Enhancing effectiveness of intrusion detection
systems: A hybrid approach
Basant Subba , Santosh Biswas, Sushanta Karmakar
Department of Computer Science & Engineering
Indian Institute of Technology, Guwahati
Assam, India 781039
Email: s.basant@iitg.ernet.in, santosh biswas@iitg.ernet.in , sushantak@iitg.ernet.in
AbstractIntrusion Detection Systems (IDSs) proposed in the
literature can broadly be classified as either signature based or
anomaly based. Although both these classes of IDSs effectively
detect wide range of network attacks, they have their own set
of drawbacks. Signature based IDSs are incapable of detecting
new attacks and produce a large number of false positive alarms
when operated with default settings. On the other hand, anomaly
based IDSs require extensive training before deployment and
are computationally expensive. In this paper, we aim to address
these issues by proposing an efficient hybrid intrusion detection
framework with high detection rate and low false alarm rate.
A novel false alarm minimization technique is used to reduce
the false alarm rate of the signature based component and
a simple header based anomaly detection module is used to
minimize the computational overhead of the anomaly based
component. Experimental results on the benchmark DARPA
IDEVAL dataset and an in-house test bed dataset show that the
proposed framework achieves a high detection rate and accuracy
across a wide range of network attacks, while at the same time
minimizes the overall computational overhead.
KeywordsIntrusion Detection Systems (IDSs), DARPA IDE-
VAL dataset, False alarms, Snort, PHAD
I. I NTRODUCTION
Rapid proliferation of heterogeneous networking devices
that can seamlessly communicate and interact with each other
has significantly increased the complexity of the network secu-
rity. Most of these devices have inherent design flaws that leads
to various security threats. Various preventive mechanisms
like cryptography, authentication, data encryption, firewall etc.,
have been proposed in the literature as a first line of defense
to prevent network intrusions. However, these mechanisms
have their limitations and attackers are increasingly finding
their way around them to gain unauthorized access to the
network and launch attacks. Moreover, these mechanisms
cannot detect inside attacks, where the attacker is a legitimate
part of the network. To address these security issues, Intrusion
Detection System (IDS) has been proposed in the literature
as a complementary second line of defense[1] [2] [3] [4].
IDS monitors network for sign of intrusions and raises an
alarm whenever any malicious or intrusive network activities
are detected. Therefore, IDS helps to contain the network
breach by taking appropriate preventive measure (raising alarm
and reporting to network administrator) before any significant
damage can be inflicted on the network by the intruder.
Based on their mode of detection, IDSs can broadly be
classified into following two categories namely, signature
based and anomaly based. Signature based IDSs monitor data
packets on the network and compares them against a database
of well known attack signatures. The attack signatures are
combination of the packet header feature values and packet
content descriptions intended for identification of anomalous
data traffic. The main advantage of signature based IDSs is
that they have fairly high accuracy and detection rate against
known attacks. However, they fail to detect new attacks whose
signatures has not yet been updated in the databases. In
addition, most of the commercially available signature based
IDSs like Snort [2], Bro [3] etc. uses regular expressions
instead of using an exact matching string when specifying
attack signatures. This results in a large number of false alarm
generation when they are deployed with default settings.
On the other hand, anomaly based IDSs consist of two
distinct phases namely, the training phase and the testing
phase. During the training phase the normal profile of the
network is learned by the anomaly based IDSs and during
the testing phase the learned model of normal profile is
applied to the current network traffic to detect intrusions.
Depending on the methods employed, anomaly based IDSs
can be categorized into statistics based [5], machine learning
based [6] [7] and data-mining based [8] [9] [10] IDSs. The
main advantage of anomaly based IDSs is that unlike the
signature based IDSs they do not rely on any predefined attack
signatures to detect network intrusions and are therefore able to
detect novel attacks. However, the main drawback of anomaly
based IDSs is the difficulty involved in defining the normal
network profile against which the traffic being monitored are
correlated to detect network intrusions. Estimating and defining
the normal network profile, especially in a dynamic network,
where the traffic pattern varies at regular interval is a difficult
task. Another key issue of anomaly based IDSs is their high
computational overhead. Most of the anomaly based IDSs
employ a deep level packet inspection which increases their
computational overhead and limits their performance in a high
speed networks.
In this paper, we aim to address these issues of signature
and anomaly based IDSs by proposing a new hybrid IDS
framework. The proposed hybrid framework combines the
desirable properties of both the signature and anomaly based
IDSs, while eliminating the drawbacks associated with them.
The signature based component of the proposed framework
uses a novel false alarm minimization technique to minimize
the overall false positive alarm rate while the anomaly based
component uses a simple packet header anomaly detector
(PHAD) [4] module to minimize the overall computational
overhead. PHAD inspects only the packets header field with-
out performing any in-depth payload inspection. In addition,the
proposed framework is capable of detecting network attacks
that the signature and anomaly based IDSs cannot detect alone
in isolation. Experimental results on the benchmark DARPA
IDEVAL dataset and the testbed dataset show that the proposed
framework achieves a high detection rate and accuracy against
wide range of attacks while at the same time minimizes the
overall computational overhead.
The rest of the paper has been structured in following ways.
Section II discusses the related works on false alarm mini-
mization and computational overhead optimization of IDSs.
Section III presents the overall description of the proposed
hybrid intrusion detection framework. Section IV presents the
experimental results and finally we conclude with conclusion
and future works in section V.
II. R ELATED W ORK
IDS frameworks that correlate alarms generated by the
signature based IDS with network vulnerabilities based on
their reference numbers are proposed in [11] [12]. In these
frameworks, various vulnerability scanners are employed to
develop the Vulnerability Threat Profile of the network. IDS
alarms are then correlated with vulnerabilities in the Vulner-
ability Threat Profile based on their reference numbers. If
the IDS alarm cannot be correlated with any of the network
vulnerabilities then it is treated as false positive alarm and
ignored. However, the drawback of these schemes is that
some of the IDS alarms may not have an associated reference
numbers and therefore, they cannot be correlated with any of
the network vulnerabilities. This increases the false negative
rate and hence lowers the detection rate of the IDS.
Valdes et al. [13] applied Bayesian networks to detect
anomalies on burst of traffic. Their Bayesian network assigns
a probabilistic relationship to various variables of the data traf-
fic and is capable of determining interdependencies between
various variable of the data traffic. They showed that their
scheme is capable of detecting the DDoS attack that will not be
detected if each of the attack components were to be examined
separately. Dickerson et al. [9] proposed a simple data mining
technique that processes the network data traffic and generates
a set of fuzzy rules for every feature under observation which
detects individual attacks based on each of the features. The
main drawback of theses schemes are their high computational
overhead.
Barford et al. [14] proposed a statistical anomaly based IDS
which operates under the assumption that the characteristics
of the anomalous network traffic significantly deviates from
the normal pattern, in terms of the number of data bytes
exchanged, packets transmitted, heavy usage of certain set of
IP addresses and ports etc. Their scheme was successful in
identifying large traffic changes such as bandwidth flooding
attacks. However, the drawback of their scheme is that it
fails to detect attacks if the attacker is smart enough to keep
the disruptions caused by the attacks below certain threshold
levels.
IDS scheme that uses entropy as a tool to summarize vari-
ous traffic features was proposed by Lakhina et al. [15]. They
showed that the network traffic feature distributions analysis
leads to an accurate anomaly detection model. Their scheme
was able to detect wide range of anomalies with fairly high
sensitivity and accuracy. Kim et al. [16] proposed IDS scheme
that uses address correlation properties to detect anomalies.
Their scheme examines the packet headers rather than the
packet payload, to look for the correlation between various
header fields using the wavelet analysis. The drawbacks of
these IDS schemes are their high computational overhead.
Yen et al. proposed a hybrid IDS framework for wireless
sensor networks [17]. Their framework consists of a mis-
use detection model, back propagation network (BPN) based
anomaly detection model and decision making modules. In
their proposed framework, the data packets are first analyzed
by the anomaly detection model. If any anomalies are detected
in the data packets then they are forwarded to both the misuse
based model and the decision making model. The misuse based
model analyzes the data packets further for sign of intrusions.
Finally, the decision making module combines the outputs of
both models to determine whether or not the data packets are
anomalous. In case of intrusion, the decision making module
reports to the base station. However, the drawback of this
scheme is its high computational overhead.
Summarizing the related works, we found that the false
alarm minimization techniques proposed in the literature de-
creases the detection rate of the signature based IDSs. We
also found that most of the anomaly based IDSs proposed
in the literature are computation intensive due to their deep
level packet inspections which puts a severe limitation on their
performance in a high speed network. The main contribution
of this paper are as follows:
1) Propose a hybrid intrusion detection framework with
high accuracy and detection rate.
2) Reduce the overall false alarm rate of the IDS by
proposing a novel false alarm minimization scheme.
3) Minimize the computational overhead of IDS by
analyzing only the data packets header field using
a Packet Header Anomaly Detector (PHAD).
III. P ROPOSED H YBRID I NTRUSION D ETECTION
FRAMEWORK
In this section, we provide a detailed description of the
proposed hybrid intrusion detection framework. The proposed
framework comprises a signature based and an anomaly based
components. Various enhancement mechanisms are employed
to fine tune the performance of both these components to
minimize the overall false alarm rate and the computational
overhead of the proposed framework. A detailed descriptions
about each of these components are provided in subsequent
sections.
A. Signature based component
Most of the signature based IDSs use regular expressions
instead of an exact matching string when specifying attack
signatures. Therefore, they produce a large number of false
positive (FP) alarms when operated with default settings. To
address this issue, we propose a novel false alarm minimization
technique to reduce the overall false alarm rate of the signature
based IDS. The overall architecture of the signature based
 Fig. 1: Architecture of the signature based component

TABLE I: Snapshot of alarms generated by signature based IDS

Src IP Addr Src port Dest IP Addr Dest port Ref No. Protocol Content OS
EXTERNAL NET 80 172.16.112.0/24 4502 CVE-1999-0874 TCP cmd.exe Windows
... ... ... ... ... ... ... ...
EXTERNAL NET 22 172.16.112.0/24 90 CVE-2001-0731 TCP s|00|p|00| |00|s|00| Solaris
EXTERNAL NET 25 172.16.112.0/24 1503 IP Microsoft Windows Windows
EXTERNAL NET 23 172.16.112.0/24 110, 25 CVE-1999-0146 IP Microsoft Windows Windows

TABLE II: Snapshot of vulnerabilities in the Vulnerability Threat Profile

Src IP Addr Src port Dest IP Addr Dest port Ref No. Protocol Content OS
EXTERNAL NET any HOME NET 4502, 25, 80 CVE-1999-0874 TCP cmd.exe Windows
... ... ... ... ... ... ... ...
EXTERNAL NET any HOME NET 3302, 403, 80 CVE-2003-0316 TCP | 5C|../|00 00 00| Linux
EXTERNAL NET any HOME NET 90,22, 25 CVE-2001-0731 TCP s|00|p|00| |00|s|00| Solaris
EXTERNAL NET any HOME NET 1402, 80, 22 CVE-2002-0012 TCP /bin Redhat
EXTERNAL NET any HOME NET 25,80 NessusID: 10280 TCP /root SunOS

component of the proposed framework is shown in Fig. 1. A
brief description about its various modules are provided below:
Packet sniffer: This module captures the incoming
data packets for intrusion detection analysis. It uses
the Libpcap and Wincap libraries for capturing data
packets.
Signature Based IDS: This module correlates the
data packets captured by the packet sniffer module
with attack signatures in the signature database. If
the captured packet matches with one or more attack
signatures in the database, an alarm is raised by the
IDS. Snort [2] is used as a default signature based IDS
in our study.
IDS Alarms: It is output of the signature based
IDS and contains both the relevant and non-relevant
alarms. Table I shows the snapshot of alarms generated
by the signature Based IDS.
Vulnerability Database: This module contains attack
signatures populated from various sources such as
CVE database [18], Bugtraq [19] etc.
Vulnerability Scanner: This module scans the net-
work to identify various vulnerabilities present in the
network. Different vulnerability scanners like Nessus
[20], Nmap [21], Rapid7 Nexpose etc., are used to
obtain an exhaustive list of all the network vulnera-
bilities.
Vulnerability Threat Profile: The network vulner-
abilities detected by the vulnerability scanners are
augmented with various network context information
parameters like reference numbers, IP addresses, port
numbers, protocols, traffic types etc., to create the
Vulnerability Threat Profile of the network. Alarms
raised by the signature based IDS are correlated with
vulnerabilities in the Vulnerability Threat Profile. Ta-
ble II shows the snapshot of the vulnerabilities in the
Vulnerability Threat Profile.
Binary Correlation Vector (BCV): Signature based
IDS alarms are correlated with vulnerabilities in the
Vulnerability Threat Profile to obtain the BCV. Let
the ith alarm raised by the signature based IDS be
represented by an alarm vector Ai = ha1 , a2 , ...., an i.
Similarly, let the jth vulnerability in the Vulnerability
Threat Profile be represented by the vulnerability
vector V j = hv1 , v2 , ...., vn i. The positional match or
mismatch between Ai and V j is represented by the
BCV of the form C = hc1 , c2 , ...., cn i, where ci = 0,
if (ai == vi ), else it is set to 1.
Global Vector Table (GVT): This module consists
of set of BCVs corresponding to valid attacks on the
network. Each BCV in the GVT of Table III is a binary
vector corresponding to the following tuple hDest IP,
Dest port, Src IP, Src port, Ref No, Protocol, Content,
OSi. If the BCV generated after correlating the IDS
 TABLE III: Global Vector Table with a list of BCVs
corresponding to valid attacks
Binary Correlation Vector Description
h 0, 0, 0, 0, 0, 0, 0, 0 i All feature matches
h 0, 1, 0, 0, 0, 0, 0, 0 i Mismatch in Dest Port No.
h 0, 0, 1, 0, 0, 0, 0, 0 i Mismatch in Src IP address
h 0, 0, 0, 1, 0, 0, 0, 0 i Mismatch in Src Port No.
h 0, 0, 0, 0, 1, 0, 0, 0 i Mismatch in Reference No.
h 0, 0, 0, 0, 0, 1, 0, 0 i Mismatch in Protocol
h 0, 0, 0, 0, 0, 0, 1, 0 i Mismatch in Content
alarm with vulnerabilities in the Vulnerability Threat
Profile has a corresponding entry in the GVT, then
the alarm corresponding to that BCV is marked as
true positive (TP) alarm, else it is ignored as a false
positive alarm. In general, IDS alarms are flagged as
a TPs if they satisfy the following conditions:
1) The source IP address of the IDS alarm and
the vulnerability being correlated matches.
2) The OS type of the IDS alarm and the vulner-
ability being correlated matches.
3) There is at most one mismatch in any other
features between the IDS alarm and the vul-
nerability being correlated.
B. Anomaly based component
The anomaly based component of the proposed hybrid IDS
framework uses the Packet Header Anomaly Detector (PHAD)
[4] to detect anomalous data packets. PHAD inspects only the
packets header field without performing any in-depth payload
inspection. It learns the normal range of values of different
fields of the packets header at the transport (TCP, UDP),
network (IP) and data link (Ethernet) layers during its training
phase. It operates under the assumption that rarer events are
more likely to be intrusive and hostile. If an event occurs with a
probability q, PHAD assigns it a score of 1/q. PHAD assumes
that if an event last occurred t seconds ago, then the probability
that it will occur in the next one second is given by 1/t.
Each packet header feature containing an anomalous value is
assigned an anomalous score given by score f eat = tn/r, where n
is the count of number of times the given features are observed
during the training phase and r is the number of distinct values
observed for this feature during the training phase. Finally,
the packet is scored by summing up the individual anomaly
scores of the features present in the packet, i.e. score packet =
ti ni /ri , where anomalous features are the features
ianomaly f eat
with values not observed during the training phase.
C. Overall architecture of the proposed framework
Fig. 2 shows the overall architecture of the proposed hybrid
intrusion detection framework. As shown in the figure, the
incoming data packets are analyzed by both the signature
based component (Snort) and the anomaly based component
(PHAD) simultaneously. If the data packets being analyzed
by the signature based component matches with one or more
attack signatures in the database then an alarm is raised. These
alarms are then re-evaluated using the false alarm minimization
technique discussed earlier to filter out the false positive
alarms. Only those alarms which can be correlated with one
or more vulnerabilities in the Vulnerability Threat Profile are
treated as True Positives (TPs) while others are discarded as
False Positives (FPs). On the other hand, the anomaly based
component analyzes the header fields of the data packets for
sign of anomalies. Data packets marked as anomalous by the
anomaly based component (PHAD) are treated as true alarms.
IV. E XPERIMENTAL R ESULTS
The performance of the proposed hybrid intrusion detection
framework was tested on the benchmark DARPA IDEVAL
dataset [22] and an in house test bed dataset. Accuracy and
detection rate were used as parameters for the evaluation of
the proposed framework.
A. Performance analysis on the test bed dataset
To create the testbed dataset, a heterogeneous test bed
network comprising of several hosts with various operating
systems like Windows 2000 Server, Windows XP, Windows
7, Ubuntu 12.04, Redhat 7.2 and Fedora 12 running various
applications such as Telnet, SSH, FTP server, SQL server
etc. was set up. Nmap [12] and Nessus [8] vulnerability
scanners were used to scan the test bed network and build
the Vulnerability Threat Profile. Some of the machines in the
test bed was used to generate attacks using the metasploit [23],
which is a freely available open source exploit toolbox. The
types of attack considered in the test bed setup were Denial of
Service (DoS) attack, probing attack, remote code execution,
SQL injection, Microsoft server exploits etc.
Wireshark [24] was used as packet sniffer to record the
data traffic information of the testbed network (as pcap files).
Two different set of datasets were generated from the given
testbed network. The first dataset comprising of only the
normal network traffic without any attacks was used to train
the PHAD. The second dataset, which consists of both the
normal data traffic and attacks was used as a test dataset for
both the signature and the anomaly based components.
A total of 48 attack instances are present in the test dataset
of the test bed network. Table IV shows the performance
analysis of the proposed hybrid IDS framework on the test
bed dataset. As shown in the table, 37 attack instances were
detected by the anomaly based component while producing 13
false positive alarms. On the other hand, a total of 93 alarms
were generated by the signature based component initially.
However, after application of the false alarm minimization
technique the number of alarms was reduced to 35. Out of
these 35 alarms, 32 were true positives while 3 of them
were false positives. In general, a total of 43 attack instances
were detected by the proposed hybrid IDS framework with 27
common attacks that were detected by both the signature and
anomaly based components. The accuracy (ACC) and detection
rate (DR) of the proposed hybrid IDS framework on the test
bed dataset was found to be 72.88% and 89.58%, respectively.
B. Performance analysis on the DARPA IDEVAL dataset
To analyze the performance of the proposed hybrid IDS
framework on the benchmark DARPA IDEVAL dataset, the
anomaly based component (PHAD) was trained on 5 days of
attack free network traffic of the third week dataset. The trained
model was then tested on 9 days of dataset from week 4 and
 Fig. 2: Oveall architecture of the proposed hybrid IDS framework

TABLE IV: Performance of the proposed hybrid IDS TABLE VI: Performance analysis of Snort on 4th and 5th
framework on test-bed dataset week of IDEVAL Test dataset
Anomaly Based Signature Based Performance Day No of alarms Alarms after Corr. TP FP
Component Component Analysis
No. of No. of Alarms after Mon4 87 8 6 2
TP FP TP FP ACC DR Wed4 107 9 5 4
Alarms Alarms correlation
Thu4 91 13 7 6
50 37 13 93 35 32 3 72.88% 89.58%
Fri4 109 11 8 3
Mon5 116 12 7 5
Tue5 97 10 6 4
Wed5 83 15 9 6
week 5 during which there were 201 instances of about 56 Thu5 113 7 4 3
types of attacks. Table V lists various attacks detected and Fri5 102 14 5 9
the false positive alarms generated by PHAD based on the
anomaly values observed in the given packet header field. Out
of 201 attack instances, 65 attacks were detected by PHAD TABLE VII: Performance analysis of different IDS
while generating a total of 102 false positive alarms. frameworks on the IDEVAL Test dataset
IDS scheme TP alarms FP alarms ACC DR
TABLE V: Performance analysis of PHAD on 4th and 5th Snort 57 813 6.55% 28.36%
PHAD 65 102 38.92% 32.34%
week of IDEVAL dataset HYB IDS 113 144 43.96% 56.22%

Field TP FP
Ethernet Size 1 1
Ethernet Dest Hi 1 5 PHAD and the proposed hybrid intrusion detection framework
Ethernet Src Hi 0 7
IP TOS 0 6 (HYB IDS) on the 9 days of IDEVAL test dataset. It can be
IP Packet Length 2 3 observed from the Table that the performance of Snort on the
IP TTL 31 19 DARPA IDEVAL dataset was very poor. One of the reason
IP Frag Ptr 7 4
IP Source Address 4 1 for this poor performance could be the fact that attacks of
IP Dest Address 2 9 the IDEVAL dataset are obsolete and Snort no longer includes
TCP Acknowledgment 0 0
TCP Flags UAPRSF 7 3
rules to detect them. In addition, Snort also generated a large
TCP Window Size 0 1 number of FP alarms (813). It can be observed from the
TCP Checksum 1 28 Table that the proposed HYB IDS framework has the highest
TCP URG Ptr 3 5
TCP Options 2 3 accuracy (ACC) and detection rate (DR) among the three
UDP Length 0 6 schemes.
UDP Checksum 2 0
ICMP Checksum 2 1 Summarizing the result, we found that the number of
attacks detected by the Snort is comparatively low (57), while
Table VI shows the list of attacks detected and the false it generates a significantly large number of false positive
alarms generated by Snort on the IDEVAL test dataset be- alarms (813). The performance of PHAD was better than Snort.
fore and after the application of the proposed false alarm It detected 65 attacks and generated only 102 false positive
minimization technique. The Vulnerability Threat Profile of alarms. Finally, the proposed HYB IDS framework detected
the IDEVAL network was developed by running Nessus and 113 attacks while generating a total of 144 FP alarms (42
Nmap vulnerability scanners on various operating systems from Snort and 102 from PHAD). The high detection rate of
(Redhat, Solaris, SunOS, Windows NT, Windows 95 etc.) of the HYB IDS framework can be attributed to the fact that the
the IDEVAL network. It can be observed from the table that type of attacks detected by the Snort and PHAD are relatively
the proposed false alarm minimization scheme significantly different with a limited number of common attacks detected
reduces the number of alarms generated by the Snort. between them. Similarly, the proposed HYB IDS framework
achieves the highest accuracy among all the schemes since
Table VII shows the performance analysis of Snort, most of the false positive alarms generated by its signature
 TABLE VIII: Performance comparison of various intrusion detection frameworks on the DARPA IDEVAL dataset
IDS models Snort [2] PHAD [4]
Detection rate Very Low Low
False alarm rate Very High Low
Computational overhead Low Low
High detection rate Detects both known and unknown
Advantage
against known attacks attacks with low computational overhead
Very high false alarm rate,
Disadvantage Limited detection capability
cannot detect new attacks
based component (Snort) are filtered out by the false alarm
minimization module.
Performance comparison of the proposed HYB IDS frame-
work with other intrusion detection frameworks on the DARPA
IDEVAL dataset is shown in tabular form in Table VIII.
V. C ONCLUSION AND F UTURE W ORK
Both signature and anomaly based IDSs have their own set
of drawbacks. Signature based IDSs are incapable of detecting
new attacks and produce a large number of false positive
alarms when operated with default settings, while anomaly
based IDSs are computationally intensive. To address these
issues, we proposed a new hybrid intrusion detection frame-
work with high level of performance and low computational
overhead. The proposed hybrid intrusion detection framework
uses a novel false alarm minimization technique to reduce the
overall false alarm rate of its signature based component and
a simple header based anomaly detection module to minimize
the computational overhead of its anomaly based component.
For our future work, we aim to further enhance the detection
rate and accuracy of both the anomaly and the signature
based components of the proposed framework through various
refinement processes.
R EFERENCES
[1] A. Abduvaliyev, A.-S. Pathan, J. Zhou, R. Roman, and W.-C. Wong,
On the Vital Areas of Intrusion Detection Systems in Wireless Sensor
Networks, IEEE Communications Surveys Tutorials, vol. 15, no. 3, pp.
12231237, 2013.
[2] M. Roesch, Snort - Lightweight Intrusion Detection for Networks, in
Proceedings of the 13th USENIX Conference on System Administration,
1999, pp. 229238.
[3] V. Paxson, Bro: A System for Detecting Network Intruders in Real-
time, Computer Networks, vol. 31, no. 23-24, pp. 24352463, Dec.
1999.
[4] M. V. Mahoney and P. K. Chan, PHAD: Packet Header Anomaly
Detection for Identifying Hostile Network Traffic, Florida Institute of
Technology, Tech. Rep., 2001.
[5] A. Qayyum, M. Islam, and M. Jamil, Taxonomy of statistical based
anomaly detection techniques for intrusion detection, in Proceedings
of the IEEE Symposium on Emerging Technologies, Sept 2005, pp. 270
276.
[6] E. Eskin, A. Arnold, M. Prerau, L. Portnoy, and S. Stolfo, A Geometric
Framework for Unsupervised Anomaly Detection, in Applications of
Data Mining in Computer Security, 2002, vol. 6, pp. 77101.
[7] A. K. Ghosh, A. Schwartzbard, and M. Schatz, Learning Program
Behavior Profiles for Intrusion Detection, in Proceedings of the 1st
Conference on Workshop on Intrusion Detection and Network Monitor-
ing - Volume 1, 1999, pp. 66.
HYB IDS Pure anomaly based IDS [8] [7]
High Very High
Low Very Low
Low Very High
Low computational overhead Very high detection rate
with high detection rate and very low false alarm rate
Moderate false alarm rate Very high computational overhead
[8] Y. Yu and H. Wu, Anomaly intrusion detection based upon data
mining techniques and fuzzy logic, in IEEE International Conference
on Systems, Man, and Cybernetics, Oct 2012, pp. 514517.
[9] J. Dickerson and J. Dickerson, Fuzzy network profiling for intrusion
detection, in 19th International Conference of the North American
Fuzzy Information Processing Society, 2000, pp. 301306.
[10] S. M. Bridges and R. B. Vaughn, Fuzzy Data Mining And Genetic
Algorithms Applied To Intrusion Detection, in Proceedings of the
National Information Systems Security Conference (NISSC, 2000, pp.
1619.
[11] F. Massicotte, M. Couture, L. Briand, and Y. Labiche, Model-Driven,
Network-Context Sensitive Intrusion Detection, in Model Driven En-
gineering Languages and Systems, 2007, vol. 4735, pp. 6175.
[12] S. Neelakantan and S. Rao, A Threat-Aware Anomaly-Based Intrusion-
Detection Approach for Obtaining Network-Specific Useful Alarms,
in Proceedings of the 10th International Conference on Distributed
Computing and Networking, 2009, pp. 175180.
[13] A. Valdes and K. Skinner, Adaptive, Model-Based Monitoring for
Cyber Attack Detection, in Recent Advances in Intrusion Detection,
ser. Lecture Notes in Computer Science, 2000, vol. 1907, pp. 8093.
[14] P. Barford, J. Kline, D. Plonka, and A. Ron, A Signal Analysis of Net-
work Traffic Anomalies, in Proceedings of the 2nd ACM SIGCOMM
Workshop on Internet Measurment, ser. IMW 02, 2002, pp. 7182.
[15] A. Lakhina, M. Crovella, and C. Diot, Mining Anomalies Using Traffic
Feature Distributions, SIGCOMM Comput. Commun. Rev., vol. 35,
no. 4, pp. 217228, Aug. 2005.
[16] S. Kim, A. Reddy, and M. Vannucci, Detecting Traffic Anomalies
through Aggregate Analysis of Packet Header Data, in Networking
2004, ser. Lecture Notes in Computer Science, 2004, vol. 3042, pp.
10471059.
[17] K. Q. Yan, S. C. Wang, S. S. Wang, and C. W. Liu, Hybrid Intrusion
Detection System for enhancing the security of a cluster-based Wireless
Sensor Network, in 3rd IEEE International Conference on Computer
Science and Information Technology (ICCSIT), vol. 1, July 2010, pp.
114118.
[18] CVE-common vulnerabilities and exposures, 2013.
[19] F. Massicotte, M. Couture, and Y. Labiche, Context-Based Intrusion
Detection Using Snort, Nessus and Bugtraq Databases. in PST, 2005.
[20] J. Beale, R. Deraison, H. Meer, R. Temmingh, and C. V. D. Walt, Nessus
Network Auditing. Syngress Publishing, 2004.
[21] G. F. Lyon, Nmap Network Scanning: The Official Nmap Project Guide
to Network Discovery and Security Scanning. Insecure, 2009.
[22] M. Mahoney and P. Chan, An Analysis of the 1999 DARPA/Lincoln
Laboratory Evaluation Data for Network Anomaly Detection, in Recent
Advances in Intrusion Detection, 2003, vol. 2820, pp. 220237.
[23] D. Kennedy, J. OGorman, D. Kearns, and M. Aharoni, Metasploit: The
Penetration Testers Guide, 2011.
[24] A. Orebaugh, G. Ramirez, J. Burke, and L. Pesce, Wireshark & Ethereal
Network Protocol Analyzer Toolkit (Jay Beales Open Source Security).
Syngress Publishing, 2006.