TY - GEN
T1 - Integration of Self-Organizing Map (SOM) and Kernel Density Estimation (KDE) for network intrusion detection
AU - Cao, Yuan
AU - He, Haibo
AU - Man, Hong
AU - Shen, Xiaoping
PY - 2009
Y1 - 2009
N2 - This paper proposes an approach that integrates the self-organizing map (SOM) and kernel density estimation (KDE) for anomaly-based network intrusion detection (ABNID), monitoring network traffic and capturing potentially abnormal behaviors. With the continuous development of network technology, information security has become a major concern in cyber-system research. In modern net-centric and tactical warfare networks it is even more critical to provide real-time protection for the availability, confidentiality, and integrity of networked information. To this end, this work explores the learning capabilities of SOM and integrates it with KDE for network intrusion detection. KDE is used to estimate the distributions of the observed random variables that describe the network system and to determine whether the network traffic is normal or abnormal. Meanwhile, the learning and clustering capabilities of SOM are employed to obtain well-defined data clusters that reduce the computational cost of the KDE. SOM learns by self-organizing its network of neurons so that neighboring neurons respond to similar input patterns. SOM can therefore form a compact approximation of the input-space distribution, reduce the number of terms in the kernel density estimator, and thus improve the efficiency of intrusion detection. We test the proposed algorithm on real-world data sets obtained from the Integrated Network Based Ohio University's Network Detective Service (INBOUNDS) system to show the effectiveness and efficiency of this method.
KW - Anomaly-based network intrusion detection (ABNID)
KW - Kernel density estimation (KDE)
KW - Machine learning
KW - Self-organizing map (SOM)
UR - http://www.scopus.com/inward/record.url?scp=71549156238&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=71549156238&partnerID=8YFLogxK
U2 - 10.1117/12.834890
DO - 10.1117/12.834890
M3 - Conference contribution
AN - SCOPUS:71549156238
SN - 9780819477866
T3 - Proceedings of SPIE - The International Society for Optical Engineering
BT - Unmanned/Unattended Sensors and Sensor Networks VI
T2 - Unmanned/Unattended Sensors and Sensor Networks VI Conference
Y2 - 1 September 2009 through 3 September 2009
ER -
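The abstract describes the mechanism only in outline: train a SOM on normal traffic, then run KDE over the SOM's prototypes instead of over every training sample, and flag traffic that falls in a low-density region. The block below is an added illustration of that pipeline, not code from the paper or from the INBOUNDS system. It assumes a Gaussian kernel, a fixed bandwidth, hit-count weighting of each prototype, and a percentile-of-training-density threshold; the 2-D "flow feature" data are constructed with a seeded generator, and `make_normal_traffic`, `train_som`, `kde`, `build_detector` and `is_anomalous` are names chosen here.

```python
"""SOM-reduced kernel density estimation for anomaly detection (added illustration)."""
import math
import random


# --- Constructed sample data (not INBOUNDS data): 2-D flow features ----------
# feature 0: packets per second, feature 1: mean bytes per packet, both scaled to ~[0, 1]
def make_normal_traffic(n, seed=7):
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        # two assumed "normal" behaviours: interactive (low rate, small packets)
        # and bulk transfer (high rate, large packets)
        if rng.random() < 0.5:
            rows.append([rng.gauss(0.2, 0.04), rng.gauss(0.25, 0.05)])
        else:
            rows.append([rng.gauss(0.7, 0.05), rng.gauss(0.8, 0.04)])
    return rows


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


# --- Self-organizing map (Kohonen rule with a shrinking Gaussian neighbourhood) -
def train_som(data, rows=3, cols=3, epochs=30, seed=1):
    rng = random.Random(seed)
    dim = len(data[0])
    grid = [(r, c) for r in range(rows) for c in range(cols)]
    weights = [list(rng.choice(data)) for _ in grid]  # prototypes initialised from samples
    total, step = epochs * len(data), 0
    for _ in range(epochs):
        order = data[:]
        rng.shuffle(order)
        for x in order:
            t = step / total
            lr = 0.5 * (1 - t) + 0.01                     # learning rate decays to 0.01
            sigma = max(rows, cols) / 2 * (1 - t) + 0.5   # neighbourhood radius decays to 0.5
            bmu = min(range(len(grid)), key=lambda i: sq_dist(weights[i], x))
            for i, (r, c) in enumerate(grid):
                d2 = (r - grid[bmu][0]) ** 2 + (c - grid[bmu][1]) ** 2
                h = math.exp(-d2 / (2 * sigma * sigma))
                for k in range(dim):
                    weights[i][k] += lr * h * (x[k] - weights[i][k])
            step += 1
    # hit counts: how many training samples map to each neuron; these become kernel weights
    hits = [0] * len(grid)
    for x in data:
        hits[min(range(len(grid)), key=lambda i: sq_dist(weights[i], x))] += 1
    return weights, hits


# --- Gaussian KDE over weighted centres ---------------------------------------
def kde(centres, counts, bandwidth):
    dim = len(centres[0])
    n = sum(counts)
    norm = 1.0 / (n * (math.sqrt(2 * math.pi) * bandwidth) ** dim)

    def density(x):
        # one kernel term per centre with a non-zero weight; with SOM prototypes
        # as centres this is at most grid-size terms instead of one per training sample
        return norm * sum(c * math.exp(-sq_dist(m, x) / (2 * bandwidth ** 2))
                          for m, c in zip(centres, counts) if c > 0)
    return density


def build_detector(data, bandwidth=0.08, quantile=0.02):
    weights, hits = train_som(data)
    som_density = kde(weights, hits, bandwidth)
    # assumed decision rule: density below the 2nd percentile of training densities => anomaly
    scores = sorted(som_density(x) for x in data)
    threshold = scores[int(quantile * len(scores))]
    terms = sum(1 for h in hits if h > 0)   # kernel terms actually evaluated per query
    return som_density, threshold, terms


def is_anomalous(density, threshold, x):
    return density(x) < threshold


if __name__ == "__main__":
    data = make_normal_traffic(400)
    density, threshold, terms = build_detector(data)
    print("kernel terms: SOM-reduced =", terms, "vs full KDE =", len(data))
    for x in ([0.2, 0.25], [0.7, 0.8], [0.95, 0.1]):
        print(x, "anomalous" if is_anomalous(density, threshold, x) else "normal")
```

The point the abstract makes is visible in `terms`: every query evaluates at most nine kernels (one per active neuron) rather than one per training sample, while the hit-count weights keep the estimate close to the full KDE in the regions where the data actually lie. A flow with a high packet rate and tiny packets, which neither training behaviour produces, lands in a near-zero-density region and is flagged; the threshold quantile and bandwidth are tuning choices that, in a real deployment, trade false alarms against missed anomalies.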