
AN INTRUSION DETECTION SYSTEM USING DEEP NEURAL NETWORK

A Thesis
Submitted in partial fulfilment of the Requirements for the award of the
Degree of

MASTER OF TECHNOLOGY
IN
COMPUTER SCIENCE
By
SARA NOOR
(MT/CS/15009/18)

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


BIRLA INSTITUTE OF TECHNOLOGY
MESRA, RANCHI, EXTENSION CENTRE PATNA – 800014
2019
DECLARATION CERTIFICATE

This is to certify that the work presented in the thesis entitled “An Intrusion
Detection System using Deep Neural Network” in partial fulfilment of the
requirement for the award of degree of Master of Technology in Computer
Science of Birla Institute of Technology Mesra, Ranchi, Extension centre
Patna is an authentic work carried out under my supervision and guidance.

To the best of my knowledge the content of this thesis does not
form a basis for the award of any previous to anyone else.

Date: Prof. K.Lal


Dept. of Computer Science and Engineering
Birla Institute of Technology Mesra, Ranchi
Extension Centre: Patna

Prof. In charge
Dept. of CSE Director
Birla Institute of Technology Birla Institute of Technology
Mesra , Ranchi-835215 Mesra , Ranchi-835215
Extension Centre: Extension Centre:
Patna-800014 Patna-800014
CERTIFICATE OF APPROVAL

The foregoing thesis entitled “An Intrusion Detection System using Deep
Neural Network” is hereby approved as a creditable study of research topic
and has been presented in satisfactory manner to warrant its acceptance as
prerequisite to the degree for which it has been submitted.

It is understood that by this approval, the undersigned do not necessarily
endorse any conclusion drawn or opinion expressed therein, but approved
the thesis for the purpose for which it is submitted.

(Internal Examiner) (External Examiner)

(Chairman)

Head of the Department


ACKNOWLEDGEMENT

I have taken efforts in this research work. However, it would not have been possible without
the kind support and help of many individuals and organizations. I would like to extend
sincere gratitude to all of them.

First of all I would like to extend my deep gratitude towards my guide, Birla
Institute of Technology, Mesra, Ranchi, Patna campus, under whose supervision this
research work has been carried out.

Along with this, I want to thank the director of my institution for providing a
supporting environment for education in the college premises. Without his support and
guidance, it would have been difficult to carry on this research work. Also, I want to express
my heartfelt gratitude to the head/In Charge department of Computer Science and
Engineering for his kind support and guidance throughout this research work.

I am highly indebted to all professors and staff members of Birla Institute of
Technology, Mesra, Ranchi, Patna campus, for their guidance and constant supervision as
well as for providing necessary information regarding the research work and also for their
support in completing the research work.

SARA NOOR
(MT/CS/15009/18)
ABSTRACT
Machine learning techniques are being widely used to develop an intrusion detection
system (IDS) for detecting and classifying cyber-attacks at the network-level and host-level
in a timely and automatic manner. However, many challenges arise since malicious attacks
are continually changing and are occurring in very large volumes requiring a scalable
solution. Moreover, no existing study has shown a detailed analysis of the performance
of various machine learning algorithms on various publicly available datasets. Due to the
dynamic nature of malware with continuously changing attacking methods, the malware
datasets available publicly are to be updated systematically and benchmarked. In this
paper, deep neural network (DNN), a type of deep learning model is explored to develop a
flexible and effective IDS to detect and classify unforeseen and unpredictable cyber-
attacks. The continuous change in network behaviour and rapid evolution of attacks makes
it necessary to evaluate various datasets which are generated over the years through static
and dynamic approaches. This type of study helps to identify the best algorithm which
can effectively work in detecting future cyber-attacks. A comprehensive evaluation of
experiments of DNNs and other classical machine learning classifiers is shown on various
publicly available benchmark malware datasets. The optimal network parameters and
network topologies for DNNs are chosen by following hyper parameter selection
methods with the KDDCup 99 dataset. All experiments of DNNs are run till 1,000 epochs with
learning rate varying in the range [0.01-0.5]. The DNN model which performed well on
KDDCup 99 is applied on other datasets such as NSL-KDD, UNSW-NB15 and CICIDS 2017 to
conduct the benchmark. Our DNN model learns the abstract and high dimensional feature
representation of the IDS data by passing them into many hidden layers. Through a rigorous
experimental testing it is confirmed that DNNs perform well in comparison to the classical
machine learning classifiers. Finally, we propose a highly scalable and hybrid DNNs
framework, which can be used in real time to effectively monitor the network traffic and
host-level events to proactively alert possible cyber-attacks. A comprehensive evaluation
of experiments of DNNs and other classical machine learning classifiers is shown on
various publicly available benchmark malware datasets. The optimal network parameters
and network topologies for DNNs are chosen by following hyper parameter selection
methods with the KDDCup 99 dataset. All experiments of DNNs are run till 100 epochs with
learning rate varying in the range [0.01-0.5]. The DNN model which performed well on
KDDCup 99 is applied on other datasets such as NSL-KDD, UNSW-NB15, Kyoto, WSN-DS and
CICIDS 2017 to conduct the benchmark. Our DNN model learns the abstract and high
dimensional feature representation of the IDS data by passing them into many hidden
layers. Through a rigorous experimental testing it is confirmed that DNNs perform well in
comparison to the classical machine learning classifiers. Finally, we will propose a highly
scalable and hybrid DNNs framework which will be used in real time to effectively monitor
the network traffic and host-level events to proactively alert possible cyber-attacks.
CONTENTS

INTRODUCTION
RELATED WORK
RESEARCH METHODOLOGY

CONCLUSION
REFERENCES
1. INTRODUCTION

In the modern world, fast-paced technological advancements have encouraged
every organization to adopt the integration of information and communication
technology (ICT). This creates an environment where every action is routed
through that system, making the organization vulnerable if the security of the ICT
system is compromised.
Therefore, this calls for a multi-layered detection and protection scheme that can
handle truly novel attacks on the system and can autonomously adapt to
new data.
There are multiple systems that can be used for shielding such ICT systems from
vulnerabilities, namely anomaly detection and IDSs. A demerit of anomaly-detection
systems is the complexity involved in the process of defining rules. Each protocol
being analysed must be defined, implemented and tested for accuracy. Another
pitfall relating to anomaly detection is that harmful activity that falls within the usual
usage pattern is not recognized. Therefore, an IDS that can adapt itself
to recent novel attacks and can be trained as well as deployed using datasets
of irregular distribution becomes indispensable.
Intrusion Detection Systems (IDSs) are a range of cybersecurity technologies
initially developed to detect vulnerabilities and exploits against a target host. The
sole use of an IDS is to detect threats. Therefore, it is located out-of-band on the
network infrastructure and is not in the actual real-time communication
path between the sender and receiver of data. Instead, these solutions often
make use of a TAP or SPAN port to analyse a copy of the inline traffic stream and
try to predict an attack based on a previously trained algorithm, hence making the
need for human intervention trivial.
In the field of cybersecurity, machine learning algorithms have played an essential
part. In particular, due to the incredible performance and potential shown recently by
deep learning networks on problems from a wide variety of fields which were
considered unsolvable in the past, the reliability of applying them to Artificial Intelligence
(AI) and unsupervised challenges has increased [39]. Deep learning is
a subset of machine learning that mimics the functions of the human brain,
hence the name artificial neural network. The concept of deep learning consists of
creating complex hierarchical representations, in which simple building blocks
are composed to solve high-level problems. Recently, the
application of deep learning methods has been studied extensively because of their high
accuracy rates.
Therefore, it becomes obvious that deep neural networks and IDSs, when
combined, can work at a superhuman level. Also, since IDSs are out-of-band
on the infrastructure, common attacks like DoS, which primarily aim at
choking the network bandwidth to gain access to the host, cannot bottleneck
their performance; hence this security layer cannot be tampered with easily.
2. RELATED WORK
The research on ID in network security has existed since the birth of computer
architectures. The use of ML techniques and solutions for holistic IDS has become
common in recent days, but the training data at hand is limited and is mostly used only
for benchmarking purposes. The DARPA, KDD CUP99, UNSW 15 and CICIDS 17 datasets
are among the most comprehensive datasets available publicly. The tcpdump data
offered by the 1998 DARPA ID Evaluation network was cleaned and utilized
for the KDD Cup contest of 1999 at the 5th International Conference on Knowledge
Discovery and Data Mining. The job was to classify the already preprocessed
connection records into either normal traffic or one of the
following categories of attack: ’DoS’, ’Probing’, ’R2L’ and ’U2R’.
The preprocessing of the KDDCup-’99’ competition’s data was done using the
MADAM ID framework. The entries that occupied the first three places used variants
of decision trees and showed only marginal differences in performance. The majority of
published results were trained and tested with only the 10% training set, observing the
feature reduction on KDD CUP 99. Few researchers used custom-built datasets
extracted from the 10% KDDCup-’99’ training set.
There are a number of interesting publications where the results are indirectly
compared due to the use of different training and test datasets. In one paper, a genetic
algorithm and decision trees were used for automatic rule generation for an
intelligent system enhancing the capability of an existing IDS. The integrated
use of neural networks in IDS was suggested, with a proposed application of
recurrent neural networks (RNNs), and the performance of neural network architectures
for statistical anomaly detection was compared on datasets from different scenarios.
Although the KDDCup-’99’ datasets have various issues, it is argued that they are still
an effective, publicly available benchmarking dataset for comparing different
intrusion detection methods.
The fundamental reason for the popularity of ML-based approaches is
their capability to tackle constantly evolving, complex and diverse threats and to
achieve an acceptable false positive rate of ID at a reasonable computational
cost. Early work used the PNrule method, which is derived from P-rules and N-rules
to determine the existence and non-existence of the class respectively. This has an
advantage due to the enhancement of the detection rate in the other types of attacks
except for the U2R category.
An extension of traditional Feed Forward Networks (FFN) that takes
inspiration from biological elements is the Convolutional Neural
Network (CNN). In its early stages, CNN was used for processing images by making
use of normal 2D layers, pooling 2D layers and completely connected layers.
The applications of CNN for IDS were studied with the KDDCup-’99’ dataset and
the results compared with several other bleeding-edge algorithms. After a broad
analysis, the superiority of CNN over the other algorithms was concluded. The
use of the Long Short-Term Memory (LSTM) classifier was
studied with the same dataset. It has been stated that the capability
of LSTM to look into the past and relate successive connection records
demonstrates its usefulness for intrusion detection systems.
The ultimate motive of this paper is to add an artificial intelligence layer to the
network. By training the neural network with existing cyber-attack data,
it can learn to predict an inbound attack easily and can either alert the system or
initiate a pre-programmed response which may prevent the attack from proceeding
further. As a result, aftershock collateral damage worth millions and expensive data
leaks can be prevented simply by adding an extra layer to the security system.
The benchmarking datasets used for training the networks are dated, and for
better real-time robustness of the algorithm, more recent data must be used for
retraining before deploying in the field. The aim of this paper is to introduce
the essence of deep neural networks into the rapidly evolving field of
cybersecurity.
2.1 WHAT IS MACHINE LEARNING?

Machine learning is an application of artificial intelligence (AI) that provides systems
the ability to automatically learn and improve from experience without being
explicitly programmed. Machine learning focuses on the development of computer
programs that can access data and use it to learn for themselves.
The process of learning begins with observations or data, such as examples, direct
experience, or instruction, in order to look for patterns in data and make better
decisions in the future based on the examples that we provide. The primary aim is
to allow computers to learn automatically without human intervention or assistance
and adjust actions accordingly.
Supervised machine learning algorithms can apply what has been learned in the
past to new data using labelled examples to predict future events. Starting from the
analysis of a known training dataset, the learning algorithm produces an inferred
function to make predictions about the output values. The system is able to provide
targets for any new input after sufficient training. The learning algorithm can also
compare its output with the correct, intended output and find errors in order to modify
the model accordingly.
In contrast, unsupervised machine learning algorithms are used when the
information used to train is neither classified nor labelled. Unsupervised learning
studies how systems can infer a function to describe a hidden structure from
unlabelled data. The system doesn’t figure out the right output, but it explores the
data and can draw inferences from datasets to describe hidden structures from
unlabelled data.
Semi-supervised machine learning algorithms fall somewhere in between
supervised and unsupervised learning, since they use both labelled and unlabelled
data for training – typically a small amount of labelled data and a large amount of
unlabelled data. The systems that use this method are able to considerably improve
learning accuracy. Usually, semi-supervised learning is chosen when the acquired
labelled data requires skilled and relevant resources to train it / learn from it.
Otherwise, acquiring unlabelled data generally doesn’t require additional resources.
Reinforcement machine learning is a learning method that interacts with
its environment by producing actions and discovering errors or rewards. Trial and
error search and delayed reward are the most relevant characteristics of
reinforcement learning. This method allows machines and software agents to
automatically determine the ideal behaviour within a specific context in order to
maximize its performance. Simple reward feedback is required for the agent to learn
which action is best; this is known as the reinforcement signal.
Machine learning enables analysis of massive quantities of data. While it generally
delivers faster, more accurate results in order to identify profitable opportunities or
dangerous risks, it may also require additional time and resources to train it properly.
Combining machine learning with AI and cognitive technologies can make it even
more effective in processing large volumes of information.

2.2 DEEP NEURAL NETWORK


While traditional machine learning algorithms are linear, deep neural networks are
stacked in an increasing hierarchy of complexity as well as abstraction. Each layer
applies a nonlinear transformation to its input and creates a statistical model as
output from what it learns. In simple terms, the input is received by the input
layer and passed on to the first hidden layer. These hidden layers perform
mathematical computations on our inputs. One of the challenges in creating neural
networks is deciding the number of hidden layers and the number of neurons in each
layer. Each neuron has an activation function which is used to standardize the
output from the neuron. The ”Deep” in deep learning refers to having more than one
hidden layer. The output layer returns the output data. Epochs are continued
until the output has reached an acceptable level of accuracy.

Figure 1

We employ a deep neural network (DNN) approach as the computational model
since it is influenced by the characteristics of biological neural networks to
incorporate intelligence in our proposed method. A feed forward neural network
(FFN), a type of DNN, is represented as a directed graph that passes various system
information along edges from one node to another without forming a cycle. We adopt
a multilayer perceptron (MLP) model, which is a type of FFN having three or more
layers with one input layer, one or more hidden layers and an output layer, in which
each layer has many neurons, or units in mathematical notation. We select the
number of hidden layers by following a hyper parameter selection method. The
information is transformed from one layer to another layer in a forward direction with
neurons in each layer being fully connected. MLP is defined mathematically as
$O : \mathbb{R}^m \to \mathbb{R}^n$, where $m$ is the size of the input vector
$x = x_1, x_2, \cdots, x_{m-1}, x_m$ and $n$ is the size of the output vector $O(x)$
respectively. The computation of each hidden layer $h_i$ is mathematically defined as

$$h_i(x) = f(w_i^T x + b_i) \qquad (1)$$

where $h_i : \mathbb{R}^{d_{i-1}} \to \mathbb{R}^{d_i}$, $f : \mathbb{R} \to \mathbb{R}$, $w_i \in \mathbb{R}^{d \times d_{i-1}}$,

2.3 INTRUSION DETECTION SYSTEM.

An intrusion is unauthorized access to, or malicious use of, a computer
resource. An intrusion reduces properties of a resource such as integrity,
confidentiality and availability. An intruder in the real world attempts
to gain access to unauthorized data and causes damage through
malicious activities.
An Intrusion Detection System (IDS) is used to detect all these kinds of malicious
activities happening on the network and alerts the network administrator
so that the data can be secured against these attacks. The growth of IDS has improved
network security and the protection of an organization's data. Hence an IDS is
a security system that observes network traffic and computer systems. An IDS
supplements the security of a firewall. A firewall safeguards an organization by
identifying malicious activities from the internet, while an IDS detects whether anyone
attempts to break firewall security or tries to gain access, and it immediately
alerts the administrator to take action. Hence IDSs are security systems that
detect various activities that attack the network and keep our systems
safe.
Figure 2

2.4 TYPES OF ATTACKS

IDS play a major role in identifying different types of attacks. The main aim of
an IDS is finding intrusions, which is considered a classification problem. The
attacks are divided into categories such as DoS, Probe, U2R and R2L.
1. Denial of Service (DoS)

This means shutting down a system or a network by making it inaccessible to its
users. Some of the attacks of this type are Back, Land, Mailbomb, Smurf etc.
2. Probe

It is an attempt to gain access to a computer and its files through a known or
weak point in the computer system. The attacks of this type are Mscan, Nmap,
Saint, Satan and Ipsweep.
3. User to Root attack (U2R)

In this attack the person tries to exploit a vulnerability to gain root access.
Some attacks of this type are Eject, Ps, Perl, Fbconfig and others.
4. Remote to Login (R2L)

It is an attempt in which the user gets unauthorized access from a remote
machine. Some of the R2L attacks are Guest, Phf, Sendmail, Named and
others.

2.5 FUNCTIONS OF IDS

The functioning of IDS is done in four stages, namely data collection, feature selection, analysis, and
action.

Figure 3: Functionality of IDS (Data collection, Feature selection, Analysis, Action).

Data Collection

This module collects the data and sends it to the IDS. Here the data is
saved and analyzed.

Feature Selection

This module selects a feature among the data which is present on the internet.
For example, the IP addresses of source and destination can be taken as features
for intrusion detection.

Analysis

Here Rule based IDS (RIDS) and Anomaly based IDS (AIDS) are used for
analyzing the data. RIDS analyzes the incoming traffic and AIDS analyzes the
system behavior.

Action

It describes the attack on the system. It notifies the system
administrator of these attacks by giving an alarm notification or through
email.
2.6 TYPES OF IDS

1) Network based IDS
2) Host based IDS

Figure 4
3. RESEARCH METHODOLOGY

As DNNs are parametrized, their performance depends on the optimal parameters. The
optimal parameter determination for the DNN network parameters and DNN network
topologies was done only for the KDDCup 99 dataset. To identify the ideal parameters for the
DNNs, a medium sized architecture was used for experiments with specific hidden units,
learning rate and activation function. A medium sized DNN contains 3 layers: the first is the input
layer, the second is the hidden layer or fully connected layer and the third is the output layer.
For KDDCup 99, the input layer contains 41 neurons, the hidden layer contains 128, 256, 384,
512, 640, 768, 896 or 1,024 units and the output layer contains 1 neuron when classifying the
connection record as either normal or attack. It contains 5 neurons when classifying the
connection record as either normal or attack and categorizing the attack into the corresponding
attack category. The units between the input layer and the hidden layer, and between the hidden
layer and the output layer, are fully connected. Initially, the train and test
datasets were normalized using L2 normalization. Two trials of experiments were run for
hidden units 128, 256, 384, 512, 640, 768, 896 and 1,024 with a medium sized DNN. The
experiment was run for each parameter with appropriate units and for 300 epochs. The
DNNs with various units learnt the patterns of normal connection records at
200 epochs in comparison to those with attacks. To capture the significant features
with which the DNN can distinguish the attack connection records, 200 epochs were required.
After 200 epochs, the performance on normal connection records fluctuated due to
overfitting.

Using the Hit & Trial method, I will adjust the number of neurons in the hidden
layer to avoid the problem of overfitting and will produce the result without the problem
of overfitting and underfitting.

TABLE 1: Configuration of proposed DNN model

| Layers | Type | Output shape | Number of units | Activation function | Parameters |
|---|---|---|---|---|---|
| 0-1 | fully connected | (None, 1,024) | 1,024 | ReLU | 43,008 |
| 1-2 | Batch Normalization | (None, 1,024) | | | 4,096 |
| 2-3 | Dropout (0.01) | (None, 1,024) | | | 0 |
| 3-4 | fully connected | (None, 768) | 768 | ReLU | 7,87,200 |
| 4-5 | Batch Normalization | (None, 768) | | | 3,072 |
| 5-6 | Dropout (0.01) | (None, 768) | | | 0 |
| 6-7 | fully connected | (None, 512) | 512 | ReLU | 3,93,728 |
| 7-8 | Batch Normalization | (None, 512) | | | 2,048 |
| 8-9 | Dropout (0.01) | (None, 512) | | | 0 |
| 9-10 | fully connected | (None, 256) | 256 | ReLU | 1,31,328 |
| 10-11 | Batch Normalization | (None, 256) | | | 1,024 |
| 11-12 | Dropout (0.01) | (None, 256) | | | 0 |
| 12-13 | fully connected | (None, 128) | 128 | ReLU | 32,896 |
| 13-14 | Batch Normalization | (None, 128) | | | 512 |
| 14-15 | Dropout (0.01) | (None, 128) | | | 0 |
| 15-16 | fully connected | | Binary, Multi-class: KDDCup 99 - 1, 5; NSL-KDD - 1, 5; UNSW-NB15 - 1, 10; Kyoto - 1; WSN-DS - 1, 5; CICIDS 2017 - 1, 6 | Sigmoid for Binary and Softmax for Multi-class classification | |
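
As an added illustration (not code from the thesis), the sketch below rebuilds the Table 1 topology in plain Python: it recomputes the per-layer parameter counts, applies the L2 normalization described in the methodology, and runs the forward pass of equation (1). The He weight initialization, the batch-normalization epsilon and the sample record are assumptions made for the example; the weights are untrained, so the output scores carry no detection meaning.

```python
import math
import random

N_INPUTS = 41                              # KDDCup 99 feature count given in the text
HIDDEN_UNITS = [1024, 768, 512, 256, 128]  # hidden-layer widths from Table 1
BN_EPS = 1e-3                              # assumed batch-norm epsilon (not on the page)


def parameter_counts(n_inputs, hidden_units, n_outputs):
    """Return (layer type, parameter count) rows in the order Table 1 lists them."""
    rows, fan_in = [], n_inputs
    for units in hidden_units:
        rows.append(("fully connected", fan_in * units + units))  # weights + biases
        rows.append(("batch normalization", 4 * units))  # gamma, beta, moving mean/variance
        rows.append(("dropout", 0))
        fan_in = units
    rows.append(("fully connected", fan_in * n_outputs + n_outputs))
    return rows


def l2_normalize(x):
    """Scale a feature vector to unit Euclidean length (zero vectors pass through)."""
    norm = math.sqrt(sum(v * v for v in x))
    return [v / norm for v in x] if norm > 0 else list(x)


def dense(x, weights, biases):
    """Compute w^T x + b; weights[j] holds the weights feeding output unit j."""
    return [sum(w * v for w, v in zip(row, x)) + b for row, b in zip(weights, biases)]


def relu(z):
    return [max(0.0, v) for v in z]


def sigmoid(v):
    """Numerically stable logistic function for the binary output unit."""
    if v >= 0:
        return 1.0 / (1.0 + math.exp(-v))
    e = math.exp(v)
    return e / (1.0 + e)


def softmax(z):
    """Class probabilities for the multi-class output layer."""
    peak = max(z)
    exps = [math.exp(v - peak) for v in z]
    total = sum(exps)
    return [e / total for e in exps]


def init_network(n_inputs, hidden_units, n_outputs, seed=0):
    """Untrained network: He-initialised weights (an assumption), zero biases."""
    rng = random.Random(seed)
    layers, fan_in = [], n_inputs
    for units in list(hidden_units) + [n_outputs]:
        scale = math.sqrt(2.0 / fan_in)
        layers.append({
            "w": [[rng.gauss(0.0, scale) for _ in range(fan_in)] for _ in range(units)],
            "b": [0.0] * units,
        })
        fan_in = units
    return layers


def forward(x, layers):
    """Inference pass: h_i = f(w_i^T x + b_i), then batch norm; dropout is inactive."""
    h = l2_normalize(x)
    for layer in layers[:-1]:
        h = relu(dense(h, layer["w"], layer["b"]))
        # Batch norm with its initial statistics (mean 0, variance 1, gamma 1, beta 0).
        h = [v / math.sqrt(1.0 + BN_EPS) for v in h]
    out = dense(h, layers[-1]["w"], layers[-1]["b"])
    return [sigmoid(out[0])] if len(out) == 1 else softmax(out)


if __name__ == "__main__":
    for kind, count in parameter_counts(N_INPUTS, HIDDEN_UNITS, 1):
        print(f"{kind:<20} {count:>8,}")
    # Constructed connection record: 41 arbitrary non-negative feature values.
    record = [float((7 * i) % 11) for i in range(N_INPUTS)]
    net = init_network(N_INPUTS, HIDDEN_UNITS, 5)
    print("class scores (untrained):", forward(record, net))
```

The fully connected and batch-normalization counts reproduce the Parameters column of Table 1, which confirms the 41-feature input and the layer order listed there.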

FINDING AN OPTIMAL NETWORK TOPOLOGY:

The following network topologies were used to choose the best network topology
for training an IDS model with KDDCup 99.

| Binary classification dataset | Algorithm | Accuracy | Precision | Recall | F-score |
|---|---|---|---|---|---|
| KDDCup 99 | LR | 0.811 | 0.994 | 0.769 | 0.867 |
| KDDCup 99 | NB | 0.877 | 0.994 | 0.852 | 0.918 |
| KDDCup 99 | KNN | 0.925 | 0.998 | 0.909 | 0.952 |
| KDDCup 99 | DT | 0.929 | 0.997 | 0.915 | 0.954 |
| KDDCup 99 | AB | 0.925 | 0.996 | 0.910 | 0.951 |
| KDDCup 99 | RF | 0.927 | 0.999 | 0.911 | 0.953 |
| KDDCup 99 | SVM-rbf | 0.877 | 0.994 | 0.852 | 0.918 |
| NSL-KDD | LR | 0.826 | 0.915 | 0.744 | 0.820 |
| NSL-KDD | NB | 0.829 | 0.865 | 0.805 | 0.834 |
| NSL-KDD | KNN | 0.910 | 0.926 | 0.905 | 0.915 |
| NSL-KDD | DT | 0.930 | 0.928 | 0.943 | 0.935 |
| NSL-KDD | AB | 0.934 | 0.961 | 0.914 | 0.937 |
| NSL-KDD | RF | 0.929 | 0.946 | 0.919 | 0.933 |
| NSL-KDD | SVM-rbf | 0.837 | 0.769 | 0.993 | 0.867 |
| UNSW-NB15 | LR | 0.743 | 0.955 | 0.653 | 0.775 |
| UNSW-NB15 | NB | 0.773 | 0.854 | 0.805 | 0.829 |
| UNSW-NB15 | KNN | 0.810 | 0.932 | 0.778 | 0.848 |
| UNSW-NB15 | DT | 0.897 | 0.982 | 0.864 | 0.919 |
| UNSW-NB15 | AB | 0.900 | 0.985 | 0.866 | 0.922 |
| UNSW-NB15 | RF | 0.903 | 0.988 | 0.867 | 0.924 |
| UNSW-NB15 | SVM-rbf | 0.653 | 0.998 | 0.492 | 0.659 |
| WSN-DS | LR | 0.970 | 0.884 | 0.777 | 0.827 |
| WSN-DS | NB | 0.831 | 0.324 | 0.765 | 0.455 |
| WSN-DS | KNN | 0.943 | 0.699 | 0.666 | 0.682 |
| WSN-DS | DT | 0.991 | 0.949 | 0.951 | 0.950 |
| WSN-DS | AB | 0.986 | 0.897 | 0.964 | 0.929 |
| WSN-DS | RF | 0.996 | 0.993 | 0.963 | 0.978 |
| WSN-DS | SVM-rbf | 0.915 | 0.997 | 0.083 | 0.153 |
| CICIDS 2017 | LR | 0.839 | 0.685 | 0.850 | 0.758 |
| CICIDS 2017 | NB | 0.313 | 0.300 | 0.979 | 0.459 |
| CICIDS 2017 | KNN | 0.910 | 0.781 | 0.968 | 0.865 |
| CICIDS 2017 | DT | 0.935 | 0.839 | 0.965 | 0.898 |
| CICIDS 2017 | AB | 0.941 | 0.887 | 0.918 | 0.902 |
| CICIDS 2017 | RF | 0.940 | 0.849 | 0.969 | 0.905 |
| CICIDS 2017 | SVM-rbf | 0.799 | 0.992 | 0.328 | 0.493 |
| Kyoto | LR | 0.895 | 0.899 | 0.995 | 0.944 |
| Kyoto | NB | 0.534 | 0.922 | 0.526 | 0.670 |
| Kyoto | KNN | 0.856 | 0.932 | 0.905 | 0.918 |
| Kyoto | DT | 0.830 | 0.925 | 0.883 | 0.903 |
| Kyoto | AB | 0.889 | 0.906 | 0.978 | 0.940 |
| Kyoto | RF | 0.882 | 0.910 | 0.963 | 0.936 |
| Kyoto | SVM-rbf | 0.895 | 0.899 | 0.995 | 0.944 |

The performance of the 5-layer DNN for the various attack categories and the normal
category was good compared to the other DNN network topologies. By considering
all these factors, we’ve decided to use the 5-layer DNN network for the remaining
experimentation process.
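
The accuracy, precision, recall and F-score values above can be inverted to recover the confusion matrix behind each row, which shows what a score means operationally. This added example (not part of the thesis) does so for three WSN-DS rows, assuming the attack class is the positive class and that the published figures are rounded to three decimals.

```python
# Rows copied from the page: binary classification on WSN-DS.
# (algorithm, accuracy, precision, recall, F-score)
WSN_DS_ROWS = [
    ("LR", 0.970, 0.884, 0.777, 0.827),
    ("RF", 0.996, 0.993, 0.963, 0.978),
    ("SVM-rbf", 0.915, 0.997, 0.083, 0.153),
]


def f_score(precision, recall):
    """Harmonic mean of precision and recall."""
    total = precision + recall
    return 2.0 * precision * recall / total if total else 0.0


def implied_prevalence(accuracy, precision, recall):
    """Share of attack records in the test set implied by the reported metrics.

    With attack share p: TP = R*p, FN = (1-R)*p, FP = TP*(1-P)/P and
    A = 1 - FN - FP, which rearranges to p = (1-A) / (1 - 2R + R/P).
    Assumes attack is the positive class (an assumption of this example).
    """
    return (1.0 - accuracy) / (1.0 - 2.0 * recall + recall / precision)


def implied_confusion(accuracy, precision, recall, n_records=100_000):
    """Confusion-matrix counts (as floats) for a test set of n_records."""
    attacks = implied_prevalence(accuracy, precision, recall) * n_records
    tp = recall * attacks
    fp = tp * (1.0 - precision) / precision
    return {"tp": tp, "fp": fp, "fn": attacks - tp, "tn": n_records - attacks - fp}


def metrics(tp, fp, fn, tn):
    """Recompute the four table columns from confusion-matrix counts."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {
        "accuracy": (tp + tn) / (tp + fp + fn + tn),
        "precision": precision,
        "recall": recall,
        "f_score": f_score(precision, recall),
    }


def assess(accuracy, precision, recall, n_records=100_000):
    """Translate one table row into numbers an analyst can act on."""
    share = implied_prevalence(accuracy, precision, recall)
    counts = implied_confusion(accuracy, precision, recall, n_records)
    baseline = max(share, 1.0 - share)  # accuracy of always predicting the majority class
    return {
        "attack_share": share,
        "baseline_accuracy": baseline,
        "accuracy_gain": accuracy - baseline,
        "missed_attacks": counts["fn"],
        "false_alarms": counts["fp"],
    }


if __name__ == "__main__":
    for name, acc, prec, rec, f1 in WSN_DS_ROWS:
        report = assess(acc, prec, rec)
        print(f"{name:<8} attack share {report['attack_share']:.3f}  "
              f"gain over majority baseline {report['accuracy_gain']:+.3f}  "
              f"missed attacks per 100k records {report['missed_attacks']:.0f}  "
              f"false alarms {report['false_alarms']:.0f}")
```

All three rows imply roughly the same attack share in the WSN-DS test set, and the SVM-rbf row shows why accuracy alone misleads on imbalanced traffic: its 0.915 accuracy is under one point above always predicting "normal", while its recall of 0.083 leaves most attack records undetected.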
CONCLUSION
This paper will elaborately and comprehensively recapitulate the usefulness of DNNs
in IDS. For the purpose of reference, other classical ML algorithms
will be accounted for and compared against the results of DNN. The publicly
available KDDCup-’99’ dataset has been primarily used as the benchmarking tool
for the study, through which the superiority of the DNN over the other
compared algorithms has been documented clearly. For further refinement of
the algorithm, this paper will take into account DNNs with different counts of
hidden layers.
We may claim that deep learning methods are a promising direction for
cyber security tasks, but even though the performance on artificial datasets is
exceptional, application of the same to real-time network traffic, which
contains more complex and recent attack types, is necessary. Additionally,
studies regarding the flexibility of these DNNs in adversarial environments are
required. The increase in variants of deep learning algorithms calls for an
overall evaluation of these algorithms with regard to their effectiveness for IDSs.
This will be one of the directions in which IDS research can travel and hence will
remain as future work.
REFERENCES

[1] Larson, D. (2016). Distributed denial of service attacks-holding
back the flood. Network Security, 2016(3), 5-7.
[2] Staudemeyer, R. C. (2015). Applying long short-term memory
recurrent neural networks to intrusion detection. South African Computer
Journal, 56(1), 136-154.
[3] Venkatraman, S., Alazab, M. "Use of Data Visualisation for
Zero-Day Malware Detection," Security and Communication Networks,
vol. 2018, Article ID 1728303, 13 pages, 2018.
https://doi.org/10.1155/2018/1728303
[4] Mishra, P., Varadharajan, V., Tupakula, U., & Pilli, E. S. (2018). A
detailed investigation and analysis of using machine learning techniques
for intrusion detection. IEEE Communications Surveys & Tutorials.
[5] Azab, A., Alazab, M. & Aiash, M. (2016) "Machine Learning Based
Botnet Identification Traffic" The 15th IEEE International Conference on
Trust, Security and Privacy in Computing and Communications (Trustcom
2016), Tianjin, China, 23-26 August, pp. 1788-1794.
[6] Vinayakumar R. (2019, January 19). vinayakumarr/Intrusion-
detection v1 (Version v1). Zenodo.
http://doi.org/10.5281/zenodo.2544036
[7] Tang, M., Alazab, M., Luo, Y., Donlon, M. (2018) Disclosure of
cyber security vulnerabilities: time series modelling, International Journal
of Electronic Security and Digital Forensics. Vol. 10, No.3, pp 255 - 275.
[8] V. Paxson. Bro: A system for detecting network intruders in real-
time. Computer networks, vol. 31, no. 23, pp. 2435-2463, 1999. DOI
http://dx.doi.org/10.1016/S1389-1286(99)00112-7
[9] LeCun, Y., Bengio, Y., & Hinton, G. (2015). Deep learning. Nature,
521(7553), 436.
[10] Xin, Y., Kong, L., Liu, Z., Chen, Y., Li, Y., Zhu, H., ... & Wang, C.
(2018). Machine Learning and Deep Learning Methods for Cybersecurity.
IEEE Access.
[12] Hofmeyr, S. A., Forrest, S., & Somayaji, A. (1998). Intrusion
detection using sequences of system calls. Journal of computer security,
6(3), 151-180.
[13] Forrest, S., Hofmeyr, S. A., Somayaji, A., & Longstaff, T. A. (1996,
May). A sense of self for unix processes. In Security and Privacy, 1996.
Proceedings., 1996 IEEE Symposium on (pp. 120-128). IEEE.
[14] Hubballi, N., Biswas, S., & Nandi, S. (2011, January).
Sequencegram: n-gram modeling of system calls for program based
anomaly detection. In Communication Systems and Networks
(COMSNETS), 2011 Third International Conference on (pp. 1-10). IEEE.
[15] Hubballi, N. (2012, January). Pairgram: Modeling frequency
information of lookahead pairs for system call based anomaly detection. In
Communication Systems and Networks (COMSNETS), 2012 Fourth
International Conference on (pp. 1-10). IEEE.
[16] Kozushko, H. (2003). Intrusion detection: Host-based and network-
based intrusion detection systems. on September, 11.
[17] W. Lee and S. Stolfo. A framework for constructing features and
models for intrusion detection systems. ACM transactions on
information and system security, vol. 3, no. 4, pp. 227-261, 2000. DOI
http://dx.doi.org/10.1145/382912.382914
[19] Ozgur, A., Erdem, H.: A review of KDD99 dataset usage in intrusion
detection and machine learning between 2010 and 2015. PeerJ PrePrints
4 (2016) e195
