You are here: Home Contents V3 N1 V3N1_Ye.html
Personal tools

An Evaluation of Size-based Traffic Feature for Intrusion Detection



Full text

Journal of Information Systems Security
Volume 3, Number 1 (2007)
Pages 1938
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Ming Ye — Iowa State University, USA
G. Premkumar — Iowa State University, USA
Dan Zhu — Iowa State University, USA
Information Institute Publishing, Washington DC, USA




Network attacks have become a significant threat to organizations and effective intrusion detection systems have to be developed detect these attacks before they inflict harm to the internal network infrastructure. Denial of service (DoS) and probing attacks are the most common attacks. While time-based traffic features provide information to identify attacks, size-based traffic features enhance the identification accuracy. In this study, we add a size-based feature to an existing timebased feature intrusion detection system. The system is tested on a data set that includes both normal traffic and attack traffic from different types of attacks. The results indicate that size-based feature increases the accuracy of prediction. We also used meta-classification schemes such as bagging and boosting to examine if they improve the performance. The improvement in accuracy was only marginal compared to the combined model that includes both time-based and size-based features.




Intrusion Detection, Network Security, Data Mining, Network Attacks, Induction Tree Algorithm




Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J., and Stoner, E., et al. (2000), ‘State of the Practice of Intrusion Detection Technologies,’ Software Engineering Institute, Carnegie Mellon University, (CMU/SEI-SIM-010). Pittsburgh, PA.

Anderson, J. (1980), ‘Computer Security Threat Monitoring and Surveillance,’ Fort Washington, PA: James P. Anderson Co. 

Bauer, E., and Kohav, R. (1999). ‘An Empirical Comparison of Voting Classification Algorithms: Bagging, Boosting, and Variants,’ Machine Learning, 36, 105-139.

Carrettoni, F., Castano, S., Martella, G., and Samarati, P. (1991), ‘RETISS: A Real Time Security System for the threat Detection Using Fuzzy Logic,’Proceedings of 25th IEEE International Carnahan Conference on Security Technology. October Taipei, Taiwan ROC.

Chan, P. K., and Stolfo, S. J. (1993), ‘Toward Parallel and Distributed Learning by Meta-learning,’ AAAI Workshop in Knowledge Discovery in Database, 227-240.

Denning, D.E. (1987), “An intrusion-detection model,” IEEE Transaction on Software Engineering, 12(2), 222-232.

Drucker, H., Cortes, C., Jackel, L., LeCun, Y., and Vapnik, V. (1994), “Boosting and other ensemble methods,” Neural Computation, 6(6), 1289-1301.

Durst, R., Champion, T., Witten, B., Miller, E., Spagnuolo, L. (1999), “Testing and Evaluating: Computer Intrusion Detection Systems,” Communications of the ACM, 42(7), 53-61.

Fan, W., Wang, H., Yu, P., and Stolfo, S. (2002), ‘A fully distributed framework for cost-sensitive data mining,’ Proceedings of 22nd International Conference on Distributed Computing Systems. July. Vienna, Austria.

Garvey, T. D., and Lunt, T. F. (1991), ‘Model Based Intrusion Detection,’ Proceedings of the 14th National Computer Security Conference, October, 372-385.

Hettich, S. and Bay, S. D. (1999), ‘The UCI KDD Archive,’, Department of Information and Computer Science, University of California, Irvine, CA.

Hofmeyr, S.A., Forrest, S., and Somayaji, A. (1998), “Intrusion Detection Using Sequences of System Calls,” Journal of Computer Security, 6, 151-180.

Ilgun, K., Kemmerer, R.A., and Porras, P.A. (1995), “State Transition Analysis: A Rule-Based Intrusion Detection Approach,” IEEE Transactions on Software Engineering, 21(3), March, 1-22.

Cabrera, J. B. D., Lewis, L., Qin, X., Lee, W., and Mehra, R.K. (2002), “Proactive Intrusion Detection and Distributed Denial of Service Attacks - A Case Study in Security Management,” Journal of Network and Systems Management, 10(2).

Kumar, S., and Spafford, E. H. (1995), ‘A Software Architecture to Support Miscues Intrusion Detection,’ Proceeding of the 18th National Information Security Conference, 194-204.

Lee, W., Stolfo, S. J., and Chan, P. K. (1999), ‘Learning Patterns from Unix Process Execution Traces for Intrusion Detection,’ AAAI Workshop: AI Approaches to Fraud Detection and Risk Management, AAAI Press, 50-56.

Lee, W., and Stolfo, S. (2000), “A Framework for Constructing Features and Models for Intrusion Detection Systems,” ACM Transactions on Information and System Security, 3(4).

Lippmann, R., Haines, J.W., Fried, D.J., Korba, J., and Das, K. (2000), “The 1999 DARPA off-line intrusion detection evaluation,” Computer Networks, 34, 579-595.

Lippmann, R., and Cunningham, R. K. (2000), ‘Improving intrusion detection performance using keyword selection and neural networks,’ Computer Networks. 34, 597-603.

Lunt, T., Tamaru, A., Gilham, F., Jagannathan, R., Neumann, P., Javitz, H, Valdes, A., and Garvey, T. (1992), ‘A Real-time Intrusion Detection Expert System (IDES) – Final Technical Report,’ Computer Science Laboratory, SRI International, Menlo Park, California.

NSA (2002), “Therminator to watch for cyber attacks”, Federal Computer Week, Dec. 13, 2002.

Optiz, D, and Maclin, R. (1999), “Popular Ensemble Methods: An Empirical Study,” Journal of Artificial Intelligence Research, 11, 169-198.

Paxson, V. (1998), ‘Bro: A System for Detecting Network Intruders in Real-Time,’ Proceedings of 7th USENIX Security Symposium. San Antonio, TX, January 1998 [online]. Available at>.

Porras, P.A., and Neumann, P. G. (1997), ‘EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances,’ Proceedings of 20th National Information Systems Security Conference, October 7-10, Baltimore, MD.

Porras, P. A., and Valdes, A. (1998). ‘Live Traffic Analysis of TCP/IP Gateways,’ Proceedings of the Network and Distributed System Security Symposium, March 11-13, San Diego, CA.

Quinlan, J. R. (1993), C4.5: Programs for Machine Learning, Morgan Kaufmann.

Quinlan, R. (1996), ‘Boosting, bagging and C4.5’, Proceedings of 13 National Conference on Artificial Intelligence (AAAI 96), AAAI Press, 725-730.

Richardson, R. (2005), ‘10th CSI/FBI Computer Crime and Security Survey,’, July 14, 2005.

Teng, H. S., Chen, K., and Lu, S. C. (1990), ‘Security Audit Trail Analysis Using Inductively Generated Predictive Rules,’ Proceedings of the 11th National Conference on Artificial Intelligence Applications, 24-29 March.

Wagner, D., and Dean, D. (2001), ‘Intrusion Detection via Static Analysis,’ Proceedings of the 2001 IEEE Symposium on Security and Privacy.

Witten, I. H., and Eibe, F. (2000), Data Mining: Practical machine learning tools with Java implementations, Morgan Kaufmann, San Francisco.

Huang, Y., Fan , W., Lee, W., and Yu, P.S. (2003), ‘Cross-Feature Analysis for Detecting Ad-Hoc Routing Anomalies,’ Proceedings of the 23rd International Conference on Distributed Computing Systems (ICDCS), May, Providence, RI.

Zhu, D., Premkumar, G., Zhang, X., and Chu, C. (2001), “Data Mining for Network Intrusion Detection A Comparison of Alternative Methods”, Decision Sciences, 32(4), Fall, 635-660.