Applying a Neural Network Ensemble to Intrusion Detection

Simone A. Ludwig 1
  • 1 Department of Computer Science, North Dakota State University, Fargo, ND


An intrusion detection system (IDS) is an important feature to employ in order to protect a system against network attacks. An IDS monitors the activity within a network of connected computers as to analyze the activity of intrusive patterns. In the event of an ‘attack’, the system has to respond appropriately. Different machine learning techniques have been applied in the past. These techniques fall either into the clustering or the classification category. In this paper, the classification method is used whereby a neural network ensemble method is employed to classify the different types of attacks. The neural network ensemble method consists of an autoencoder, a deep belief neural network, a deep neural network, and an extreme learning machine. The data used for the investigation is the NSL-KDD data set. In particular, the detection rate and false alarm rate among other measures (confusion matrix, classification accuracy, and AUC) of the implemented neural network ensemble are evaluated.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Cyber security,, last retrieved in 2018.

  • [2] W. Stallings, Network security essentials: applications and standards, 5th edition, Pearson, 2013.

  • [3] Top Free Network-Based Intrusion Detection Systems (IDS) for the Enterprise,, last retrieved in 2018.

  • [4] K. Scarfone and P. Mell, Guide to Intrusion Detection and Prevention Systems Recommendations (IDPS), National Institute of Standards and Technology, NIST Spec. Publ. 800-97, 2007.

  • [5] B. C. Rhodes, J. A. Mahaffey, J. D. Cannady, Multiple self-organizing maps for intrusion detection, 23rd national information systems security conference, 2000.

  • [6] P. O. Kane, S. Sezer, K. McLaughlin, Obfuscation: the hidden malware, IEEE Security & Privacy 9 (5), 41-47, 2011.

  • [7] G. Gu, P. Porras, V. Yegneswaran, M. Fong, W. Lee, Bothunter: Detecting malware infection through ids-driven dialog correlation, in: Proceedings of 16th USENIX Security Symposium, USENIX Association, 2007.

  • [8] G. Gu, R. Perdisci, J. Zhang, W. Lee, et al., Botminer: Clustering analysis of network trace for protocol-and structure-independent botnet detection., in: USENIX Security Symposium, pp. 139-154, 2008.

  • [9] G. Gu, J. Zhang, W. Lee, Botsniffer: Detecting botnet command and control channels in network trace, in: Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08), 2008.

  • [10] V. Julien, Suricata ids, Tech. rep., Open Information Security Foundation (OISF), available online:, last retrieved in 2018.

  • [11] M. Roesch, Snort: Lightweight intrusion detection for networks., in: LISA, pp. 229-238, 1999.

  • [12] V. Paxson, Bro: a system for detecting network intruders in real-time, Computer networks 31 (23), 2435-2463, 1999.

  • [13] D. M. Chess, S. R. White, Undetectable computer viruses, in: Virus Bulletin, pp. 107-115, 2000.

  • [14] R. Vaarandi, K. Podins, Network ids alert classifi-cation with frequent itemset mining and data clustering, in: Network and Service Management (CNSM), 2010 International Conference on, IEEE, pp. 451-456, 2010.

  • [15] M. Tavallaee, E. Bagheri, W. Lu, and A. Ghorbani, A Detailed Analysis of the KDD CUP 99 Data Set, IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA), 2009.

  • [16] S. A. Ludwig, Intrusion Detection of Multiple Attack Classes using a Deep Neural Net Ensemble, IEEE Symposium Series on Computational Intelligence (SSCI), Honolulu, HI, USA, October 2017.

  • [17] I. Chairunnisa, Lukas, and H. D. Widiputra. Clustering base intrusion detection for network profiling using k-means, ecm and k-nearest neighbor algorithms. In Konferensi Nasional Sistem dan Informatika, 2009.

  • [18] S. Zanero and S. M. Savaresi. Unsupervised learning techniques for an intrusion detection system. In SAC ’04: Proceedings of the 2004 ACM symposium on Applied computing, pages 412-419, New York, NY, USA, 2004.

  • [19] A. Ali, A. Saleh, and T. Ramdan. Multilayer perceptrons networks for an intelligent adaptive intrusion detection system. International Journal of Computer Science and Network Security, 10(2), 2010.

  • [20] N. Gornitz, M. Kloft, K. Rieck, and U. Brefeld. Active learning for network intrusion detection. In 2nd ACM workshop on security and artificial intelligence, pp. 47-54, 2009.

  • [21] M. Kloft, U. Brefeld, P. Dussel, C. Gehl, and P. Laskov. Automatic feature selection for anomaly detection. In AISEC 2008, pp. 71-76, 2008.

  • [22] R. Chitrakar and C. Huang, Selection of candidate support vectors in incremental SVM for network intrusion detection, Computers & Security, vol. 45, pp. 231-241, 2014.

  • [23] F. Giroire, J. Chandrashekar, G. Iannaccone, K. Papagiannaki, E. M. Schooler, and N. Taft. The cubicle vs. the coffee shop: Behavioral modes in enterprise end-users. In Proceedings of the 2008 Passive and Active Measurement Conference, pages 202-211, Springer, 2008.

  • [24] M. Pillai, J. Eloff, and H. Venter. An approach to implement a network intrusion detection system using genetic algorithms. In Proceedings of South African Institute of Computer Scientists and Information Technologists, pp. 221-228, Western Cape, South Africa, 2004.

  • [25] G. E. Hinton, S. Osindero, and Y.-W. Teh, A fast learning algorithm for deep belief nets, Neural computation, vol. 18, pp. 1527-1554, 2006.

  • [26] R. Salakhutdinov and G. E. Hinton, Deep boltzmann machines, International conference on artifi-cial intelligence and statistics, 2009.

  • [27] M. Z. Alom, V. Bontupalli and T. M. Taha, Intrusion detection using deep belief networks, 2015 National Aerospace and Electronics Conference (NAE-CON), Dayton, OH, 2015.

  • [28] K. Alrawashdeh and C. Purdy, Toward an Online Anomaly Intrusion Detection System Based on Deep Learning, 2016 15th IEEE International Conference on Machine Learning and Applications (ICMLA), Anaheim, CA, 2016.

  • [29] Y. Li, R. Ma, R. Jiao, A Hybrid Malicious Code Detection Method based on Deep Learning, International Journal of Security and Its Applications, vol. 9, no. 5, 2015.

  • [30] Y. Liu and X. Zhang, Intrusion Detection Based on IDBM, 2016 IEEE 14th Intl Conf on Dependable, Autonomic and Secure Computing, Auckland, 2016.

  • [31] S. Potluri and C. Diedrich, Accelerated deep neural networks for enhanced Intrusion Detection System, 2016 IEEE 21st International Conference on Emerging Technologies and Factory Automation (ETFA), Berlin, 2016.

  • [32] T. A. Tang, L. Mhamdi, D. McLernon, S. A. Raza Zaidi, M. Ghogho, Deep learning approach for Network Intrusion Detection in Software Defined Networking, 2016 International Conference on Wireless Networks and Mobile Communications (WIN-COM), Fez, Morocco, 2016.

  • [33] W. Lee, S. J. Stolfo, A framework for constructing features and models for intrusion detection systems, ACM Transactions on Information and System Security 3:227-261, 2000.

  • [34] B. V. Dasarathy and B. V. Sheela, Composite classifier system design: concepts and methodology, Proceedings of the IEEE, vol. 67, no. 5, pp. 708-713, 1979.

  • [35] L. K. Hansen and P. Salamon, Neural network ensembles, IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 12, no. 10, pp. 993-1001, 1990.

  • [36] R. E. Schapire, The Strength of Weak Learnability, Machine Learning, vol. 5, no. 2, pp. 197-227, 1990.

  • [37] A. Javaid, Q. Niyaz, W. Sun, and M. Alam, A Deep Learning Approach for Network Intrusion Detection System. In Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies, Brussels, Belgium, 2016.

  • [38] D. P. Kingma, J. Ba, Adam: A Method for Stochastic Optimization, Proceedings of the 3rd International Conference on Learning Representations (ICLR), 2014.

  • [39] G.-B. Huang, Q.-Y. Zhu, and C.-K. Siew, Extreme learning machine: theory and applications, Neurocomputing, vol. 70, no. 1-3, pp. 489-501, 2006.

  • [40] G.-B. Huang, L. Chen, and C.-K. Siew, Universal approximation using incremental constructive feed- forward networks with random hidden nodes, IEEE Transactions on Neural Networks, vol. 17, no. 4, pp. 879-892, 2006.

  • [41] A. Ozgur, H. Erdem, A review of KDD99 dataset usage in intrusion detection and machine learning between 2010 and 2015 (Version 1), PeerJ Preprints, 2016.

  • [42] DARPA Intrusion Detection Data Set, 1998.

  • [43] R. Sommer, V. Paxson, Outside the closed world: On using machine learning for network intrusion detection, Proceedings of the 2010 IEEE Symposium on Security and Privacy, IEEE Computer Society, Washington, DC, USA, 2010.

  • [44] N. V. Chawla, N. Japkowicz, A. Kotcz, Editorial: Special Issue on Learning from Imbalanced Data Sets, SIGKDD Explor. Newsl., vol. 6, no. 1, pp. 1-6, 2014.


Journal + Issues