
Hindy, Hanan and Brosset, David and Bayne, Ethan and Seeam, Amar and Tachtatzis, Christos ... PDF

36 Pages·2017·1.39 MB·English

A Taxonomy and Survey of Intrusion Detection System Design Techniques, Network Threats and Datasets

HANAN HINDY, Division of Cyber Security, Abertay University, Scotland
DAVID BROSSET, Naval Academy Research Institute, France
ETHAN BAYNE, Division of Cyber Security, Abertay University, Scotland
AMAR SEEAM, Department of Computer Science, Middlesex University, Mauritius
CHRISTOS TACHTATZIS, EEE Department, University of Strathclyde, Scotland
ROBERT ATKINSON, EEE Department, University of Strathclyde, Scotland
XAVIER BELLEKENS, Division of Cyber Security, Abertay University, Scotland

arXiv:1806.03517v1 [cs.CR] 9 Jun 2018

With the world moving towards being increasingly dependent on computers and automation, one of the main challenges in the current decade has been to build secure applications, systems and networks. Alongside these challenges, the number of threats is rising exponentially due to the attack surface increasing through numerous interfaces offered for each service. To alleviate the impact of these threats, researchers have proposed numerous solutions; however, current tools often fail to adapt to ever-changing architectures, associated threats and 0-days. This manuscript aims to provide researchers with a taxonomy and survey of current dataset composition and current Intrusion Detection Systems (IDS) capabilities and assets. These taxonomies and surveys aim to improve both the efficiency of IDS and the creation of datasets to build the next generation IDS as well as to reflect networks threats more accurately in future datasets. To this end, this manuscript also provides a taxonomy and survey of network threats and associated tools. The manuscript highlights that current IDS only cover 25% of our threat taxonomy, while current datasets demonstrate clear lack of real-network threats and attack representation, but rather include a large number of deprecated threats, hence limiting the accuracy of current machine learning IDS. Moreover, the taxonomies are open-sourced to allow public contributions through a Github repository.
ACM Reference Format:
Hanan Hindy, David Brosset, Ethan Bayne, Amar Seeam, Christos Tachtatzis, Robert Atkinson, and Xavier Bellekens. 2018. A Taxonomy and Survey of Intrusion Detection System Design Techniques, Network Threats and Datasets. 1, 1 (June 2018), 35 pages. https://doi.org/10.1145/nnnnnnn.nnnnnnn

Authors' addresses: Hanan Hindy, Division of Cyber Security, Abertay University, Bell Street, Dundee, DD1 1HG, Scotland, [email protected]; David Brosset, Naval Academy Research Institute, Lanveoc, France; Ethan Bayne, Division of Cyber Security, Abertay University, Bell Street, Dundee, DD1 1HG, Scotland; Amar Seeam, Department of Computer Science, Middlesex University, Mauritius; Christos Tachtatzis, EEE Department, University of Strathclyde, Glasgow, Scotland; Robert Atkinson, EEE Department, University of Strathclyde, Glasgow, Scotland; Xavier Bellekens, Division of Cyber Security, Abertay University, Bell Street, Dundee, DD1 1HG, Scotland, [email protected].

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/[email protected].
© 2018 Association for Computing Machinery.
XXXX-XXXX/2018/6-ART $15.00
https://doi.org/10.1145/nnnnnnn.nnnnnnn

, Vol. 1, No. 1, Article . Publication date: June 2018.

1 INTRODUCTION

The world is becoming more dependent on connected actuators and sensors, regulating the life of millions of people. Furthermore, sensor data is expected to increase by around 13%, reaching 35% of overall data communication by 2020, reaching a peak of 50 billion connected devices and an increased Internet traffic reaching 30 GB on average per capita compared to around 10 GB in
2016 [17]. While each of these devices in IoT system exchange collected data, associated services often provide numerous interfaces to interact with the collected data, often increasing the attack surface, highlighting the importance of network security. Therefore, it is crucial to build robust tools to defend networks against security threats. Current detection tools are often based on outdated datasets which do not reflect the reality of network attacks, rendering the Intrusion Detection Systems (IDS) ineffective against new threats and 0-days. To the best knowledge of the authors, there is currently no survey and taxonomy manuscript analysing available datasets, nor providing a taxonomy of the current network threats and the tools associated with them. The contributions of this paper are threefold:

• An Intrusion detection systems survey and taxonomy is presented, including:
  – An IDS Design Taxonomy
  – IDS Evaluation Metrics
  – A survey of IDS Implementations
• Evaluation of available datasets
• A Threat taxonomy is presented, categorized by:
  – The Threat Sources
  – The Open Systems Interconnection (OSI) Layer
  – Active or Passive modes
  – As well as an example of recent attacks

The rest of the paper is organized as follows: Section 2 depicts the main differences between intrusion detection systems and their main evaluation metrics. In Section 3, IDS of the past decade are reviewed and their individual contributions are assessed. Moreover, available datasets are discussed highlighting their drawbacks and limitations. Section 4 provides a threat taxonomy.

2 INTRUSION DETECTION SYSTEMS

IDS are defined as systems built to monitor and analyse network communication, as a result of monitoring, and hence detect anomalies and intrusions.
Current IDS taxonomies focus on a single aspect of the IDS, such as the machine learning algorithms that researchers can potentially use [32][38], the characteristics of intrusion detection systems [20][6], or the features that should be used by researchers to design an IDS [91]. While these provide valuable information, these surveys do not provide a global overview dedicated to the design of next-generation IDS, but rather focus on a narrow field. In this section, a broad taxonomy dedicated to the design of intrusion detection systems is presented including the different features an IDS can be composed of.

Figure 1 provides a taxonomy of intrusion detection systems. Figure 1 (Branch 1) includes the general attributes characterizing IDS such as their role in the network, the information provided by the intrusion detection system, the system requirements, and their usage. Branch 2 describes the attributes related to the types of decisions, infrastructure in place, as well as their computational location. Branch 3 includes the evaluation metrics. Branch 4 provides a descriptive analysis of their location on the network. Branch 4 also includes an analysis of the triggers. Branch 5 places intrusion detection systems in the context of Mobile Ad hoc Networks (MANETS), and finally, Branch 6 highlights the shortcomings of IDS in the context of Wireless Sensor Networks (WSN) [13]. The different branches are subsequently described in Sections 2.1 through 2.4.

2.1 IDS Design Taxonomy

As mentioned, machine learning based IDS focuses on detecting misbehaviour in networks. When an intrusion is detected the IDS is expected to log the information related to the intrusion (1.1.1).
[Figure 1: taxonomy tree. Node labels recovered from the figure:]

1.1 Role: 1.1.1 Log Results; 1.1.2 Trigger Alerts; 1.1.3 Mitigation
1.2 Output Information: 1.2.1 Intruder Identification; 1.2.2 Intruder Location; 1.2.3 Intrusion Time; 1.2.4 Intrusion Layer; 1.2.5 Intrusion Activity; 1.2.6 Intrusion Type
1.3 Requirements: 1.3.1 Efficient detection; 1.3.2 Do not affect working users; 1.3.3 Low resources consumption; 1.3.4 Throughput; 1.3.5 Do not introduce new weaknesses
1.4 Usage: 1.4.1 Continuous; 1.4.2 Periodical
2.1 Decision Making: 2.1.1 Collaborative; 2.1.2 Independent
2.2 Infrastructure: 2.2.1 Flat; 2.2.2 Clustered
2.3 Computation Location: 2.3.1 Centralized; 2.3.2 Stand-alone; 2.3.3 Distributed and Cooperative; 2.3.4 Hierarchical
3 Evaluation Metrics: 3.1 Overall Accuracy; 3.2 Detection Rates; 3.3 Precision; 3.4 F1 score; 3.5 Mcc; 3.6 CPU Consumption (3.6.1 Time to build model; 3.6.2 Time to test model)
4.1 Location:
  4.1.1 Host-Based (+ve: Respond to long term attacks; -ve: Poor real-time response)
  4.1.2 Network-Based (+ve: Detect multiple host malicious activities; +ve: Respond in real time; -ve: if busy network, packet processing rate < incoming data rate)
  4.1.3 Hybrid
4.2 Triggered By:
  4.2.1 Signature-Based (+ve: High accuracy; -ve: Fail to detect new attacks)
  4.2.2 Anomaly-based (Training is a prerequisite; +ve: Detection of new intrusions; -ve: High false positive rate)
    4.2.2.1 Statistical: Univariate; Multivariate; Time series; Cumulative Sum
    4.2.2.2 Knowledge-based: Finite state machines; Rule based; n-grams; Expert Systems; Description Languages
    4.2.2.3 Machine Learning based: Adaptive Boosting; Ant Colony; Artificial Neural Network; Association Rules; Auto-Encoders; Bayesian; Convolutional Neural Network; Data Mining; Decision Tree; Fuzzy Logic; Genetic Algorithms; k-means; k-Nearest Neighbors; Markov Chains; Particle Swarm Optimization; Parzen; Principal Component Analysis; Recurrent Neural Network; Regression; Self-Organizing Map; Support Vector Machine
  4.2.3 Specification-Based
5 MANET: 5.1 Agent based distributed and collaborative; 5.2 Clustering (Hierarchical) based; 5.3 Statistical detection based; 5.4 Misuse detection based; 5.5 Reputation (trust) based; 5.6 Zone based; 5.6 Game theory based; 5.7 Genetic algorithm based
6 Why IDSs do not work with WSNs: 6.1 No Infrastructure; 6.2 Possible physical capture of nodes; 6.3 Misleading routing from compromised nodes; 6.4 Eavesdropping; 6.5 No trusted authority

Fig. 1. Intrusion Detection Systems

These logs can then be used by network forensic investigators to further analyse the breach or for the learning process of the IDS itself. IDS are also expected to trigger alerts (1.1.2). The alert should provide information on the threat detected, and the affected system. By raising an alert, authorized users can take corrective action and mitigate the threat. Intrusion Detection System should also include a mitigation feature, giving the ability of the system to take corrective actions (1.1.3) [13].

In order to build an efficient intrusion detection system, the output information provided by the IDS to the end user is critical for analysis. The information recorded should contain intruder identification information (1.2.1) and location (1.2.2) for each event. IP addresses and user credentials are used to identify the intruder. The system design should be modular to adapt to the environment, i.e. [66] propose to use biometric data to identify intruders. Additionally, log information can contain metadata related to the intrusion, such as timestamp (1.2.3), intrusion layer (i.e. OSI) (1.2.4), intrusion activity (1.2.5) whether the attack is active or passive and finally, the type of intrusion (1.2.6) [13].

In order for an IDS to be considered effective, the detection rate (1.3.1) and low false positive rate are key aspects to consider. These can be evaluated using different metrics discussed in section 2.3. Other important factors include the transparency and safety of the overall system (1.3.2).
The overall performance of the system has to be taken into account; this includes memory requirements, power consumption (1.3.3) and throughput (1.3.4). Lastly, the IDS should not introduce abnormal behavior (1.3.5), hence a testing procedure should be set in place before deployment. The procedure can include fuzzing to detect anomalies and bugs in the IDS. Such anomalies could be exploited by an attacker to render the IDS useless or initiate a denial of service attack [13].

2.2 Distributed IDS

IDS can be distributed over multiple nodes in the network. Intrusion decisions in this case can be made in a collaborative or swarm like (2.1.1) fashion, or independent (2.1.2) manner. In a collaborative manner, multiple nodes share a single decision. This collaboration can use statistical techniques such as voting and game theory, while in an independent mode, all decisions are made by individual nodes on the network.

Moreover, in this distributed manner, when all nodes are working with the same capacity, it is considered a flat (2.2.1) infrastructure, unlike a clustered infrastructure (2.2.2) where the nodes belong to clusters with different capabilities, each contributing to the decisions in a different manner. The computation location is another aspect of distributed IDS. The centralized computation location (2.3.1) works on data collected from the whole network. Unlike the centralized, the stand-alone computation location (2.3.2) works on local data, disregarding decisions from other nodes. A combination of both centralized and stand-alone can also be achieved through cooperative computation, such that each node can detect an intrusion on its own but also contributes to the overall decision. Finally, IDS can also operate in hierarchical computation (2.3.4), where a cluster sends all intrusion detection to root node, where a decision is taken [13].
2.3 IDS Accuracy

A high detection rate is essential in a machine learning based IDS alongside the evaluation metrics aforementioned. The main aspects to consider when measuring the accuracy are

• True Positive (TP): Number of intrusions correctly detected
• True Negative (TN): Number of non-intrusions correctly detected
• False Positive (FP): Number of non-intrusions incorrectly detected
• False Negative (FN): Number of intrusions incorrectly detected

Hodo et al. [38], Buse et al. [9] and Aminanto et al. [7] discuss the main metrics to consider in their respective work. These include the overall accuracy, decision rates, precision, recall, F1 and Mcc.

$$\text{Overall Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \tag{1}$$

Equation 1 provides the user with the probability that an item is correctly classified by the algorithm.

Detection Rates:

$$\begin{aligned}
\text{Sensitivity (aka Recall)} &= \frac{TP}{TP + FN} \\
\text{Specificity} &= \frac{TN}{TN + FP} \\
\text{Fallout} &= \frac{FP}{TN + FP} \\
\text{Miss Rate} &= \frac{FN}{TP + FN}
\end{aligned} \tag{2}$$

Equation 2 calculates the TP, TN, FP and FN detection rates respectively.

$$\text{Precision} = \frac{TP}{TP + FP} \tag{3}$$

Equation 3 provides the percentage of positively classified incidents that are truly positive.

$$F1 = \frac{2TP}{2TP + FP + FN} \tag{4}$$

Equation 4 represents the harmonic mean of precision and recall.

$$Mcc = \frac{(TP \times TN) - (FP \times FN)}{\sqrt{(TP + FP)(TP + FN)(TN + FP)(TN + FN)}} \tag{5}$$

Equation 5 provides Matthews correlation coefficient. It can only be used in binary IDS in which incidents are classified as either attack or normal.

Additionally, the CPU consumption, the throughput and the power consumption are important metrics for the evaluation of intrusion detection systems running on different hardware on specific settings such as high-speed networks, or on hardware with limited resources.

2.4 IDS Internals

The location of IDS on the network can tremendously impact the threat detection, hence the overall accuracy of the system.
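The Section 2.3 metrics (Equations 1 to 5) computed from labelled predictions, as an added example that is not code from the paper. The flow counts and both detectors are constructed for illustration, and a ratio with a zero denominator is returned as None instead of 0 so that an undefined metric is not mistaken for a bad score.

```python
from math import sqrt

ATTACK, NORMAL = "attack", "normal"


def confusion_counts(y_true, y_pred, positive=ATTACK):
    """Return (TP, TN, FP, FN) with `positive` as the intrusion class."""
    if len(y_true) != len(y_pred):
        raise ValueError("label and prediction lists differ in length")
    tp = tn = fp = fn = 0
    for truth, pred in zip(y_true, y_pred):
        if truth == positive:
            if pred == positive:
                tp += 1      # intrusion correctly detected
            else:
                fn += 1      # intrusion missed
        elif pred == positive:
            fp += 1          # normal traffic raised an alert
        else:
            tn += 1          # normal traffic left alone
    return tp, tn, fp, fn


def ratio(num, den):
    """num/den, or None when the denominator is zero (metric undefined)."""
    return num / den if den else None


def ids_metrics(tp, tn, fp, fn):
    """Equations 1 to 5 of Section 2.3 from the four confusion counts."""
    mcc_den = sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return {
        "accuracy": ratio(tp + tn, tp + tn + fp + fn),   # Eq. 1
        "recall": ratio(tp, tp + fn),                    # Eq. 2, sensitivity
        "specificity": ratio(tn, tn + fp),               # Eq. 2
        "fallout": ratio(fp, tn + fp),                   # Eq. 2
        "miss_rate": ratio(fn, tp + fn),                 # Eq. 2
        "precision": ratio(tp, tp + fp),                 # Eq. 3
        "f1": ratio(2 * tp, 2 * tp + fp + fn),           # Eq. 4
        "mcc": ratio(tp * tn - fp * fn, mcc_den),        # Eq. 5
    }


# Constructed sample: 1000 flows of which 20 are attacks (2 % attack traffic).
Y_TRUE = [ATTACK] * 20 + [NORMAL] * 980
# Detector that never alerts: every flow is predicted normal.
PRED_SILENT = [NORMAL] * 1000
# Detector that catches 15 of the 20 attacks and raises 30 false alarms.
PRED_NOISY = [ATTACK] * 15 + [NORMAL] * 5 + [ATTACK] * 30 + [NORMAL] * 950


def compare(detectors, y_true=Y_TRUE):
    """Map each detector name to its metric dictionary."""
    return {name: ids_metrics(*confusion_counts(y_true, pred))
            for name, pred in detectors.items()}


if __name__ == "__main__":
    results = compare({"silent": PRED_SILENT, "noisy": PRED_NOISY})
    for name, metrics in results.items():
        shown = ", ".join(
            f"{key}={'n/a' if val is None else format(val, '.3f')}"
            for key, val in metrics.items())
        print(f"{name}: {shown}")
```

On this sample the detector that never alerts has the higher overall accuracy, while its recall is zero and its precision and Mcc are undefined, which is why the detection rates are read alongside Equation 1.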
As shown in Figure 1 (4.1), IDS can be located on a host computer, or inline and respond in real time to threats (4.1.2). Note that the detection rate of an inline IDS often degrades when used on a busy network. A hybrid system (4.1.3) being distributed both on the hosts and through the network can also be implemented, using hosts as sensors for swarm intelligence.

The detection method is an important aspect of all intrusion detection systems (4.2). Signature-based (4.2.1) IDS are based on prior threat detection and the creation of accurate signatures. The main advantage of this method is the high accuracy for known attacks. The IDS is, however, unable to detect 0-days and polymorphic threats [12]. Signature-based is also known as 'Misuse Detection'. Anomaly-based (4.2.2) depends on identifying patterns and comparing them to normal traffic patterns. This method requires training the system prior to deploying it. The accuracy of such a system against 0-days and polymorphic threats is better when compared against signature-based IDS. However, the false positive rate is often high.

Anomaly-based IDS are based on identifying patterns defining normal and abnormal traffic. These IDS can be classified into subcategories based on the training method used. These categories are identified respectively as statistical, knowledge-based and machine learning based. Statistical (4.2.2.1) includes univariate, multivariate and time series. Knowledge-based (4.2.2.2) uses finite state machines and rules like case-based, n-based, expert systems and descriptor languages. Finally, machine learning includes artificial neural networks, clustering, genetic algorithms, deep learning, ... Specification-based (4.2.3) combines the strength of both signature and anomaly based to form a hybrid model.

2.5 Industrial IDS

Industrial Intrusion Detection Systems face different challenges than traditional IDS. The automation of processes included in industrial network architectures often makes use of specialized hardware for specific industries such as petrochemical, aerospace, etc. These hardwares use specific communication protocols such as ModBus, Profibus...
Table 1 summarizes how the industrial settings differ from traditional ones. Including the dependency on embedded systems, hardware - such as PLC, Data Logger, etc - are an important aspect of the network. Unlike traditional networks, PLCs are unable to run an integrated IDS due to limited processing power. Moreover, the network architecture is fixed and rarely changes, as industrial processes often cover a limited range of functions. These systems can be used for decades without updates. However, industrial processes have a predictable element, which should be taken into account when designing the IDS [106].

Table 1. Industrial Processes VS Traditional Processes

| | Industrial Processes | Traditional Processes |
| --- | --- | --- |
| Hardware Involvement | Yes | No |
| Network Topology | Fixed | Dynamic |
| Functionality | Fixed and Small range | Wide range |
| Protocols | Simple | Complex |
| Resources | Limited | Highly accessible |
| Performance and Availability | Requires real-time | Not dominant requirement |
| Behaviour | Predictable | Unpredictable |

2.6 Feature Selection

"Feature Learning" [7] or "Feature Engineering" [28] plays an important role in building any IDS in a way that chosen features highly affect the accuracy. Different features representations can be used to address different areas of threat detection. Some of them are considered naive when they contain basic information about the software or network. Others are considered rich when they represent deeper details [28].

Obtaining features can be done using one of the following processes or a combination of them.

• Construction
• Extraction
• Selection

Feature construction creates new features by mining existing ones by finding missing relations within features, while extraction works on raw data and/or features and applies mapping functions to extract new ones. Selection works on getting a significant subset of features. This helps reduce the feature space and reduce the computational power.

Feature selection can be done through three approaches, as shown in Table 2: filter, wrapper and embedded.

Table 2. Feature Selection Approaches

| Approach | Description | Advantages | Disadvantages |
| --- | --- | --- | --- |
| Filter [33] | Selects the most meaningful features regardless the model | Low Execution Time and over-fitting | May choose redundant variables |
| Wrapper [65] | Combine related variables to have subsets | Consider interactions | Over-fitting risk and High execution time |
| Embedded [35] | Investigate interaction in a deeper manner than Wrapper | Result in an optimal subset of variables | – |

In the following section a survey of recent IDS is presented.

3 IDS AND DATASETS SURVEY

In the past decade numerous IDS were developed and evaluated against a range of published available datasets. In this Section, these datasets are summarized, and their limitations highlighted. Furthermore, recent IDS are analysed discussing algorithms used and the datasets the IDS were evaluated against. Moreover, the trends in the algorithms used by research over the past decade are discussed, highlighting a clear shift in the use of specific algorithms.

3.1 IDS and Associated Datasets

Researchers depended on benchmark datasets to evaluate their results. However, the datasets currently available lack real-life properties. This is the reason that made most of the anomaly intrusion detection systems not applicable for production environments [92]; furthermore, they are unable to adapt to the constant changes in networks (i.e. new nodes, changing traffic loads, changing topology, etc...).

Viegas et al. [92] mentioned that for a dataset to be considered, it has to cover the following properties: (a) Real network traffic (similar to production ones), (b) Valid, such that it has complete scenarios, (c) Labeled, specifying the class of each record as normal or attack, (d) Variant, (e) Correct, (f) Can be updated easily, (g) Reproducible in order to give researchers the space to compare across different datasets, and finally (h) Sharable, hence it should not contain any confidential data. Additionally, Iman et al [75] mentions that (i) having variant protocols is an important aspect of IDS dataset, as well as (j) having an appropriate documentation for the feature and dataset collection environment.
A benchmark for dataset is presented in [75]. The benchmark include DARPA [49], KDD'99 [36], DEFCON [30], CAIDA [26], LBNL [50], CDX [73], Kyoto [81], Twente [82], UMASS [67], ISCX2012 [27] and ADFA [18]. While the evaluation includes the attacks in each dataset and the features are compared, the authors fail to provide a detailed analysis of the broader impact of their benchmark.

In this manuscript, a survey of machine learning IDS is provided, analyzing the associated datasets and their short-comings.

Table 3.1 introduces the most pre-eminent (i.e. most cited) IDS research from the past decade. Each IDS is mentioned with a list of the algorithms used and the datasets the IDS was evaluated against. Moreover, the attacks detected are also listed.

The algorithmic trends are then discussed alongside the attacks included in the datasets used.

Table 3. A Decade of Intrusion Detection Systems (2008-2018)

| Year | Authors | Paper Title | Dataset | Used Algorithms | Detected Attacks | Ref |
| --- | --- | --- | --- | --- | --- | --- |
| 2008 | Cheng Xiang et al. | Design of Multiple-Level Hybrid Classifier for Intrusion Detection System using Bayesian Clustering and Decision Trees | KDD-99 | Tree Classifiers; Bayesian Clustering | Probing; DoS; R2L; U2R | [99] |
| 2008 | Giorgio Giacinto et al. | Intrusion Detection in Computer Networks by a Modular Ensemble of One-class Classifiers | KDD-99 | Parzen Classifier; v-SVC; k-means | Probing; DoS; R2L; U2R | [29] |
| 2008 | Kaustav Das et al. | Anomaly Pattern Detection in Categorical Datasets | 1) PIERS 2) Emergency Department Dataset 3) KDD-99 | APD: Bayesian Network Likelihood; Conditional Anomaly Detection; WSARE | 1) Illegal activity in imported containers 2) Anthrax 3) DoS and R2L | [19] |
| 2008 | Weiming Hu et al. | AdaBoost-based Algorithm for Network Intrusion Detection | KDD-99 | AdaBoost | Probing; DoS; R2L; U2R | [41] |
| 2009 | Arman Tajbakhsh et al. | Intrusion Detection using Fuzzy Association Rules | KDD-99 | ABC; Fuzzy Association Rules | Probing; DoS; R2L; U2R | [87] |
| 2009 | D. Sánchez et al. | Association Rules Applied to Credit Card Fraud Detection | Collected transactions dataset | Fuzzy Association Rules | Credit Card Fraud | [71] |
| 2009 | Kamran Shafi and Hussein A. Abbass | An Adaptive Genetic-based Signature Learning System for Intrusion Detection | KDD-99 | Genetic-based | Probing; DoS; R2L; U2R | [74] |
| 2009 | Su-Yun Wu and Ester Yen | Data mining-based Intrusion Detectors | KDD-99 | C4.5 | Probing; DoS; R2L; U2R | [98] |
| 2009 | Tich Phuoc Tran et al. | Novel Intrusion Detection using Probabilistic Neural Network and Adaptive Boosting | KDD-99 | BSPNN using: Adaptive Boosting; Semi-parametric NN | Probing; DoS; R2L; U2R | [90] |
| 2009 | Xiaojun Tong et al. | A Research using Hybrid RBF/Elman Neural Networks for Intrusion Detection System Secure Model | 1999 DARPA | RBF; Elman NN | Probing; DoS; R2L; U2R | [88] |
| 2009 | Wei Lu and Hengjian Tong | Detecting Network Anomalies Using CUSUM and EM Clustering | 1999 DARPA | SNORT; Non-Parametric CUSUM; EM based Clustering | 13 Attack Types | [57] |
| 2010 | Gang Wang et al. | A New Approach to Intrusion Detection using Artificial Neural Networks and Fuzzy Clustering | KDD-99 | FC-ANN based on: ANN; Fuzzy Clustering | Probing; DoS; R2L; U2R | [94] |
| 2010 | Min Seok Mok et al. | Random Effects Logistic Regression Model for Anomaly Detection | KDD-99 | Logistic Regression | Probing; DoS; R2L; U2R | [60] |
