Cognitive Computation (2018) 10:848–863
https://doi.org/10.1007/s12559-018-9564-y
Anomaly-Based Intrusion Detection Using Extreme Learning Machine
and Aggregation of Network Traffic Statistics in Probability Space
Buse Gul Atli¹ · Yoan Miche² · Aapo Kalliola² · Ian Oliver² · Silke Holtmanns² · Amaury Lendasse³
Received: 1 November 2017 / Accepted: 22 May 2018 / Published online: 5 June 2018
© Springer Science+Business Media, LLC, part of Springer Nature 2018
Abstract
Recently, with the increased use of network communication, the risk of compromising information has grown
immensely. Intrusions have become more sophisticated, and few methods can achieve efficient results while the network
behavior constantly changes. This paper proposes an intrusion detection system based on modeling distributions of network
statistics and Extreme Learning Machine (ELM) to achieve high detection rates of intrusions. The proposed model
aggregates the network traffic at the IP subnetwork level, and the distributions of statistics are collected for the most frequent
IPv4 addresses encountered as destination. The obtained probability distributions are learned by ELM. This model is
evaluated on the ISCX-IDS 2012 dataset, which is collected using a real-time testbed. The model is compared against leading
approaches using the same dataset. Experimental results show that the presented method achieves an average detection
rate of 91% and a misclassification rate of 9%. They also show that our methods significantly improve the
performance of the simple ELM despite a trade-off between performance and time complexity. Furthermore, our methods
achieve good performance in comparison with the few other state-of-the-art approaches evaluated on the ISCX-IDS 2012
dataset.
Keywords: Intrusion detection · Network behavior analysis · Probability density function · Hierarchical clustering ·
Extreme learning machine
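The pipeline summarized in the abstract, sketched as an added example that is not the authors' code: flows from one time window are aggregated per destination subnetwork, a probability vector is built for the busiest destination, and an ELM (random fixed hidden layer, output weights by least squares) learns those vectors. The /24 prefix, bytes per flow as the statistic, the bin edges, the tanh/ridge settings, the two-class labels and the sample windows are all assumptions constructed for illustration; NumPy is required.

```python
import ipaddress
from collections import defaultdict
import numpy as np

EDGES = [0, 100, 1000, 10000, 100000]  # assumed bin edges for bytes per flow

def dest_histograms(flows, top_k=1, prefix=24):
    """flows: (dst_ip, n_bytes) pairs from one time window.
    Returns {subnet: probability vector} for the top_k busiest destination subnets."""
    sizes = defaultdict(list)
    for dst, n_bytes in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        sizes[str(net)].append(n_bytes)
    busiest = sorted(sizes, key=lambda s: len(sizes[s]), reverse=True)[:top_k]
    hists = {}
    for net in busiest:
        counts, _ = np.histogram(sizes[net], bins=EDGES)  # out-of-range sizes are dropped
        hists[net] = counts / max(counts.sum(), 1)        # normalize to a distribution
    return hists

def elm_train(X, y, hidden=20, ridge=1e-3, seed=0):
    """ELM: hidden weights are random and never trained; only beta is solved for."""
    rng = np.random.default_rng(seed)
    W = rng.normal(size=(X.shape[1], hidden))
    b = rng.normal(size=hidden)
    H = np.tanh(X @ W + b)
    beta = np.linalg.solve(H.T @ H + ridge * np.eye(hidden), H.T @ y)
    return W, b, beta

def elm_score(model, X):
    """Score near 0 = normal-looking distribution, near 1 = flood-looking."""
    W, b, beta = model
    return np.tanh(np.atleast_2d(X) @ W + b) @ beta

def window(small, mid, large):
    """Constructed sample window: flows into 10.0.0.0/24 plus one stray flow."""
    flows = [("10.0.0.5", 40)] * small + [("10.0.0.9", 500)] * mid
    flows += [("10.0.0.7", 5000)] * large + [("192.0.2.1", 300)]
    return flows

def features(flows):
    """Probability vector of the single busiest destination subnet."""
    return next(iter(dest_histograms(flows).values()))

# Constructed training set: label 0 = normal size mix, 1 = flood of tiny flows.
normal = [window(s, 15, l) for s in range(3) for l in range(3, 6)]
flood = [window(20, m, g) for m in range(3) for g in range(3)]
X = np.array([features(w) for w in normal + flood])
y = np.array([0.0] * len(normal) + [1.0] * len(flood))
MODEL = elm_train(X, y)
```

Scoring `features(window(30, 2, 0))`, a window not in the training set, gives a value above 0.5 because its distribution is dominated by the smallest size bin.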
Introduction
In recent years, advances in networking technology,
especially cloud services and the Internet of Things (IoT),
have created new businesses and connected the world by
converting it into a massive information system. This has
also drawn the attention of hackers, since more and more
personal and private information is stored in hosting
devices [6]. Therefore, security practices have been the
focus of intense research due to the requirement for a safe,
secure environment.
Yoan Miche
yoan.miche@nokia-bell-labs.com
¹ Department of Signal Processing and Acoustics, Aalto University, Espoo, Finland
² Nokia Bell Labs, Espoo, Finland
³ The University of Iowa, Iowa City, IA 52242, USA
Network behavior analysis (NBA) and intrusion detection
systems (IDS) play an important role in cybersecurity.
They are potential defense layers that monitor the
network and detect intrusions when user identification and
authentication mechanisms fail to do so. Intrusion detection
systems are capable of recognizing malicious activities
by triggering an alert or logging the results [4]. Anomaly-based
intrusion detection systems analyze network events
and capture security problems by finding unusual activities
that do not conform to the normal baseline. In order to
support anomaly detection systems, NBA tools are deployed
for capturing, aggregating and comparing different network
behaviors [38].
Anomaly-based intrusion detection has been the focus
of intense research in recent years [24, 30]. Despite the
significant number of existing studies in this area, more
research is needed due to the continuously evolving nature
of the attacks. To address this problem, a practical
intrusion detection system should be able to update itself to
detect novel and stealthier attacks, as well as handle large
amounts of streaming data [11, 37].