Network Security

cooperation during the period of publishing the volume. Our sincere thanks also go to Ms. Ana Pantar, Senior Commissioning Editor at IntechOpen, for having faith in us and delegating to us the critical responsibility of editing such a prestigious academic volume. We would surely be failing in our duty if we did not acknowledge the encouragement, motivation, and assistance that we received from graduate students of the School of Computing and Analytics of NSHM Knowledge Campus, Kolkata, India. While there are too many to name, the contributions of Abhishek Dutta, Manjari Mukherjee, Saikat Mondal, and Ashmita Paul stand out as being invaluable in ensuring this volume is as error-free as possible. Last but not least, we would like to thank all members of our respective families for being the major sources of our motivation, inspiration, and strength.

**Jaydip Sen**

Department of Computing and Analytics,

NSHM Knowledge Campus,

Kolkata, India

**Chapter 1**

Introductory Chapter: Machine Learning in Misuse and Anomaly Detection

*Jaydip Sen and Sidra Mehtab*

**1. Introduction**

Over the last 30 years, ubiquitous and networked computing has become increasingly important in our lives. As computer networks have grown more complex, cybersecurity threats have appeared in a variety of forms that was unimaginable even a decade ago. While rule-based intrusion detection systems (IDSs) can accurately detect already known attacks on a cyberinfrastructure, they are not capable of detecting novel, unknown, and polymorphic cyber threats. Moreover, the computational overheads, including CPU cycles and memory, are unacceptably high for most detection systems. Hence, it has been a constant challenge for security researchers to design automated, fast, and yet accurate IDSs for deployment in real-world cyberinfrastructures. From expert-crafted rules to sophisticated machine learning and deep learning algorithms, researchers have explored and attempted to push the boundary of detection accuracy while minimizing the false alarm rate.

Applications of machine learning and data mining algorithms in both signature (misuse) and anomaly detection systems have been widely proposed in the literature. In misuse detection systems, the following machine learning approaches are popular: (1) classification using association rules [1–3], (2) artificial neural networks [4], (3) support vector machines [5], (4) classification and regression trees [6, 7], (5) Bayesian network classifiers [8–10], and (6) the naïve Bayes method [11]. While signature detection systems require labeled training data in order to learn the features of attack and normal traffic, anomaly detection systems are based on identifying any significant change in the system from its normal state, and so can be trained on normal traffic alone. Various machine learning approaches to anomaly detection have been proposed in the literature, among them: (1) association rule mining [12–14], (2) fuzzy association rule mining [15], (3) artificial neural networks [16–18], (4) support vector machines [19, 20], (5) nearest neighbor [21], (6) hidden Markov models [22–24], (7) Kalman filters [25], (8) clustering [26], and (9) random forests [27, 28]. Other machine learning methods have been proposed for learning the probability distribution of the data and applying statistical tests to detect outliers [29–35].

The hybrid detection approach combines the adaptability and the powerful detection ability of an anomaly detection system with the higher accuracy and reliability of the misuse detection approach [28, 36–43]. The choice of misuse and anomaly detection systems for designing a hybrid detection system depends on the application in which the detection system is to be deployed. Following a combinational approach, the integration of an anomaly detection system with a misuse detection counterpart has been classified into four categories [28, 36]. These types
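The distinction drawn above between misuse detection (labeled attack knowledge, here expressed as signatures), anomaly detection (a model of the normal state learned from normal traffic only, here a z-score on bytes sent plus the set of ports seen), and a hybrid that falls back to the anomaly verdict when no signature fires, as an added illustration that is not code from this chapter or from any of the cited works. The flow record format, the two signatures, the training flows and the threshold of three standard deviations are all constructed assumptions; the hybrid shown is the simplest serial combination and is not one of the four categories of [28, 36], which the chapter goes on to describe.

```python
"""Misuse vs. anomaly vs. hybrid detection over constructed flow records.

Added example; record layout, signatures, sample data and thresholds are assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str          # source address (constructed)
    dst_port: int     # destination port
    bytes_out: int    # bytes sent by the internal host in this flow
    payload: str      # first bytes of the application payload (constructed)


# --- Misuse detection: requires prior knowledge of the attack, encoded as signatures.
SIGNATURES: Dict[str, Callable[[Flow], bool]] = {
    "path-traversal": lambda f: "../" in f.payload,
    "sqli-tautology": lambda f: "' or '1'='1" in f.payload.lower(),
}


def misuse_detect(flow: Flow) -> Optional[str]:
    """Return the name of the first matching signature, or None if no known attack matches."""
    for name, matches in SIGNATURES.items():
        if matches(flow):
            return name
    return None


# --- Anomaly detection: learns the normal state from unlabeled normal flows only.
class ZScoreAnomalyDetector:
    def __init__(self, threshold: float = 3.0):
        self.threshold = threshold   # z-score above which a flow is anomalous (assumed)
        self.mu = 0.0
        self.sigma = 1.0
        self.known_ports: set = set()

    def fit(self, normal: List[Flow]) -> "ZScoreAnomalyDetector":
        sizes = [f.bytes_out for f in normal]
        self.mu = mean(sizes)
        self.sigma = pstdev(sizes) or 1.0   # constant training data would otherwise divide by zero
        self.known_ports = {f.dst_port for f in normal}
        return self

    def score(self, flow: Flow) -> float:
        """Distance of this flow's size from the learned baseline, in standard deviations."""
        return abs(flow.bytes_out - self.mu) / self.sigma

    def is_anomalous(self, flow: Flow) -> bool:
        # Two deviations from the normal state: unusual volume, or a port never seen in training.
        return self.score(flow) > self.threshold or flow.dst_port not in self.known_ports


# --- Hybrid: the signature verdict is trusted first; anomaly detection covers what signatures cannot.
def hybrid_detect(flow: Flow, anomaly: ZScoreAnomalyDetector) -> Dict[str, object]:
    sig = misuse_detect(flow)
    if sig is not None:
        return {"alert": True, "source": "misuse", "detail": sig}
    if anomaly.is_anomalous(flow):
        return {"alert": True, "source": "anomaly",
                "detail": f"z={anomaly.score(flow):.1f}, port={flow.dst_port}"}
    return {"alert": False, "source": None, "detail": None}


def build_detector() -> ZScoreAnomalyDetector:
    """Fit the anomaly detector on constructed normal web traffic (mean 1100 bytes, ports 80/443)."""
    sizes = [900, 1000, 1100, 1200, 1300, 1000, 1100, 1200, 1000, 1200]
    ports = [443, 80, 443, 443, 80, 443, 80, 443, 443, 80]
    normal = [Flow("10.0.0.5", p, b, "GET /index.html") for p, b in zip(ports, sizes)]
    return ZScoreAnomalyDetector().fit(normal)


def run_demo() -> Dict[str, Dict[str, object]]:
    """Run the hybrid detector over constructed test flows and return the verdict per case."""
    det = build_detector()
    cases = {
        "known-traversal":     Flow("10.0.0.5", 80, 1200, "GET /../../etc/passwd"),   # known attack
        "exfiltration":        Flow("10.0.0.5", 443, 250000, "POST /upload"),         # unknown attack, huge volume
        "reverse-shell-port":  Flow("10.0.0.5", 4444, 1100, "id;uname -a"),           # unknown attack, new port
        "benign":              Flow("10.0.0.5", 443, 1300, "GET /index.html"),
        "benign-large-upload": Flow("10.0.0.5", 443, 5000, "POST /backup"),           # benign, but z ~ 33: false alarm
    }
    return {name: hybrid_detect(flow, det) for name, flow in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:22s} {verdict}")
```

The ordering in `hybrid_detect` is the trade-off the paragraph describes: a signature hit carries attack-specific context and a low false alarm rate, so it is reported first; the anomaly verdict is consulted only for flows no signature explains, which is where the two novel attacks are caught. The last case shows the cost side, a benign but unusually large upload that the anomaly detector reports as an attack, which is exactly the false alarm rate a hybrid design tries to contain.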
