A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection

IEEE Communications Surveys and Tutorials

Volumn 18, Issue 2, 2016, Pages 1153-1176

  Buczak, Anna L ^a   Guven, Erhan ^a  

^a JOHNS HOPKINS UNIVERSITY APPLIED PHYSICS LABORATORY   (United States)

Author keywords

Cyber Analytics; Data Mining; Machine Learning

Indexed keywords

ARTIFICIAL INTELLIGENCE; DATA MINING; INTRUSION DETECTION; MERCURY (METAL); SURVEYS;

CYBER ANALYTICS; CYBER SECURITY; LITERATURE SURVEY; MACHINE LEARNING METHODS;

LEARNING SYSTEMS;

EID: 84971516631     PISSN: None     EISSN: 1553877X     Source Type: Journal    
DOI: 10.1109/COMST.2015.2494502     Document Type: Article

References (113)

1. A. Mukkamala, A. Sung, and A. Abraham, "Cyber security challenges: Designing efficient intrusion detection systems and antivirus tools, " in Enhancing Computer Security with Smart Technology, V. R. Vemuri, Ed. New York, NY, USA: Auerbach, 2005, pp. 125-163.
2. M. Bhuyan, D. Bhattacharyya, and J. Kalita, "Network anomaly detection: Methods, systems and tools, " IEEE Commun. Surv. Tuts., vol. 16, no. 1, pp. 303-336, First Quart. 2014.
3. T. T. T. Nguyen and G. Armitage, "A survey of techniques for internet traffic classification using machine learning, " IEEE Commun. Surv. Tuts., vol. 10, no. 4, pp. 56-76, Fourth Quart. 2008.
4. P. Garcia-Teodoro, J. Diaz-Verdejo, G. Maciá-Fernández, and E. Vázquez, "Anomaly-based network intrusion detection: Techniques, systems and challenges, " Comput. Secur., vol. 28, no. 1, pp. 18-28, 2009.
5. A. Sperotto, G. Schaffrath, R. Sadre, C. Morariu, A. Pras, and B. Stiller, "An overview of IP flow-based intrusion detection, " IEEE Commun. Surv. Tuts., vol. 12, no. 3, pp. 343-356, Third Quart. 2010.
6. S. X. Wu and W. Banzhaf, "The use of computational intelligence in intrusion detection systems: A review, " Appl. Soft Comput., vol. 10, no. 1, pp. 1-35, 2010.
7. Y. Zhang, L. Wenke, and Y.-A. Huang, "Intrusion detection techniques for mobile wireless networks, " Wireless Netw., vol. 9, no. 5, pp. 545-556, 2003.
8. U. Fayyad, G. Piatetsky-Shapiro, and P. Smyth, "The KDD process for extracting useful knowledge from volumes of data, " Commun. ACM, vol. 39, no. 11, pp. 27-34, 1996.
9. C. Shearer, "The CRISP-DM model: The new blueprint for data mining, " J. Data Warehouse., vol. 5, pp. 13-22, 2000.
10. A. Guazzelli, M. Zeller, W. Chen, and G. Williams, "PMML an open standard for sharing models, " R J., vol. 1, no. 1, pp. 60-65, May 2009.
11. M. Hall, E. Frank, J. Holmes, B. Pfahringer, P. Reutemann, and I. Witten, "The WEKA data mining software: An update, " ACM SIGKDD Explor. Newslett., vol. 11, no. 1, pp. 10-18, 2009.
12. R Language Definition. (2000). R Core Team [Online]. Available: ftp://155.232.191.133/cran/doc/manuals/r-devel/R-lang.pdf, accessed on Nov. 2015.
13. M. Graczyk, T. Lasota, and B. Trawinski, "Comparative analysis of premises valuation models using KEEL, RapidMiner, and WEKA, " Computational Collective Intelligence. Semantic Web, Social Networks and Multiagent Systems. New York, NY, USA: Springer, 2009, pp. 800-812.
14. V. Jacobson, C. Leres, and S. McCanne, The Tcpdump Manual Page. Berkeley, CA, USA: Lawrence Berkeley Laboratory, 1989.
15. G. Combs. Wireshark [Online]. Available: http://www.wireshark.org, accessed on Jun. 2014.
16. Snort 2.0. Sourcefire [Online]. Available: http://www.sourcefire.com/technology/whitepapers.htm, accessed on Jun. 2014.
17. G. F. Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. USA: Insecure, 2009.
18. R. Lippmann, J. Haines, D. Fried, J. Korba, and K. Das, "The 1999 DARPA offline intrusion detection evaluation, " Comput. Netw., vol. 34, pp. 579-595, 2000.
19. R. Lippmann et al., "Evaluating intrusion detection systems: The 1998 DARPA offline intrusion detection evaluation, " in Proc. IEEE DARPA Inf. Surviv. Conf. Expo., 2000, pp. 12-26.
20. S. J. Stolfo, KDD Cup 1999 Data Set, University of California Irvine, KDD repository [Online]. Available: http://kdd.ics.uci.edu, accessed on Jun. 2014.
21. M. Tavallaee, E. Bagheri, W. Lu, and A. Ghorbani, "A detailed analysis of the KDD Cup 1999 data set, " in Proc. 2nd IEEE Symp. Comput. Intell. Secur. Defense Appl., 2009, pp. 1-6.
22. K. Hornik, M. Stinchcombe, and H. White, "Multilayer feedforward networks are universal approximators, " Neural Netw., vol. 2, pp. 359-366, 1989.
23. F. Rosenblatt, "The perceptron: A probabilistic model for information storage and organization in the brain, " Psychol. Rev., vol. 65, no. 6, pp. 386-408, 1958.
24. J. Cannady, "Artificial neural networks for misuse detection, " in Proc. 1998 Nat. Inf. Syst. Secur. Conf., Arlington, VA, USA, 1998, pp. 443-456.
25. Internet Security Scanner (ISS). IBM [Online]. Available: http://www.iss.net, accessed on Feb. 2015.
26. B. Morel, "Artificial intelligence and the future of cybersecurity, " in Proc. 4th ACM Workshop Secur. Artif. Intell., 2011. pp. 93-98.
27. R. P. Lippmann and R. K. Cunningham, "Improving intrusion detection performance using keyword selection and neural networks, " Comput. Netw., vol. 34, pp. 597-603, 2000.
28. A. Bivens, C. Palagiri, R. Smith, B. Szymanski, and M. Embrechts, "Network-based intrusion detection using neural networks, " Intell. Eng. Syst. Artif. Neural Netw., vol. 12, no. 1, pp. 579-584, 2002.
29. R. Agrawal, T. Imielinski, and A. Swami, "Mining association rules between sets of items in large databases, " in Proc. Int. Conf. Manage. Data Assoc. Comput. Mach. (ACM), 1993, pp. 207-216.
30. C. M. Kuok, A. Fu, and M. H. Wong, "Mining fuzzy association rules in databases, " ACM SIGMOD Rec., vol. 27, no. 1, pp. 41-46, 1998.
31. L. Zadeh, "Fuzzy sets, " Inf. Control, vol. 8, no. 3, pp. 338-35, 1965.
32. H. Brahmi, B. Imen, and B. Sadok, "OMC-IDS: At the cross-roads of OLAP mining and intrusion detection, " in Advances in Knowledge Discovery and Data Mining. New York, NY, USA: Springer, 2012, pp. 13-24.
33. H. Zhengbing, L. Zhitang, and W. Junqi, "A novel network intrusion detection system (NIDS) based on signatures search of data mining, " in Proc. 1st Int. Conf. Forensic Appl. Techn. Telecommun. Inf. Multimedia Workshop (e-Forensics '08), 2008, pp. 10-16.
34. H. Han, X. Lu, and L. Ren, "Using data mining to discover signatures in network-based intrusion detection, " in Proc. IEEE Comput. Graph. Appl., 2002, pp. 212-217.
35. D. Apiletti, E. Baralis, T. Cerquitelli, and V. D'Elia, "Characterizing network traffic by means of the NetMine framework, " Comput. Netw., vol. 53, no. 6, pp. 774-789, Apr. 2009.
36. NetGroup, Politecnico di Torino, Analyzer 3.0 [Online]. Available: http://analyzer.polito.it, accessed on Jun. 2014.
37. E. Baralis, T. Cerquitelli, and V. D'Elia. (2008). Generalized Itemset Discovery by Means of Opportunistic Aggregation. Tech. Rep., Politecnico di Torino [Online] https://dbdmg.polito.it/twiki/bin/view/Public/NetworkTrafficAnalysis, accessed on Jun. 2014.
38. A. Tajbakhsh, M. Rahmati, and A. Mirzaei, "Intrusion detection using fuzzy association rules, " Appl. Soft Comput., vol. 9, pp. 462-469, 2009.
39. J. Luo and S. Bridges, "Mining fuzzy association rules and fuzzy frequency episodes for intrusion detection, " Int. J. Intell. Syst., vol. 15, no. 8, pp. 687-703, 2000.
40. D. Heckerman, A Tutorial on Learning with Bayesian Networks. New York, NY, USA: Springer, 1998.
41. F. V. Jensen, Bayesian Networks and Decision Graphs. New York, NY, USA: Springer, 2001.
42. C. Livadas, R. Walsh, D. Lapsley, and W. Strayer, "Using machine learning techniques to identify botnet traffic, " in Proc 31st IEEE Conf. Local Comput. Netw., 2006, pp. 967-974.
43. F. Jemili, M. Zaghdoud, and A. Ben, "A framework for an adaptive intrusion detection system using Bayesian network, " in Proc. IEEE Intell. Secur. Informat., 2007, pp. 66-70.
44. C. Kruegel, D. Mutz, W. Robertson, and F. Valeur, "Bayesian event classification for intrusion detection, " in Proc. IEEE 19th Annu. Comput. Secur. Appl. Conf., 2003, pp. 14-23.
45. S. Benferhat, T. Kenaza, and A. Mokhtari, "A Naïve Bayes approach for detecting coordinated attacks, " in Proc. 32nd Annu. IEEE Int. Comput. Software Appl. Conf., 2008, pp. 704-709.
46. K. Jain and R. C. Dubes, Algorithms for Clustering Data. Englewood Cliffs, NJ, USA: Prentice-Hall, 1988.
47. K. Leung and C. Leckie, "Unsupervised anomaly detection in network intrusion detection using clusters, " in Proc. 28th Australas. Conf. Comput. Sci., vol. 38, 2005, pp. 333-342.
48. P. W. Holland and S. Leinhardt, "Transitivity in structural models of small groups, " Comp. Group Stud., vol. 2, pp. 107-124, 1971.
49. J. Watts and S. Strogatz, "Collective dynamics of 'small-world' networks, " Nature, vol. 393, pp. 440-442, Jun. 1998.
50. R. Hendry and S. J. Yang, "Intrusion signature creation via clustering anomalies, " in Proc. SPIE Defense Secur. Symp. Int. Soc. Opt. Photonics, 2008, pp. 69730C-69730C.
51. M. Blowers and J. Williams, "Machine learning applied to cyber operations, " in Network Science and Cybersecurity. New York, NY, USA: Springer, 2014, pp. 55-175.
52. K. Sequeira and M. Zaki, "ADMIT: Anomaly-based data mining for intrusions, " in Proc 8th ACM SIGKDD Int. Conf. Knowl. Discov. Data Min., 2002, pp. 386-395.
53. R. Quinlan, "Induction of decision trees, " Mach. Learn., vol. 1, no. 1, pp. 81-106, 1986.
54. R. Quinlan, C4.5: Programs for Machine Learning. San Mateo, CA, USA: Morgan Kaufmann, 1993.
55. C. Kruegel and T. Toth, "Using decision trees to improve signature-based intrusion detection, " in Proc. 6th Int. Workshop Recent Adv. Intrusion Detect., West Lafayette, IN, USA, 2003, pp. 173-191.
56. L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi, "EXPOSURE: Finding malicious domains using passive DNS analysis, " presented at the 18th Annu. Netw. Distrib. Syst. Secur. Conf., 2011.
57. L. Bilge, S. Sen, D. Balzarotti, E. Kirda, and C. Kruegel, "2014 Exposure: A passive DNS analysis service to detect and report malicious domains, " ACM Trans. Inf. Syst. Secur., vol. 16, no. 4, Apr. 2014.
58. R. Polikar, "Ensemble based systems in decision making, " IEEE Circuits Syst. Mag., vol. 6, no. 3, pp. 21-45, Third Quart. 2006.
59. Y. Freund and R. Schapire, "Experiments with a new boosting algorithm, " in Proc. 13th Int. Conf. Mach. Learn., 1996, vol. 96, pp. 148-156.
60. P. Long and R. Servedio, "Boosting the area under the ROC curve, " Adv. Neural Inf. Process. Syst., pp. 945-952, 2007.
61. L. Breiman, "Random forests, " Mach. Learn., vol. 45, no. 1, pp. 5-32, 2001.
62. J. Zhang, M. Zulkernine, and A. Haque, "Random-forests-based network intrusion detection systems, " IEEE Trans. Syst. Man Cybern. C: Appl. Rev., vol. 38, no. 5, pp. 649-659, Sep. 2008.
63. F. Gharibian and A. Ghorbani, "Comparative study of supervised machine learning techniques for intrusion detection, " in Proc. 5th Annu. Conf. Commun. Netw. Serv. Res., 2007, pp. 350-358.
64. J. H. Friedman, "Multivariate adaptive regression splines, " Anal. Statist., vol. 19, pp. 1-141, 1991.
65. S. Mukkamala, A. Sunga, and A. Abraham, "Intrusion detection using an ensemble of intelligent paradigms, " J. Netw. Comput. Appl., vol. 28, no. 2, pp. 167-182, 2004.
66. L. Bilge, D. Balzarotti, W. Robertson, E. Kirda, and C. Kruegel, "Disclosure: Detecting botnet command and control servers through large-scale netflow analysis, " in Proc. 28th Annu. Comput. Secur. Appl. Conf. (ACSAC'12), Orlando, FL, USA, Dec. 3-7, 2012, pp. 129-138.
67. D. E. Goldberg and J. H. Holland, "Genetic algorithms and machine learning, " Mach. Learn., vol. 3, no. 2, pp. 95-99, 1988.
68. J. R. Koza, Genetic Programming: On the Programming of Computers by Means of Natural Selection. Cambridge, MA, USA: MIT Press, 1992.
69. H. G. Beyer and H. P. Schwefel, "Evolution strategies: A comprehensive introduction, " J. Nat. Comput., vol. 1, no. 1, pp. 3-52, 2002.
70. J. Kennedy and R. Eberhart, "Particle swarm optimization, " in Proc. IEEE Int. Conf. Neural Netw., 1995, vol. IV, pp. 1942-1948.
71. M. Dorigo and L. M. Gambardella, "Ant colony system: A cooperative learning approach to the traveling salesman problem, " IEEE Trans. Evol. Comput., vol. 1, no. 1, pp. 53-66, Apr. 1997.
72. J. Farmer, N. Packard, and A. Perelson, "The immune system, adaptation and machine learning, " Phys. D: Nonlinear Phenom., vol. 2, pp. 187-204, 1986.
73. W. Li, "Using genetic algorithms for network intrusion detection, " in Proc. U.S. Dept. Energy Cyber Secur. Group 2004 Train. Conf., 2004, pp. 1-8.
74. A. Abraham, C. Grosan, and C. Martin-Vide, "Evolutionary design of intrusion detection programs, " Int. J. Netw. Secur., vol. 4, no. 3, pp. 328-339, 2007.
75. J. Hansen, P. Lowry, D. Meservy, and D. McDonald, "Genetic programming for prevention of cyberterrorism through dynamic and evolving intrusion detection, " Decis. Support Syst., vol. 43, no. 4, pp. 1362-1374, Aug. 2007.
76. S. Khan, "Rule-based network intrusion detection using genetic algorithms, " Int. J. Comput. Appl., vol. 18, no. 8, pp. 26-29, Mar. 2011.
77. T. Jolliffe, Principal Component Analysis, 2nd ed. New York, NY, USA: Springer, 2002.
78. W. Lu and I. Traore, "Detecting new forms of network intrusion using genetic programming, " Comput. Intell., vol. 20, pp. 470-489, 2004.
79. A. Markov, "Extension of the limit theorems of probability theory to a sum of variables connected in a chain, " Dynamic Probabilistic Systems, vol. 1, R. Howard. Hoboken, NJ, USA: Wiley, 1971 (Reprinted in Appendix B).
80. L. E. Baum and J. A. Eagon, "An inequality with applications to statistical estimation for probabilistic functions of Markov processes and to a model for ecology, " Bull. Amer. Math. Soc., vol. 73, no. 3, p. 360, 1967.
81. A. Arnes, F. Valeur, G. Vigna, and R. A. Kemmerer, "Using Hidden markov models to evaluate the risks of intrusions: System architecture and model validation, " Lect. Notes Comput. Sci., pp. 145-164, 2006.
82. D. Ariu, R. Tronci, and G. Giacinto, "HMMPayl: An intrusion detection system based on hidden Markov models, " Comput. Secur., vol. 30, no. 4, pp. 221-241, 2011.
83. S. S. Joshi and V. V. Phoha, "Investigating hidden Markov models capabilities in anomaly detection, " in Proc. ACM 43rd Annu. Southeast Reg. Conf., 2005, vol. 1, pp. 98-103.
84. P. Dempster, N. M. Laird, and D. B. Robin, "Maximum likelihood from incomplete data via the EM algorithm, " J. Roy. Statist. Soc., Series B (methodological), pp. 1-38, 1977.
85. W. W. Cohen, "Fast effective rule induction, " in Proc. 12th Int. Conf. Mach. Learn., Lake Tahoe, CA, USA, 1995, pp. 115-123.
86. R. Michalski, "A theory and methodology of inductive learning, " Mach. Learn., vol. 1, pp. 83-134, 1983.
87. W. Lee, S. Stolfo, and K. Mok, "A data mining framework for building intrusion detection models, " in Proc. IEEE Symp. Secur. Privacy, 1999, pp. 120-132.
88. W. Fan, M. Miller, S. Stolfo, W. Lee, and P. Chan, "Using artificial anomalies to detect unknown and known network intrusions, " Knowl. Inf. Syst., vol. 6, no. 5, pp. 507-527, 2004.
89. I. H. Witten and E. Frank, Data Mining: Practical Machine Learning Tools and Techniques, 3rd ed. San Mateo, CA, USA: Morgan Kaufmann, 2011.
90. M. Panda and M. R. Patra, "Network intrusion detection using Naive Bayes, " Int. J. Comput. Sci. Netw. Secur., vol. 7, no. 12, pp. 258-263, 2007.
91. N. B. Amor, S. Benferhat, and Z. Elouedi, "Naïve Bayes vs. decision trees in intrusion detection systems, " in Proc ACM Symp. Appl. Comput., 2004, pp. 420-424.
92. R. Agrawal and R. Srikant, "Mining sequential patterns, " in Proc. IEEE 11th Int. Conf. Data Eng., 1995, pp. 3-14.
93. Y. Hu and B. Panda, "A data mining approach for database intrusion detection, " in Proc. ACM Symp. Appl. Comput., 2004, pp. 711-716.
94. Z. Li, A. Zhang, J. Lei, and L. Wang, "Real-time correlation of network security alerts, " in Proc. IEEE Int. Conf. e-Business Eng., 2007, pp. 73-80.
95. V. Vapnik, The Nature of Statistical Learning Theory. New York, NY, USA: Springer, 2010.
96. Y. Li, J. Xia, S. Zhang, J. Yan, X. Ai, and K. Dai, "An efficient intrusion detection system based on support vector machines and gradually feature removal method, " Expert Syst. Appl., vol. 39, no. 1, pp. 424-430, 2012.
97. F. Amiri, M. Mahdi, R. Yousefi, C. Lucas, A. Shakery, and N. Yazdani, "Mutual information-based feature selection for IDSs, " J. Netw. Comput. Appl., vol. 34, no. 4, pp. 1184-1199, 2011.
98. W. J. Hu, Y. H. Liao, and V. R. Vemuri, "Robust support vector machines for anomaly detection in computer security, " in Proc. 20th Int. Conf. Mach. Learn., 2003, pp. 282-289.
99. C. Wagner, F. Jérôme, and E. Thomas, "Machine learning approach for IP-flow record anomaly detection, " in Networking 2011. New York, NY, USA: Springer, 2011, pp. 28-39.
100. D. Brauckhoff, A. Wagner, and M. May, "Flame: A low-level anomaly modeling engine, " in Proc. Conf. Cyber Secur. Exp. Test, 2008.
101. T. Shon and J. Moon, "A hybrid machine learning approach to network anomaly detection, " Inf. Sci., vol. 177, no. 18, pp. 3799-3821, Sep. 2007.
102. T. Kohonen, Self-Organizing Map. New York, NY, USA: Springer, 1995.
103. V. Paxson. (2004). Bro 0.9 [Online]. Available: http://bro-ids.org, accessed on Jun. 2014.
104. R. Caruana and A. Niculescu-Mizil, "An empirical comparison of supervised learning algorithms, " in Proc. ACM 23rd Int. Conf. Mach. Learn., 2006, pp. 161-168.
105. J. Dean and S. Ghemawat, "MapReduce: Simplified data processing on large clusters, " Commun. ACM, vol. 51, no. 1, pp. 107-113, 2008.
106. H. Guang-Bin, D. H. Wang, and Y. Lan, "Extreme learning machines: A survey, " Int. J. Mach. Learn. Cybern., vol. 2, no. 2, pp. 107-122, 2011.
107. K. Jain, J. Mao, and K. M. Mohiuddin, "Artificial neural networks: A tutorial, " Computer, vol. 29, no. 3, pp. 31-44, 1996.
108. R. Agrawal, H. Mannila, R. Srikant, H. Toivonen, and A. I. Verkamo, "Fast discovery of association rules, " Adv. Knowl. Discov. Data Min., vol. 12, no. 1, pp. 307-328, 1996.
109. M. Ester, H. P. Kriegel, J. Sander, and X. Xu, "A density-based algorithm for discovering clusters in large spatial databases with noise, " Knowl. Discov. Data Min., vol. 96, pp. 226-231, 1996.
110. P. S. Oliveto, J. He, and X. Yao, "Time complexity of evolutionary algorithms for combinatorial optimization: A decade of results, " Int. J. Autom. Comput., vol. 4, no. 3, pp. 281-293, 2007.
111. G. D. Forney, "The Viterbi algorithm, " Proc. IEEE, vol. 61, no. 3, pp. 268-278, Mar. 1973.
112. J. C. Burges, "A tutorial on support vector machines for pattern recognition, " Data Min. Knowl. Discov., vol. 2, no. 2, pp. 121-167, 1998.
113. K. Ahsan and D. Kundur, "Practical data hiding in TCP/IP, " in Proc. ACM Multimedia Secur. Workshop, 2002, vol. 2, no. 7.