utilizes the analytical strengths of neural networks, and we provide the results from our preliminary analysis of this approach.
Keywords: Intrusion detection, misuse detection, neural networks, computer security.
1. Introduction
Because of the increasing dependence which companies and government agencies have on their computer networks the importance of protecting these systems from at...
Article
Intrusion Detection systems (IDSs) have previously been built by hand. These systems have difficulty successfully classifying intruders, and require a significant amount of computational overhead making it difficult to create robust real-time IDS systems. Artificial Intelligence techniques can reduce the human effort required to build these systems and can improve their performance. Learning and induction are used to improve the performance of search problems, while clustering has been used for data analysis and reduction. AI has recently been used in Intrusion Detection (ID) for anomaly detection, data reduction and induction, or discovery, of rules explaining audit data. We survey uses of artificial intelligence methods in ID, and present an example using feature selection to improve the classification of network connections. The network connection classification problem is related to ID since intruders can create "private" communications services undetectable by normal mea...
Conference Paper
Hierarchical SOMs are applied to the problem of host based intrusion detection on computer networks. Unlike systems based on operating system audit trails, the approach operates on real-time data without extensive off-line training and with minimal expert knowledge. Specific recommendations are made regarding the representation of time, network parameters and SOM architecture