On the capability of an SOM based intrusion detection system

Authors: H. Kayacik, Ayse Nur Zincir-Heywood, Malcolm I. Heywood
Published in: Proceedings of the International Joint Conference on Neural Networks, 2003, pp. 1808-1813, vol. 3
An approach to network intrusion detection is investigated, based purely on a hierarchy of Self-Organizing Feature Maps. Our principal interest is to establish just how far such an approach can be taken in practice. To do so, the KDD benchmark dataset from the International Knowledge Discovery and Data Mining Tools Competition is employed. This supplies a connection-based description of a factitious computer network in which each connection is described in terms of 41 features. Unlike previous…


A hierarchical SOM-based intrusion detection system
An intrusion detection system model based on self-organizing map
Self-organizing map (SOM) neural network and pattern recognition methods were applied in this system, and it could provide a precise and efficient way for implementing the classifier in intrusion detection.
A New Approach of Network Intrusion Detection Using HVDM-Based SOM
A novel approach is presented for enhancing the SOM's ability to identify temporal network attacks by combining it with an FIR filter; the heterogeneous dataset composed of network connection features is reconsidered, and HVDM is selected as the distance function that determines the winning neuron during the SOM's training and testing.
Similarity-based classification using specific features in network intrusion detection
Empirical results suggest that there is no generic feature subset which is suitable to represent all categories and different categories are best represented using different feature subsets.
After multiple techniques and methodologies are investigated, it is shown that properly trained neural networks are capable of fast recognition and classification of different attacks at the level superior to previous approaches.
Real-Time Intrusion Detection System Based on Self-Organized Maps and Feature Correlations
  • Hayoung Oh, K. Chae
  • Computer Science
    2008 Third International Conference on Convergence and Hybrid Information Technology
  • 2008
This paper proposes a real-time intrusion detection system based on SOM that groups similar data, visualizes their clusters, and labels the map produced by the SOM using correlations between features.
A Review of Clustering Techniques Based on Machine learning Approach in Intrusion Detection Systems
This paper concludes many clustering techniques that were previously proposed to solve the inherent IDS problems, namely: data preprocessing, anomaly detection, and data projection/alarm filtering.
An Approach on Intrusion Detection System Using Supervised Learning Algorithms
This work considers network intrusion detection using a supervised learning algorithm to classify attacks in the datasets and evaluates the IDS in terms of detection speed, detection rate and false alarm rate.
High Resolution SOM Approach to Improving Anomaly Detection in Intrusion Detection Systems
Experiments on a large and well-established benchmark problem show that high-resolution SOMs improve results while allowing a simple network architecture, and allow the development of a better understanding of the results and the problem domain.
An AODE-based intrusion detection system for computer networks
This paper proposes the application of AODE for intrusion detection and reports that AODE outperformed Naïve Bayes, which reported a detection rate of 97.3%, and a larger number of false positives.


Host-based intrusion detection using self-organizing maps
Hierarchical SOMs are applied to the problem of host based intrusion detection on computer networks and specific recommendations are made regarding the representation of time, network parameters and SOM architecture.
A data mining framework for building intrusion detection models
  • Wenke Lee, S. Stolfo, K. Mok
  • Computer Science
    Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344)
  • 1999
A data mining framework for adaptively building Intrusion Detection (ID) models is described, to utilize auditing programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities.
A Geometric Framework for Unsupervised Anomaly Detection
A new geometric framework for unsupervised anomaly detection is presented, which are algorithms that are designed to process unlabeled data to detect anomalies in sparse regions of the feature space.
Intrusion detection systems and multisensor data fusion
The vast majority of security professionals would agree that real-time ID systems are not technically advanced enough to detect sophisticated cyberattacks by trained professionals, but these systems have not matured to a level where sophisticated attacks are reliably detected, verified, and assessed.
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory
The purpose of this article is to attempt to identify the shortcomings of the Lincoln Lab effort in the hope that future efforts of this kind will be placed on a sounder footing.
Fuzzy Model Identification Based on Cluster Estimation
  • S. Chiu
  • Computer Science
    J. Intell. Fuzzy Syst.
  • 1994
We present an efficient method for estimating cluster centers of numerical data. This method can be used to determine the number of clusters and their initial values for initializing iterative
Bay, The UCI KDD Archive. Irvine, CA: University of California, Department of Information and Computer
  • 1999
Heywood M.I., "Host-Based intrusion detection using Self-Organizing Maps," IEEE International Joint Conference on Neural Networks
  • 2002
Testing intrusion detection systems: A critique of the
  • 1998