Research Article Network Anomaly Detection System with ...downloads.hindawi.com/journals/tswj/2014/753659.pdf · Research Article Network Anomaly Detection System with Optimized DS

Research ArticleNetwork Anomaly Detection System withOptimized DS Evidence Theory

Yuan Liu1 Xiaofeng Wang2 and Kaiyu Liu1

1 School of Digital Media Jiangnan University Wuxi Jiangsu 214122 China2 School of Internet of Things Engineering Jiangnan University Wuxi Jiangsu 214122 China

Correspondence should be addressed to Yuan Liu lyuan1800sinacom

Received 24 April 2014 Revised 28 July 2014 Accepted 12 August 2014 Published 31 August 2014

Academic Editor Iftikhar Ahmad

Copyright copy 2014 Yuan Liu et alThis is an open access article distributed under the Creative Commons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Network anomaly detection has been focused on bymore people with the fast development of computer network Some researchersutilized fusion method and DS evidence theory to do network anomaly detection but with low performance and they did notconsider features of networkmdashcomplicated and varied To achieve high detection rate we present a novel network anomalydetection system with optimized Dempster-Shafer evidence theory (ODS) and regression basic probability assignment (RBPA)function In this model we add weights for each senor to optimize DS evidence theory according to its previous predict accuracyAnd RBPA employs sensorrsquos regression ability to address complex network By four kinds of experiments we find that our novelnetwork anomaly detection model has a better detection rate and RBPA as well as ODS optimization methods can improve systemperformance significantly

1 Introduction

With the development of computer network technology andthe increasing of the networks scale computer networksare under the threat of attack from hackers and othertechnologies so the security status of the computer networksis becoming the focus of peoplersquos attention Intrusion detec-tion technology protecting the network security behind thefirewall is becoming the research focus in the recent networksecurity field As the emphasis and difficulty of the net-work intrusion detection technology [1] network anomalydetection technology has the deficiency of the low detectionrate high false positive rate and high false negative rate atpresent So in this domain many researchers proposed lotsof useful algorithms [2ndash8] but these methods are so simpleand single that they cannot be fully adapted to complicatedand changeable network Thus a novel network anomalydetection mechanism is required to solve the above troublingproblems

Recently some researches cope with network anomalydetection utilized by Dempster-Shafer (DS) evidence theory[9 10] proposed by Dempster in 1976 and then improvedby his student Shafer which has been widely used in many

fields of data fusion such as expert advisory system forecast-ing image processing artificial intelligence and identifyingclassification Intrusion detection is a problem of multi-classification essentially which divides network data intonormal data and various types of attacking data Since simpledetection algorithms always suffer from limitations such aslow detection rate and high false alarm rate many researchersapply DS evidence theory into intrusion detection systemsFor example some researchers divide the characteristics ofnetwork data into the basic feature set the content feature setand the traffic feature set Then they utilize detection algo-rithm to detect these three feature sets and fuse data throughDS evident theory to get the final results Though the IDStheory based onDS evidence theory has a gooddetection ratemost of these studies based on the classic DS evidence theoryshould assume that the intercepted data is independent ofeach other without confliction However conflicts betweennetwork data are inevitable so those researches will lead tounreasonable fusion result high false alarm rate and missalarm rate

To better solve this serious issue we present a novelnetwork anomaly detection mechanism based on optimizedDS evidence theory (ODS) which also can achieve better

Hindawi Publishing Corporatione Scientific World JournalVolume 2014 Article ID 753659 13 pageshttpdxdoiorg1011552014753659

2 The Scientific World Journal

reasonable result in network conflict data unlike conven-tional DS evidence theory In this mechanism we employODS to merge 3 classifiers support vector machine classifier(SVM) [11 12] biasedminimax probability machine classifier(BMPM) [13] and back propagation network classifier (BP)[14] Unlike the original fusion rule using the classificationfeature of those classifiers the new one utilizes its regressionfeature because regression feature can better reflect real-timenetwork environment Note that since network environmentis almost complicated and varied inDS evidence theory eachsensor cannot be equally computed So we assign differentweights for each sensor respectively according to its previousprediction accuracy In addition based on different distancesizes between network connections we present a new con-struction method for basic probability assignment function(BPA) based on regression ability regression BPA (RBPA)unlike simple BPA (SBPA) Finally through comparison of4 fusion methods and 3 single methods the experimentalresults with KDD99 [15] show that the ODS algorithm canovercome the conflict problem among the evidences and theproposed module can improve the detection performance ofthe anomaly detection system

The reminder of this paper is organized as follows InSection 2 we will introduce class DS evidence theory analyzeits limitation and present an optimized DS evidence theorywith weights for each sensor Then we propose a novelnetwork anomaly detection model with ODS in Section 3 InSection 4 we introduce 4 key issues how to combine ODSevidence theory with network anomaly detection how toconstruct and decide BPA value in ODS evidence theoryhow to decide weight 119908

119894in fusion rules of ODS evidence

theory and how to train 6 classifiers With data set KDD99we evaluate our novel network anomaly detection modelby 4 kinds of experiments in Section 5 Next Section 6introduces related work Finally we conclude our main workand propose future work in Section 7

2 Optimized DS Evidence Theory

21 Class DS Evidence Theory DS evidence theory [9 10] isconsidered as a general extension of the traditional classicalprobabilistic inference theory in the finite field Unlike theconventional Bayes inference method DS evidence theorywithout a priori probability still can be used to deal withuncertainty and imprecision information So we can see thatDS evidence theory has greater flexibility

DS evidence theory is considered as theory built on anonempty finite field Θ called the recognition frameworkwhich includes a limited number of independent system state1198601 1198602 119860

119899 An element in119875(Θ) as a power set of system

state Θ is called a system state hypothesis 119867119894 Through the

observation results 1198641 1198642 119864

119898for system state by each

sensor DS evidence theory can merge these results andinfer the former state of system Here it mainly involves thefollowing concepts

Definition 1 Basic probability assignment function (BPA) isdefined as a map from a power set of Θ to [0 1] intervalIt is represented as 119898 119875(Θ) rarr [0 1] 119898(Φ) = 0

sum119860isin119875(Θ)

119898(119860) = 1 where 119898(119860) is called confidence valuewhich means that current sensor decides hypothesis 119860 thedegree of confidence according to the observation results

Definition 2 Belief function is defined as

Belief119894 (119860) = sum

119864119896sube119860

119898119894(119864119896) (1)

This function represents the degree of confidence forhypothesis 119860 And the function result is composed of basicconfidence values of observation results 119864

119896which supports

hypothesis 119860

Definition 3 Plausibility function is defined as

Plausibility119894(119860) = 1 minus sum

119864119896cap119860=Φ

119898119894(119864119896) (2)

This function represents the degree of plausibility forhypothesis 119860 And the function result is composed of basicconfidence values of observation results 119864


hypothesis 119860

Definition 4 DS fusion rules for any hypothesis 119860 defining119898119894and119898

119895as the basic probability assignment function (BPA)

of two evidences respectively state that one obtains basicbelief assignment function of the combination evidence fromtwo evidences above as follows

(119898119894oplus 119898119895) (119860) =

sum119864119896cap1198641198961015840=119860

119898119894(119864119896)119898119895(1198641198961015840)

1 minus sum119864119896cap1198641198961015840=0

119898119894(119864119896)119898119895(1198641198961015840)

(3)

Likewise one can achieve DS general synthesis rules forthe combination evidence from 119899 evidences as follows

1198981sdotsdotsdot119899 (

119860) =

sumcap119894119864119894=119860

1198981(1198641)1198982(1198642) sdot sdot sdot 119898

119899(119864119899)

sumcap119894119864119894 =119860

1198981(1198641)1198982(1198642) sdot sdot sdot 119898

119899(119864119899)

(4)

22 Drawback of Class DS Evidence Theory The advantageof DS evidence theory mainly focuses on several parts asfollows it can satisfy axiom system that is weaker than theprobability distinguish unknown and uncertainty situationand continuously shrink the hypothesis set in the light of theaccumulation of evidences

The disadvantage of DS evidence theory is that whendealing with the issue with confidence degree tending to 0the result computed by DS evidence theory will conflict withexpectation result That is to say when confidence degreeis too small or 0 the results achieved are very different Inthe same way BPA is required to give so many results thatcalculation is also more complicated If the hypothesis set istoo large the calculation complexity of evidence theory willincrease exponentially

23 OptimizedDSEvidenceTheory From formula (4) we cansee that the confidence degree of each sensor is the sameThat is each sensor has the same accuracy Obviously itdoes not fit the facts for example with doctor for treatment

The Scientific World Journal 3

A doctor considers that this patient may be suffering from Xdisease with 99 or Y disease with 1 However B doctorconsiders that this patient may be suffering from Y diseasewith 1 or Z disease with 99 Then we can achieve thispatient suffering from Y disease according to formula (4)merging these different two pieces evidence But this result isfully fault and does not match realityTherefore the synthesisrule from formula (4) only applies to the case with the sameprecision in all sensors

To solve this serious issue we present a novel methodto change with conventional DS evidence theory That iswe combine weights with DS evidence theory The detailedimplementation is that we add weight value to each sensoraccording to its previous predict accuracy So we define 119898

119894

as the basic confidence values obtained by sensor 119878119894 and 119908

119894

as the previous predict accuracy of sensor 119878119894 similarly 119898

119895as

the basic confidence values obtained by sensor 119878119895 and 119908

119895as

the previous predict accuracy of sensor 119878119895 The DS evidence

theory combination with weights as follows

(119898119894oplus 119898119895) (119860)

=

sum119864119896cap1198641198961015840=119860

[119908119894119898119894(119864119896) sdot 119908119895119898119895(1198641198961015840)]

1 minus sum119864119896cap1198641198961015840=0

[119908119894119898119894(119864119896) sdot 119908119895119898119895(1198641198961015840)]

(5)

3 ODS Network AnomalyDetection Model Design

In this paper we present a novel network anomaly detectionmodule based on optimized DS evidence theory mergingwith several kinds of classifiers In this module we utilizeBMPM SVM and BP network as classifiers Unlike theoriginal fusion rule using the classification feature of thoseclassifiers the new one utilizes its regression feature becauseregression feature can better reflect real-time network envi-ronmentThen we consider themerged result as one parame-ter used to construct BPAofDS evidence theory And thenwewill introduce this novel network anomaly detectionmodel indetail which is depicted in Figure 1

As shown in Figure 1 this module mainly consists offive modules network connection record module featureextraction module data preprocessing module early detec-tion module and ODS fusion module respectively

Network connection record module utilizes some net-work sniffer tools for example Sniffer to collect networkpackets in the network where network anomaly detectionhost is and then stores itThat is thismodule is used to collectnetwork data

Feature extraction module is used to extract some fea-tures impacting network anomaly detection which are inthe network packets stored by network connection recordmodule And then we record corresponding features into afeature vector in order to preprocessing module to use itSimilarly this module gets rid of unconcerned features fornetwork anomaly detection Essentially this module is usedto complete feature reduction

Data preprocessing module is used to cope with featurevector after feature extraction In addition some futures in

one feature vector are discrete type such as protocol typeservice type and logo and others are continuous type suchas connection time type the length of data sent and thelength of data received Since discrete data needs inputtinginto detection module in early phase in order to followingwork continuous features need to be discretized At thesame time these feature vectors also need to be standardizedand normalized in order for these vectors to be normallyoperated in BP network In essence this module is used todo data normalization discretization and standardization

Early detection module is employed to detect the featurevectors that have processed by data preprocessing moduleand gives the corresponding detection results for DS fusionmodule later It is composed of 3 sensors SVM BMPMand BP To fit with complicated network environment weoptimize sensors that is add weights into each sensorand construct 6 classifiers BMPM N BMPM A SVM NSVM A BP N and BP A (Section 43) Then we train theseclassifiers according to distance theory [16] (Section 44)Finally we achieve several results when a network record iscoming

ODS fusion module will utilize ODS evidence theoryto merge and analyze these detection results from earlydetection module That is according to regression ability ofsensors we fuse these results by (15) and give decision resultsthat is whether the attack or not

4 ODS Network AnomalyDetection Model Implementation

In ODS network anomaly detection model we should solveseveral key issues how to combineODS evidence theory withnetwork anomaly detection how to construct anddecide BPAvalue in ODS evidence theory how to decide weight 119908

119894in

fusion rules of ODS evidence theory and how to train 6classifiers in detail and so forthTherefore in this section wewill introduce the solutions for these serous issuesmentionedabove in detail

41 Combining ODS Evidence Theory with Network AnomalyDetection Since in ODS network anomaly detection modelsystem judges that whether current connection is unusualonly according to network feature observed we only defineODS evidence theory identification framework with twoelements normal status and abnormal status

Therefore according to DS evidence theory we defineODS evidence theory identification framework as 119873119860where119873 represents normal status and119860 represents abnormalstatus We can see that status 119873 and 119860 are mutual exclusionthat is 119873 cap 119860 = 0 Similarly we can redefine BPA functionas 119898 119875(119873119860) rarr [0 1] 119898(0) = 0 119898(119873119860) + 119898(119873) +

119898(119860) = 1 In above formula119898(119873) represents the observationresults of current feature by current sensor and considers thatreliability of current status belongs to abnormal status On theother hand 119898(119873119860) represents the observation results ofcurrent feature by current sensor and cannot decide reliabilityof current status belongs to normal or abnormal status Wewill introduce detailed BPA function in next subsection


TCPIP data packets

Network connection

recordsFeature

extractionData

preprocessing

ODS fusion

Decision result

BMPM N

BMPM A

SVM N

SVM A

BP N

BP A

m1(N)

m1(A)

m2(N)

m2(A)

m3(N)

m3(A)

Figure 1 A novel network anomaly detection model with ODS evidence theory

42 RegressionBPA In this subsectionwe first give a hypoth-esis about network connection status for BPA value and thendepict sensorsrsquo regression ability and how to compute RBPAvalue in detail

421 Hypothesis and Discussion for Network Connection Sta-tus Reference [16] said that the distance between abnormalnetwork connection andnormal network connection is largerthan that between normal network connection and normalnetwork connection That is for classifiers the distance ofdifferent data is larger than that of same data According tothis rule here we give a hypothesis for a network connectionto be seen (unknown) the prediction result will be 119898(119873)

with N-classifier That is to say N-classifier considers allthe network connection as normal network connection allthe time but only gives corresponding different supportdegrees according to difference of real network connectionhigh support degree for real normal network connection andlow support degree for real abnormal connection Throughthis hypothesis we can see that for a real normal networkconnection the prediction result 119898(119873) computed by N-classifier is larger than 119898(119860) computed by A-classifier andvice versa

From Figure 1 three kinds of classifiers in early detectionmodule such as SVM BMPM and BP are also consideredas three sensors SVM N and SVM A are respectivelyrepresented support degree of normal and abnormal networkconnection from SVM sensor Similarly this rule is alsosuitable for BMPM and BP So when we assign the sameparameter for SVM N and SVM A respectively they can beconsidered as a whole sensor And this whole sensor can givedifferent support degrees to normal and abnormal networkconnection respectively Similarly this is suitable for BMPMand BP sensor Therefore in this novel model the fusion partis considered as ODS evidence theory combining with threekinds of sensors SVM BMPM and BP If a normal networkconnection needs processing no matter which senor (SVMBMPM and BP) the support degrees119898(119873) and119898(119860) for thisnetwork connection are respectively achieved by the chosensensor And these results satisfy the objective fact of thisnetwork connectionThat is inODS evidence theory if119898(119873)

is larger than119898(119860) this network connection is considered asa normal one

Based on this hypothesis above if this novel model isrequired to automatically give current network connectionsupport degree of normal and abnormal status by each sensorand this result can also satisfy the objective fact of realnetwork connection we will utilize the features of sensorssuch as study ability regression ability associative memoryability and generalization ability That is because sensors(eg BMPM SVM and BP) can achieve similar result aftertraining learning and regression operations which is almostequal to the actual result So we see that sensors with theirfeatures can reflect the real network environment

422 The Features of Sensors In the above subsection wesaid that some features of sensors will be selected to helpwith BPA function construction so here we utilize regressionability supervised learning ability of SVM BMPM and BPsensor That can be explained in detail as follows here wedefine one class of data as normal network connection data119873and its corresponding training data 119873119879 and define anotherclass of data as abnormal network connection data 119860 andits corresponding training data 119860119879 Then these two kindsof data and their corresponding training data are used totrain these classifiers depicted in Figure 1 As long as the twokinds of data distribution and training data have obviousdifference when a data record satisfies any kinds of datamentioned above we can estimate the value of this datarecord (119873119879 or119860119879 correspondingwith training data) utilizingthe regression ability of these classifiers In addition theestimate values show obvious difference due to data recordsatisfying different kinds of data distribution

423 BPA Based on Regression Ability Since network con-nection status can be represented as normal or abnormalstatus by different sensors which give different supportdegrees for them with this rule we construct BPA functionin ODS network anomaly detection model When ODS evi-dence theory is combined with network anomaly detectionassuming that the current network connection is a normalone corresponding BPA value can be different achieved bydifferent sensors (various classifiers in fusion model) Andthe BPA values are corresponding with hypothesis 119873 119860 or119873119860 Similarly we also expect that the BPA value of normal


network connection assigned by hypothesis 119873 is larger buton the contrary the BPA value assigned by hypothesis 119860

(abnormal status) or hypothesis 119873119860 (unknown status)should be smaller

After training N-classifier and A-classifier (training clas-sifiers will be introduced in Section 44) we can computeBPA value in ODS evidence theory Currently SVM N andSVM A can be considered as a whole one a SVM sensorFor a network connection record the regression estimatesvalue 119898(119873) computed by SVM N and 119898(119860) computed bySVM A Due to associated ability of SVM classifier if thisrecord is a normal network connection record 119898(119873) willbe larger than 119898(119860) vice versa In addition this rule is alsosuitable for BMPM and BP Therefore these three sensorsSVM BMPM andBP in system can assess current status for acoming network connection That is we can achieve supportdegrees 119898(119873) and 119898(119860) for normal status and abnormalstatus respectively

Noticeably in this paper we present a novel method todeal with unknown network connection status as follows

119898(119873119860) =

1 minus 119898 (119873) minus 119898 (119860) 119898 (119873) + 119898 (119860) lt 1

0 119898 (119873) + 119898 (119860) ge 1

(6)

From formula (6) we can see that when 119898(119873) + 119898(119860) lt

1 we define 119898(119873119860)119898(119873119860) Similarly when 119898(119873) +

119898(119860) ge 1 the value of 119898(119873119860) is 0 119898(119873) and 119898(119860)

should be normalized at the same time Thus this is suitablefor the requirement of ODS evidence theory119898(119873) + 119898(119860) +

119898(119873119860) = 1 and the computation of RBPA function iscompleted in ODS evidence theory

43 Weights for Each Sensor In the traditional networkanomaly detection system the performance is decided by anestimate parameter F-Score which reflects that an intrusiondetection systemperformance is good or bad And the greaterthe F-Score indicates that the better performance of thissystem So in this paper we extend this important parameterF-Score and propose two new parameters F-Score-N andF-Score-A Since with ODS evidence theory the 119908

119894value

depends on its previous accuracy in the process of sensorprediction we utilize these new parameters to add weightsfor each senor Then we will introduce these new parametersin detail

Here we define several parameters respectively as fol-lows

(i) TP the number of abnormal connection detectedby anomaly detection system (abnormal connectionitself)

(ii) FN the number of normal connection detectedby anomaly detection system (abnormal connectionitself)

(iii) FP the number of abnormal connection detected byanomaly detection system (normal connection itself)

(iv) TN the number of normal connection detected byanomaly detection system (normal connection itself)

(v) Precision the proportion of true abnormal connec-tions of abnormal connections detected by anomalydetection system

(vi) Recall the proportion of abnormal connectionsdetected by anomaly detection system of true abnor-mal connections

(vii) F-Score a balance average parameter for Precisionand Recall used to estimate a network anomalydetection system

With these parametersmentioned above the formulas aredepicted as follows

Precision =

TPTP + FP

Recall = TPTP + FN

119865-119878119888119900119903119890 =

2 lowast Precision lowast RecallPrecision + Recall

(7)

But these conventional formulas do not satisfy this novelnetwork anomaly detection system presented in this paper sowe propose these new parameters as follows

(i) Precision A The proportion of abnormal connec-tions of abnormal connections detected by anomalydetection system (abnormal connection itself)

(ii) Recall A The proportion of abnormal connectionsdetected by anomaly detection system of all trueabnormal connections (abnormal connection itself)

(iii) Precision N The proportion of normal connectionsof abnormal connections detected by anomaly detec-tion system (normal connection itself)

(iv) Recall N The proportion of normal connectionsdetected by anomaly detection system of all truenormal connections (normal connection itself)

(v) F-Score-N The accuracy for normal connections esti-mated by sensors that is N-classifiersrsquo weights

(vi) F-Score-A The accuracy for abnormal connectionsestimated by sensors that is A-classifiersrsquo weights


Precision A =

TPTP + FP

(8)

Precision N =

TNTN + FN

(9)

Recall A =

TPTP + FN

(10)

Recall N =

TNTN + FP

(11)

119865-119878119888119900119903119890-119873 =

2 lowast Precision N lowast Recall NPrecision N + Recall N

(12)

119865-119878119888119900119903119890-119860 =

2 lowast Precision A lowast Recall APrecision A + Recall A

(13)


44 Training Classifiers In this subsection we mainly intro-duce how to train 6 different classifiers including collectingtraining data set preprocessing training data set and trainingclassifiers

441 Collecting Training Data Set First collecting trainingdata set is introduced in detail Here we simulate networkattack to attack this system and implement network connec-tion record module at the same time And then these recordsare stored The detailed process is depicted as follows

(1) We utilize corresponding attack software to simulateall kinds of attacks for example DOS attack whichcan be simulated by the combination DOS attacksimulator with ping command and others also can beachieved by this way

(2) Before these abnormal connections attacking systemwe should record IP address and attack types of attackhosts respectively IP address of destination hostsand simultaneously implement network connectionrecord module in network anomaly detection systemto record network packets Here the time window forattack time is 1 hour and network connection recordmodule also records all the network packets in thisperiod

(3) Based on these network packets recorded we filterthese network packets according to effective networkattack packet standard corresponding with IP addressand attack type of attack host recorded before attack-ing Then these filtered network packets should bediscretized standardized and normalized by featureextraction module and data preprocessing modulerespectively in Figure 1 Finally we can obtain differ-ent kinds of network connection feature vectors suchas Normal Dos Probe R2L and U2R

442 Preprocessing Training Data Set According to the rulementioned in [16] we utilize this different distance for sameor different kinds of network connection to define BPA valuein ODS evidence theory Before train 6 classifiers we mustpreprocess this training data set

As shown in Figure 1 we can see that six basic classifiersin early detection module can be divided into two categoriesnamely N-classifier and A-classifier Before training N-classifier and A-classifier we should preprocess training dataset and this will be introduced in detail First we analyzetraining N-classifier as follows

(1) When a training data set includes normal connec-tions N-Train and abnormal connections A-Train itshould be processed before trainingN-classifier Firstwe compute clustering center N-CORE of N-Train intraining data set

(2) Then we should compute the distance between thisnormal connection and N-CORE and define this dis-tance value as a positive value which also correspondswith this normal connection

(3) Then we should compute the distance between thisabnormal connection and N-CORE and define thisdistance value as a negative value which also corre-sponds with this abnormal connection

(4) Finally the results from (2) and (3) are stored intoN-Dist which corresponds with connection recordsAnd this list N-Dist will be normalized from0 to 1 andis considered as a training label to train N-classifier

After processing above distance corresponding with nor-mal connection is larger than that with abnormal connectionin training data set If these distance values are used as super-vised learning training label when training classifiers theseclassifiers will learn this phenomenon through associatedability So we can see that the regression value for normalnetwork connection will be larger than that for abnormalnetwork connection when a normal network connection andan abnormal network connection need processing Indeedthis rule mentioned above is also suitable for training A-classifier

Then we will train 6 classifiers N-classifiers utilizingtraining data set and corresponding N-Dist A-classifiersutilizing training data set and corresponding A-Dist

443 Training Classifiers In this phase we mainly train6 classifiers in early detection module and compute someparameters in ODS fusion module Here we divide networkconnection feature vectors (Normal Dos Probe R2L andU2R) into two parts according to attack type Each partincludes processed training data set and corresponding list(N-Dist A-Dist) stored distance value

(1) One part is used to train 6 classifiers SVM NSVM A BMPM N BMPM A BP N and BP A andthen these classifiers trained will be stored to doprediction in future

(2) Another part is employed to predict these trainedclassifiers and it should record these results includingall kinds of attacks and normal connections that isthese results for TP TN FP and FN depicted inSection 43

(3) Then we can get weights F-Score-N and F-Score-Aof all sensors SVM BMPM and BP computed byformulas (12) and (13) Finally these values are storedinto array F-Score-N and F-Score-A respectively

45 Execution Flow of ODS Network Anomaly Detection Sys-tem After training 6 classifiers introduced in Section 44 wecan easily get weights for each sensor (in Section 43) As thesame the BPA values of each sensor support degree 119898(119873)119898(119860) and 119898(119873119860) can be achieved easily introduced inSection 42 In this section execution flow of ODS networkanomaly detection system will be introduced in detail

(1) First we can get a network connection packet bynetwork connection record module and then a net-work connection feature vector can be obtained byfeature extraction module and data preprocessing


modulewhich process the network connection packetachieved one by one

(2) Then this network connection feature vector will beprocessed to do regression estimate by 6 classifiers(3 sensors) in early detection module So we canobtain support degree 119898

1(119873) and 119898

1(119860) for normal

network connection status and abnormal networkconnection status after sensor SVM processing thisnetwork connection Next computed by formula (6)support degree119898

1(119873119860) for unknown status is also

achieved easily(3) In this way we can be easy to obtain 119898

2(119873) 119898

2(119860)

and 1198982(119873119860) corresponding with BMPM and

1198983(119873) 119898

3(119860) and 119898

3(119873119860) corresponding with

BP(4) Here we achieve an ODS evidence theory with

weights for 119899-sensors inferred by formulas (4) and (5)


119860)

=

sumcap119894119864119894=119860

1199081sdot 1198981(1198641) sdot 1199082sdot 1198982sdot (1198642) sdot sdot sdot sdot 119908

119899sdot 119898119899(119864119899)

sumcap119894119864119894 =119860


119899sdot 119898119899(119864119899)

(14)

In this novel model we choose SVM BMPM andBP as sensors so the parameter 119894 is define from 1 to3 By formula (14) we can obtain the support degreeof this network connection 119898

123(119873) 119898

123(119860) and

119898123

(119873119860) through fusion 3 sensors This processneeds that we should bring support degree for 119873119860 and 119873119860 computed by SVM BMPM and BPsensors and weight vector F-Score-N and F-Score-Ainto formula (14)

(5) The final decision result by system is depicted in

Decision (119909) =

normal (if 119898123 (

119873)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))

abnormal (if 119898123 (

119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))

uncertain (if 119898123 (

119873119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))

(15)

The final decision result can be explained in detailif 119898123

(119873) is larger than 119898123

(119860) and 119898123

(119873119860)this system considers current network connectionas a normal one as the same if 119898

123(119860) is larger

than119898123

(119873) and119898123

(119873119860) this system considerscurrent network connection as an abnormal one if119898123

(119873119860) is larger than119898123

(119860) and119898123

(119873) thissystem cannot judge current network connection as anormal or abnormal one

5 Experiments and Analysis

In this section wewould verify the effectiveness of combiningODS evidence theory with SVM BMPM and BP sensors andprove that this novel ODS network anomaly detection modelcan get higher detection rate (DR) and lower false positiverate (FR) for not only traditional attacks but also new attacks

51 Data Set

511 KDD99 Data Set The KDD-Cup99 data set from UCIrepository has been widely used as the benchmark datafor network anomaly detection evaluation It consists ofseveral components depicted in Table 1 As in the case ofthe International Knowledge Discovery and Data MiningTools Competition only the ldquo10KDDrdquo data is employed forthe purposes of training This contains 22 attack types andis essentially a more concise version of the ldquoWhole KDDrdquodata set So in our experiments we apply its 10 trainingdata consisting of 494 021 connection records for trainingEach connection record represents a sequence of packettransmission starting and ending at a time period and canbe classified as normal traffic or one of 22 different classesof attacks All attacks fall into four main categories

(i) Denial-of-service (Dos)mdashdenial of the service thatare accessed by legitimate users for example SYNflooding

(ii) Remote-to-local (R2L)mdashunauthorized access from aremote machine for example password guessing

(iii) User-to-root (U2R)mdashunauthorized access to gainlocal super-user (root) privileges for example bufferoverflow attack

(iv) Probing (Probe)mdashsurveillance and probing for infor-mation gathering for example port scanning

The test data set has not the same probability distributionas the training data set There are 4 new U2R attack types inthe test data set that are not presented in the training dataset These new attacks correspond to 9290 (189228) of theU2R class in the test data set On the other hand there are7 new R2L attack types corresponding to 63 (1019616189)of the R2L class in the data set In addition there are only104 (out of 1126) connection records presented in the trainingdata set corresponding to the known R2L attacks presentedsimultaneously in the two data sets However there are 4 newDos attack types in the test data set corresponding to 285(6555229853) of the Dos class in the test data set and 2 newProbing attacks corresponding to 4294 (17894166) of theProbing class in the test data set

512 Data Set Preprocessing Since a connection record inKDD99 includes not only symbol feature but also continuousand discrete features wemust cope with these features beforedo experiments Here Naıve algorithm in Rosetta software[17] is used to deal with continuous feature and symbol fea-ture can be discretized by general mapping method directlyThen in order to remove different features of various data and


Table 1 KDD data set

Data set Total Normal () DOS () Probe () U2R () R2L ()10 KDD 494020 1979 792 08 001 02Test KDD 311029 1958 739 13 002 52Whole KDD 4898430 198 793 084 0001 002

achieve general feature and same weights for discretized datathese data should be standardized and these standardizationformulas are introduced as follows

I119890119895=

1

119899

119899

sum

119894=1

I119894119895

I120575119895= radic

1

119899

119899

sum

119894=1

(I119894119895minus I119890119895)

2

I1015840119895=

I119895minus I119890119895

I120575119895

(16)

52 Experimental Design In order to prove that networkanomaly detection system with ODS and RBPA has betterperformance we design 4 kinds of experiments

The first experiment is that we choose 3 single methods(SVMBMPM andBP) and4 fusionmethods (DSwith SBPADS with RBPA ODS with SBPA and ODS with RBPA) to dodetection in the same data set In this data set 4000 networkconnections of each connection type (Normal Dos Probeand R2L) are selected and 249 network connections are chosefrom U2R type These data chosen constructed a data setwhich is divided into 2 parts training data set and test dataset This experiment is used to prove that the method wepresented can detect various attacks and has higher DR andlower FR

The second experiment is that we also choose these7 network anomaly detection methods to do detection inR2L data set which has 4000 network connections And theformer 2000 network connections are normal connectionsand the later 2000 network connections are abnormal con-nectionsThis experiment is utilized to prove that themethodwith RBPA outperforms the method with ODS and twooptimization methods we presented can be used in networkanomaly detection simultaneously with better performance

The third experiment is that we also choose these 7network anomaly detection methods to do detection in thesame data set like the first experiment But we compareseveral parameters mentioned in Section 43 such as Pre-cious Recall and F-Score In addition we utilize ROC curvewhich shows DR and FR of correspondingmethod and AUCwhich represents the area under corresponding ROC curveto estimate the performance of network anomaly detectionsystem

The fourth experiment is that we choose 2 networkanomaly detection methods (ODS with RBPA and DS withSBPA) to do detection But here we choose 10 KDD99 dataas training data set and test data setmentioned in Section 511

Table 2 The detection result of all the attacking types with SVM(FR = 191)

Attack type Attack number Attack number detected DR ()DOS 2000 1989 9945Probe 2000 1992 996U2R 124 102 8064R2L 2000 1950 8220Total 6124 6033 9851

Variance 976

Table 3The detection result of all the attacking types with BP (FR =

190)


Variance 990

as test data set This experiment is used to estimate the newmodelrsquos detection ability for new attack type

521 Experiments with 4 Attack Types From Tables 2 34 5 6 and 7 we can see that the false positive rate (FR)of single detection model such as SVM BMPM and BPis higher than that of fusion detection model This reflectsthat fusion detection method can effectively reduce the FRin the anomaly detection system From detection rate (DR)and attack number detected by anomaly detection methodsthe DR of fusion detection method outperforms that ofsingle method and fusion method will bring lower FR Inaddition compared to fusion detectionmodel the variance ofalmost single detection model is larger meaning that fusiondetection model is not easy to shake that is relatively stableThough the DR of some models for various attacks is highits FR is still high for example BMPMmodelTherefore thisnovel model with ODS and regression BPA outperforms thanothers and it has lower FR and better DR

Here we not only analyze the whole performance ofthis novel model but also discuss ODS with weights andregression BPA performance According to whether BPA andDS evidence theory redesigned we can achieve 4 resultsfor different combinations shown in Tables 5 6 7 and 8respectively including DS with Simple BPA (SBPA) ODSwith SBPA DS with regression BPA (RBPA) and ODS withRBPA


Table 4 The detection result of all the attacking types with BMPM(FR = 132)


Variance 272

Table 5 The detection result of all the attacking types with classicDS evidence theory fusion of simple BPA method (FR = 062)


Variance 260

Table 6 The detection result of all the attacking types with ODSevidence theory fusion of Simple BPA method (FR = 059)


Variance 190

Table 7 The detection result of all the attacking types with classicDS evidence theory fusion of regression BPAmethod (FR = 032)


Variance 274

According to whether DS evidence theory redesigned(whether adding weights into DS) we can divide thesemodels into two groups without considering BPA design oneis Tables 5 and 6 and another is Tables 7 and 8 In this waywe can compare the performance of ODS DS with weights(F-Score value as weights) with that of DS From these twogroups we can see that the FRofODS is lower than that ofDSand the total DR of ODS is also lower than that of DS Clearlymost of DR of various attack types with ODS outperform thatwith DS Thus ODS with weights is effective compared withDS

Table 8 The detection result of all the attacking types with ODSevidence theory fusion of regression BPAmethod (false positive rate= 027)


Variance 169

Similarly according to whether BPA redesigned (whetherwith sensorsrsquo regression ability) we can divide these modelsinto two groups without considering DS design one is Tables5 and 7 and another is Tables 6 and 8 In this way we cancompare the performance of RBPA with that of SBPA ForFR and total DR RBPA is better than SBPA significantly SoRBPA with sensorsrsquo regression ability is effective comparedwith SBPA

522 Experiments with R2L Attack In this subsection wemainly focus on the novel model for single attack typeaccording to formula (15) From Figures 2 3 4 and 5 we cansee that they are achieved by different groups with redesignedor conventional BPA and DS In these figures correspondingwith119898

123(119873) in formula (15) parameterMNP represents the

support degree of normal connection for current networkconnection after it is detected by SVM BMPM and BP sen-sors andmerged by ODS On the contraryMAP correspondswith 119898

123(119860) By formula (15) if MNP is larger than MAP

current network connection is considered as a normal oneand vice versa In this experiment there are 4000 networkconnections in each figure and the former 2000 networkconnections are normal connections and others are abnormalconnections

First we analyze and compare Figures 4 and 5 in onegroup In Figure 4 some normal connections of the former2000 network connections overlap together for MNP andMAP Significantly some parts ofMAP are aboveMNP thatis this normal network connection is wrongly considered asan abnormal one leading to a higher FR On the contrary theoverlap in Figure 5 is less than that in Figure 4 In this wayFigure 3 outperforms Figure 2 withMNP andMAP Withoutconsidering BPA design ODS with weights is further effec-tive

Next we analyze and compare Figures 2 and 4 in onegroup In Figure 2 almost all the normal connections (theformer 2000) overlap together forMNP andMAP Howeverthis overlap is further less in Figure 4 Clearly this also occursin the later 2000 connections abnormal connections Inthe same way Figure 5 is better than Figure 3 In essencethis shows that RBPA method outperforms SBPA methodwith lower FR and higher DR This conclusion is consistentwith the results from Tables 5 and 7 or Tables 5 and 8Without considering DS design RBPA with regression isfurther effective compared with SBPA


0 500 1000 1500 2000 2500 3000 3500 40000

01

02

03

04

05

06

07

08

09

1

MNP

MAP

Figure 2 Results of classic DS evidence theory fusion of SBPA

0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP

Figure 3 Results of ODS evidence theory fusion of SBPA

Moreover based on Figure 2 we compare Figure 3 withFigure 4 We can see that the results of MNP and MAP aredistinguished easily and are suitable for real network betterin Figure 4 But the opposite results are obtained in Figure 3meaning that fuzzy and unseparated results This leads ahigher FR Only verifying a condition DS or BPA designwe can get Figure 3 with ODS optimization and Figure 4with RBPA optimization From Figures 3 and 4 we conclude

0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP

Figure 4 Results of classic DS evidence theory fusion of RBPA

0

01

02

03

04

05

06

07

08

09

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP

Figure 5 Results of ODS evidence theory fusion of RBPA

that RBPA method is better than ODS method in networkanomaly detection system

Similarly based on Figure 2 we compare Figures 3 and4 with Figure 5 We can see that the result of Figure 5 isbetter than both Figures 3 and 4 significantly Comparedwith Figure 2 Figure 5 is improved enormously In aword nomatter which one system chooses the performance of opti-mized network anomaly detection system will be improvedclearly Specially these two optimization methods can be uti-lized by network anomaly detection system simultaneouslyleading a better result than the one with either optimizationmethod


1

09

08

07

06

05

04

03

02

01

0

10minus4

10minus3

10minus2

10minus1

100

True

pos

itive

rate

False positive rate

ROC

BMPMSVMBPDS + SBPA

ODS + SBPADS + RBPAODS + RBPA

Figure 6The ROC curve of BMPM SVM BP DS with SBPA ODSwith SBPA DS with RBPAS and ODS with RBPA

Table 9 Comparison of BMPM SVM BP DS ODS SBPA andRBPA

Detection method Precision Recall 119865-119878119888119900119903119890 AUCBMPM 09835 09263 09540 09851SVM 09752 09851 09801 09780BP 09753 09839 09796 09781DS with SBPA 09926 09748 09836 09934ODS with SBPA 09933 09749 09840 09940DS with RBPA 09957 09910 09934 09962ODS with RBPA 09964 09930 09947 09968

523 Experiments Based on ROC and AUC Table 9 showsthat the results of all network normal and abnormal con-nections used by various anomaly detection methods Andthe ROC curve of each method is depicted in Figure 6 Inthese two experiments we employ ROC curve that showsthe relationship of FR and DR and AUC that representsthe area under ROC curve Here several parameters areutilized to estimate network anomaly detection system suchas Precious Recall and F-Score which are introduced inSection 43 Specially the larger the values of parameters (F-Score AUC) are the better the performance of correspondingsystem is

First compared single detection methods SVM BMPMand BP with fusion detection methods we can see that singledetection methods have smaller values of F-Score and AUCfrom Table 9 that is the performance of single detectionmethods is lower than that of fusion methods Ensuring aninvariable condition in 4 fusion methods we can analyze theeffectiveness of RBPA and ODS In this way compared DSwith SBPA andDSwith RBPAODSwith SBPA andODSwith

RBPA we can see that themethods with RBPA have higher F-Score and AUC values As the same the methods with ODShave higher F-Score and AUC values

From Figure 6 that shows the ROC curve of 7 networkanomaly detection methods the network anomaly detectionmethod merged with ODS and RBPA has the largest areaunder corresponding ROC curve (the largest AUC value inTable 9) When they have the same DR FR of the networkanomaly detection method merged with ODS and RBPA isthe smallest one Similarly when they have the same FR DRof the network anomaly detection method merged with ODSand RBPA is the highest one So this fusionmethod is the bestone in these 7 fusion methods

524 Experiments with New Attacks In this experiment weutilize 3 network anomaly detection systems (BP DS withSBPA and ODS with RBPA) to detect new attacks Unlikeexperiments mentioned above the data set used in thisexperiment is 10KDD99 and test data set with 17 new attacktypes in Section 511

From Table 10 we can see that the performance of singlemethod is lower than that of fusion method Most of newattack connections DR are higher than BP but there stillexist some abnormal DR ldquosqlattackrdquo for example With ODSand RBPA optimization this novel method we presentedmakes up this defect which has a better new attack detectionperformance than others

6 Related Work

The use of data fusion in the field of network anomalydetection is presented by Siaterlis and Maglaris [18] TheDempster-Shafer theory of evidence is used as the mathe-matical foundation for the development of a novel anomalydetection engine The detection engine is evaluated using thereal network trafficThe superiority of data fusion technologyapplied to intrusion detection systems is presented in thework of Wang et al [19] This method used informationcollected from the network and host agents and applicationof Dempster-Shafer theory of evidence Another work incor-porating the Dempster-Shafer theory of evidence is by Hu etal [20] Wu et al [21] proposed a framework of client-serverarchitecture where the mobile agent continuously extractedvarious features and send to the server to detect anomalyusing anomaly detectors They used multiple distributedservers with different machine learning as a detector foranalyzing the feature vector and D-S Evidence theory ofinformation fusion is used to fuse the results of detectors alsoproposed a cycle-based statistical approach to find anomalyactivity Zhouzhou et al [22] presented a new algorithmbased on D-S evidence theory to reduce energy consumptionin wireless sensors network which modifies D-S evidencetheory and fuses it on cluster-head selection phase and adjustsoperation periodTheDempster-Shafer theory of evidence indata fusion is observed to solve the problem of how to analyzethe uncertainty in a quantitative way


Table 10 Comparison of BP DS with SBPA and ODS with RBPA for new attacks

Attack name Total connections Detected connections DR ()BP DS + SBPA ODS + RBPA BP DS + SBPA ODS + RBPA

Apache2 794 792 794 794 9975 10000 10000httptunnel 158 155 157 158 9810 9937 10000mailbomb 5000 4893 5000 500 9786 10000 10000mscan 1053 1050 1050 1052 9972 9972 9991named 17 16 17 17 9412 10000 10000processtable 759 758 759 759 9987 10000 10000ps 16 16 16 16 10000 10000 10000saint 736 736 735 736 10000 9986 10000sendmail 17 14 16 17 8235 9412 10000snmpgetattack 7741 7704 7716 7739 9952 9968 9997snmpguess 2406 2404 2404 2406 9992 9992 10000sqlattack 2 2 1 2 10000 5000 10000udpstorm 2 0 2 2 000 10000 10000worm 2 2 2 2 10000 10000 10000xlock 9 7 6 8 7778 6667 8889xsnoop 4 3 4 4 7500 10000 10000xterm 13 13 13 13 10000 10000 10000

Average 8965 9467 9934

Reference [11] presented a novel intrusion detectionapproach combining SVM and KPCA to enhance the detec-tion precision for low-frequent attacks and detection stabilityIn order to shorten the training time and improve the perfor-mance of SVM classification model an improved radial basiskernel function (N-RBF) based on Gaussian kernel functionis developed and GA is used to optimize the parameters ofSVM [14] proposed a flow-based anomaly detection systemwhich is trained with a flow-based data set In this new sys-tem multilayer Perceptron neural network with one hiddenlayer is used which is added interconnection weights by aGravitational Search Algorithm Giacinto et al [23] utilizedgeneral classifiers to divide various feature subspaces fromthe same data set and then merged voting mean algorithmBayes and decision module together However there existsless analysis about detection algorithm and fusion methodAnother drawback of this model is higher false alarm rateThe formulation of the intrusion detection problem as apattern recognition task using data fusion approach basedon multiple classifiers is attempted by Didaci et al [24]The work confirms that the combination reduces the overallerror rate but may also reduce the generalization capabilitiesAmbareen Siraj et al [25] brought fuzzy cognitive mapinto fusion network anomaly detection and presented anintelligent network anomaly detection model Thomas andBalakrishnan [26ndash28] selected artificial neural network asfusion algorithm and constructed fusion network anomalydetection model based on SNORT PHAD and ALAD thatare open source detection systems Although it was proved asan effective system but its detection rate for some attacks waslower In [29] performance of this fusion model is decided

by diversity of various classifiers [30] presented a novelnetwork anomaly detection system with DS evidence theoryand regression neural network but its detection rate is lower

7 Conclusion and Future Work

In this paper we present a novel network anomaly detectionmodel with ODS evidence theory and RBPA When applyingDS evidence theory on network anomaly detection modelwe set weight for each sensor And the weight value isfrom prior knowledge F-Score-N and F-Score-N which areextended by F-Score Another key contribution is a new BPAfunction We utilize regression ability of classifiers SVMBMPM and BP to compute various support degrees (119898(119873)119898(119860) and119898(119873119860)) for each status (normal abnormal andunknown) Finally we design 4 kinds of experiments to provethat this novel network anomaly detection model has higherDR and lower FR

To further improve the performance of this new modelwe will choose other sensors as classifiers to cope withcomplicated network records And we will also utilize newattacks to evaluate this model Finally we will try to optimizeDS evidence theory according to features of sensors

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper


Acknowledgments

This work was supported by The National Natural ScienceFoundation of China (Grant no 61103223) and the Key Pro-gram for Basic Research of Jiang Su (Grant no BK2011003)

References

[1] A G Tartakovsky A S Polunchenko andG Sokolov ldquoEfficientcomputer network anomaly detection by changepoint detectionmethodsrdquo IEEE Journal on Selected Topics in Signal Processingvol 7 no 1 pp 4ndash11 2013

[2] S Staniford J A Hoagland and J M McAlerney ldquoPracticalautomated detection of stealthy portscansrdquo Journal of ComputerSecurity vol 10 no 1-2 pp 105ndash136 2002

[3] SM Bridges and R B Vaughn ldquoFuzzy datamining and geneticalgorithms applied to intrusion detectionrdquo in Proceedings of23rd National Information Systems Security Conference pp 13ndash31 2000

[4] A H Sung and S Mukkamala ldquoIdentify important features forintrusion detection using support vector machines and neuralnetworksrdquo in Proceedings of the Symposium on Application andthe Internet pp 209ndash216 2003

[5] G Zhu and J Liao ldquoResearch of intrusion detection based onsupport vector machinerdquo in Proceedings of the InternationalConference on Advanced Computer Theory and Engineering(ICACTE rsquo08) pp 434ndash438 December 2008

[6] W Ren J Cao and X Wu ldquoApplication of network intrusiondetection based on Fuzzy C-means clustering algorithmrdquo inProceedings of the 3rd International Symposium on IntelligentInformation Technology Application (IITA rsquo09) vol 3 pp 19ndash22Nanchang China November 2009

[7] T Li and J Wang ldquoResearch on network intrusion detectionsystem based on improved k-means clustering algorithmrdquo inProceedings of the International Forum on Computer Science-Technology andApplications (IFCSTA rsquo09) pp 76ndash79 December2009

[8] C-M Bao ldquoIntrusion detection based on one-class SVMand SNMP MIB datardquo in Proceeding of the 5th InternationalConference on Information Assurance and Security (IAS 09) vol2 pp 346ndash349 Xian China September 2009

[9] L Lin X Xie and S Zhong ldquoA multiple classification methodbased on theDS evidence theoryrdquo in Proceedings of the 9th Inter-national Symposium on Linear Drives for Industry Applicationsvol 271 of Lecture Notes in Computer Science pp 587ndash596 2014

[10] W Hu J Li and Q Gao ldquoIntrusion detection engine basedon Dempster-Shaferrsquos theory of evidencerdquo in Proceedings ofthe International Conference on Communications Circuits andSystems (ICCCAS 06) pp 1627ndash1631 Guilin China June 2006

[11] F Kuang W Xu and Z Siyang ldquoA novel hybrid KPCA andSVM with GA model for intrusion detectionrdquo Applied SoftComputing vol 18 pp 178ndash184 2014

[12] C-C Chang and C-J Lin LIBSVM A Library for Support Vec-tor Machines 2010 httpwwwcsientuedutwsimcjlinlibsvm

[13] Y Haiqin and H Kaizhu ldquoMATLAB Toolbox for Biased Min-imax Probability Machinerdquo 2004 httpappsrvcsecuhkeduhksimmiplabmempm toolboxindexhtm

[14] Z Jadidi V Muthukkumarasamy E Sithirasenan and MSheikhan ldquoFlow-based anomaly detection using neural net-work optimizedwithGSA algorithmrdquo inProceedings of the IEEE33rd International Conference onDistributedComputing Systems

Workshops (ICDCSW rsquo13) pp 76ndash81 Philadelphia PaUSA July2013

[15] ldquoKDD Cup 1999 Datardquo 1999 httpkddicsuciedudatabaseskddcup99kddcup99html

[16] J Zhuge D Wang Y Chen Z Ye and W Zou ldquoNetworkanomaly detector based on the D-S evidence theoryrdquo Journalof Software vol 17 no 3 pp 463ndash471 2006

[17] The ROSETTA Homepage 1998 httpwwwlcbuusetoolsrosetta

[18] C Siaterlis and B Maglaris ldquoTowards multisensor data fusionfor DoS detectionrdquo in Proceedings of the ACM Symposium onApplied Computing pp 439ndash446 March 2004

[19] Y Wang H Yang X Wang and R Zhang ldquoDistributedintrusion detection system based on data fusion methodrdquo inProceddings of the 5th World Congress on Intelligent Control andAutomation (WCICA 04) vol 5 pp 4331ndash4334 June 2004

[20] W Hu J Li and Q Gao ldquoIntrusion detection engine basedon Dempster-Shaferrsquos theory of evidencerdquo in Proceedings ofthe International Conference on Communications Circuits andSystems (ICCCAS rsquo06) pp 1627ndash1631 June 2006

[21] Z Wu X Zhou and J Xu ldquoA result fusion based distributedanomaly detection system for android smartphonesrdquo Journal ofNetworks vol 8 no 2 pp 273ndash282 2013

[22] L Zhouzhou W Fubao and W Wei ldquoA clustering algorithmbased on D-S evidence theory for wireless sensor networksrdquoInformation Technology Journal vol 13 no 13 pp 2211ndash22172014

[23] G Giacinto F Roli and L Didaci ldquoFusion ofmultiple classifiersfor intrusion detection in computer networksrdquo Pattern Recogni-tion Letters vol 24 no 12 pp 1795ndash1803 2003

[24] L Didaci G Giacinto and F Roli ldquoIntrusion detection in com-puter networks bymultiple classifiers systemsrdquo in Proceedings ofthe International Conference on Pattern Recognition 2002

[25] A Siraj R B Vaughn and S M Bridges ldquoIntrusion sensor datafusion in an intelligent intrusion detection system architecturerdquoin Proceedings of the Hawaii International Conference on SystemSciences pp 4437ndash4446 January 2004

[26] C Thomas and N Balakrishnan ldquoAdvanced sensor fusiontechnique for enhanced intrusion detectionrdquo in Proceedings ofthe IEEE International Conference on Intelligence and SecurityInformatics (ISI rsquo08) pp 173ndash178 Taipei Taiwan June 2008

[27] CThomas andN Balakrishnan ldquoPerformance enhancement ofintrusion detection systems using advances in sensor fusionrdquo inProceedings of the 11th International Conference on InformationFusion (FUSION rsquo08) pp 1ndash7 July 2008

[28] C Thomas and N Balakrishnan ldquoImprovement in intrusiondetection with advances in sensor fusionrdquo IEEE Transactionson Information Forensics and Security vol 4 no 3 pp 542ndash5512009

[29] J Kittler M Hatef R P W Duin and J Matas ldquoOn combiningclassifiersrdquo IEEE Transactions on Pattern Analysis and MachineIntelligence vol 20 no 3 pp 226ndash239 1998

[30] Y Yuan S Shang and L Li ldquoNetwork intrusion detection usingD-S evidence combination with generalized regression neuralnetworkrdquo Journal of Computational Information Systems vol 7no 5 pp 1802ndash1809 2011

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Distributed Sensor Networks


Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014


ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014


Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications


Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia


Biomedical Imaging


ArtificialNeural Systems

Advances in


RoboticsJournal of



Computational Intelligence and Neuroscience

Industrial EngineeringJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in



reasonable result in network conflict data unlike conven-tional DS evidence theory In this mechanism we employODS to merge 3 classifiers support vector machine classifier(SVM) [11 12] biasedminimax probability machine classifier(BMPM) [13] and back propagation network classifier (BP)[14] Unlike the original fusion rule using the classificationfeature of those classifiers the new one utilizes its regressionfeature because regression feature can better reflect real-timenetwork environment Note that since network environmentis almost complicated and varied inDS evidence theory eachsensor cannot be equally computed So we assign differentweights for each sensor respectively according to its previousprediction accuracy In addition based on different distancesizes between network connections we present a new con-struction method for basic probability assignment function(BPA) based on regression ability regression BPA (RBPA)unlike simple BPA (SBPA) Finally through comparison of4 fusion methods and 3 single methods the experimentalresults with KDD99 [15] show that the ODS algorithm canovercome the conflict problem among the evidences and theproposed module can improve the detection performance ofthe anomaly detection system

The reminder of this paper is organized as follows InSection 2 we will introduce class DS evidence theory analyzeits limitation and present an optimized DS evidence theorywith weights for each sensor Then we propose a novelnetwork anomaly detection model with ODS in Section 3 InSection 4 we introduce 4 key issues how to combine ODSevidence theory with network anomaly detection how toconstruct and decide BPA value in ODS evidence theoryhow to decide weight 119908

119894in fusion rules of ODS evidence

theory and how to train 6 classifiers With data set KDD99we evaluate our novel network anomaly detection modelby 4 kinds of experiments in Section 5 Next Section 6introduces related work Finally we conclude our main workand propose future work in Section 7

2 Optimized DS Evidence Theory

21 Class DS Evidence Theory DS evidence theory [9 10] isconsidered as a general extension of the traditional classicalprobabilistic inference theory in the finite field Unlike theconventional Bayes inference method DS evidence theorywithout a priori probability still can be used to deal withuncertainty and imprecision information So we can see thatDS evidence theory has greater flexibility

DS evidence theory is considered as theory built on anonempty finite field Θ called the recognition frameworkwhich includes a limited number of independent system state1198601 1198602 119860

119899 An element in119875(Θ) as a power set of system

state Θ is called a system state hypothesis 119867119894 Through the

observation results 1198641 1198642 119864

119898for system state by each

sensor DS evidence theory can merge these results andinfer the former state of system Here it mainly involves thefollowing concepts

Definition 1 Basic probability assignment function (BPA) isdefined as a map from a power set of Θ to [0 1] intervalIt is represented as 119898 119875(Θ) rarr [0 1] 119898(Φ) = 0

sum119860isin119875(Θ)

119898(119860) = 1 where 119898(119860) is called confidence valuewhich means that current sensor decides hypothesis 119860 thedegree of confidence according to the observation results

Definition 2 Belief function is defined as

Belief119894 (119860) = sum

119864119896sube119860

119898119894(119864119896) (1)

This function represents the degree of confidence forhypothesis 119860 And the function result is composed of basicconfidence values of observation results 119864


hypothesis 119860

Definition 3 Plausibility function is defined as

Plausibility119894(119860) = 1 minus sum

119864119896cap119860=Φ

119898119894(119864119896) (2)

This function represents the degree of plausibility forhypothesis 119860 And the function result is composed of basicconfidence values of observation results 119864


hypothesis 119860

Definition 4 DS fusion rules for any hypothesis 119860 defining119898119894and119898

119895as the basic probability assignment function (BPA)

of two evidences respectively state that one obtains basicbelief assignment function of the combination evidence fromtwo evidences above as follows

(119898119894oplus 119898119895) (119860) =

sum119864119896cap1198641198961015840=119860

119898119894(119864119896)119898119895(1198641198961015840)

1 minus sum119864119896cap1198641198961015840=0

119898119894(119864119896)119898119895(1198641198961015840)

(3)

Likewise one can achieve DS general synthesis rules forthe combination evidence from 119899 evidences as follows


119860) =

sumcap119894119864119894=119860

1198981(1198641)1198982(1198642) sdot sdot sdot 119898

119899(119864119899)

sumcap119894119864119894 =119860

1198981(1198641)1198982(1198642) sdot sdot sdot 119898

119899(119864119899)

(4)

22 Drawback of Class DS Evidence Theory The advantageof DS evidence theory mainly focuses on several parts asfollows it can satisfy axiom system that is weaker than theprobability distinguish unknown and uncertainty situationand continuously shrink the hypothesis set in the light of theaccumulation of evidences

The disadvantage of DS evidence theory is that whendealing with the issue with confidence degree tending to 0the result computed by DS evidence theory will conflict withexpectation result That is to say when confidence degreeis too small or 0 the results achieved are very different Inthe same way BPA is required to give so many results thatcalculation is also more complicated If the hypothesis set istoo large the calculation complexity of evidence theory willincrease exponentially

23 OptimizedDSEvidenceTheory From formula (4) we cansee that the confidence degree of each sensor is the sameThat is each sensor has the same accuracy Obviously itdoes not fit the facts for example with doctor for treatment




119894


119894


119895as


119895as



(119898119894oplus 119898119895) (119860)

=

sum119864119896cap1198641198961015840=119860

[119908119894119898119894(119864119896) sdot 119908119895119898119895(1198641198961015840)]

1 minus sum119864119896cap1198641198961015840=0

[119908119894119898119894(119864119896) sdot 119908119895119898119895(1198641198961015840)]

(5)












119894in






TCPIP data packets

Network connection

recordsFeature

extractionData

preprocessing

ODS fusion

Decision result

BMPM N

BMPM A

SVM N

SVM A

BP N

BP A

m1(N)

m1(A)

m2(N)

m2(A)

m3(N)

m3(A)















119898(119873119860) =

1 minus 119898 (119873) minus 119898 (119860) 119898 (119873) + 119898 (119860) lt 1

0 119898 (119873) + 119898 (119860) ge 1

(6)







119894value











Precision =

TPTP + FP

Recall = TPTP + FN

119865-119878119888119900119903119890 =


(7)









Precision A =

TPTP + FP

(8)

Precision N =

TNTN + FN

(9)

Recall A =

TPTP + FN

(10)

Recall N =

TNTN + FP

(11)

119865-119878119888119900119903119890-119873 =


(12)

119865-119878119888119900119903119890-119860 =


(13)
























1(119873) and 119898





2(119873) 119898

2(119860)


1198983(119873) 119898

3(119860) and 119898





119860)

=

sumcap119894119864119894=119860


119899sdot 119898119899(119864119899)

sumcap119894119864119894 =119860


119899sdot 119898119899(119864119899)

(14)


123(119873) 119898

123(119860) and

119898123



Decision (119909) =

normal (if 119898123 (

119873)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))


119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))


119873119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))

(15)


(119873) is larger than 119898123

(119860) and 119898123


123(119860) is larger

than119898123

(119873) and119898123


(119873119860) is larger than119898123

(119860) and119898123




51 Data Set












I119890119895=

1

119899

119899

sum

119894=1

I119894119895

I120575119895= radic

1

119899

119899

sum

119894=1

(I119894119895minus I119890119895)

2

I1015840119895=

I119895minus I119890119895

I120575119895

(16)








Variance 976


190)


Variance 990







Variance 272



Variance 260



Variance 190



Variance 274




Variance 169










0 500 1000 1500 2000 2500 3000 3500 40000

01

02

03

04

05

06

07

08

09

1

MNP

MAP


0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP



0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP


0

01

02

03

04

05

06

07

08

09

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP





1

09

08

07

06

05

04

03

02

01

0

10minus4

10minus3

10minus2

10minus1

100

True

pos

itive

rate

False positive rate

ROC

BMPMSVMBPDS + SBPA











6 Related Work






Average 8965 9467 9934









Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in






119894


119894


119895as


119895as



(119898119894oplus 119898119895) (119860)

=

sum119864119896cap1198641198961015840=119860

[119908119894119898119894(119864119896) sdot 119908119895119898119895(1198641198961015840)]

1 minus sum119864119896cap1198641198961015840=0

[119908119894119898119894(119864119896) sdot 119908119895119898119895(1198641198961015840)]

(5)












119894in






TCPIP data packets

Network connection

recordsFeature

extractionData

preprocessing

ODS fusion

Decision result

BMPM N

BMPM A

SVM N

SVM A

BP N

BP A

m1(N)

m1(A)

m2(N)

m2(A)

m3(N)

m3(A)















119898(119873119860) =

1 minus 119898 (119873) minus 119898 (119860) 119898 (119873) + 119898 (119860) lt 1

0 119898 (119873) + 119898 (119860) ge 1

(6)







119894value











Precision =

TPTP + FP

Recall = TPTP + FN

119865-119878119888119900119903119890 =


(7)









Precision A =

TPTP + FP

(8)

Precision N =

TNTN + FN

(9)

Recall A =

TPTP + FN

(10)

Recall N =

TNTN + FP

(11)

119865-119878119888119900119903119890-119873 =


(12)

119865-119878119888119900119903119890-119860 =


(13)
























1(119873) and 119898





2(119873) 119898

2(119860)


1198983(119873) 119898

3(119860) and 119898





119860)

=

sumcap119894119864119894=119860


119899sdot 119898119899(119864119899)

sumcap119894119864119894 =119860


119899sdot 119898119899(119864119899)

(14)


123(119873) 119898

123(119860) and

119898123



Decision (119909) =

normal (if 119898123 (

119873)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))


119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))


119873119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))

(15)


(119873) is larger than 119898123

(119860) and 119898123


123(119860) is larger

than119898123

(119873) and119898123


(119873119860) is larger than119898123

(119860) and119898123




51 Data Set












I119890119895=

1

119899

119899

sum

119894=1

I119894119895

I120575119895= radic

1

119899

119899

sum

119894=1

(I119894119895minus I119890119895)

2

I1015840119895=

I119895minus I119890119895

I120575119895

(16)








Variance 976


190)


Variance 990







Variance 272



Variance 260



Variance 190



Variance 274




Variance 169










0 500 1000 1500 2000 2500 3000 3500 40000

01

02

03

04

05

06

07

08

09

1

MNP

MAP


0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP



0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP


0

01

02

03

04

05

06

07

08

09

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP





1

09

08

07

06

05

04

03

02

01

0

10minus4

10minus3

10minus2

10minus1

100

True

pos

itive

rate

False positive rate

ROC

BMPMSVMBPDS + SBPA











6 Related Work






Average 8965 9467 9934









Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




TCPIP data packets

Network connection

recordsFeature

extractionData

preprocessing

ODS fusion

Decision result

BMPM N

BMPM A

SVM N

SVM A

BP N

BP A

m1(N)

m1(A)

m2(N)

m2(A)

m3(N)

m3(A)















119898(119873119860) =

1 minus 119898 (119873) minus 119898 (119860) 119898 (119873) + 119898 (119860) lt 1

0 119898 (119873) + 119898 (119860) ge 1

(6)







119894value











Precision =

TPTP + FP

Recall = TPTP + FN

119865-119878119888119900119903119890 =


(7)









Precision A =

TPTP + FP

(8)

Precision N =

TNTN + FN

(9)

Recall A =

TPTP + FN

(10)

Recall N =

TNTN + FP

(11)

119865-119878119888119900119903119890-119873 =


(12)

119865-119878119888119900119903119890-119860 =


(13)
























1(119873) and 119898





2(119873) 119898

2(119860)


1198983(119873) 119898

3(119860) and 119898





119860)

=

sumcap119894119864119894=119860


119899sdot 119898119899(119864119899)

sumcap119894119864119894 =119860


119899sdot 119898119899(119864119899)

(14)


123(119873) 119898

123(119860) and

119898123



Decision (119909) =

normal (if 119898123 (

119873)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))


119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))


119873119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))

(15)


(119873) is larger than 119898123

(119860) and 119898123


123(119860) is larger

than119898123

(119873) and119898123


(119873119860) is larger than119898123

(119860) and119898123




51 Data Set












I119890119895=

1

119899

119899

sum

119894=1

I119894119895

I120575119895= radic

1

119899

119899

sum

119894=1

(I119894119895minus I119890119895)

2

I1015840119895=

I119895minus I119890119895

I120575119895

(16)








Variance 976


190)


Variance 990







Variance 272



Variance 260



Variance 190



Variance 274




Variance 169










0 500 1000 1500 2000 2500 3000 3500 40000

01

02

03

04

05

06

07

08

09

1

MNP

MAP


0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP



0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP


0

01

02

03

04

05

06

07

08

09

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP





1

09

08

07

06

05

04

03

02

01

0

10minus4

10minus3

10minus2

10minus1

100

True

pos

itive

rate

False positive rate

ROC

BMPMSVMBPDS + SBPA











6 Related Work






Average 8965 9467 9934









Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in








119898(119873119860) =

1 minus 119898 (119873) minus 119898 (119860) 119898 (119873) + 119898 (119860) lt 1

0 119898 (119873) + 119898 (119860) ge 1

(6)







119894value











Precision =

TPTP + FP

Recall = TPTP + FN

119865-119878119888119900119903119890 =


(7)









Precision A =

TPTP + FP

(8)

Precision N =

TNTN + FN

(9)

Recall A =

TPTP + FN

(10)

Recall N =

TNTN + FP

(11)

119865-119878119888119900119903119890-119873 =


(12)

119865-119878119888119900119903119890-119860 =


(13)
























1(119873) and 119898





2(119873) 119898

2(119860)


1198983(119873) 119898

3(119860) and 119898





119860)

=

sumcap119894119864119894=119860


119899sdot 119898119899(119864119899)

sumcap119894119864119894 =119860


119899sdot 119898119899(119864119899)

(14)


123(119873) 119898

123(119860) and

119898123



Decision (119909) =

normal (if 119898123 (

119873)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))


119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))


119873119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))

(15)


(119873) is larger than 119898123

(119860) and 119898123


123(119860) is larger

than119898123

(119873) and119898123


(119873119860) is larger than119898123

(119860) and119898123




51 Data Set












I119890119895=

1

119899

119899

sum

119894=1

I119894119895

I120575119895= radic

1

119899

119899

sum

119894=1

(I119894119895minus I119890119895)

2

I1015840119895=

I119895minus I119890119895

I120575119895

(16)








Variance 976


190)


Variance 990







Variance 272



Variance 260



Variance 190



Variance 274




Variance 169










0 500 1000 1500 2000 2500 3000 3500 40000

01

02

03

04

05

06

07

08

09

1

MNP

MAP


0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP



0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP


0

01

02

03

04

05

06

07

08

09

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP





1

09

08

07

06

05

04

03

02

01

0

10minus4

10minus3

10minus2

10minus1

100

True

pos

itive

rate

False positive rate

ROC

BMPMSVMBPDS + SBPA











6 Related Work






Average 8965 9467 9934









Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in


























1(119873) and 119898





2(119873) 119898

2(119860)


1198983(119873) 119898

3(119860) and 119898





119860)

=

sumcap119894119864119894=119860


119899sdot 119898119899(119864119899)

sumcap119894119864119894 =119860


119899sdot 119898119899(119864119899)

(14)


123(119873) 119898

123(119860) and

119898123



Decision (119909) =

normal (if 119898123 (

119873)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))


119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))


119873119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))

(15)


(119873) is larger than 119898123

(119860) and 119898123


123(119860) is larger

than119898123

(119873) and119898123


(119873119860) is larger than119898123

(119860) and119898123




51 Data Set












I119890119895=

1

119899

119899

sum

119894=1

I119894119895

I120575119895= radic

1

119899

119899

sum

119894=1

(I119894119895minus I119890119895)

2

I1015840119895=

I119895minus I119890119895

I120575119895

(16)








Variance 976


190)


Variance 990







Variance 272



Variance 260



Variance 190



Variance 274




Variance 169










0 500 1000 1500 2000 2500 3000 3500 40000

01

02

03

04

05

06

07

08

09

1

MNP

MAP


0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP



0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP


0

01

02

03

04

05

06

07

08

09

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP





1

09

08

07

06

05

04

03

02

01

0

10minus4

10minus3

10minus2

10minus1

100

True

pos

itive

rate

False positive rate

ROC

BMPMSVMBPDS + SBPA











6 Related Work






Average 8965 9467 9934









Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in






1(119873) and 119898





2(119873) 119898

2(119860)


1198983(119873) 119898

3(119860) and 119898





119860)

=

sumcap119894119864119894=119860


119899sdot 119898119899(119864119899)

sumcap119894119864119894 =119860


119899sdot 119898119899(119864119899)

(14)


123(119873) 119898

123(119860) and

119898123



Decision (119909) =

normal (if 119898123 (

119873)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))


119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))


119873119860)

= max 119898123 (

119873)119898123 (119860)

119898123 (

119873119860))

(15)


(119873) is larger than 119898123

(119860) and 119898123


123(119860) is larger

than119898123

(119873) and119898123


(119873119860) is larger than119898123

(119860) and119898123




51 Data Set












I119890119895=

1

119899

119899

sum

119894=1

I119894119895

I120575119895= radic

1

119899

119899

sum

119894=1

(I119894119895minus I119890119895)

2

I1015840119895=

I119895minus I119890119895

I120575119895

(16)








Variance 976


190)


Variance 990







Variance 272



Variance 260



Variance 190



Variance 274




Variance 169










0 500 1000 1500 2000 2500 3000 3500 40000

01

02

03

04

05

06

07

08

09

1

MNP

MAP


0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP



0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP


0

01

02

03

04

05

06

07

08

09

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP





1

09

08

07

06

05

04

03

02

01

0

10minus4

10minus3

10minus2

10minus1

100

True

pos

itive

rate

False positive rate

ROC

BMPMSVMBPDS + SBPA











6 Related Work






Average 8965 9467 9934









Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in







I119890119895=

1

119899

119899

sum

119894=1

I119894119895

I120575119895= radic

1

119899

119899

sum

119894=1

(I119894119895minus I119890119895)

2

I1015840119895=

I119895minus I119890119895

I120575119895

(16)








Variance 976


190)


Variance 990







Variance 272



Variance 260



Variance 190



Variance 274




Variance 169










0 500 1000 1500 2000 2500 3000 3500 40000

01

02

03

04

05

06

07

08

09

1

MNP

MAP


0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP



0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP


0

01

02

03

04

05

06

07

08

09

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP





1

09

08

07

06

05

04

03

02

01

0

10minus4

10minus3

10minus2

10minus1

100

True

pos

itive

rate

False positive rate

ROC

BMPMSVMBPDS + SBPA











6 Related Work






Average 8965 9467 9934









Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in






Variance 272



Variance 260



Variance 190



Variance 274




Variance 169










0 500 1000 1500 2000 2500 3000 3500 40000

01

02

03

04

05

06

07

08

09

1

MNP

MAP


0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP



0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP


0

01

02

03

04

05

06

07

08

09

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP





1

09

08

07

06

05

04

03

02

01

0

10minus4

10minus3

10minus2

10minus1

100

True

pos

itive

rate

False positive rate

ROC

BMPMSVMBPDS + SBPA











6 Related Work






Average 8965 9467 9934









Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




0 500 1000 1500 2000 2500 3000 3500 40000

01

02

03

04

05

06

07

08

09

1

MNP

MAP


0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP



0

01

02

03

04

05

06

07

08

09

1

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP


0

01

02

03

04

05

06

07

08

09

0 500 1000 1500 2000 2500 3000 3500 4000

MNP

MAP





1

09

08

07

06

05

04

03

02

01

0

10minus4

10minus3

10minus2

10minus1

100

True

pos

itive

rate

False positive rate

ROC

BMPMSVMBPDS + SBPA











6 Related Work






Average 8965 9467 9934









Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




1

09

08

07

06

05

04

03

02

01

0

10minus4

10minus3

10minus2

10minus1

100

True

pos

itive

rate

False positive rate

ROC

BMPMSVMBPDS + SBPA











6 Related Work






Average 8965 9467 9934









Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in







Average 8965 9467 9934









Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in










Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in



Documents

Research Article Network Anomaly Detection System with ...downloads.hindawi.com/journals/tswj/2014/753659.pdf · Research Article Network Anomaly Detection System with Optimized DS