Network-based anomaly intrusion detection using ant colony clustering model and genetic-fuzzy rule mining approach


Student thesis: Master's Thesis



  • Chi Ho TSANG



Award date: 15 Feb 2006


Provision of a secure computer network is crucial to the daily operation of electronic commerce, government and energy suppliers today. As intrusion attacks become more sophisticated and polymorphous, there is a growing demand for reliable and intelligent Intrusion Detection Systems (IDS). Unfortunately, conventional IDS that rely on known signatures of discovered vulnerabilities are unreliable at identifying novel attacks. Moreover, urgent intervention by security experts is required to define accurate signatures. To overcome this problem, anomaly-based intrusion detection built on pattern recognition techniques has attracted a wide range of interest over the last decade. Many supervised and unsupervised learning approaches have been proposed for intrusion detection. However, they commonly suffer from low detection accuracy for novel attacks and a high false alarm rate on normal network traffic. Because network traffic data containing intrusion attacks are noisy and high-dimensional, and have uncertain data distributions as well as imbalanced classes, both unsupervised data clustering and supervised classification approaches must address these challenging and critical issues in the intrusion detection domain. This research explores the application of novel unsupervised and supervised learning techniques to anomaly intrusion detection.

Regarding unsupervised learning, a bio-inspired and stochastic clustering model called the Ant Colony Clustering Model (ACCM) is proposed. The proposed model improves on existing ant-based clustering algorithms in heuristically searching for a near-optimal clustering, with a meta-heuristic that draws on the optimization principles of swarm intelligence. It aims to extract a compact clustering from complex network traffic data and to solve some of the problems encountered with partitional clustering algorithms, such as dependency on the number of clusters, degeneracy and getting stuck in locally optimal solutions. To further improve the clustering solution and alleviate the “curse of dimensionality” in network data, unsupervised feature extraction algorithms such as Principal Component Analysis (PCA) and Independent Component Analysis (ICA) are studied and evaluated. Experimental results on UCI real-world benchmark datasets and KDD-Cup99 IDS data demonstrate that ACCM can outperform other existing clustering algorithms by providing a robust clustering solution, and that its application together with an ICA algorithm is effective for intrusion detection.

Regarding supervised learning, a multi-objective genetic-fuzzy intrusion detection approach is proposed. Learning classification rules from network data is an effective method that can automate and simplify the manual development of intrusion signatures, and can predict novel attacks if generalized knowledge can be extracted from the data. We apply a genetic-fuzzy rule mining approach to extract both accurate and interpretable fuzzy IF-THEN rules from network data for classification. The fuzzy rule-based systems are evolved using an agent-based evolutionary computation framework and a multi-objective genetic algorithm. In addition, our approach acts as a genetic feature selection wrapper that searches for a near-optimal feature subset for dimensionality reduction. The proposed approach is compared with some well-known classifiers as well as feature selection filters and wrappers in terms of classification accuracy and feature selection performance. The empirical results on the KDD-Cup99 IDS data demonstrate that the proposed approach produces interpretable fuzzy systems for intrusion detection, and outperforms other classifiers and wrappers by providing robust classification results.

Research areas

  • Computer networks, Security measures