Outside the Closed World: On Using Machine Learning for Network Intrusion Detection

  title={Outside the Closed World: On Using Machine Learning for Network Intrusion Detection},
  author={Robin Sommer and Vern Paxson},
  journal={2010 IEEE Symposium on Security and Privacy},
In network intrusion detection research, one popular strategy for finding attacks is monitoring a network's activity for anomalies: deviations from profiles of normality previously learned from benign traffic, typically identified using tools borrowed from the machine learning community. [] Key Result We support this claim by identifying challenges particular to network intrusion detection, and provide a set of guidelines meant to strengthen future research on anomaly detection.

Bridging the Last-Mile Gap in Network Security via Generating Intrusion-Specific Detection Patterns through Machine Learning

An LCC-RF-RFEX feature selection approach is proposed to select optimal features of the specific type of attacks from dataset, and an intrusion-specific approach is introduced to convert them into detection patterns that can be used by the nonmachine-learning detector for the corresponding specific attack detection in the real-world network environment.

Network Anomaly Detection: A Machine Learning Perspective

Examining numerous attacks in detail, the authors look at the tools that intruders use and show how to use this knowledge to protect networks.

Use case study on machine learning for network anomaly detection

The most common applications of machine learning used for anomaly detection are reviewed and how they were implemented in recent research are explained and possible ways to overcome them are proposed.

Analysis of Anomalies in the Internet Traffic Observed at the Campus Network Gateway

This study explores the nature of anomalies found in U-Tokyo Network using cooperatively Bro and Snort IDS among other resources and reports the anomalies observed in real, up-to-date traffic from a large academic network environment.

Inductive Intrusion Detection in Flow-Based Network Data Using One-Class Support Vector Machines

A novel inductive network intrusion detection system that is suited for the load of large-scale networks and is less affected by typical problems of ordinary anomaly detection systems is proposed.

A learning system for discriminating variants of malicious network traffic

A system that leverages machine learning to provide a network intrusion detection capability that analyzes behaviors in channels of communication between individual computers and can be trained to discriminate between traffic types is described.

Anomaly Detection and Machine Learning Methods for Network Intrusion Detection : an Industrially Focused Literature Review

It is not possible to objectively select the best algorithm, and the low base-rate of attacks on computer networks compared with benign traffic means that effective detection systems will consist of many detection algorithms working simultaneously.

The practice on using machine learning for network anomaly intrusion detection

  • Yuxin Meng
  • Computer Science
    2011 International Conference on Machine Learning and Cybernetics
  • 2011
This paper implements and compares machine learning schemes of neural networks, SVM and decision trees in a uniform environment with the purpose of exploring the practice and issues of using these approaches in detecting abnormal behaviors and claims that the real performance of machine learning algorithms depends heavily on practical context.

A Framework for Network Intrusion Detection using Network Programmability and Data Stream Clustering Machine Learning Algorithms

This paper presents an anomaly-based framework that uses network programmability and machine learning algorithms over continuous data stream and shows that the technique attains an Accuracy of 98.98%, a Recall of 60%, a Precision of 60% and an FPR of 0.48%.



Viable network intrusion detection in high-performance environments

This work set out to understand the trade-offs involved in network intrusion detection, and to mitigate the impact of their choice on operational security monitoring, and devise several new mechanisms which allow to choose this trade-off according to the policy of a particular environment.

Challenging the anomaly detection paradigm: a provocative discussion

The purpose of questioning the old paradigm of anomaly detection as a strategy for network intrusion detection is to reconfirm the paradigm as sound or begin the process of replacing it with a new paradigm in light of changes in the operating environment.

Evading network anomaly detection systems: formal reasoning and practical techniques

This paper presents a formal framework for the open problem: given an anomaly detection system and an attack, can one automatically generate its PBA instances and suggests how the IDS can be improved to prevent the PBA.

An application of machine learning to network intrusion detection

This paper built an application which enhances domain knowledge with machine learning techniques to create rules for an intrusion detection expert system, and employs genetic algorithms and decision trees to automatically generate rules for classifying network connections.

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection

Three classes of attacks which exploit fundamentally problems with the reliability of passive protocol analysis are defined--insertion, evasion and denial of service attacks--and how to apply these three types of attacks to IP and TCP protocol analysis is described.

An Intrusion-Detection Model

  • D. Denning
  • Computer Science
    IEEE Transactions on Software Engineering
  • 1987
A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described. The model is based on the hypothesis that

Robust Support Vector Machines for Anomaly Detection in Computer Security

Using the 1998 DARPA BSM data set collected at MIT’s Lincoln Labs to study intrusion detection systems, the performance of robust support vector machines (RVSMs) was compared with that of

Anomaly detection of web-based attacks

An intrusion detection system that uses a number of different anomaly detection techniques to detect attacks against web servers and web-based applications and derives automatically the parameter profiles associated with web applications from the analyzed data.

"Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detector

  • K. TanR. Maxion
  • Computer Science
    Proceedings 2002 IEEE Symposium on Security and Privacy
  • 2002
An evaluation framework is presented that maps out stide's effective operating space, and identifies the conditions that contribute to detection capability, particularly detection blindness, and a theoretical justification explains the effectiveness of sequence lengths of six and above.

Robust Anomaly Detection Using Support Vector Machines

Using the 1998 DARPA BSM data set collected at MIT’s Lincoln Labs to study intrusion detection systems, the performance of robust support vector machines (RSVMs) was compared with that of