CiiT International Journal of Data Mining and Knowledge Engineering, Vol 5, No 9, September 2013 366

Implementation of Echo State Neural Network and Radial Basis Function Network for Intrusion Detection

Y. Kalpana, S. Purushothaman and R. Rajeswari

Abstract---Intrusion detection is the art of detecting computer abuse and any attempt to break into networks. As a field of research, it must continuously change and evolve to keep up with new types of attacks or adversaries and the ever-changing environment of the Internet. To make networks more secure, intrusion-detection systems (IDS) aim to recognize attacks. Artificial neural network (ANN) based IDS were implemented and tested. The goal for using ANNs for intrusion detection is to generalize from incomplete data and be able to classify data as being normal or intrusive. An ANN consists of a collection of processing elements that are highly interconnected. Given a set of inputs and a set of desired outputs, the transformation from input to output is determined by the weights associated with the inter-connections among processing elements. By modifying these interconnections, the network adapts to desired outputs. The ability of high tolerance for learning-by-example makes neural networks flexible and powerful in IDS. This paper has implemented Echo state neural network and Radial basis function applied to intrusion detection. The scope of the work includes using the available KDD database.

Keywords---Radial Basis Function (RBF) Networks, Echo State Neural Networks (ESNN), KDD Features, Intrusion Detection.

Manuscript received on September 26, 2013, review completed on October 05, 2013 and revised on October 09, 2013.
Y. Kalpana, Research Scholar, VELS University, Pallavaram, Chennai, India - 600117. E-Mail: [email protected]
Dr. S. Purushothaman, Professor, PET Engineering College, Vallioor, India - 627117. E-Mail: [email protected]
R. Rajeswari, Research Scholar, Mother Teresa Women’s University, Kodaikanal-624102, India. E-Mail: [email protected]
Digital Object Identifier: DMKE092013006.

I. INTRODUCTION

Intrusion detection [Theuns Verwoerd, Ray Hunt, 2002] is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions [Power, 2002]. Intrusions [Zenghui and Yingxu, 2009; Chan, et al, 2005] are attempts to compromise the confidentiality, integrity and availability of a computer or network or to bypass its security mechanisms. They are caused by attackers accessing a system from the Internet, by authorized users of the systems who attempt to gain additional privileges for which they are not authorized, and by authorized users who misuse the privileges given to them. The main benefits of IDS [Chobrolu, et al, 2005; Deepa, et al, 2013] include: (i) detecting attacks and other security violations, which have not been prevented by other primary protection techniques; (ii) preventing problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system; (iii) presenting traces of intrusions, allowing improved diagnosis, recovery and corrective measures after an attack; (iv) documenting the existing threat from inside and outside a system, permitting security management to realistically assess risk and adapt its security strategy in response, and (v) acting as quality control for security design and implementation (highlighting some deficiencies or errors, before serious incidents occur) [Verwoed and Hunt, 2002].

Categories of Attacks

A good taxonomy makes it possible to classify individual attacks into groups sharing common properties. One widely used taxonomy divides attacks into four classes: Probes, Denial of Service (DoS), User to Root (U2R) and Remote to Local (R2L).

Fig. 1 Categories of Attacks

Probe: Probe attacks are used to gather information about the targeted network or a specific machine on a network. Without network probes, an attacker would have a hard time finding the vulnerabilities present on his target. However, since probing or scanning abuses a perfectly legitimate feature used by network administrators to check on machines on a network, it is also difficult to differentiate attacks from regular actions. Many programs have been developed to scan a network. The most famous is “nmap” which is a powerful tool that can be used to look for active machines and active ports on a machine. This information is very valuable because knowing that the port 80 is active, for instance, means that a web server with potential vulnerabilities or misconfigurations runs on the machine. If port 80 is open, the attacker can also conclude that the machine serves its content unencrypted. “nmap” is not limited to finding the open ports, it is also possible to discover the type and version of the server or the type and version of the operating system. Other attacks such as “saint” and “satan” are specialized in discovering vulnerabilities in the targeted system. These scanning tools

0974-9683/CIIT–IJ-4685/08/$20/$100 © 2013 CiiT Published by the Coimbatore Institute of Information Technology



allow even unskilled attackers to find vulnerabilities automatically on a large number of machines. A typical attack scenario would involve a first phase where the attacker tries to scan the network that he intends to compromise. Table 1 shows different types of Probe with some properties for a particular type such as the service that the attack uses, the platforms vulnerable to this kind of Probe, the type of vulnerability (mechanism) that the attack takes advantage of, the time required to implement it and the effect caused by the attack.

TABLE 1
PROBE ATTACKS
Name | Service | Vulnerable platforms | Mechanism | Time to implement | Effect
Ipsweep | Icmp | All | Abuse of feature | Short | Find active machines
Mscan | Many | All | Abuse of feature | Short | Looks for known vulnerabilities
Nmap | Many | All | Abuse of feature | Short | Find active ports on a machine
Saint | Many | All | Abuse of feature | Short | Looks for known vulnerabilities
Satan | Many | All | Abuse of feature | Short | Looks for known vulnerabilities

TABLE 2
FEATURE SELECTED FOR PROBE LAYER
Feature number | Feature name
1 | duration
2 | Protocol type
3 | Service
4 | flag
5 | Src_bytes

User to Root (U2R): In a User to Root attack an attacker starts a session on a computer as a normal user with restricted rights and by exploiting some vulnerability on the software installed on the system, the user can elevate his privilege. The goal of this class of exploits is obviously to obtain administrator rights on the attacked computer in order to have full control of it. There are several types of U2R attacks. Buffer overflow is certainly the major vulnerability used by hackers when trying to obtain privileged rights on a computer. The goal of a buffer overflow attack is to corrupt a program running with high privileges (i.e. root) in order to take control of the program. If the program has root privilege, the attacker can immediately execute a command to obtain a root shell. In that case, the attacker has full control of the host computer which runs the vulnerable program. The attack is performed in two steps. In the first step, the hacker must find a way to have the appropriate code to launch a root shell in the memory of the program. To manage that, the attacker uses a buffer with non-existent or poorly performed boundary checking. The second step is to subvert the state of the program. The attacker must corrupt the stack pointer to make it point to his malicious code. Several options are possible but the most common is to overwrite a function return address to point to the first instruction of the code of the attacker. This attack is also called “stack smashing attack”. Other attacks such as “loadmodule” or “perl” take advantage of the way some programs sanitize their environment. Table 3 shows different types of U2R with some properties for a particular type such as the service that the attack uses, the platforms vulnerable to this kind of U2R, the type of vulnerability (mechanism) that the attack takes advantage of, the time required to implement it and the effect caused by the attack.

TABLE 3
USER TO ROOT ATTACKS
Name | Service | Vulnerable platforms | Mechanism | Time to implement | Effect
Eject | Any user session | Solaris | Buffer overflow | Medium | Root shell
Ffbconfig | Any user session | Solaris | Buffer overflow | Medium | Root shell
Fdformat | Any user session | Solaris | Buffer overflow | Medium | Root shell
Loadmodule | Any user session | SunOS | Poor environment sanitation | Short | Root shell
Perl | Any user session | Linux | Poor environment sanitation | Short | Root shell
Ps | Any user session | Solaris | Poor temp file management | Short | Root shell
Xterm | Any user session | Linux | Buffer overflow | Short | Root shell

TABLE 4
FEATURE SELECTED FOR U2R LAYER
Feature number | Feature name
10 | hot
13 | num_compromised
14 | root_shell
16 | num_root
17 | num_file-creation
18 | num_shell
19 | num_access_files
21 | is_host_login

Remote to Local (R2L): In a Remote to Local attack, the attacker starts from a session on a computer outside of the targeted network and exploits a vulnerability in order to gain access to a computer on the local network. A precondition that must be fulfilled is the ability for the attacker to send network




packets to the victim host. R2L attacks are combined with U2R attacks allowing the attacker to obtain full access of a remote machine which is part of a different network than the network of the attacker. Examples of remote to local attacks include “warezmaster” and “warezclient”. Those two attacks exploit weaknesses in the file transfer protocol (FTP). The first one grants any user with writing permission on the FTP server. An attacker could use this bug to create a hidden directory and upload illegal files on the server. The “warezclient” attack can be seen as the second step of the “warezmaster” attack since it involves a user downloading the uploaded files from the hidden directory created during the “warezmaster” attack. Other remote to local attacks called “imap”, “named” and “sendmail” exploit bugs in well-known protocols used on the Internet such as DNS and SMTP. Attacks exploiting misconfigurations in the system include “dictionary”, “ftp-write”, “guest” and “Xsnoop”. The main mitigation against remote to local attacks is to keep the system up-to-date. These updates will remove from the system the most common bugs that are exploited by R2L attacks. Table 5 shows different types of R2L with some properties for a particular type such as the service that the attack uses, the platforms vulnerable to this kind of R2L, the type of vulnerability (mechanism) that the attack takes advantage of, the time required to implement it and the effect caused by the attack.

TABLE 5
REMOTE TO LOCAL ATTACKS
Name | Service | Vulnerable platforms | Mechanism | Time to implement | Effect
Dictionary | telnet, rlogin, pop, imap, ftp | All | Abuse of feature | Medium | User-level access
Ftp-write | ftp | All | Misconfiguration | Short | User-level access
Guest | telnet, rlogin | All | Misconfiguration | Short | User-level access
Imap | imap | Linux | Bug | Short | Root shell
Named | dns | Linux | Bug | Short | Root shell
Phf | http | All | Bug | Short | Execute commands as user http
Sendmail | smtp | Linux | Bug | Short | Execute commands as root
Xlock | X | All | Misconfiguration | Medium | Spoof user to obtain password
Xsnoop | X | All | Misconfiguration | Short | Monitor keystrokes remotely

TABLE 6
FEATURE SELECTED FOR R2L LAYER
Feature number | Feature name
1 | duration
2 | Protocol_type
3 | Service
4 | flag
5 | Src_bytes
10 | hot
11 | Num_failed_logins
12 | Logged_in
13 | num_compromised
17 | num_file-creation
18 | num_shell
19 | num_access_files
21 | is_host_login
22 | is_guest-login

Denial of Service (DoS): In a denial of service attack, an attacker makes a resource on a network either unavailable to legitimate users or too busy or too full to process their queries. The resource can be network bandwidth, computer memory or computing power. There are many different types of DoS attacks [Kumar, 2010]. A man-in-the-middle (MITM) attack is a type of sniffing attack where the attacker stands in the middle of a communication between two hosts. The other major type of DoS focuses on resource exhaustion. The attacker sends a huge amount of queries in a short amount of time to the targeted victim. If the victim is a server, resource exhaustion occurs when the server receives more queries than it can process. In that case, legitimate users will not be able to access this resource during the time of the attack or even afterwards if the server crashes.

A DoS [Tao peng, et al, 2007] aiming at exhausting the resource of a machine on a network or an entire network is the “UDP Port DoS” attack, also called “UDP packet storm”. In a “UDP storm”, an attacker forges a packet with a spoofed source address of a host running an “echo” or “chargen” process and sends it to another host running a similar “echo” or “chargen” process. The receiving host replies with an echo packet to the spoofed source which also replies with another echo packet. A loop is created between the two hosts leading to resource exhaustion or at least, performance degradation. When targeted at a switch or router, the performance of the entire network can be affected. Another very popular variant of DoS that has been used extensively by hackers in the last decade is the distributed denial of service (DDoS). A “DDoS” is performed in two main steps. In the first step, an attacker, called master, gains control over a number of computers, called slaves or zombies, by exploiting unpatched vulnerabilities found in the target systems. Once the attacker has taken control of a sufficient number of slaves, the second step can start. The master orders all of the slaves to query a designated machine (usually servers) at the same time. The target is flooded with the simultaneous queries. After a short time, the memory of the server is exhausted making it unable to handle all of the queries including the ones from legitimate users. The service proposed by the server is denied. The mechanism used by DoS attacks can abuse a legitimate feature




of a network protocol. Some of these attacks are “mailbomb”, “neptune”, “smurf” attack and “ARP poisoning”. “teardrop” and “ping of death” exploit implementation bugs of the TCP/IP [Shevtekar et al, 2005] protocol. Finally, attacks such as “apache2”, “back” and “syslogd” target a specific program running on the victim host.

Mitigation methods of DoS [Ranjan et al, 2009] include disabling unnecessary services such as echo or unused UDP services, keeping the network devices up-to-date, monitoring the network for anomaly, use of proxy mechanisms, avoiding misconfiguration of the firewall and other software used on the network. Table 7 shows different types of DoS with some properties for a particular type such as the service that the attack uses, the platforms vulnerable to this kind of DoS, the type of vulnerability (mechanism) that the attack takes advantage of, the time required to implement it and the effect caused by the attack. This list of DoS attacks is by no means exhaustive but gives an overview of the variety found in this class of attacks.

TABLE 7
DENIAL OF SERVICE ATTACKS
Name | Service | Vulnerable platforms | Mechanism | Time to implement
Apache2 | http | Any Apache | Abuse | Short
Back | http | Any Apache | Abuse/Bug | Short
Land | N/A | Sun OS | Bug | Short
Mailbomb | smtp | All | Abuse | Short
SYN Flood (Neptune) | Any TCP | All | Abuse | Short
Ping of Death | icmp | None(*) | Bug | Short
Process Table | Any TCP | All | Abuse | Moderate
Smurf | icmp | All | Abuse | Moderate to long
Syslogd | syslog | Solaris | Bug | Short
Teardrop | N/A | Linux | Bug | Short
Udpstorm | echo/chargen | All | Abuse | Short
Arppoisoning | ARP | All | Abuse | Short

TABLE 8
FEATURE SELECTED FOR DOS LAYER
Feature number | Feature name
1 | duration
2 | Protocol_type
4 | flag
5 | Src_bytes
23 | Count
34 | dst_host_same_srv_rate
38 | dst_host_serror_rate
39 | dst_host_srv_serror_rate
40 | dst_host_rerror_rate

TABLE 9
FEATURE SELECTED FOR OTHER LAYER
Feature number | Feature name
1 | duration
2 | Protocol_type
3 | Service

Table 8 presents features for the DoS layer and Table 9 presents other types of features.

II. RELATED WORK ON IDS

Tao Peng et al, 2007 discusses different types of DoS attack and detection method. Detection method includes DoS attack specific detection, anomaly based detection.

Sapna Kaushik, et al, 2011, discusses four types of attack: DoS attack, probe attack, User to Root (U2R) attack, Remote to Local (R2L) attack that can be detected in an intrusion detection system. It is found that probe attack is detected when an attacker adds some data into the data field sent by the original sender, R2L attack is detected when connection duration exceeds a maximum threshold and DoS attack is detected when a packet does not reach the destination thus service to the destination is denied. Attacks can be detected in a number of ways in an IDS which depends on the organizational needs.

Hoai-Vu Nguyen, et al, 2010, proposed a kNN classifier method which detects the DoS attack by classifying the network status into normal, pre-attack and attack. This method has many advantages like easy implementation, short time computation and high accuracy of 91% which is necessary for early detection of DoS attacks.

Samaneh Rastegari, et al, 2009, proposes 3 neural network techniques: Back Propagation (BPA), Radial Basis Function (RBF), and Self Organizing Maps (SOM) to classify the DoS attacks. Back propagation neural network technique gives higher accuracy in detecting and classifying the DoS attacks than the other 2 techniques.

Kejie Lu, et al, 2007, proposes anti-DDoS technique which uses a machine learning algorithm to detect DDoS attack. The algorithm is based on temporal and spatial characteristic of data traffic, both incoming and outgoing traffic. The detection method has many advantages like ability to detect attacks having high and low data rate, robust against time-varying patterns and deployable in large scale networks.

Zenghui, et al, 2009, developed a framework for constructing the intrusion detection models which captures the actual behavior of intrusions and normal activities. Even though this model can detect the probe attacks and U2R attacks, it fails to detect the DoS attacks and R2L attacks. To improve the detection rate.

Lappas, et al, 2007, presented a new idea on data mining can support IDS’s by utilizing the bi-clustering tools.

III. MATERIALS AND METHODOLOGY

A. KDD99 Dataset Features

In the KDD'99 data [Kayacik, et al, 2005], the initial features extracted for a connection record include the basic




features [Sung and Mukkamala, 2004] of an individual TCP connection, such as: its duration, protocol type, number of bytes transferred and the flag indicating normal or error status of a connection. These intrinsic features provide information for general network-traffic analysis purposes. Since most DoS and Probe attacks involve sending a lot of connections to the host(s) at the same time, they can have frequent sequential patterns, which are different to the normal traffic. Temporal and statistical characteristics are referred to as time-based traffic features; there are several Probe attacks which use a much longer interval than 2-secs (e.g., one minute) when scanning hosts or ports; a mirror set of host-based traffic features were constructed based on a connection window of 100 connections. The R2L and U2R attacks are embedded in the data portions of the TCP packets and may involve only a single connection. In general, there are 41 features (including the attack type) in each connection record, with most of them taking on continuous values. Table 10 describes the features of the KDD99 [Beghdad, 2007] dataset.

TABLE 10
BASIC FEATURES OF INDIVIDUAL TCP CONNECTIONS
nr | Feature | Description | Type
01 | Duration | Duration of the connection | Continuous
02 | Protocol type | Connection protocol (e.g. tcp, udp) | Symbolic
03 | Service | Destination service (e.g. telnet, ftp) | Symbolic
04 | Flag | Status flag of the connection | Symbolic
05 | Source bytes | Bytes sent from source to destination | Continuous
06 | Destination bytes | Bytes sent from destination to source | Continuous
07 | land | 1 if connection is from/to the same host/port; 0 otherwise | Symbolic
08 | wrong fragment | Number of wrong fragments | Continuous
09 | urgent | Number of urgent packets | Continuous

TABLE 11
CONTENT FEATURES
nr | Feature | Description | Type
10 | hot | Number of “hot” indicators | Continuous
11 | Num_failed_logins | Number of failed logins | Continuous
12 | Logged_in | 1 if successfully logged in; 0 otherwise | Symbolic
13 | num_compromised | Number of “compromised” conditions | Continuous
14 | root_shell | 1 if root shell is obtained; 0 otherwise | Symbolic
15 | su_attempted | 1 if “su root” command attempted; 0 otherwise | Symbolic
16 | num_root | Number of root accesses | Continuous
17 | num_file-creation | Number of file creation operations | Continuous
18 | num_shell | Number of shell prompts | Continuous
19 | num_access_files | Number of operations on access control files | Continuous
20 | num-outbound-cmds | Number of outbound commands in an ftp session | Continuous
21 | is_host_login | 1 if the login belongs to the “hot” list; 0 otherwise | Symbolic
22 | is_guest-login | 1 if the login is a “guest” login; 0 otherwise | Symbolic

TABLE 12
TRAFFIC FEATURES
nr | Feature | Description | Type
23 | count | Number of connections to the same host as the current connection in the past two seconds | Continuous
24 | srv_count | Number of connections to the same service as the current connection in the past two seconds | Continuous
25 | serror_rate | % of connections that have SYN errors (same host connections) | Continuous
26 | srv_serror_rate | % of connections that have SYN errors (same service connections) | Continuous
27 | rerror_rate | % of connections that have REJ errors (same host connections) | Continuous
28 | srv_rerror_rate | % of connections that have REJ errors (same service connections) | Continuous
29 | same_srv_rate | % of connections to the same service | Continuous
30 | diff_srv_rate | % of connections to different services | Continuous
31 | srv_diff_host_rate | % of connections to different hosts | Continuous
32 | dst_host_count | Count of connections having the same destination host | Continuous
33 | dst_host_srv_count | Count of connections having the same destination host and using the same service | Continuous
34 | dst_host_same_srv_rate | % of connections having the same destination host and using the same service | Continuous
35 | dst_host_diff_srv_rate | % of different services on the current host | Continuous
36 | dst_host_same_src_port_rate | % of connections to the current host having the same port | Continuous
37 | dst_host_srv_diff_host_rate | % of connections to the same service coming from different hosts | Continuous
38 | dst_host_serror_rate | % of connections to the current host that have an S0 error | Continuous
39 | dst_host_srv_serror_rate | % of connections to the current host and specified service that have an S0 error | Continuous
40 | dst_host_rerror_rate | % of connections to the current host that have an RST error | Continuous
41 | dst_host_srv_rerror_rate | % of connections to the current host and specified service that have an RST error | Continuous

Experimental data were collected from the KDD database. The number of patterns available is huge with different types of intrusions. Neural network algorithms have been used to learn the patterns.




B. RBF

A Radial basis function (RBF) network is a special type of neural network [Botha and Solms, 2004] that uses a radial basis function as its activation function. A Radial Basis Function (RBF) neural network [Mum and Kim, 2006] has an input layer, a hidden layer and an output layer. The neurons in the hidden layer contain radial basis transfer functions whose outputs are inversely proportional to the distance from the center of the neuron. In RBF networks, the outputs of the input layer are determined by calculating the distance between the network inputs and hidden layer centers. The second layer is the linear hidden layer and outputs of this layer are weighted forms of the input layer outputs. Each neuron of the hidden layer has a parameter vector called center. The RBF [Dongli, et al, 2007, Gavrilis and Dermatas, 2005] is applied to the distance to compute the weight for each neuron. Centers are chosen randomly from the training set: weight = RBF(distance).

Training RBF
Step 1: Initialize number of inputs.
Step 2: Create centers = number of training patterns.
Step 3: Calculate RBF as exp(-X) where X = (patterns - centers).
Step 4: Calculate matrix as G = RBF and A = Gᵀ * G.
Step 5: Calculate B = A⁻¹ and E = B * Gᵀ.
Step 6: Calculate the final weight as F = (E * D) and store the final weights in a file.

Testing RBF
Step 1: Read packet information and convert into features.
Step 2: Calculate RBF as exp(-X) where X = (pattern - centers).
Step 3: Calculate matrix as G = RBF.
Step 4: Calculate final value = final weight * G.
Step 5: Classify the intrusion as an attack or normal.

C. Echo State Neural Network (ESNN)

ESNN possesses a highly interconnected and recurrent topology of nonlinear processing elements that constitutes a reservoir of rich dynamics and contains information about the history of input and output patterns [Lukosevicius and Jaeger, 2009; Jaeger, 2001]. The outputs of this internal processing element are fed to a memoryless but adaptive readout network [Gelenbe, 1993] that produces the network [Cunningham and Lippmann, 2000b] output. The interesting property of ESNN is that only the memoryless readout is trained, whereas the recurrent topology has fixed connection weights.

Algorithm for training ESNN
1. Build an untrained Recurrent Neural Network (Win, W, Wback) which has the echo state property:
   (a) Generate a random weight matrix W0.
   (b) Normalize matrix W0 to matrix W1 with spectral radius λ0max of W0: W1 = W0 / λ0max. W1 has unit spectral radius.
   (c) Scale matrix W1 to matrix W with α < 1: W = α·W1. W has a spectral radius of α.
   (d) Generate random weight matrices Win and Wback.
2. Sample the ESNN training dynamics:
   (a) Initialize arbitrarily the state of the units.
   (b) Present target values.
   (c) Collect remaining input and network states row-wise and form into a matrix M.
   (d) Collect simultaneously the remaining training pre-signals into a column vector T.
3. Compute the output weights:
   (a) Multiply the pseudo-inverse of M with T: (Wout) = M⁻¹ * T, whose ith column contains output weights from all network units to the ith output unit.
   (b) Transpose (Wout) to (Wout)ᵀ.
4. The ESNN is ready to be used with new input sequences u(n).

IV. RESULTS AND DISCUSSION

Implementation of Radial Basis Function Neural Network Algorithm

Fig. 2 Radial Basis Function Output for Intrusion Detection

Figure 2 shows the performance of the radial basis function in intrusion detection.

Implementation of Echo State Neural Network Algorithm

Fig. 3 Performance of Echo State Neural Network for Intrusion Detection

Figure 3 shows that the performance of ESNN in estimating the type of intrusion is closer to the target values.

The weight matrix between input layer and hidden layer, between hidden layer and output layer, and the reservoir matrix are initialized with normalized random values. The network training dynamics takes place by calculating the products of input pattern with weight matrix added with products of




desired output and weight matrix added with products of reservoir matrix with state vector. The total summed value is passed through tanh activation function which is treated as the next state. After presenting all the patterns, a state matrix is obtained for which pseudo inverse is found. The output of pseudo inverse is processed with target values.
V. CONCLUSION and Information Technologies, Vol.2, No.3, pp.982-986.
[23] Shevtekar A., Anantharam K., and Ansari N., 2005, Low-rate TCP
This paper presents combination of RBF with ESNN for denial-of-service attack detection at edge routers, IEEE Communications
identification of intrusion attack information in an intrusion Letters, Vol.9, pp.363-365.
[24] Sung A., and Mukkamala S., 2004, The feature selection and intrusion
detection. The RBF uses distance concept for learning the detection problems, Lecture Notes in Computer Science, 3321, pp.468-
intrusion detection attacks. ESNN uses reservoirs concept for 482.
learning the intrusion detection attacks. [25] Tao peng, Christopher leckie, and Kotagiri ramamohanarao, Survey of
Network-Based Defense Mechanisms Countering the DoS and DDoS
Problems, ACM Computing Surveys, Vol.39, No.1, Article 3, 2007.
REFERENCES [26] Theuns Verwoerd, Ray Hunt, 2002, Intrusion detection techniques and
[1] Beghdad R, 2007, Training all the KDD dataset to classify and detect approaches, Computer Communications, Vol.25, pp.1356-1365.
attacks in International Journal on Neural and Mass parallel computing [27] Verwoed T., and Hunt R., 2002, Intrusion detection techniques and
and Information Systems, Vol.17. approaches, Elsevier: computer communications, Vol.25, No.10,
[2] Botha M., Solms R., Utilizing Neural Networks For Effective Intrusion pp.1356-1365.
Detection, ISSA, 2004. [28] Zenghui L., Yingxu L., 2009, A Data Mining Framework for Building
[3] Chan, A., Ng W., Yeung D.S., and Tsang E., 2005, Multiple classifier Intrusion Detection Models Based on IPv6, Proceedings of the 3rd
system with feature grouping for intrusion detection: Mutual information International Conference and Workshops on Advances in Information
approach, Lecture Notes in Artificial Intelligence, 3683, pp.141-148. Security and Assurance. Seoul, Korea, Springer- Verlag.
[4] Chobrolu S., 2005A. Abraham, P. Johnson, feature deduction and
ensemble design of intrusion detection systems, Elsevier computers and Y. Kalpana has received her M.C.A and M.Phil.
security, Vol.24, pp.195-307. degrees from Bharathidasan university, India and
[5] Cunningham R., and Lippmann R., 2000b, Improving Intrusion currently pursuing her Ph.D degree in VELS University.
Detection performance using Keyword selection and Neural Networks, She has 15 years of Teaching experience. She has
Computer Networks, Vol.34, No.4, pp.597-603. presented 8 papers in National Conference and 1 paper
[6] Deepa V. Guleria, Chavan M.K., 2013, Intrusion Detection System in International conference. Her research interests
Based On Conditional Random Fields, International Journal of include Network security and Data Mining.
Engineering Research and Technology, Vol.2, Issue 5, pp.653-660.
[7] Dongli W., Yan Z, and Xiaoyang H., 2007, RBF neural network based
model predictive control for freeway traffic systems, International Dr.S. Purushothaman completed his PhD from Indian
Journal of Intelligent Systems Technologies and Applications, Vol.2, Institute of Technology Madras, India in 1995. He has
No.4, pp.370-388. 129 publications to his credit. He has 19 years of
[8] Gavrilis D., and Dermatas E., 2005, Real-time detection of distributed teaching experience. Presently he is working as
denial-of-service attacks using RBF networks and statistical features. Professor in PET college of Engineering, India
Computer Networks and ISDN Systems, Vol.48, pp.235-245.
[9] Gelenbe E., 1993, Learning in the recurrent random neural network,
Neural Computation, Vol.5, pp.154-164.
[10] Hoai-Vu Nguyen and Yongsun Choi, 2010, Proactive detection of DDoS
attacks utilizing k-NN classifier in an anti-DDoS framework, R. Rajeswari completed MSc Information Technology
International Journal of Electrical and Electronics Engineering, Vol.4, from Bharathidasan university, Tiruchirappalli and
Issue 4, pp.247. M.Phil Computer Science from Alagappa University,
[11] Jaeger H., The echo state approach to analyzing and training recurrent Karaikudi, Tamilnadu, India. She is currently pursuing
neural networks, German National Research Center for Information PhD in Mother Teresa Women’s University. Her area of
Technology, Tech. Rep.148, 2001. interest is Intelligent Computing.
[12] Kayacik H., Zincir-Haywood A., and. Haywood M., 2005, Selecting
features for intrusion detection: a feature relevance analysis on KDD99
intrusion detection datasets, Dalhousie University.
[13] KDD Cup 1999 Intrusion Detection Data,
http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html, 2010.
[14] Kejie Lu, Dapeng Wu, Jieyan Fan , Sinisa Todorovic, 2007, Antonio
Nucci, Robust and efficient detection of DDoS attacks for large scale
internet, Science Direct, Computer Networks, pp.5036-5056.
[15] Kumar S., 2010, Denial of Service Due to Direct and Indirect ARP
Storm Attacks in LAN Environment. Journal of Information Security 01,
Vol.2, pp.88–80.
[16] Lappas T., 2007, Data Mining Techniques for (Network) Intrusion
Detection System.
[17] Lukosevicius M., and Jaeger H., Reservoir computing approaches to
recurrent neural network training, Computer Science Review, pp.127–
149. 2009.
[18] Mum G., and Kim Y., 2006, network intrusion detection using statistical
probability distribution, information systems and information
technology, Vol.3984, pp.340-348.
[19] Power R., 2002, CSI/FBI computer crime and security survey, Computer
Security Journal, Vol.XVIII, No.2, pp.7-30.
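The ESNN training procedure described in Section IV above, written out as an added worked example in Python with NumPy (this is not the paper's code): a random reservoir W0 is normalized to unit spectral radius and scaled to α, random Win and Wback are drawn, the state is updated with tanh of the input term, the recurrent term and the fed-back desired output, and only the readout is trained from the pseudo inverse of the collected state matrix. The two-feature records and their labelling rule, the reservoir size of 50 units and α = 0.9 are constructed assumptions standing in for the KDD features the paper uses, and concatenating the raw input to the reservoir state before the readout is a common ESN choice the paper does not state.

```python
# Added worked example (not the paper's code): echo state network training
# following the steps in the text: fixed random reservoir with spectral radius
# alpha, tanh state update with teacher-forced output feedback, and a readout
# trained by the pseudoinverse of the collected state matrix.
import numpy as np


def make_records(n=400, seed=1):
    """Constructed stand-in for KDD records: two scaled features per record,
    label 1.0 ("intrusive") when their sum exceeds 1, else 0.0 ("normal")."""
    rng = np.random.default_rng(seed)
    u = rng.uniform(0.0, 1.0, (n, 2))
    y = (u.sum(axis=1) > 1.0).astype(float).reshape(n, 1)
    return u, y


def spectral_radius(m):
    """Largest absolute eigenvalue of a square matrix (lambda_max in the text)."""
    return float(np.max(np.abs(np.linalg.eigvals(m))))


def build_reservoir(n_in, n_res, n_out, alpha=0.9, seed=0):
    """Steps (a)-(d): untrained recurrent network (Win, W, Wback) with the
    echo state property, i.e. reservoir W scaled to spectral radius alpha < 1."""
    rng = np.random.default_rng(seed)
    w0 = rng.uniform(-1.0, 1.0, (n_res, n_res))        # (a) random W0
    w1 = w0 / spectral_radius(w0)                       # (b) W1 = W0 / lambda_max
    w = alpha * w1                                      # (c) W = alpha * W1
    w_in = rng.uniform(-1.0, 1.0, (n_res, n_in))        # (d) random Win
    w_back = rng.uniform(-1.0, 1.0, (n_res, n_out))     #     and Wback
    return w_in, w, w_back


def collect_states(w_in, w, w_back, u, y):
    """Drive the reservoir through all patterns with teacher forcing:
    x_t = tanh(Win u_t + W x_{t-1} + Wback y_{t-1}). Each row of the returned
    state matrix is [u_t, x_t] so the readout also sees the raw input."""
    x = np.zeros(w.shape[0])
    y_prev = np.zeros(w_back.shape[1])
    rows = []
    for u_t, y_t in zip(u, y):
        x = np.tanh(w_in @ u_t + w @ x + w_back @ y_prev)
        rows.append(np.concatenate([u_t, x]))
        y_prev = y_t
    return np.array(rows)


def train_readout(states, y):
    """Only the readout is trained: Wout = pinv(S) @ Y (least squares)."""
    return np.linalg.pinv(states) @ y


def train_esnn(u, y, n_res=50, alpha=0.9, seed=0):
    """Full procedure: build reservoir, collect states, fit the readout."""
    w_in, w, w_back = build_reservoir(u.shape[1], n_res, y.shape[1], alpha, seed)
    states = collect_states(w_in, w, w_back, u, y)
    return {"w_in": w_in, "w": w, "w_back": w_back,
            "w_out": train_readout(states, y)}


def training_accuracy(model, u, y):
    """Fraction of training records whose thresholded readout matches the label."""
    states = collect_states(model["w_in"], model["w"], model["w_back"], u, y)
    pred = (states @ model["w_out"] > 0.5).astype(float)
    return float(np.mean(pred == y))


def classify(model, u):
    """Free-running use on unseen records: the network feeds back its own
    thresholded output instead of the desired output."""
    x = np.zeros(model["w"].shape[0])
    y_prev = np.zeros(model["w_back"].shape[1])
    preds = []
    for u_t in u:
        x = np.tanh(model["w_in"] @ u_t + model["w"] @ x + model["w_back"] @ y_prev)
        y_prev = (np.concatenate([u_t, x]) @ model["w_out"] > 0.5).astype(float)
        preds.append(y_prev)
    return np.array(preds)


if __name__ == "__main__":
    u, y = make_records()
    model = train_esnn(u, y)
    print("spectral radius of W:", round(spectral_radius(model["w"]), 4))
    print("training accuracy:", training_accuracy(model, u, y))
```

Running the block prints the spectral radius of W (0.9, confirming the echo state scaling of step (c)) and the accuracy of the trained readout on the constructed records. classify() shows the free-running mode in which the network's own thresholded output replaces the desired output in the Wback feedback term, which is how the trained network would be applied to records whose label is unknown.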
