Survey of Machine Learning Techniques in Anomaly
Detection Based IDPS
Abdul Ahad, Soham Ghosh, Anil Kumar Gupta
[email protected]
,
[email protected]
,
[email protected]
Mechanical Design and Engineering Group (MDEG)
Centre for Development of Advance Computing (C-DAC)
Pune, India
Abstract—As network attacks have increased in number and
severity over the past few years, intrusion detection system
(IDS) is increasingly becoming a critical component to secure
the network. Due to large volumes of security audit data as
well as complex and dynamic properties of intrusion
behaviors, optimizing performance of IDS becomes an
important open problem that is receiving more and more
attention from the research community. Intrusion poses a
serious security risk in a network environment. The ever
growing new intrusion types pose a serious problem for their
detection. Existing intrusion detection systems rely heavily on
human analysts to differentiate intrusive from non-intrusive
network traffic. The human labeling of the available network
audit data instances is usually tedious,
time consuming and expensive. The large and growing amount
of data confronts the analysts with an overwhelming task,
making the automation of aspects of this task necessary.
Whether complete automation is possible or even desirable is
debatable.
Also the pattern matching in intrusion detection has
traditionally been simple, looking for exploitive activity such
as connections from certain IP addresses with histories of
intrusive behavior. However, an intrusion into a computer
network can be more complex, with the complexity being both
spatial and temporal. An example of this type of intrusion is a
„low and slow‟ attack consisting of intrusive behavior over
hours, days or weeks that may originate from multiple
network sources.
Machine learning can be applied to this problem to extend
human pattern recognition. Automated techniques are ideal for
this application because they can monitor and correlate vast
numbers of intrusive signatures.
This paper compares the performance of Intrusion
Detection System (IDS) Classifiers using various feature
reduction techniques. To enhance the learning capabilities and
reduce the computational intensity of competitive learning
comparing the performance of the algorithms is performed
respectively, different dimension reduction techniques have
been proposed. These includes classifying and clustering
Algorithms Naïve Bayes, Simple k-mean, Decision tree and
J48, Linear Discriminate Analysis, and Independent
Component Analysis. Many Intrusion Detection Systems are
based on neural networks. However, they are computationally
very demanding. In order to mitigate this problem, dimension
reduction techniques are applied to a given dataset to extract
important features. This paper provides a review on current
trends in intrusion detection together with a study on
technologies implemented by some researchers in this research
area. This paper also gives a brief overview of an application
named NEDAA (Network Exploitation Detection Analyst
Assistant) developed at Applied Research Laboratories of the
University of Texas at Austin (ARL:UT) which help network
analysts by enhancing knowledge of with machine learning to
create rules for an intrusion detection expert system. In their
paper they have described some of the successes and problems
encountered in applying these techniques to computer network
intrusion detection.
Keywords— Supervised Machine Learning, Unsupervised
Machine Learning, Network Intrusion Detection, Network Security
I. INTRODUCTION
The field of intrusion detection has received increasing
attention in recent years. One reason for this is the explosive
growth of the Internet and the large number of networked
systems that exist in all types of organizations. The increase in
the number of networked machines has lead to an increase in
unauthorized activity, not only from external attackers, but
also from internal attackers, such as disgruntled employees
and people abusing their privileges for personal gain. Security
is a big issue for all networks in today‟s enterprise
environment. Both commercial and open source products are
now available for this purpose. Many vulnerability assessment
tools are also available in the market that can be used to assess
different types of security holes present in your network.
A secure network must provide the following:
• Confidentiality: Data that are being transferred through the
network should be accessible only to those that have been
properly authorized.
• Integrity: Data should maintain their integrity from the
moment they are transmitted to the moment they are actually
received. No corruption or data loss is accepted either from
random events or malicious activity.
• Availability: The network should be resilient to Denial of
Service attacks.
The organization of this paper is as follows. Section II
provides an overview of machine learning. Section III gives a
brief summary of intrusion detection. Section IV provides an
overview of Anomaly detection. Section V describes how
machine learning can be used in anomaly detection. Section
VI gives a detailed description of unsupervised anomaly
detection and what work has been done in field of anomaly
detection using unsupervised learning. Section VII provides an
overview of other machine learning techniques. Section VIII
talks about future plans and finally Section IX highlights
challenges and deployment issues.
II. MACHINE LEARNING
Machine Learning is a field of study that gives computers the
ability to learn without being explicitly programmed (Arthur
Samuel (1959)).Another Definition of machine learning is, “A
computer program is said to learn from experience E with
respect to some task T and some performance measure P, if its
performance on T, as measured by P improves with
experience E.”
Machine Learning is a vast domain of computer science but
in this paper we have focused only on Anomaly Based
Intrusion Detection and Prevention system.
Machine Learning = algorithm + predictions +data.
Records in database are called data instances (data) in machine
learning while Column in database are called features and data
instance is a vector of features and in machine learning we
predict feature vector. Another definition of machine learning
is:
“Machine Learning is about building a compressed
representation of your data. Expressing what is present in
data in compressed format and making predictions about new
data.”
Machine Learning develops algorithms for making predictions
from data which are classified into two broad categories.
Supervised learning: In this type of learning algorithm the
program is “trained” on a pre-defined set of “training
examples”, which then facilitate its ability to reach an accurate
conclusion when given new data. In supervised learning the
idea is to teach the computers how to do something. The term
supervised learning refers to the fact that we gave the
algorithm a data set in which all the “right answers” are given.
Suppose that prices of house in a particular city are to be
predicted based on available data as shown in graph
Price
($) in
1000
Size in feet2
Figure 1: House price prediction graph (figure)
Here the learning algorithm can help by drawing a straight line
through the data and based on that, prices of houses can be
predicted with given size in square feet (here 750
feet2).Instead of straight line there could be quadratic function
or any other function. This is an example of Regression
problem in which continuous valued output is predicted and if
discrete valued output is to be predicted then it is referred as
Classification.
Consider another graph shown below which shows two types
of breast cancer i) Malignant ii)benign and based on the size
of tumor it can belong to one of the two categories ,this is an
example of classification.
Figure 2: cancer graph
Unsupervised Learning is another classification of machine
learning algorithms where the program is given a bunch of
data and it must find patterns and relationships therein. In
unsupervised learning we allow computer to learn by itself.
“We don’t classify data in unsupervised learning.”
Clustering used in Google news is an example of
unsupervised learning.
III. INTRUSION DETECTION
An intrusion attempt or a threat is a deliberate and
unauthorized attempt to (i) access information, (ii) manipulate
information, or (iii) render a system unreliable or unusable.
For example, (a) Denial of Service (DoS) is an attempt to
make a machine or network resource unavailable to its
intended users, which are needed to function correctly during
processing; (b) Worms and viruses exploit other hosts through
the network; and (c) Compromises obtains privileged access to
a host by taking advantages of known vulnerabilities [1].
Every attack leaves its signature. A signature in the world
of cyber-crime can be defined as signature is a set of rules that
an IDS and an IPS use to detect typical intrusive activity, such
as DoS attacks. Some of the methods that can be used to
identify signature are:
1. Connection attempt from a reserved IP address.
This is easily identified by checking the source address field in
an IP header.
2. Packet with an illegal TCP flag combination. This can be
found by comparing the flags set in a TCP header against
known good or bad flag combinations.
3. Email containing a particular virus. The IDS can
compare the subject of each email to the subject associated
with the virus-laden email, or it can look for an attachment
with a particular name.
4. DNS buffer overflow attempt contained in the payload
of a query. By parsing the DNS fields and checking the length
of each of them, the IDS can identify an attempt to perform a
buffer overflow using a DNS field. A different method would
be to look for exploit shell code sequences in the payload.
5. Denial of service attack on a POP3 server caused by
issuing the same command thousands of times. One signature
for this attack would be to keep track of how many times the
command is issued and to alert when that number exceeds a
certain threshold.
6. File access attack on an FTP server by issuing file and
directory commands to it without first logging in. A state-
tracking signature could be developed which would monitor
FTP traffic for a successful login and would alert if certain
commands were issued before the user had authenticated
properly.
IV. ANOMALY BASED DETECTION
Anomaly Based Detection also named as "Behavior- Based
Detection" is described as a network IDS which models the
behavior of the network, users, and computer systems and
raises an alarm whenever there is a deviation from this normal
behavior. Anomaly detection is assumed to be able to detect a
new attack or any new potential attacks. It works on the
principle of distance measurement by constructing profiles
representing normal usage and then comparing it with the
current behavior of data to find out a likely mismatch. It
detects any action that significantly deviates from the normal
behavior based on normal behavior, profile and thresholds
calculated Anomaly based detection mechanism detects any
traffic that is new or unusual, and is particularly good at
identifying sweeps and probes towards network hardware. It
can, therefore, give early warnings of potential intrusions
because probes and scans are the predecessors of all attacks.
And this applies equally to any new service installed on any
item of hardware. An anomaly-based IDS is a perfect
mechanism to detect anything from port anomalies and web
anomalies to mis-formed attacks, where the URL is
deliberately mistyped. But the problem occurs when an
intrusion (noise) data in the training data, makes a
misclassification which leads to generate a lot of false positive
alarms.
The general architecture of an anomaly based methodology
is shown in fig. 2. This architecture consists of preprocessing
to extract information then build the pattern of the connection
if it deviates from the normal behavior rise an alarm.
Pattern
Network Datasets with
Pre- Pattern Outlier
traffic outliers
processing Buildin Detection
g measurement xi(t) is taken when the network is known to
Figure 3: Anomaly Detection Block Diagram
However, based on the literature survey, each of the
techniques has some limitations. Signature based detection
techniques fail to detect zero-day attacks. Continuous updation
in signature database is a major technical concern. In anomaly
based detection techniques, different extraction notions of
anomaly for different application domains produce high false
alarm-rates. In literature, numbers of anomaly detection
systems are developed based on many different machine
learning techniques. For example, some studies apply single
learning techniques, such as neural networks, genetic
algorithms, support vector machines, etc. On the other hand,
some systems are based on combining different learning
techniques, such as hybrid or ensemble techniques. In
particular, these techniques are developed as classifiers, which
are used to classify or recognize whether the incoming Internet
access is the normal access or an attack.
Machine learning techniques have ability to implement a
system that can learn from data. For example, a machine
learning system could be trained on incoming packets to learn
to distinguish between intrusive and normal packet. After
learning, it can then be used to classify new incoming packets
into intrusive and normal packets.
V. MACHINE LEARNING IN ANOMALY DETECTION
Machine learning approaches attempt to obtain an anomaly
detection that adapts to measurements, changing network
conditions, and unseen anomalies. What is a machine learning
view of network-anomaly detection? Let X(t) 2 Â (X in short)
be an n-dimensional random feature vector at time t 2 [0; t].
Consider the simplest scenario that there are two underlying
states of a network, wi; i = 0;1, where w0 = 0 corresponds to
normal network operation, and w1 =1 corresponds to “unusual
or anomalous” network state. Detecting anomaly can be
considered as deciding whether a given observation x of
random feature vector X is a symptom of an underlying
network state w0 or w1. That is, a mapping needs to be
obtained between X and wi for i = 0,1. Note that an anomalous
network state may and may not correspond to abnormal
network operation. For example, flash crowd, which is a surge
of user activities, may result from either an installment of new
software under a normal network operation or an abnormal
network state due to DDOS or Worm attacks.
Due to the complexity of networks, such a mapping is
usually unknown but can be learned from measurements.
Assume that a set D of m measurements is collected from a
network as observations on X, i.e., D = {xi(t)}mi=1, where
xi(t) is the i-th observation for t ∈ [0,t]. xi(t) is called a training
sample in machine learning. In addition, another set D l = {yq}
kl=1 of k measurements is assumed to be available in general
that are samples ( yq = 0,1) on ωi‟s. yq‟s are called labels in
machine learning. A pair (xi(t), yi) is called a labeled
Alert measurement in machine learning, where observation xi(t) is
obtained when a network is in a known state. For example ,if
operate normally, yi = 0 and (xi(t),0) is considered as a sample
for normal network operation. If xi(t) is taken when the
network is known to operate abnormally, yi = 1 and (xi(t),1) is
considered as a “signature” in anomaly detection. In general
xi(t) is considered as an unlabeled measurement, meaning the
observation xi(t) occurs when the network state is unknown.
Hence, three types of network measurements are: (a) normal
data Dn = {xi(t),0}k−ui=1, (b) unlabeled data D = {xj(t)}mj=1,
and (c) anomalous data Dl = {xr(t),1}ur=1 . A training set
consists of all three types of data in general although a
frequent scenario is that only D and Dn are available.
Examples of D include raw measurements on end-end flows,
packet traces, and data from MIB variables. Examples of D n
and Dl can be such measurements obtained under normal or
anomalous network conditions, respectively.
Given a set of training samples, a machine learning view of
anomaly detection is to learn a mapping f(.) using the training
set, where f(.) : Training Set → ωi, so that a desired
performance can be achieved on assigning a new sample x to
one of the two categories. Fig. 4 illustrates the learning
problem.
A training set determines the amount of information
available, and thus categorizes different types of learning
algorithms for anomaly detection. Specifically, when only D is
available, learning and thus anomaly detection is
unsupervised. When D and Dn are available, learning/anomaly
detection can, be viewed as unsupervised. When Dl and Dn are
both available, learning/anomaly detection becomes
supervised, since we have labels or signatures. f(.) determines
the architecture of a “learning machine”, which can either be a
model with an analytical expression or a computational
algorithm. When f(.) is a model, learning algorithms for
anomaly detection are parametric, i.e., model-based;
otherwise, learning algorithms are non-parametric ,i.e., non-
model-based.
VI. UNSUPERVISED ANOMALY DETECTION
We now focus on unsupervised learning for anomaly
detection, where Dl is not available, a mapping f(.) is learned
using raw measurements D and normal data Dn. Unsupervised
learning is the most common scenario in anomaly detection
due to its practicality: Networks provide a rich variety and a
huge amount of raw measurements and normal data. One
unsupervised learning approach for anomaly detection is
behavioral-based. That is, Dn together with D is learned to
characterize a normal network behavior. A deviation from the
norm is considered as an anomaly
performance
Training Set
Learning
. Wi
f( )
Fig 4: Machine Learning View of Anomaly Detection
A. Clustering
Clustering is another class of algorithms in unsupervised
anomaly detection. Clustering algorithms [18] characterize
anomalies based on dissimilarities. The premise is that
measurements that correspond to normal operations are similar
and thus cluster together. Measurements that do not fall in the
“normal clusters” are considered as anomalies.
A similarity measure is a key parameter in a clustering
algorithm that distinguishes the normal from anomalous
clusters. “Similarity” measures distances among the input xi‟s.
Euclidian distance is a commonly-used similarity measure for
network measurements. When samples lie with distances
below a chosen threshold, they are grouped into one cluster
[18]. Such an approach has been applied in the following
examples: (a) to cluster network flows from the Abilene
network [17] to detect abrupt changes in the traffic distribution
over an entire network, and (b) to cluster BGP update
messages and detect unstable prefixes that experience frequent
route changes [19]. More sophisticated algorithms are applied
such as hierarchical clustering to group BGP measurements
based on coarse-to-fine distances [21]. An advantage of
hierarchical clustering is computational efficiency, especially
when applied to large network-data sets [21]. Other more
sophisticated clustering algorithms improve local convergence
using fuzzy-k-mean and swam-k-mean algorithms, and are
applied to detecting network attacks [12]
Mixture models provide a model-based approach for
clustering [18]. A mixture model is a linear combination of
basis functions. Gaussian basis functions with different
parameters are commonly used to represent individual
clusters. The basis functions are weighted and combined to
form the mapping. Parameters of the basis functions and the
weighting coefficients can be learned using measurements
[18]. For example, [21] uses Gaussian mixture models to
characterize utilization measurements.
Parameters of the model are estimated using Expectation-
Maximization (EM) algorithm and anomalies are detected
corresponding to network failure events. One limitation of
clustering algorithms is that they do not provide an explicit
representation of the statistical dependence exhibited in raw
measurements. Such a representation is important for
correlating multiple variables in detection, and diagnosis of
anomalies.
B. Bayesian Belief Networks
Bayesian Belief Networks (mapping f (.)) provides the
capability to capture the statistical dependence or causal-
relations among variables and anomalies.
An early work [9] applies Bayesian Belief Networks to
MIB variables in proactive network fault detection. The
premise is that many variables in a network may exhibit
anomalous behavior upon the occurrence of an event, and can
be combined to result in a network-wide view of anomalies
that may be more robust and result in a more accurate
detection. Specifically, the Bayesian Belief Networks [9] first
combines MIB variables within a protocol layer, and then
aggregates intermediate variables of protocol layers to form a
network-wide view of anomalies. Combinations are done
through conditional probabilities in the Bayesian Belief
Networks. The conditional probabilities were determined a
priori.
Recent work [10] uses Bayesian Belief Networks to
combine and correlate different types of measurements such as
traffic volumes, ingress/egress packets, and bit rates.
Parameters in the Bayesian Belief Network are learned using
measurements. The performance of the Bayesian Belief
Network compares favorably with that of wavelet models and
time-series detections, especially in lowering false alarm rates
[10].
[11] Provides an example of Bayesian Networks in
unsupervised anomaly detection at the application layer. In
this work a node in a graph represents a service and an edge
represents a dependency between services. The edge weights
vary with time, and are estimated using measurements.
Anomaly detection is conducted from a time sequence of
graphs with different link weights. The paper shows that
service anomalies are detected with little information on
normal network-behaviors.
1) Bayesian Network
A Bayesian network is a model that encodes probabilistic
relationships among the variables of interest. This technique is
generally used for intrusion detection in combination with
statistical schemes. The naïve Bayesian (NB) algorithm is
used for learning task, where a training set with target class is
provided. Training set is described by attributed A1 through
An, and each attribute is described by attribute 𝑎1, 𝑎2 … 𝑎𝑛
associated with class C. The objective is to classify an unseen
example, whose class value is unknown but attribute values
are known. The Bayesian approach to classifying the unseen
example is to assign the most probable target class. 𝐶𝑚𝑎𝑝 Given
the attribute values (𝑎1, 𝑎2, … … …, 𝑎𝑛) that describes the
example. . 𝐶𝑚𝑎𝑝 = 𝑎𝑟𝑔𝑚𝑎𝑥 𝐶𝑗 𝛴 𝐶𝑃 𝐶𝑗𝑎1, 𝑎2 … … …) the
expression can be rewrite using Bayesian theorem as 𝐶𝑚𝑎𝑝
=𝑎𝑟𝑔𝑚𝑎𝑥 𝐶𝑗𝛴 (𝑎1, 𝑎2 … … … 𝑎𝑛| 𝐶 )(𝐶𝑗 ) (1)
It is easy to estimate each of the P (Cj) simply by counting
the frequency with which each target class Cj occurs in the
training set. The naïve Bayesian algorithm is based on the
simplifying assumption that given the target class of the
example, the probability of observing the conjunction 𝑎1, 𝑎2
… 𝑎𝑛 is just the product of the probabilities for the individual
attributes: : 𝑃(𝑎1, 𝑎2 … … … 𝑎𝑛|𝐶𝑗 ) =• 𝑖 𝑃(𝑎𝑖|𝐶𝑗).
Substituting this into equation 1, we get get 𝐶𝑁𝐵 = 𝑎𝑟𝑔𝑚𝑎𝑥
𝐶𝑗𝛴 (𝐶𝑗 • 𝑖 (𝑎𝑖)|𝐶𝑗 ) (2) Where 𝐶𝑁𝐵, denote the target class
predicate by the naïve Bayesian classifier. In naïve Bayesian
algorithm, the probability values of equation 2 are estimated
from the given training data. These estimated values are then
used to* classify unknown examples. a procedure that yields
several advantages, including the capability of encoding
interdependencies between variables and of predicting events,
as well as the ability to incorporate both prior knowledge and
data [12][13].
VII. OTHER MACHINE LEARNING APPROACHES
Using information theoretical measures is another approach
for unsupervised anomaly detection. Information theoretical
measures are based on probability distributions. Hence
information from distributions that are estimated from the data
is used in anomaly detection.
[15] Provides several information theoretical measures for
anomaly detection of network attacks. The measures include
entropy and conditional entropy as well as information
gain/cost for anomaly detection. The entropy measures are
applied to several data sets for network security including call
data and “tcpdump” data. The entropy measures also assist in
selecting parameters for detection algorithms. [13] applies
information theoretical measures in behavioral-based anomaly
detection. First, the Maximum Entropy principle is applied to
estimate the distribution for normal network operation using
raw data. Second, the relative entropy of the network traffic is
applied with respect to the distribution of the normal behavior.
The approach detects anomalies that not only cause abrupt
changes but also gradual changes in network traffic.
[22] Uses entropy measures to flow data, and develops
algorithms for estimating the entropy of streaming algorithms.
Hidden Markov Model is another approach in unsupervised
anomaly detection. For example, [23] uses a Hidden Markov
Model to correlate observation sequences and state transitions
so that the most probable intrusion sequences can be
predicted. The approach is applied to intrusion detection data
sets (KDDCUP99) and shown to reduce the false alarm rates
effectively.
The current implementation of NEDAA contains rule
generation modules that interface with two ARL:UT arti-
ficial intelligence (AI) software packages: a genetic algorithm
tool set and a decision tree generator. These modules can be
customized for specific applications and data sources. The
choice of AI techniques employed stemmed from previous
experience with genetic algorithms, and literature research
into other applicable methods. The genetic algorithm software
package was a logical platform from which to tackle the
difficult problem of intrusion detection. The use of decision
trees for rule generation was made to provide a deterministic
alternative to genetic algorithms. VulcanRG, the machine
learning component of the NEDAA system, generates rules for
compilation into intrusion detection systems. These rules are
generated by the genetic algorithm and by decision tree
packages developed at ARL:UT. Currently VulcanRG is used
to generate rules for one deployed IDS and one experimental
system. Many of the examples presented in this paper are
derived from actual runs of the machine learning components
of NEDAA.
A. Genetic Algorithms
Genetic algorithms are a family of problem-solving
techniques based on evolution and natural selection. They are
essentially a type of search algorithm that finds an
approximate solution to an optimization task - inspired from
biological, evolution process and natural genetics and
proposed by Holland (1975). GA uses hill climbing method
from an arbitrary selected number of genes. GA has four
operators: initialization, selection, crossover and mutation and
as such, can be used to solve a wide variety of problems. This
section gives a brief overview of genetic algorithms. The goal
of genetic algorithms is to create optimal solutions to
problems. Potential solutions to the problem to be solved are
encoded as sequences of bits, characters or numbers. The unit
of encoding (usually a single bit in traditional genetic
algorithms) is called a gene, and the encoded sequence is
called a chromosome. The genetic algorithm begins with a set
(population) of these chromosomes and an evaluation function
that measures the fitness of each chromosome, i.e. the
„goodness‟ of the problem
GA has been used in different ways in IDS. There are
many researchers that used evolutionary algorithms and
especially GAs in IDS to detect malicious intrusion from
normal use. Genetic algorithm based intrusion detection
system is used to detect intrusion based on past behavior. A
profile is created for the normal behavior based on that genetic
algorithm learns and takes the decision for the unseen patterns.
Genetic algorithms also used to develop rules for network
intrusion detection. A chromosome in an individual contains
genes corresponding to attributes such as the service, flags,
logged in or not, and super-user attempts. These attacks that
are common can be detected more accurately compared to
uncommon attributes. Genetic algorithms are capable of
deriving classification rules and selecting optimal parameters
for detection process.
Genetic Algorithms are applied in the current version of
NEDAA, to evolve simple rules for monitoring network
traffic. These rules are simple single-connection patterns for
differentiating normal from abnormal network connections.
The rules are evolved by creating patterns which match a set
of anomalous connections and a set of normal connections (as
reported by an analyst). These patterns are used as the firing
conditions of rules of the form if < pattern matched > then <
generate alert >.2 The goal is to develop rules which match
only the anomalous connections. Such rules can then be used
to filter historical records and new connections so that the
analyst can concentrate on those which are suspicious.
The patterns created by the genetic algorithm corresponds
to the format of incoming connections and are combinations of
specific connection attribute values and „wild cards‟.
Examples of attributes used in the current version of NEDAA
include: source IP address, destination IP address, source IP
port, destination IP port, and network protocol.
The initial population is comprised of random rules; an
example is shown in Table 3. The chromosome for a rule is
comprised of 29 genes: 8 for source IP (2 hexadecimal digits
per address field), 8 for destination IP, 6 for source port, 6 for
destination port, and 1 for protocol. Each gene can be either a
specific numeric value in the appropriate range for the field or
a wild card. The chromosome for the rule in Table 1 is shown
in Figure 5 When a rule is used to filter connections, each
connection is converted to a 29-field format corresponding to
the gene structure of a rule as described above. A rule matches
a connection if and only if every non-wildcard gene in the rule
matches the corresponding field in the connection
Attribute Value
Source IP 42.22.e5.bc(66.34.229.188)
Destination IP 15.b*.6e.76(21.176+?.110.118)
Source Port 047051
Destination Port 912320
Protocol TCP
Table 1: Sample rule
(4,2,2,2,14,5,11,12,1,5,11,-1,6,14,7,6,0,4,7,0,5,1,2,3,2,0,17)
Figure 5: Chromosome for rule in Table 1
The evolutionary process of the genetic algorithm requires
some form of fitness measure on individual population
members. In NEDAA, this fitness measure is based on the
actual performance of each rule on a pre-classified data set.
Each rule is used to filter a data set comprised of connections
marked as either anomalous or normal by an analyst, and the
fitness function rewards partial matches of training
connections that have been designated as anomalous. If a rule
completely matches an anomalous connection it is awarded a
bonus; if it matches a normal connection it is penalized. As a
result, succeeding populations are biased toward rules that
match intrusive connections only. After a certain number of
generations, the genetic algorithm is stopped, and the best
unique rules are selected.
The classic genetic algorithm described earlier tends to
converge on a single „best‟ solution to any given problem. In
the case of a rule set, however, it is generally not sufficient to
find a single rule. Multiple rules are generally needed to
identify unrelated types of anomalies; several „good‟ rules are
more effective than a single „best‟ one. In mathematical terms,
this requirement translates to the concept of finding local
maxima as opposed to the global maximum of the fitness
function. Genetic algorithms evolve solutions which maximize
(or minimize) the fitness function. A traditional genetic
algorithm will attempt to find a global maximum of the fitness
function, and will continue until all solutions in the population
have converged to this maximum. In contrast, the problem of
discovering multiple rules to filter incoming connections
based on different criteria is essentially that of discovering
multiple local maxima of the fitness function.
In order to find local maxima of the fitness function, and
hence multiple rules, we employed niching techniques.
Conceptually, niching in genetic algorithms is similar to that
in nature; different species that share an environment
generally inhabit different niches in order to exploit resources
and minimize competition. In genetic algorithms, niching
strategies attempt to create subpopulations which converge on
local maxima. The two standard ways of niching are sharing
and crowding[4]. Sharing degrades the fitness of solutions
based on the number of other solutions which are nearby
(similar). When the fitness is degraded in this manner,
overcrowded niches become less hospitable, forcing solutions
to other local maxima which may be less populated. In
crowding, solutions which are generated by the crossover of
two „parent‟ solutions replace the nearest (most similar)
solutions in the population.
Both sharing and crowding use the concept of nearness ,or
similarity ,in order to maintain population diversity. A
distance metric must be imposed either on the space of
solutions or on the space of chromosomes in order to use
either of these niching methods. Unless a domain specific
distance metric is determined for the problem, the Hamming
distance is used[4]. The Hamming distance between two
chromosomes is the number of genes which differ between the
two chromosomes. We use the Hamming distance and a
variation of crowding in order to generate a diverse rule set.
B. Neural Networks
Artificial neural networks consists of a collection of
processing elements that are highly interconnected and
transform a set of inputs to a set of desired outputs that is
inspired by the way biological nervous systems, such as the
brain, process information. The technique of Neural Networks
NN follows the same theories of how the human brains works.
The Multilayer Perceptions MLP has been widely used neural
network for intrusion detection. They are capable of
approximating to arbitrary accuracy, any continuous function
as long as they contain enough hidden units. This means that
such models can form any classification decision boundary in
feature space and thus act as non-linear discriminate function.
When the NN is used for packets classification, there is one
input node for each element of the feature vector. There is
usually one output node for each class to which a feature may
be assigned (shown in Fig. 6). The hidden nodes are connected
to input nodes and some initial weight assigned to these
connection. These weights are adjusted during the training
process. MPL NN Structure One learning algorithm used for
MLP is called back-propagation rule. This is a gradient
descent method and based on an error function that represents
the difference between the network‟s calculated output and the
desired output. This error function is defined, based on the
Mean Squared Error MSE. The MSE can be summed over the
entire training set. In order to successfully learn, the network‟s
true output should approach the desired output by
continuously reducing the value of this error. The back
propagation rule calculates the error for a particular input and
then back- Propagates the error from one layer to the
previous one. The connection weights, between the nodes, are
adjusted according to the back-propagated error so that the
error is reduced and the network learns. The input, output, and
hidden layers neurons are variable. Input/output neurons are
changed according to the input/output vector and hidden layer
neurons are adjusted as per performance requirement,
more hidden layers neurons more complex MLP. The neural
network intrusion detection system consists of three phases:
 Using automated parsers to process the raw TCP/IP
dump data in to machine-readable form or use some
benchmark dataset contain parsed connection
records.
 Training: neural network is trained on different types
of attacks and normal data. The input has 41 features
and the output assumes one of two values: intrusion
(22 different attack types), and normal data.
 Testing: performed on the test dataset.
Figure 6: Simple Architecture of MLP
Neural network based intrusion detection system, intended to
classify the normal and attack patterns and the type of the
attack. It is observed that the long training time of the neural
network was mostly due to the huge number of training
vectors of computation facilities. However, when the neural
network parameters were determined by training,
classification of a single record was done in a negligible time.
Therefore, the neural network based IDS can operate as an
online classifier for the attack types that it has been trained
for. The only factor that makes the neural network off-line is
the time used for gathering information necessary to compute
the features.[3][6].
C. Support Vector Machine
In classification and regression, Support Vector Machines
SVM is the most common and popular method for machine
learning tasks. In this method, a set of training examples is
given with each example is marked belonging into one of two
categories. Then, by using the Support Vector Machines
algorithm, a model that can predict whether a new example
falls into one categories or other is built [4]. For classification
using SVM we need to select the training samples and carry
out attribute extraction on samples, generally, we select a
network connection as a sample or benchmark datasets like
KDD99 which have collection of network connections
attributes captured from variance networks. It is needed to
define an input space x. For each network connection,
choosing n attribute characteristics. The one-dimensional
vector x can be Used to express a network connection 𝑥 = {𝑥1,
𝑥2, … … … , 𝑥𝑛} in which 𝑥𝑖, 𝑖 =1,2, … … . . 𝑛 ,refers to the i
characteristic value of the sample x. Defining Y as output
domain, as we only judge whether it is normal for each
network connection, only two states are enough to express the
problem, therefore, it can be defined that Y = (+1,−1) . When
Y = +1 it is normal connection and when Y = −1 it is
abnormal connection. A simple SVM classification diagram
shown in Fig. 7.
In this only classes are there +1and -1 for normal and
abnormal connections. It maps sample space to a higher
dimensional even an infinite dimensional character space by
the use of nonlinear mapping function ф (xi). Support Vector
Machine is a classification method possessing better learning
ability for small samples, which has been widely applied in connects either two nodes or a node and a leaf. Leaves are
many fields such as Network Intrusion Detection, web page labeled with a decision value for categorization of the data.
identification and face identification. Support Vector Machine
applied in intrusion detection possesses such advantages as IP Port System Name Category
high training rate and decision rate, insensitiveness to 004020 Artemis Normal
004020 Apollo Intrusion
dimension of input data, continuous correction of various 002210 Artemis Normal
parameters with increase in training data which endows the 002210 Apollo Intrusion
system with self-learning ability, and so on. Besides, it is also 000010 Artemis Normal
capable of solving many practical classification problems, 000010 Apollo Normal
such as problem involving small samples and non-linear
problem. Therefore, Support Vector Machine will become Table 2: Example Intrusion Data
increasingly popular in network security

Figure 8: Example Intrusion Decision Tree

This decision tree could be turned into the following rule

(in C++ form):
Figure 7: Simple Architecture of SVM classification if(System Name == Artemis){
intrusion = false;
}
D. Decision Trees
else if(System Name == Apollo){
Decision Tree algorithm is normally used for classification if(IP Port == 002210){
problem. In this algorithm, the data set is learnt and modeled. intrusion = true;
Therefore, whenever a new data item is given for }
classification, it will be classified accordingly learned from the else if(IP Port == 004020){
previous dataset. Decision Tree algorithm can also be used for intrusion = true;
Intrusion Detection. For this reason, the algorithm will also }
learn and models data based on the training data. As a result, else if(IP Port == 000010){
the model can classify which attack types does a future data intrusion = false;
belongs to based on the model built. One of the strength of }
Decision Tree is it can works well with huge data sets. This is }
important as large amount of data flow can be found across the
computer networks. In real-time Intrusion Detection, it works In NEDAA Quinlan‟s[7] ID3 algorithm is used to construct
well because Decision Tree gives the highest detection decision trees from structured data (such as the data in Table
performance and can construct and interpret model easily. 2). The ID3 algorithm uses information theoretic precepts to
Another useful property of Decision Tree in Intrusion create efficient decision trees. Given a structured data set, a
Detection model is its generalization accuracy. This is due to list of attributes describing each data element, and a set of
the trends in the future where there will always be some new categories to partition the data into, the ID3 algorithm
attacks, and by having generalized accuracy provided by determines which attribute most accurately categorizes the
Decision Tree, these attacks can be detected [5]. data. A node is established and labeled by this attribute. The
edges coming from this node are labeled with the possible
Decision trees are structures used to classify data with values of the partitioning attribute. The data set is then divided
common attributes. Each decision tree represents a rule which into subsets by the values of this attribute. If a subset is
categorizes data according to these attributes. A decision tree completely categorized, then the edge terminates in a leaf
consists of nodes, leaves, and edges. A node of a decision tree labeled by the categorization. Otherwise the subset is
specifies an attribute by which the data is to be partitioned. subdivided further by creating a new node and repeating this
Each node has a number of edges which are labeled according process recursively.
to a possible value of the attribute in the parent node. An edge
 1) Applying Decision Trees

In NEDAA the ID3 algorithm is used to create decision trees

which classify connections based on the attributes listed in
Table 3. The generated decision tree can be pruned to
determine connections which have similar attributes to those
in Table 3. In this way decision trees generalize information
learned during their construction. A pruned decision tree
Figure 9: Pruned Decision Tree generated by the ID3 algorithm based on data in Table 3 is
shown in Figure 10.
Decision trees constructed by the ID3 algorithm are based on
the training set used to construct them. In order for a decision
tree to generalize the information learned, the decision tree
must be pruned. Pruning replaces certain nodes with leaves. A
simple example of pruning involves removing all nodes and
leaves which terminate in a default category. In Figure 9 we
show the tree of Figure 8 after it has been pruned. All
connections are assumed to be normal if they are not classified
as intrusions. The pruned decision tree can be turned into the
following code:

intrusion = false;
if(System Name == Apollo){
if((IP Port==002210)||(IP Port==004020)){ Figure 10: Intrusion Detection Decision Tree
intrusion = true;
}} The rules produced by the decision trees are of a slightly
The NEDAA machine learning approach uses analyst created different nature than those produced by genetic algorithms.
training sets for rule development and analyst decision The genetic algorithms use niching to create a population of
support. In the current implementation the training unique rules; ideally each rule at its own local maxima.
information is comprised of database views queried from the Decision trees on the other hand create a single rule with a
archived network events (Table 3). number of different clauses. Each clause is equivalent to a
From this training data the machine learning modules single rule in the genetic algorithm population. Each element
generate rules of the form: of training data falls into one of the clauses in the decision tree
if < condition > then < action > and hence is represented in the final rule. The „completeness‟
These rules can be compiled into the expert system for of the final rule, with respect to the training data, is an
intrusive event detection, or used to simplify the analyst‟s task advantage that decision trees have over genetic algorithms,
by summarizing large sets of training data into simple rule and dispenses with the need for niching in the decision tree
sets. It is important to note that the quality of the synthesized component.
rules depends on the quality of the training set. Any The rules developed by the decision tree component, like
classification errors in the training set will propagate into the the genetic algorithm rules, are sensor level rules. These rules
resulting rule set. are used to filter single connections. Currently, the generated
decision trees provide an elaboration of the „Hot IP‟ list; a list
Source IP Dest IP Source Dest Pr Intru which enumerates IP addresses with previous anomalous
Port Port ot sion activity. This extension of the „Hot IP‟ list allows an intrusion
oc detection system to differentiate between normal and
ol
s
anomalous activity from a Hot IP address.
123.202.72.109 225.142.187.12 001360 000080 IP True
123.202.72.109 225.142.187.12 001425 000080 IP True The following table describes comparison of various machine
123.202.72.109 225.142.187.12 001488 000080 IP True learning techniques which are discussed so far along with their
123.202.72.109 225.142.187.12 001559 000080 IP True
pros and cons.
123.202.72.109 225.142.187.12 001624 000080 IP True
255.142..147.75 150.216.191.119 001624 000080 IP True
255.142.187.19 125.250.187.19 004207 000025 IP True S.No Machine Pros Cons
233.167.15.65 255.142.187.12 004607 000025 IP False Learning
233.167.15.65 255.142.187.12 004690 000025 IP False Technique
139.61.51.70 255.142.187.12 001052 000021 IP False 1 Neural Ability to generalize Slow training
Networks from limited, noisy process
142.142.5.113 255.142.187.12 001572 000080 IP false
and incomplete data. so not suitable for
Table 3 : Example Training Data realtime detection.
 Does not need expert time. Ideally these rules will be able to detect the „low and
knowledge and it can Over-fitting may slow‟ attack. There are many ways to build rules that are
find unknown or novel happen during
intrusions. neural based on a number of connections, events, etc. One way is to
network training. create rules which can cause other rules to be activated. This
2 Bayesian Encodes probabilistic Harder to handle method, known as rule chaining, allows complex sequences of
Networks relationships among continuous features. events to be detected [3]. Given a number of rules of the form
the variables of May not contain
interest. any good classifiers if < predicate > then < action >g, the execution of one rule‟s
if prior knowledge action during a cycle may trigger the successful evaluation of
Ability to incorporate is wrong. another rule‟s predicate on subsequent cycles In this way rules
both Prior knowledge may communicate with each other to detect complex behavior.
and data
3 Support Vector Better learning ability Training takes a
Incoming connections may activate certain rules, which in turn
Machine for small samples. long time. may activate other rules. This process may continue
High training rate and Mostly used binary indefinitely until a message triggers an alarm to the intrusion
decision rate, classifier which detection system, or until no new messages are created. We
insensitiveness to cannot give
dimension of input additional
are investigating the alteration of the genetic algorithm
data. information about component to create rules which chain in this manner. The
detected type of ID3 algorithm builds decision trees from an annotated data set.
attack. If the data set is augmented, a new decision tree must be built
4 Genetic Capable of deriving Genetic algorithm
Algorithm best classification cannot assure
to encompass the changes. Building a decision tree is
rules and Selecting constant computationally intensive. In order to avoid this computation
optimal parameters. optimization new algorithms have been developed to update existing
response times. decision trees based on new information[2]. This allows us to
Biologically inspired
and employs Over-fitting.
build scalable decision trees, and thus continually refine the
evolutionary rule set as new information becomes known to the analyst. We
algorithm. will investigate scalable decision tree construction as an
5 Fuzzy Logic Reasoning is High resource enhancement to our current system. . Decision trees can be
Approximate rather consumption used to cluster network events into similar categories based on
than precise. Involved.
common attributes
Effective, especially Reduced, relevant
against port scans and rule subset IX. CHALLENGES AND DEPLOYMENT ISSUES
probes. identification
and dynamic rule
From the above study of the different anomaly detection
updation at runtime approaches that are available today, it is clear that a black box
is a difficult task. anomaly detector may indeed be a utopian dream [50] for two
6 Decision Trees Decision Tree works Building a decision main reasons: (1) the nature of the information that is fed to
well with huge data tree is the anomaly detector could be varied both in format and range,
sets. computationally
intensive task. and (2) the nature of the anomaly, its frequency of occurrence
High detection and resource constraints clearly dictates the detection method
accuracy. of choice. In [25] the authors propose an initial prototype
anomaly detector that transforms the input data into some
Table 4: Comparasion of Machine Learning Techniques common format before choosing the appropriate detection
methodology. This is clearly an area where further research is
an important contribution, especially for deployment in
VIII. FUTURE PLANS service provider environments where it is necessary to build
The goal of machine learning as applied to network multiple anomaly detectors to address the myriad monitoring
intrusion detection is to generate a minimal rule set which can requirements.
detect intrusion signatures generalized from previous activity. Some of the challenges encountered when employing
We want a minimal number of rules for rapid response and machine learning approaches or statistical approaches is the
efficiency in the expert system. Rule complexity must mirror multiple time scales in which different network events of
complexity of attacks; as hackers become more skilled our AI interest occur. Capturing the characteristics of multi time scale
techniques need to create correspondingly complex rules. Our anomalies is difficult since the time scale of interest could be
primary near-term goal is to extend the machine learning different for different anomaly types and also within an
components to correlate and filter sets of connections as anomaly type depending on the network conditions. In [38]
opposed to single connections. We will combine connection the authors describe the influence of the regularity of data on
filtering with other information the IDS records (events, the performance of a probabilistic detector. It was observed
strings matched etc.) to create complex rules based on data that false alarms increase as a function of the regularity of the
annotated by analysts. More complex rules will look for data. The authors also show that the regularity of the data is
connection patterns which are extensive in both space and not merely a function of user type or environments but also
differs within user sessions and among users. Designing
anomaly detectors that can adapt to the changing nature of
input data is an extremely challenging task. Most anomaly
detectors employed today are affected by the inherent changes
in the structure of the data that is being input to the detector
and therefore does affect performance parameters such as
probability of hits and misses, and false alarm rates. Sampling
strategies for multi time scale events with resource constraints
is another area where there is a need for improved scientific
understanding that will aid the design of anomaly detection
modules. [26] Discovered that most sampling methods
employed today introduce significant bias into measured data,
thus possibly deteriorating the effectiveness of the anomaly
detection. Specifically, Mai et al use packet traces obtained
from a Tier-1 IP-backbone using four sampling methods
including random and smart sampling. The sampled data is
then used to detect volume anomalies and port scans in
different algorithms such as wavelet models and hypothesis
testing. Significant bias is discovered in these commonly-used
sampling techniques, suggesting possible bias in anomaly
detection. Often, the detection of network anomalies requires
the correlation of events across multiple correlated inputs data
sets. Using statistical approaches it is challenging to capture
the statistical dependencies observed in the raw data. When
using streaming algorithms it is also impossible to capture
these statistical dependencies unless there are some rule based
engines that can correlate or couple queries from multiple
streaming algorithms. Despite the challenges, the
representation of these dependencies across multiple input
data streams is necessary for the detailed diagnosis of network
anomalies. To sum up, there still remain several open issues to
improve the efficiency and feasibility of anomaly detection.
One of the most urgent issues is to understand what
information can best facilitate network anomaly detection. A
second issue is to investigate the fundamental tradeoffs
between the amount/complexity of information available and
the detection performance, so that computationally efficient
real-time anomaly detection is feasible in practice. Another
interesting problem is to systematically investigate each
anomaly detection method and understand when and in what
problem domains these methods perform well
The task of finding attacks is fundamentally different from
other applications, making it significantly harder for the
intrusion detection community to employ machine learning
effectively. We believe that a significant part of the problem
already originates in the premise, found in virtually any
relevant textbook, that anomaly detection is suitable for
finding novel attacks; we argue that this premise does not hold
with the generality commonly implied. Rather, the strength of
machine-learning tools is finding activity that is similar to
something previously seen, without the need however to
precisely describe that activity up front (as misuse detection
must). we identify further characteristics that our domain
exhibits that are not well aligned with the requirements of
machine-learning. These include: (i) a very high cost of errors;
(ii) lack of training data; (iii) a semantic gap between results
and their operational interpretation; (iv) enormous variability
in input data; and (v) fundamental difficulties for conducting
sound evaluation. While these challenges may not be
surprising for those who have been working in the domain for
some time, they can be easily lost on newcomers. To address
them, we deem it crucial for any effective deployment to
acquire deep, semantic insight into a system‟s capabilities and
limitations, rather than treating the system as a black box as
unfortunately often seen
REFERENCES
[1] Roger Gallion, Daniel C. St. Clair, Chaman L. Sabharwal, W.E. Bond
(1993). “Dynamic ID3: A Symbolic Learning Algorithm for Many-Valued
Attribute Domains,” SAC: 14- 20.
[2] Johannes Gehrke, Venkatesh Ganti, Raghu Ramakrishnan, Wei-Yin Loh
(1999). “BOAT - Optimistic Decision Tree Construction,” To appear in
Proceedings of 1999 SIGMOD Conference.
[3] David E. Goldberg (1989). Genetic Algorithms in Search, Optimization
and Machine Learning. Addison-Wesley, Reading,MA.
[4] Brad L. Miller, Michael J. Shaw (1996). “Genetic Algorithms with
Dynamic Niche Sharing for Multimodal Function Optimization,” IEEE
International Conference on Evolutionary Computation : 786-791.
[5] Lyn Pierce, Stan Young (1998). “YAGATS: A Toolset for Genetic
Manipulation of Finite-State Machines,” Applied Research Laboratories
Technical Report No. 99-1 (ARLTD- 99-1), Applied Research Laboratories,
The University of Texas at Austin.
[6] Lyn Pierce, Chris Sinclair (1999). “YAGATS IR&D Report,” Applied
Research Laboratories Technical Report No. 98-1 (ARL-TD-98-1), Applied
Research Laboratories, The University of Texas at Austin.
[7] J. Ross Quinlan (1993). C4.5 Programs for Machine Learning. Morgan
Kaufmann Publishers, SanMateo, CA.
[8] Lane B. Warshaw, Lance Obermeyer, Daniel P. Miranker, Sara P.
Matzner (1999). “VenusIDS: An Active Database Component for Intrusion
Detection,” Submitted to 1999 Annual Computer Security Applications
Conference.
[9] Hood C.S., Ji C.: Proactive Network Fault Detection. IEEE Tran.
Reliability. Vol. 46 3, 333-341 (1997)
[10] Kline K., Nam S., Barford P., Plonka D., Ron A.: Traffic Anomaly
Detection at Fine Time Scales with Bayes Nets. To appear in the International
Conference on Internet Monitoring and Protection (2008)
[11] Ide T., Kashima H.: Eigenspace-Based Anomaly Detection in Computer
Systems. Proc. Of the tenth ACM SIGKDD international conference on
Knowledge discovery and data mining, Seattle, 440 - 449 (2004)
[12] Ensafi R., Dehghanzadeh S., Mohammad R., Akbarzadeh T.: Optimizing
Fuzzy K-Means for Network Anomaly Detection Using PSO. Computer
Systems and Applications, IEEE/ACS International Conference, 686-693
(2008)
[13] Gu Y., McCallum A., Towsley D.: Detecting Anomalies in Network
Traffic Using Maximum Entropy Estimation. Proc. of IMC (2005)
[14] Lall S., Sekar V., Ogihara M., Xu J., Zhang H.: Data Streaming
Algorithms for Estimating Entropy of Network Traffic. Proc. of ACM
SIGMETRICS (2006)
[15] Lee W., Xiang D.: Information-Theoretic Measures for Anomaly
Detection. Proc. of IEEE Symposium on Security and Privacy (2001)
[16] Yang Y., Deng F., Yang H.: An Unsupervised Anomaly Detection
Approach using Subtractive Clustering and Hidden Markov Model.
Communications and Networking in China. 313-316(2007)

[17] Ahmed T., Coates M., Lakhina A.: Multivariate Online Anomaly
Detection Using Kernel Recursive Least Squares. Proc. of 26th IEEE
International Conference on Computer Communications(2007)

[18] Duda R. O., Hart P., Stork D.: Pattern Classification, 2nd edn. John
Willy and Sons (2001)

[19] Zhang J., Rexford J., Feigenbaum, J: Learning-Based Anomaly

Detection in BGP Updates. Proc. of ACM SIGCOMM MineNet workshop
(2005)
[20] Ensafi R., Dehghanzadeh S., Mohammad R., Akbarzadeh T.: Optimizing
Fuzzy K-Means for Network Anomaly Detection Using PSO. Computer
Systems and Applications, IEEE/ACS International Conference, 686-693
(2008)

[21] Andersen D., Feamster N., Bauer S., Balaskrishman H.: Topology
inference from BGP routing dynamics. Proc. SIGCOM Internet Measurements
Workshop, Marseille, France (2002)

[22] Lall S., Sekar V., Ogihara M., Xu J., Zhang H.: Data Streaming
Algorithms for Estimating Entropy of Network Traffic. Proc. of ACM
SIGMETRICS (2006)

[23] Yang Y., Deng F., Yang H.: An Unsupervised Anomaly Detection
Approach using Subtractive Clustering and Hidden Markov Model.
Communications and Networking in China. 313-316 (2007)

[24] Chris Sinclair, Lyn Pierce, Sara Matzner: An Application of Machine

Learning to Network Intrusion Detection

[25] Venkataraman S., Caballero J., Song D., Blum A., Yates J.: Black-box
Anomaly Detection: Is it Utopian?” Proc. of the Fifth Workshop on Hot
Topics in Networking (HotNets-V), Irvine, CA (2006)

[26] Mai J., Chuah C., Sridharan A., Ye T., Zang H.: Is Sampled Data
Sufficient for Anomaly Detection?
Proc. of 6th ACM SIGCOMM conference on Internet measurement, Rio de
Janeriro, Brazil. 165 - 176 (2006)