Intrusion Detection System via a Machine Learning Based Anomaly Detection Technique


Adedoyin Adeyinka* and Oloyede Muhtahir O.**
Department of Information and Communication Science, University of Ilorin, Ilorin, Nigeria

ABSTRACT
Intrusion detection systems are gaining ground in the field of secure networks, bringing new ideas and concepts as the intrusion detection process keeps evolving. The aim of this research is to examine the time-based model of the packet header anomaly detection system (PHAD) and to introduce a modified time-based model in which, when r novel values have been observed among n observations of a field, the expected number of values seen exactly once is taken as r/2, so that the probability that the next value is novel is estimated as r/2n rather than r/n. The 1999 DARPA intrusion detection system evaluation data set was used to train and analyse the performance of this model. On the 1999 Defense Advanced Research Projects Agency (DARPA) evaluation data sets, the modified PHAD time-based model detected 31 novel attacks at a threshold of 1000 false alarms after training the model for 300 s.

Keywords: Network security, Intrusion detection system, Anomaly detection model.

1 INTRODUCTION
Intrusion detection systems (IDS) are a newer branch of security systems that provide efficient approaches to securing computer networks. Some of these approaches rely on learning algorithms to give the network an efficient classifier that recognises and detects intrusive actions [1]. Hence, with the increasing advancement and sophistication of attack techniques as technology changes, there is a need to keep these algorithms accurate and abreast of the latest network attacks [2]. A CSI survey report [3] stated that about 97% and 94% of organisations use security tools such as antivirus and firewalls respectively against their attackers, but these tools have been found to be imperfect.
This is because the majority of these tools rely on technologies that attempt to identify known and broadly distributed attacks that have recognisable patterns. Over time, attackers have gradually increased the sophistication of their methods and are reaching the point where it is possible to bypass these tools more or less at will within a limited time frame. This makes the stringent rules set by security personnel for firewall and antivirus systems insufficient [4]. Given the increasing advancement and sophistication of attack techniques as technology changes, there is a need for an effective and efficient intrusion detection system that detects these inevitable attacks in real time, so as to stop an attack in progress [5].

1.1 Anomaly Detection System
An anomaly detection system detects a network intrusion by building a profile of the normal behaviour of the network or host under observation and flagging any deviation from that profile as a probable intrusion [6]. In an anomaly IDS, attacks are detected without prior knowledge of exactly what the attack looks like, because they stand out sufficiently from normal network traffic [7]. An anomaly detection system operates by monitoring and recording the users' activities during the operation of the computer system; these data are used as the normal profile of the network or host under observation [8]. Anomaly detection systems are known to have the ability to detect previously unknown attacks and insider attacks [9]. Figure 1 is a block diagram showing the mode of operation of a typical anomaly detection system [10].

Figure 1: A typical anomaly detection system [10]

2 RELATED WORKS
A network anomaly detection system such as the Next-generation Intrusion Detection Expert System (NIDES) is a statistical model that learns normal network traffic and flags any deviation from this model.
NIDES uses a frequency-based model in which the probability of an event is estimated by its average frequency during training. The model is based on the distribution of source and destination IP addresses and ports per transaction. NIDES models ports and addresses and flags differences between short-term and long-term behaviour [5].

The Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD) system contains a statistical component called eStat. This component maintains short- and long-term distribution information for several types of measures, using a decay mechanism to age out less recent events. EMERALD also has a component called eBayes that combines signature- and anomaly-based approaches. eBayes uses a belief network to determine, from a number of features, whether the values of those features fit some normal behaviour (HTTP, FTP, etc.), some predefined bad behaviour (mailbomb, ipsweep, etc.), or neither of these ("other") [11].

Packet Header Anomaly Detector (PHAD) [12], Learning Rules for Anomaly Detection (LERAD) [13], Application Layer Anomaly Detector (ALAD) [14] and the statistical analysis of network packet features in [15] use a time-based model in which the probability of an event depends on the time since it last occurred. PHAD, ALAD and LERAD differ in the attributes they monitor. PHAD monitors 33 attributes from the Ethernet, IP and transport-layer packet headers, while ALAD and LERAD model incoming server TCP requests: source and destination IP addresses and ports, the opening and closing TCP flags, and the list of commands in the application payload. Depending on the attribute, they build separate models for each target host, port number or host/port combination.

2.1 Data Source
The experiments were performed using the 1999 DARPA Intrusion Detection Evaluation off-line data sets from the Massachusetts Institute of Technology Lincoln Laboratory. These data were used to configure the models and train free parameters. The week 3 attack-free inside sniffer data, which contain 7 days of traffic (2.5 GB of tcpdump files), were downloaded to train the packet header anomaly detection system.
To test the anomaly detection system, the week 4 and 5 inside sniffer data sets, which contain 201 attacks, were also downloaded. The week 4 day 2 data were missing, which reduces the number of available attacks in the data sets to 183. The inside sniffer traffic was chosen for these experiments because the inside data contain evidence of attacks from both inside and outside the network [12].

2.2 PHAD
PHAD is an anomaly detection system that learns the normal ranges of values for each packet header field at the data link layer (Ethernet), the network layer (Internet Protocol, IP) and the transport/control layer (Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP)) [12]. PHAD has two features that distinguish it from other conventional network-based anomaly detection systems. Firstly, it models protocols rather than user behaviour, which allows PHAD to detect two of the four attack categories described by Kendall (1998) [16]. Secondly, it uses a time-based model, which assumes that network statistics can change rapidly over a short period of time. When a series of recurring anomalies is detected, PHAD flags only the first anomaly as an alert; this helps to regulate the flood of alarms that would otherwise be caused by a burst of anomalous events [17]. PHAD uses only syntactic knowledge to parse the header into fields and then works out which fields are important; it models Ethernet, IP, TCP, UDP and ICMP packet header fields without distinguishing between incoming and outgoing traffic [18]. PHAD examines 33 packet header fields, each of 1 to 4 bytes. Fields smaller than 8 bits (such as the TCP flags) are grouped into a single byte field, while fields larger than 4 bytes (such as the 6-byte Ethernet addresses) are split. The attributes are taken from the Ethernet header, IP header, TCP header, UDP header and ICMP header [16].
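The field-splitting rules just described can be made concrete by parsing a raw frame into PHAD-style attributes. The following is an added example written for this page, not the PHAD source code: it emits one integer attribute of 1 to 4 bytes per header field, keeps the sub-byte TCP flags as a single byte, and splits the 6-byte Ethernet addresses into two 3-byte halves. The attribute names and the constructed sample frame are our own and are not taken from the DARPA data.

```python
"""PHAD-style header attribute extraction for a raw Ethernet frame.

Added example for this page (not the PHAD source code). It applies the
splitting rules described above: every attribute is 1 to 4 bytes, sub-byte
fields such as the TCP flags are kept as one byte, and the 6-byte Ethernet
addresses are split into 3-byte halves. Attribute names are our own choice;
the constructed sample frame below is not taken from the DARPA data.
"""
import struct

ETHERTYPE_IP = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def phad_attributes(frame: bytes) -> dict:
    """Return {attribute_name: integer value} for one frame.

    Only the headers actually present are emitted, so a TCP packet yields the
    Ethernet, IP and TCP attributes (26 of the 33); the UDP and ICMP fields
    are simply not observed for that packet.
    """
    a = {}
    # Ethernet: frame size, split destination/source MAC, ethertype.
    a["ether_size"] = len(frame)
    a["ether_dst_hi"] = int.from_bytes(frame[0:3], "big")
    a["ether_dst_lo"] = int.from_bytes(frame[3:6], "big")
    a["ether_src_hi"] = int.from_bytes(frame[6:9], "big")
    a["ether_src_lo"] = int.from_bytes(frame[9:12], "big")
    a["ether_type"] = struct.unpack("!H", frame[12:14])[0]
    if a["ether_type"] != ETHERTYPE_IP:
        return a

    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    # IP: version and IHL share one byte; flags and fragment offset share two.
    a["ip_hdr_len"] = ip[0]
    a["ip_tos"] = ip[1]
    a["ip_len"] = struct.unpack("!H", ip[2:4])[0]
    a["ip_frag_id"] = struct.unpack("!H", ip[4:6])[0]
    a["ip_frag_ptr"] = struct.unpack("!H", ip[6:8])[0]
    a["ip_ttl"] = ip[8]
    a["ip_proto"] = ip[9]
    a["ip_chksum"] = struct.unpack("!H", ip[10:12])[0]
    a["ip_src"] = struct.unpack("!I", ip[12:16])[0]
    a["ip_dst"] = struct.unpack("!I", ip[16:20])[0]

    l4 = ip[ihl:]
    if a["ip_proto"] == PROTO_TCP:
        data_off = (l4[12] >> 4) * 4
        a["tcp_sport"], a["tcp_dport"] = struct.unpack("!HH", l4[0:4])
        a["tcp_seq"] = struct.unpack("!I", l4[4:8])[0]
        a["tcp_ack"] = struct.unpack("!I", l4[8:12])[0]
        a["tcp_hdr_len"] = l4[12]      # data offset plus reserved bits
        a["tcp_flags"] = l4[13]        # the 1-bit flags kept as one byte
        a["tcp_window"] = struct.unpack("!H", l4[14:16])[0]
        a["tcp_chksum"] = struct.unpack("!H", l4[16:18])[0]
        a["tcp_urgptr"] = struct.unpack("!H", l4[18:20])[0]
        # Options: keep the first 4 bytes only, since attributes are <= 4 bytes.
        opts = l4[20:data_off]
        a["tcp_opt"] = int.from_bytes(opts[:4].ljust(4, b"\x00"), "big")
    elif a["ip_proto"] == PROTO_UDP:
        a["udp_sport"], a["udp_dport"], a["udp_len"], a["udp_chksum"] = \
            struct.unpack("!HHHH", l4[0:8])
    elif a["ip_proto"] == PROTO_ICMP:
        a["icmp_type"], a["icmp_code"], a["icmp_chksum"] = \
            struct.unpack("!BBH", l4[0:4])
    return a


def build_sample_tcp_syn() -> bytes:
    """Constructed sample: Ethernet + IPv4 + TCP SYN, checksums left at zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0x00, 40, 0x1234, 0x4000, 64, PROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    for name, value in phad_attributes(build_sample_tcp_syn()).items():
        print(f"{name:14s} {value:#x}")
```

Counting the attributes gives 6 Ethernet, 10 IP, 10 TCP, 4 UDP and 3 ICMP fields, the 33 of the text; a value such as the TCP flags byte is what the time-based model in section 3 then learns ranges for.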
3 PHAD TIME-BASED MODEL
Packet header anomaly detection [12] uses the rate of anomalies during the training period to estimate the probability of an anomaly in detection mode. It rests on the observation that if a packet field is observed n times with r distinct values, then r anomalies (first occurrences of a value) must have occurred during training. If this rate continues, the probability that the next observation will be anomalous is

    $P = r/n$    (1)

where n is the number of packets and r is the number of distinct (anomalous) values seen during training. To capture the dynamic behaviour of real traffic, PHAD uses a non-stationary model in detection mode. If an anomaly was last seen in a field t seconds ago, the probability that one occurs in the next second is taken to be inversely proportional to the time since it last occurred:

    $p = 1/t$    (2)

To apply time-based modelling to packet header anomaly detection, PHAD assigns an anomaly score of 1/p to each packet field containing an anomalous value:

    $\text{Field Score} = 1/p$    (3)

Substituting equations (1) and (2) into (3) gives, for a packet with a single anomalous field,

    $\text{Packet Score} = \frac{1}{(1/t)\,(r/n)} = \frac{tn}{r}$    (4)

When a packet has more than one anomalous attribute, its score is the sum of the field scores:

    $\text{Packet Score} = \sum_{i} \frac{t_i n_i}{r_i}$    (5)

where the summation in equation (5) is over the anomalous attributes i. Note that there is no theoretical justification for summing the inverse probabilities, because the attributes are neither independent nor fully dependent; it was found experimentally that a sum works better in practice [12].

3.1 The Introduced PHAD Time-Based Model
As described above, PHAD [12] estimates the probability that the next observation of a field will be novel as r/n, where the field was observed n times with r distinct values during training. This estimate is the same as that used by PPMC (prediction by partial matching, method C), one of the models used to predict novel values in data compression algorithms, and it is assumed to be an overestimate. Unlike PHAD, PPMC does not require events to be independent [16, 19]. Mahoney and Chan [20] compared inbound client traffic from the IDEVAL inside sniffer data of weeks 1 and 3 with real traffic and found that many attributes have a higher value of r in real traffic because of greater variation in the protocols. This implies that such attributes would generate more false alarms in real traffic.
In order to improve the performance of this model and reduce the number of false alarms generated, the Good-Turing estimate of the probability of a novel event, as presented by Gale and Sampson (1995) [21], is introduced. Good-Turing estimates the probability that the next observation is novel as $n_1/n$, where $n_1$ is the number of values that have been seen exactly once. Here it is assumed that, when r novel values have been observed among n observations, the number of values seen exactly once is $r_1 = r/2$. The probability that the next value of the discrete random variable is novel then becomes, from equation (1) with $r$ replaced by $r_1$,

    $p = \frac{r/2}{n} = \frac{r}{2n}$    (6)

Accordingly, the modified model assigns an anomaly score of $tn/2r$ in place of $tn/r$ in equation (4). In other words, the estimated probability of a novel value is halved, on the assumption that only half of the values seen as novel during training are expected to recur [19]. This is expected to reduce the number of false alarms generated by PHAD, which is verified in the experiments.

3.2 Clustering and Tuning of PHAD
Clustering is the grouping of similar objects from a given set of inputs [22]. In order to store potentially large sets of field values, such as source or destination addresses, during the training period, PHAD treats each field as continuous and clusters the observed values into at most K ranges. Whenever the number of ranges exceeds K, PHAD finds the two adjacent ranges that are closest together and merges them. The distance between two ranges is the smallest difference between an element of one and an element of the other, i.e. the gap between them. For instance, given five stored ranges {32-64, ...} and K = 4, the two adjacent ranges separated by the smallest gap are merged into a single range (in the cited example, 32-365) [12, 16]. To improve the performance of PHAD on the DARPA evaluation data set, clustering values of K = 32 and K = 1000 were used when tuning during the training and testing periods.
That is, PHAD-K32 and PHAD-K1000 store the observed values of each field in a list of 32 and 1000 ranges respectively [9]. Mahoney and Chan [9] concluded that PHAD detects the same number of attacks whether a cluster value of K = 32 or K = 1000 is used. In this project, in order to improve the performance of PHAD on the DARPA evaluation data set, clustering values of 32, 64 and larger are used in tuning the algorithms, which also verifies the statement of Mahoney and Chan quoted above.
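Equations (1) to (6) and the K-range clustering of section 3.2 are small enough to be shown end to end. The following is an added example written for this page, not the PHAD source code: a per-field model that counts n and r during training, stores values in at most K ranges (merging the two closest adjacent ranges when the limit is exceeded), and in detection mode scores an anomalous value as t*n/r for the original model and t*n/(2r) for the modified one, summing over the anomalous fields of a packet. The class and function names, and the training stream in demo(), are our own constructions.

```python
"""Per-field PHAD-style model with K-range clustering and the two scores
compared in this paper (t*n/r and t*n/(2r)).

Added example written for this page; it is not the PHAD source code, and
the names are ours. Training counts observations n and novel values r per
field and stores the values in at most K ranges; detection scores an
anomalous value by the time t since the field's last anomaly.
"""


class FieldModel:
    def __init__(self, k: int):
        self.k = k
        self.ranges = []          # sorted, non-overlapping [lo, hi] pairs
        self.n = 0                # observations during training
        self.r = 0                # values that were novel when first seen
        self.last_anomaly = 0.0   # time of the last novel/anomalous value

    def contains(self, value: int) -> bool:
        return any(lo <= value <= hi for lo, hi in self.ranges)

    def train(self, value: int, now: float) -> None:
        self.n += 1
        if self.contains(value):
            return
        self.r += 1
        self.last_anomaly = now
        self._insert(value)

    def _insert(self, value: int) -> None:
        self.ranges.append([value, value])
        self.ranges.sort()
        while len(self.ranges) > self.k:
            # Merge the adjacent pair with the smallest gap between them.
            i = min(range(len(self.ranges) - 1),
                    key=lambda j: self.ranges[j + 1][0] - self.ranges[j][1])
            self.ranges[i][1] = self.ranges[i + 1][1]
            del self.ranges[i + 1]

    def field_score(self, value: int, now: float) -> float:
        """t*n/r for an anomalous value (equation 4), 0 for a normal one.

        A value inside a merged range counts as normal: clustering trades a
        little coverage for bounded memory. The time of the last anomaly is
        updated, so a repeated anomaly scores low (small t), which is how
        PHAD damps a burst of identical alarms.
        """
        if self.contains(value) or self.r == 0:
            return 0.0
        t = now - self.last_anomaly
        self.last_anomaly = now
        return t * self.n / self.r


def packet_scores(models: dict, packet: dict, now: float) -> tuple:
    """Return (original, modified) packet scores: equation (5), and the
    same sum with every field scored as t*n/(2r) per equation (6)."""
    original = sum(models[f].field_score(v, now)
                   for f, v in packet.items() if f in models)
    return original, original / 2.0


def demo() -> tuple:
    """Train two fields on a constructed benign stream, then score a test packet."""
    models = {"ip_tos": FieldModel(k=32), "tcp_flags": FieldModel(k=32)}
    # Constructed training stream (one packet per second): TOS always 0;
    # flags SYN, ACK, PSH|ACK once each, then steady ACKs.
    flags_stream = [0x02, 0x10, 0x18] + [0x10] * 7
    for sec in range(10):
        models["ip_tos"].train(0, now=float(sec))
        models["tcp_flags"].train(flags_stream[sec], now=float(sec))
    # Test packet at t = 100 s: unseen TOS and an unseen flag combination.
    # ip_tos: t=100, n=10, r=1 -> 1000; tcp_flags: t=98, n=10, r=3 -> 326.67
    test_packet = {"ip_tos": 0x10, "tcp_flags": 0x29, "tcp_dport": 80}
    return packet_scores(models, test_packet, now=100.0)


if __name__ == "__main__":
    print("original %.2f, modified %.2f" % demo())
```

Because the factor 1/2 in equation (6) applies to every field, the modified score is exactly half the original score for every packet, so a threshold expressed as a rank, such as a fixed number of false alarms, orders the alarms identically under the two formulas; this is worth keeping in mind when reading the comparisons in section 6. The merge step also shows the cost of clustering: after merging, any value inside the merged range (50 in the test below) is treated as normal even though it was never observed.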

4 EVALUATION PROGRAM
To evaluate any kind of intrusion detection system on the 1999 DARPA Lincoln Laboratory data sets, DARPA recommends a program known as EVAL [23], which is used to evaluate this research work. The EVAL program [23] reads a .sim file (e.g. filename.sim), the output file generated by an intrusion detection system during training and testing on the 1999 DARPA data sets. It reports the number of attacks detected in the .sim file down to the lowest threshold, and it considers an attack detected when an alarm identifies the address of a targeted host (i.e. its IP address) within a period of 60 seconds of the attack. The target addresses, as specified in the 1999 DARPA truth table, are any addresses on the networks x.x or x.x. Any alarm that does not identify an attack is regarded by EVAL as a false alarm. EVAL takes two options that control how the results of the evaluated model are printed: a reporting level (0-4) and a threshold in number of false alarms (100 by default; a different number can be specified). The reporting levels are as follows [23]:
i. Level 0 prints a list of warnings about flagged alarms containing errors, which are ignored.
ii. Level 1 prints a table of detected attacks at the specified false alarm rate (100 by default), listing and categorising them into the attack categories described by Kendall (1998).
iii. Level 3 also prints the list of each detected attack in descending order of the highest-scoring alarm that detected it.
iv. Level 4 prints the list of all alarms above the threshold, up to the specified false alarm limit.

5 EXPERIMENTAL SET-UP
Simulations were conducted to compare and evaluate the performance of the modified PHAD time-based model with the original PHAD time-based model.
Both the modified PHAD time-based model and the original PHAD time-based model were implemented and simulated off-line using the downloaded PHAD source code, as illustrated in Figure 2. The source code was run on an Intel Centrino Duo laptop with 4 GB of RAM and 120 GB of hard disk space, running the Linux operating system. The algorithms were evaluated using data from the DARPA evaluation data set.

Figure 2: Format of the experimental set-up (PHAD time model; training of the algorithm on the DARPA week 3 attack-free inside sniffer network traffic; testing of the algorithm on the DARPA week 4 and 5 inside sniffer network traffic; output .sim file; evaluation of the output with the EVAL program)

5.1 Implementation of the PHAD Time-Based Model
The PHAD [13] time-based model was tested on the 1999 DARPA/Lincoln Labs IDS data set. The PHAD algorithm was trained using the week 3 inside sniffer traffic, which contains 7 days of attack-free traffic, 2.5 GB in size, all in tcpdump format. The data were input in chronological order, i.e. the order in which they were captured, and the output was written to a .sim file (the PHAD output file extension). The model was trained for 300 s. After training, it was tested using the week 4 and 5 data, which contain 183 attacks. During the training and testing period, in order to improve the performance of PHAD, the clustering value K was tuned over the range K = 32, 64, 128, 356, 712 and larger. After the training and testing session, the model was evaluated using the EVAL program as recommended [23] to identify and list the attack information. A reporting level of 4 and a threshold of 1000 false alarms were used for the EVAL program, e.g.
eval phad.sim (detections at 1000 false alarms)

where eval is the compiled EVAL source code, phad.sim is the output file from the training and testing session, 4 is the reporting level (i.e. reporting the results from level 0 to 4 as described in section 4) and 1000 is the specified end point for the EVAL program: once the number of evaluated false alarms reaches 1001, evaluation stops, so that detections are counted up to the 1000 false alarm limit. The reason for using 1000 is that if a lower value such as 100 is used, only the highest-scoring alarms are evaluated, leaving a large number of other anomalous fields unevaluated [13, 23]. The basic idea of these experiments was taken from Mahoney and Chan's technical report on PHAD [12].

5.2 Implementation of the Modified PHAD Time-Based Model
The modified PHAD time-based model was trained using the 1999 DARPA/Lincoln Labs IDS data set. The whole experimental process described in section 5.1 above was repeated using the modified PHAD time-based model. In order to improve its performance during the training and testing session, the clustering value K was also tuned from 32 upwards. The output .sim file was then evaluated using the EVAL program.

6 EXPERIMENTAL RESULTS
During the evaluation phase the threshold in the number of false alarms was set to 1000. The reason is that when a lower value was used, some of the packet fields were left unevaluated. The EVAL program stops evaluating and discards any further alarms once the false alarm limit of 1000 is exceeded, i.e. it stops at 1001 false alarms. The DARPA evaluation data set was used to train the modified PHAD time-based model, and at K = 32, 31 of the 183 attacks were detected. Table 1 gives the detections at 1000 false alarms.

Table 1: Detections for the modified PHAD time-based model at 1000 false alarms. Each cell gives detections/total at 1000 false alarms (weeks 4-5 only, except row W2).

          All      Probe   DOS     R2L     U2R     Data    New     Stealthy
W45       31/201   6/37    16/65   5/56    3/37    2/16    11/62   5/36
IT        27/177   4/34    16/60   5/54    2/27    0/7     7/52    3/30
OT        21/151   5/32    11/44   3/46    2/26    0/11    4/38    2/23
BSM       3/38     0/1     1/12    0/10    1/11    1/6     1/8     1/6
NT        6/33     1/3     2/7     1/10    2/12    1/4     4/26    0/0
FS        28/189   6/37    15/62   5/56    2/31    0/11    9/54    5/34
Pascal    7/55     2/8     3/20    0/12    1/11    1/6     1/11    1/9
Hume      8/48     2/7     3/15    1/12    2/13    1/5     4/31    0/2
Zeno      5/22     1/7     4/9     0/3     0/3     0/1     0/2     0/6
Marx      6/44     1/6     3/17    2/18    0/2     0/2     2/11    2/10
Poor      10/72    1/21    4/17    4/15    1/18    1/7     7/38    3/29
W2        0/43     0/9     0/13    0/6     0/12    0/3     0/0     0/0

31 detections, 1506 alarms, 37 true, 1001 false, 468 not evaluated.
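The scoring rules of section 4 (an alarm is true if it names a target host within 60 s of the attack, alarms are consumed in descending score order, evaluation stops once the false alarm limit is exceeded, and an attack is counted once however many alarms hit it) are what produce a summary line like the one above, and sweeping the limit gives the detection/false alarm trade-off curve of section 6.7. The following is an added example written for this page, not the EVAL program from [23]; it serves both passages. Interpreting the 60 s window as |alarm time - attack start| <= 60 s is our assumption, and the alarms and attacks are constructed, not DARPA data.

```python
"""EVAL-style scoring of an alarm list against a truth table.

Added example written for this page (not the EVAL program from [23]). It
applies the rules described in section 4: alarms are examined in descending
score order; an alarm is true if it names the target address of an attack
within 60 s of that attack, otherwise false; evaluation stops once the false
alarm limit has been exceeded (the limit+1'th false alarm is counted and all
later alarms are 'not evaluated'); an attack counts as detected once, however
many true alarms hit it. The 60 s window as |alarm time - attack start| <= 60
is our assumption. ALARMS and ATTACKS below are constructed, not DARPA data.
"""
from collections import namedtuple

Alarm = namedtuple("Alarm", "time target score")
Attack = namedtuple("Attack", "name time target")

WINDOW_SECS = 60


def evaluate(alarms, attacks, false_limit):
    """Return a summary like EVAL's 'N detections, ... not evaluated' line."""
    detected = set()
    n_true = n_false = n_eval = 0
    for alarm in sorted(alarms, key=lambda a: a.score, reverse=True):
        n_eval += 1
        hits = [atk for atk in attacks
                if atk.target == alarm.target
                and abs(alarm.time - atk.time) <= WINDOW_SECS]
        if hits:
            n_true += 1
            # One alarm may detect two overlapping attacks on the same host;
            # a second alarm on an already-detected attack is true but adds
            # no detection (the '37 true, 31 detections' case above).
            detected.update(atk.name for atk in hits)
        else:
            n_false += 1
            if n_false > false_limit:
                break
    return {"detections": len(detected), "alarms": len(alarms),
            "true": n_true, "false": n_false,
            "not_evaluated": len(alarms) - n_eval}


def sweep(alarms, attacks, limits):
    """Detections at each false alarm limit: the trade-off curve of section 6.7."""
    return [evaluate(alarms, attacks, lim)["detections"] for lim in limits]


# Constructed truth table: three attacks, one target host each.
ATTACKS = [Attack("attack-1", 100, "10.0.0.5"),
           Attack("attack-2", 500, "10.0.0.7"),
           Attack("attack-3", 900, "10.0.0.9")]

# Constructed alarm list (time in seconds, flagged host, anomaly score).
# The last alarm names a real target but 300 s too late, so it is false.
ALARMS = [Alarm(110, "10.0.0.5", 900), Alarm(120, "10.0.0.5", 800),
          Alarm(300, "10.0.0.6", 700), Alarm(480, "10.0.0.7", 600),
          Alarm(700, "10.0.0.1", 500), Alarm(950, "10.0.0.9", 400),
          Alarm(980, "10.0.0.2", 300), Alarm(1200, "10.0.0.9", 200)]


if __name__ == "__main__":
    print(evaluate(ALARMS, ATTACKS, false_limit=2))
    print(sweep(ALARMS, ATTACKS, [0, 1, 2]))
```

Note that the number of detections depends only on the order of the alarms, not on their absolute scores; scaling every score by a constant, as the modified model of section 3.1 does, leaves evaluate() unchanged.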
In Table 1, each cell lists the number of detections out of the total number of attacks in each combination of the 201 attacks listed in the DARPA truth table; for example, of the 60 DoS attacks with evidence in the inside sniffer traffic (IT), 16 were detected. There were 37 true alarms, but 6 of them identified attacks already detected by another alarm, so the total number of detected attacks is 31. An attack may appear twice under two overlapping attacks if the alarm detects both. The generated alarms were output in Eastern Daylight Time; this was achieved by changing the time zone of the computer to EDT (-5 hours from GMT). The row and column labels are as follows [23]:
W45 - week 4 and 5 attacks of each type.
IT - attacks with evidence in the inside sniffer traffic.
OT - attacks with evidence in the outside sniffer traffic.
BSM - attacks with evidence in the Solaris BSM system call traces.
NT - attacks with evidence in the NT audit logs (LOG + hume).
FS - attacks with evidence in the file system dumps.
Poor - attacks that were poorly detected in the 1999 evaluation.
DOS - denial of service attacks.
R2L - remote to local attacks.
U2R - user to root attacks.
Probe - probe attacks.
New - new attacks.

6.1 Attacks Detected
Table 2 shows the packet fields that contributed to the 31 detected attacks, along with the names of the attacks. The number in parentheses after each attack name is the number of instances of that attack among the 31 detections.

Table 2: Packet field attributes and attacks that contributed to the 31 detections
Packet field attributes: IP protocol, IP type of service, IP fragment pointer, TCP flags, TCP urgent pointer, UDP checksum, TCP option, TCP checksum.
Attacks (in the row order of the table): crashiis(1), snmpget(2), portsweep(1); ntinfoscan(1), queso(1), guesstelnet, casesen(1), ncftp(2), ntfsdos(1), secret(1), warezclient(1); teardrop(3), pod(3); dosnuke(1), portsweep(1), ps(1); smurf(1); dosnuke(2), insidesniffer(1); udpstorm(2); mailbomb(1), processtable(1); insidesniffer(1).

Table 3: Percentage contribution of each packet field attribute to the 31 detections, in descending order (total number of attacks and % contribution per attribute): IP protocol, IP fragment pointer, IP type of service, TCP flags, TCP urgent pointer, UDP checksum, TCP option, TCP checksum.

6.2 Categories of Attacks Detected
Table 4 lists the attacks detected in the 1999 Lincoln Labs IDS evaluation data by category, according to the Kendall (1998) [13] taxonomy of attacks.

Table 4: Categories of attacks detected in the 1999 Lincoln Labs IDS evaluation data
Probe: queso(1), insidesniffer(2), ntinfoscan(1), portsweep(2)
DoS: crashiis(1), dosnuke(3), mailbomb(1), processtable(1), teardrop(3), pod(3), smurf(1), udpstorm(2)
U2R: casesen(1), ntfsdos(1), ps(1)
R2L: guesstelnet(1), ncftp(2), snmpget(2), warezclient(1)

Table 5: Percentage of each attack category among the detections
Attack category   Total no. of attacks   % contribution
Probe             6                      20
DOS               16                     53.33
U2R               3                      10
R2L               5                      16.67

Table 5 shows the percentage of each attack category among the 31 detections at a threshold of 1000 false alarms.
The modified PHAD time-based model mostly detects DoS attacks that exploit the protocols it analyses, which account for 53.33% of the detected attacks. It does poorly on probes and R2L attacks and misses most of the U2R attacks, which are difficult to detect in network traffic [13].

6.3 Results of Tuning the Clustering Value
The clustering value K determines the number of ranges in which the observed values of each field are stored. With the aim of improving the performance of the PHAD algorithm on the evaluation data sets, the clustering value K was tuned during the training session; the results are shown in Figure 3.

Figure 3: Summary of the number of detections using different clustering values

According to Mahoney (2003) [13], the method of approximating large sets is not critical, because it only affects attributes with large r, and PHAD detects the same number of attacks whether it uses a cluster value of K = 32 or K = 1000. This is confirmed by Figure 3: each model detected the same number of attacks when the clustering value was varied over 32, 64, 128, 356, 712 and larger values. A clear illustration of this can be seen in Figure 4.

Figure 4: Detection line graph for the two models with different clustering values

6.4 The Modified PHAD Time-Based Model
The modified PHAD time-based model was implemented on the DARPA evaluation data sets alongside the original PHAD time-based model, and the following results were obtained after the training and testing sessions using different clustering values, as shown in Table 6.

Table 6: Number of attacks detected by the two models with different clustering values
Number of clusters   Psc = tn/r   Psc = tn/2r

A clear representation of this can be seen in Figure 5.

Figure 5: Number of attacks detected by the two PHAD models with different clustering values

From Figure 5 it can be deduced that the modified PHAD model detected more attacks than the original PHAD model; this implies that the modified PHAD model is more sensitive in terms of its rate of detection than the original PHAD model, making it the better model in terms of the rate of attack detection.

6.5 False Positive Alarms Generated by the Models
Comparing the modified model with the original model in terms of the number of false positive alarms generated, it can be seen from Table 7 that the modified model generated more false positive alarms than the original PHAD model. Tuning the clustering value did not have much effect on either model: the same number of false positive alarms was generated by each model as the clustering value was tuned. This implies that the models are not very sensitive to an increase in the clustering value.

Table 7: Summary of the number of false positive alarms
Number of clusters   Psc = tn/r   Psc = tn/2r

A clear illustration of this can be seen in Figure 6.

Figure 6: Rate of false positive alarms

Analysing the results in Figure 6, it can be seen that the margin between the number of alarms flagged by the modified model and by the original model is very large. This means that the modified model falsely flags a high percentage of anomalous but non-intrusive events as intrusive. It can therefore be assumed that the modified model is highly sensitive to anomalous behaviour in network traffic; in practice, however, such a high false positive rate is not workable. This makes the original PHAD model the better model in terms of the number of false positive alarms it generates, though not in terms of its rate of detection.

6.6 True Positive Alarms Detected
Table 8 shows the results of both models in terms of the number of true positive alarms they generate; it can be deduced that the modified PHAD model generated more true positive alarms than the original PHAD model.

Table 8: Summary of the number of true positive alarms
Number of clusters   Psc = tn/r   Psc = tn/2r

A clear illustration of this is given in Figure 7.

Figure 7: True positive alarms

Comparing the modified model with the original PHAD model in Figure 7, it can be deduced that the modified model recorded better true positive detection than the original PHAD model, although tuning the cluster value had no effect on either model.
A conclusion can thus be reached that the modified model is more sensitive than the original PHAD model in its response to events or activities that tend towards or lead to an attack.

6.7 Detection - False Alarm Trade-off
In the previous sections the PHAD models were analysed at a threshold of 1000 false alarms, and the reason for using that threshold was explained. Figure 8 shows the effect of varying the threshold in the number of false alarms generated by the two models on their detection rate [13].

Figure 8: Detection line graph for 200 to 1000 false alarms

From Figure 8 it can be deduced that:
i. As the threshold is adjusted there is a trade-off between the number of false alarms and the number of missed attacks. As the threshold is increased, the number of detections by both models increases between 200 and 400 false alarms, is stable between 400 and 600, and starts increasing again after 600.
ii. Between 200 and 800 false alarms the two models had the same number of detections, but after 800 the number of detections by the modified model began to exceed that of the original model.

7 CONCLUSION
Overall, the implementation of the modified PHAD time-based model was successful in detecting novel events in network traffic, although the model seems not to be sensitive to the tuning of the clustering value, which was tried in a bid to improve its performance. The modified model outperformed the original PHAD model with a detection rate of 31 attacks against 28. In spite of its higher detection rate for novel events, however, the false alarm rate it generates does not seem practicable: in the experiments the modified model recorded a high number of false positive alarms compared with the original model, meaning that it falsely flags a high percentage of anomalous but non-intrusive events as intrusive. The modified model therefore appears highly sensitive to anomalous behaviour in network traffic, but in practice such a high false positive rate is not workable. This makes the original PHAD model the better model in terms of the number of false positive alarms it generates, though not in terms of its rate of detection.
The modified model also recorded better true positive detection than the original PHAD model, although tuning the cluster value had no effect on the number of true positive alarms generated by either model. It can therefore be concluded that the modified model is more sensitive than the original PHAD model in its response to events or activities that tend towards or lead to an attack.

REFERENCES
1. Lamees Alhazzaa; Intrusion Detection Systems using Genetic Algorithms; King Saud University, College of Computer Science, CSC590. [Online]
2. Lu Sheng, Gong Jian, Rui Suying (2003); A Load Balancing Algorithm for High Speed Intrusion Detection; Department of Computer Science and Engineering, Southeast University, Nanjing, China. [Online]
3. Robert Richardson; CSI Computer Crime & Security Survey (2008). [Online]
4. Wun-Hwa Chen, Sheng-Hsun Hsu, Hwang-Pin Shen; Application of SVM and ANN for intrusion detection; Computers & Operations Research, Vol. 32 (2005).
5. D. Anderson, T.F. Lunt, H. Javitz, A. Tamaru, A. Valdes (1995); Detecting Unusual Program Behavior Using the Statistical Component of the Next-generation Intrusion Detection Expert System (NIDES); SRI Computer Science Laboratory, SRI-CSL-95-06.
6. Animesh Patcha, Jung-Min Park; Network anomaly detection with incomplete audit data; Computer Networks, Vol. 51, Issue 12 (2007).
7. Azzedine Boukerche, Renato B. M., Kathia R. L., Mirela S. M. A. Notare; An agent based and biological inspired real-time intrusion detection and security model for computer network operation; Computer Communications, Vol. 30 (2007).
8. W. Haines, R.P. Lippmann, D.J. Fried, M.A. Zissman; 1999 DARPA Intrusion Detection Evaluation: Design and Procedures; MIT Lincoln Laboratory Technical Report TR-1062. [Online]
9. Animesh Patcha, Jung-Min Park; An overview of anomaly detection techniques: Existing solutions and latest technological trends; Computer Networks, Vol. 51, Issue 12 (2007).
10. Aurobindo Sundaram; An Introduction to Intrusion Detection; ACM Crossroads, Special Issue on Computer Security, Vol. 2, Issue 4 (1996), pages 3-7. [Online]
11. P.A. Porras, P.G. Neumann; EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances; Computer Science Laboratory, SRI International.
12. M.V. Mahoney, P.K. Chan; PHAD: Packet Header Anomaly Detection for Identifying Hostile Network Traffic; Florida Institute of Technology Technical Report. [Online]
13. M.V. Mahoney, P.K. Chan; Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks; SIGKDD 2002. [Online]
14. M.V. Mahoney, P.K. Chan; Learning Models of Network Traffic for Detecting Novel Attacks; Florida Institute of Technology Technical Report. [Online]
15. M.V. Mahoney (2003); A Machine Learning Approach to Detecting Attacks by Identifying Anomalies in Network Traffic; PhD dissertation, Florida Institute of Technology. [Online]
16. M. Ali Aydin, A. Halim Zaim, K. Gokhan Ceylan; A hybrid intrusion detection system design for computer network security; Computers & Electrical Engineering, Vol. 35 (2009).
17. M.V. Mahoney, P.K. Chan; Detecting Novel Attacks by Identifying Anomalous Network Packet Headers; Florida Institute of Technology Technical Report.
19. T. Bell, Ian H. Witten, John G. Cleary; Modeling for Text Compression; ACM Computing Surveys, Vol. 21, Issue 4 (December 1989).
20. M.V. Mahoney, P.K. Chan; An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection; Florida Institute of Technology Technical Report.
21. W.A. Gale, Geoffrey Sampson; Good-Turing Frequency Estimation Without Tears; Journal of Quantitative Linguistics, Vol. 2, No. 3 (1995).
22. S. Zanero, S.M. Savaresi; Unsupervised Learning Techniques for an Intrusion Detection System; 2004 ACM Symposium on Applied Computing.
23. M.V. Mahoney, P.K. Chan; Network Anomaly Intrusion Detection Research at Florida Tech. [Online]
24. Eric Chiejina (2008); Detecting Network Intrusions via a Statistical Analysis of Network Packet Features; University of Hertfordshire, School of Computer Science.


Technical Aspects of Intrusion Detection Techniques

Technical Aspects of Intrusion Detection Techniques Technical Aspects of Intrusion Detection Techniques Final Year Project 2003-04 Project Plan Version 0.2 28th, November 2003 By Cheung Lee Man 2001572141 Computer Science and Information Systems Supervisor

More information

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation W is a Firewall firewall = wall to protect against fire propagation Internet Security: Firewall More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits

More information

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng Firewalls IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response: Recovery, Forensics

More information

IJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology

IJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology ISSN 2229-5518 321 Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology Abstract - Nowadays all are working with cloud Environment(cloud

More information

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 zone-based firewalls support the Protection of Distributed Denial of Service Attacks and the Firewall

More information

Transmission Control Protocol. ITS 413 Internet Technologies and Applications

Transmission Control Protocol. ITS 413 Internet Technologies and Applications Transmission Control Protocol ITS 413 Internet Technologies and Applications Contents Overview of TCP (Review) TCP and Congestion Control The Causes of Congestion Approaches to Congestion Control TCP Congestion

More information