An Intrusion Detection and Prevention System based on Automatic Learning of Traffic Anomalies

The ever changing network traffic reveals new attack types, which represent a security threat that poses a serious risk for enterprise resources. Therefore, the security administrators are in a real need to employ efficient Intrusion Detection and Prevention Systems, IDPS. Such systems might be capable to learn from the network behavior. In this paper, we present an incremental Learnable Model for Anomaly Detection and Prevention of Zero-day attacks, LMAD/PZ. To facilitate the ability of learning from observations that can provide a reliable model for automatic prevention, a comparison has been carried out between supervised and unsupervised learning techniques. Thus, in LMAD/PZ, the intrusion detection step is integrated with an intrusion prevention plan. To ensure that the prevention plan is dependable and automatic, it must be backed and sustained with robust and accurate detection process. Therefore, two incremental data mining techniques are deeply investigated and implemented on NSL-KDD’99 intrusion dataset. The first technique is the Algorithm Quasi-optimal (AQ), which is a supervised Attributional Rules Learner, ARL, while the second is the Cobweb; an unsupervised hierarchical conceptual clustering algorithm. These algorithms categorize the network connections as either normal or anomalous. The performance of AQ is compared to Cobweb, and the best performance result is integrated with the prevention plan, to afford a fully automated system. The experimental results showed that, the model automatically adapts its knowledge base from continuous network streams, in addition to offering the advantage of detecting novel and zero day attacks. Many experiments have verified that AQ performance outperforms the Cobweb clustering, in terms of accuracy, detection rate and false alarm rate.