FOCUS
Exploiting timed automata based fuzzy controllers for designing adaptive intrusion detection systems
Giovanni Acampora
Published online: 6 November 2011
© Springer-Verlag 2011
Abstract Network intrusion detection systems (NIDSs)
are pattern recognition problems that classify network
traffic patterns as either ‘normal’ or ‘abnormal’. Precisely,
the main aim of intrusion detection is to identify unau-
thorized use, misuse, and abuse of computers by detecting
malicious network activities such as port scans, denial of
service or other attempts to crack computer network
environments. Even though the incorporation of conventional
Soft Computing techniques in NIDSs has yielded
good solutions, the strong dynamism characterizing network
intrusion patterns tends to invalidate the usability of
existing frameworks. To tackle this issue, our proposal
performs an adaptive supervised learning on a collection of
time series that characterizes the network behavior to
create a so-called timed automata-based fuzzy controller
(TAFC), i.e. an evolvable fuzzy controller whose dynamic
features allow to design an advanced network intrusion
detection system able to directly deal with computer net-
work dynamism and support networks’ administrators to
prevent eventual damages coming from unauthorized net-
work intrusion. As will be shown in experiments, where
our approach has been compared with a conventional
Mamdani fuzzy controller, the proposed system reduces the
detection error and, as consequence, improves the com-
puter network robustness.
Keywords Fuzzy Markup Language · Fuzzy Systems · System Dynamics · Network intrusion detection systems
1 Introduction
Computer networks are playing an increasingly funda-
mental role in contemporary society and, consequently,
they have become potential targets for a novel kind of
malefactors known as cyberspace criminals. As a consequence,
computer networks’ administrators try to face the
cyberspace fight by proposing innovative countermeasures
to minimize possible damages related to a detected network
intrusion. A network intrusion is defined as “any set of
actions that attempt to compromise the integrity, confidentiality
or availability of a resource” (Scarfone and Mell
2007). Intrusion prevention techniques could help administrators
to completely avoid unauthorized use of computers
composing a network. Some samples of these
techniques are user authentication, avoiding programming
errors and information protection. However, though the
above-said techniques could support users for protecting
their privacy from external penetrators, they are not suffi-
cient because as systems become ever more complex, there
are always vulnerabilities due to design and programming
errors (Lee and Stolfo 1998). Consequently, network
intrusion detection systems (NIDSs) become necessary for
monitoring the events occurring in a network and analyzing
them for recognizing and stopping potential violations.
In recent years, several Soft Computing approaches,
including neural networks (Mukkamala et al. 2003), linear
genetic programming (LGP) (Mukkamala et al. 2004),
support vector machines (SVM) (Hu and Heywood 2003),
Bayesian networks (Bulatovic and Velasevic 1999) and
fuzzy inference systems (FISs) (Shah et al. 2004; Botha
and Solms 2003), have been developed and applied to
the design of NIDSs. However, in spite of their wide
applicability, these approaches suffer from lack of the
management of the temporal concept which strongly
G. Acampora (&)
Department of Computer Sciences, University of Salerno,
84084 Fisciano, Salerno, Italy
Soft Comput (2012) 16:1183–1196
DOI 10.1007/s00500-011-0791-3
characterizes the so-called network context, i.e., the col-
lection of the features which model the dynamic behavior
of a computer network (e.g., the number of packets, the
number of individuals using the network, type of services
enabled in the network, etc.).
To overcome the aforementioned drawback, our work
proposes an innovative intrusion detection system based on
an adaptive supervised learning method capable of mining
a so-called timed automata-based fuzzy controller (TAFC),
i.e., an evolvable fuzzy controller whose dynamic charac-
teristics allow to improve network intrusion detection by
directly managing the computer network dynamism. The
proposed supervised learning approach extends the well-known
algorithm of Tzung-Pei Hong and Chai-Ying Lee
(Hong and Lee 1996) and generates a TAFC-based detection
system by analyzing a collection of time series which
depicts the computer network behavior.
As will be shown in experiments, where our approach has
been compared with a conventional Mamdani fuzzy con-
troller, the proposed system reduces the detection error and,
as consequence, improves the computer network robustness.
The paper is structured as follows: Sect. 2 presents some
existing techniques and their limitations. Sect. 3 gives a
more detailed description of intrusion detection systems.
Sects. 4 to 5.2 provide a detailed discussion of our detection
model. Then, Sect. 6 describes the supervised learning
approach, which aims to mine the most suitable TAFC starting
from a sequence of data instances. Finally, Sect. 7 presents
the case study and the experimental results that display the
advantages achieved by exploiting our detection model.
2 Related work
In the past 20 years, a lot of techniques have been devel-
oped to solve the network intrusion problem. Several par-
adigms including statistical models (Javitz et al. 1986;
Anderson et al. 1995; Wang and Stolfo 2004), neural net-
works (Mukkamala et al. 2003; Kayacik et al. 2003; Lei
and Ghorbani 1901), linear genetic programming (LGP)
(Mukkamala et al. 2004), support vector machines (SVM)
(Hu and Heywood 2003), Bayesian networks (Bulatovic
and Velasevic 1999), fuzzy inference systems (FISs) (Shah
et al. 2004; Botha and Solms 2003) and clustering
approaches (Lee et al. 1998), have been applied to the
design of IDSs.
In general, the statistic-based systems proceed in this
way: during the so-called training phase, they build a
statistical model of the attack-free network behavior, then,
in the detection phase, the input data are compared with the
model using a distance function, and when the distance
measured exceeds a given threshold, the input is considered
anomalous, i.e., it is considered an attack. Also neural
networks work in a similar way, but instead of building a
statistical model, they train a neural network which is then
in charge of recognizing regular traffic from anomalous
one (Bolzoni and Etalle 2008). An example is presented in
Vokorokos et al. (2006), where an intrusion detection
system based on neural network self organizing map
(SOM) is described. Among data mining frameworks,
instead, the known project audit data analysis and mining
(ADAM) (Barbara et al. 2001) can be reported. ADAM
uses data mining to build a customizable profile of rules of
normal behavior, and a classifier that sifts the suspicious
activities, classifying them into real attacks (by name) and
false alarms.
With regard to fuzzy logic, several pure and hybrid
approaches have been applied to design NIDSs. In partic-
ular, in Mohajerani et al. (2003), the authors developed the
neuro-fuzzy intrusion detection system (NFIDS) that uses
fuzzy logic to detect if malicious activity is taking place on
a network and neural network to learn fuzzy rules. Wang
and Bridges (2000) applied genetic algorithms to tune the
membership functions of the fuzzy variables used to mine
the fuzzy association rules to improve the performance of
the intrusion detection system. Finally, Dickerson and
Dickerson (2000) present a system called fuzzy intrusion
recognition engine (FIRE), i.e., an anomaly-based intrusion
detection system that uses fuzzy logic to assess whether
malicious activity is taking place on a network. It uses
simple data mining techniques to process the network input
data and help expose metrics that are particularly signifi-
cant to anomaly detection. These metrics are then evalu-
ated as fuzzy sets. FIRE uses a fuzzy analysis engine to
evaluate the fuzzy inputs and produce alerts for the security
administrator that are true to a degree.
Although the aforementioned approaches provide
several remarkable benefits, they may suffer from a design
weakness: they implement decision making systems based
on a static view of a computer network without considering
temporal aspects that strongly modify the network context
and, as a consequence, the network behavior. For this
reason, these systems could mistakenly perform intrusion
detection, i.e., provide false positives or misidentify existing
attacks.
In contrast, our proposal implements a supervised
learning algorithm that analyzes a collection of time series
modeling a computer network behavior and computes an
evolvable fuzzy system able to identify attacks and intru-
sions more accurately than previous fuzzy control
proposals.
3 Intrusion detection systems
An intrusion detection system is a framework that tries to
identify, preferably in real-time, unauthorized use, misuse
and abuse of computer systems by both system insiders and
external penetrators (Mukherjee et al. 1994). IDSs can be
classified as network-based or host-based by considering
source of data. More in detail, a network-based IDS col-
lects data from the monitored network as raw network
packets, instead, a host-based IDS operates on information
collected from within an individual computer system such
as operating system audit trails, C2 audit logs, and system
logs (Byuhghae-Cha and Jaiyttyun 2005).
In general, intrusion detection systems (IDSs) are based
on the beliefs that an intruder’s behavior will be noticeably
different from that of a legitimate user and that many
unauthorized actions are detectable (Mukherjee et al.
1994). Precisely, an intrusion can be defined as a deliberate
unauthorized attempt to access or manipulate information
or render a system unreliable or unusable (Anderson et al.
1995). It is possible to consider six types of intrusions
(Smaha 1988):
• Attempted break-ins, which are detected by atypical
behavior profiles or violations of security constraints;
• Masquerade attacks, which are detected by atypical
behavior profiles or violations of security constraints;
• Penetration of the security control system, which are
detected by monitoring for specific patterns of activity;
• Leakage, which is detected by atypical use of system
resources;
• Denial of service, which is detected by atypical use of
system resources;
• Malicious use, which is detected by atypical behavior
profiles, violations of security constraints, or use of
special privileges.
To test the behavior of our proposal of intrusion detec-
tion system, the denial of service (DoS) intrusion will be
considered. DoS is a particular kind of computer intrusion
that attempts to make a computer resource unavailable to
its authorized users. The intents of DoS attacks can differ:
consuming the bandwidth of an entire network, preventing
service use of a single targeted host or crashing of a single
service on the target machine. Typically, this attack is
achieved by saturating the target machine with a lot of
external communications requests such as ICMP Echo
Requests, such that it cannot accomplish its tasks. Since
there are many different ways through which it is possible
to consume system resources, DoS attacks are extremely
difficult to defend against.
From a structural point of view, a typical IDS consists of
three functional components (Bace 2000): an information
source, an analysis engine and a decision maker. The
information source provides a stream of event records. The
analysis engine finds signs of intrusions by analyzing data
from the information source and generates a suitable decision
maker that exploits a collection of rules to detect
possible intrusions. Our approach uses a collection of time
series as information source, a supervised learning
approach as analysis engine and a timed automata fuzzy
controller as decision maker.
4 Timed fuzzy control: a new vision in fuzzy system
modeling
This section introduces the Timed Fuzzy Control, a new
theoretical vision for system modeling that attempts to
improve Fuzzy Control by introducing some additional
temporal concepts that allow standard fuzzy controllers to
evolve and adapt themselves to dynamic changes in systems.
Starting from this novel vision, the TAFCs will be intro-
duced and defined using a methodology from the Language
Theory, the timed automata.
4.1 Timed fuzzy controllers
Fuzzy control (Takagi and Sugeno 1985; Mamdani 1974) is
one of the most active and fruitful research areas in the
application of the fuzzy set theory. Basically, fuzzy logic
provides an effective method of capturing and managing
the approximate, inexact nature of the real world. From this
point of view, the essential component of a fuzzy logic
controller (FLC) is a set of linguistic rules related to the
dual concepts of fuzzy implications and the compositional
rule of inference. In other words, fuzzy control can be
considered as an algorithm which can convert the linguistic
control strategy based on expert knowledge into an auto-
matic control strategy. In general, the high-level structure
of a FLC is shown in Fig. 1.
Fig. 1 A standard fuzzy logic controller
This methodology appears very useful when the pro-
cesses are too complex for analysis by conventional
quantitative techniques or when the available sources of
information are interpreted qualitatively, inexactly, or
uncertainly. Thus, fuzzy control methodology may be
viewed as a right tradeoff between conventional precise
mathematical control and human-like decision making
(Gupta and Tsukamoto 1980). However, in spite of its
desirable features, fuzzy control techniques do not enable
the modeling of systems characterized by a discontinuous
nonlinear behavior, i.e., systems able to dynamically
change their functionalities by taking into account
temporal or other kinds of events. As mentioned, this kind
of behavior strongly characterizes also network systems.
For this reason, a new kind of fuzzy inference engine is
necessary and is introduced in the following.
Timed fuzzy controllers make it possible to model network
system dynamism by extending standard fuzzy controllers
through three additional concepts: control configuration,
control era and control time. The proposed engine exploits the
control time as a clock moving the system through several
control eras, each one characterized by a specific control
configuration. More in detail, a control era can be defined
as the longest interval time in which the system does not
change its control configuration that is characterized by (1)
the number and typology of fuzzy variables and (2) the
number and structure of relationships among variables. In
other words, our proposal defines a systems’ modeling
method that, at each instant, considers the most appropriate
fuzzy controller that maps the system’s behavior in a better
way.
To formally define timed fuzzy control, a function-based
definition of a standard fuzzy controller (Mamdani or TSK)
is given.
Definition 1 (fuzzy logic controller) A fuzzy logic controller,
with n inputs and m outputs, can be considered as a
function mapping a vector $x \in \mathbb{R}^n$ to an output vector
$y \in \mathbb{R}^m$. In other words:
$$c : \mathbb{R}^n \to \mathbb{R}^m$$
where the behavior of c is dictated by classic fuzzy inference
operators.
Starting from previous definition, a timed fuzzy con-
troller on k control eras can be formally introduced.
Definition 2 Let $C = \bigcup_{n \in \mathbb{N}} \bigcup_{m \in \mathbb{N}} \{c : \mathbb{R}^n \to \mathbb{R}^m\}$ be the
collection of all possible fuzzy controllers and let
$$E = \{\, e_i = [t'_i, t''_i[ \;\mid\; i = 1 \ldots k,\ k \in \mathbb{N};\ t'_i, t''_i \in \mathbb{R}^+ \text{ with } t'_1 = 0,\ t''_i = t'_{i+1} \text{ and } t'_i < t'_{i+1} \,\}$$
be the set of k disjointed control eras, where the ith control
era, known as $e_i$, starts at $t'_i$ and ends at $t''_i$. Once defined C
and E, let $f : E \to C$ be the function that maps each control
era to the corresponding control configuration and let
$g : \mathbb{R}^+ \to E$ be a function which associates a time instant $t_j$
with the corresponding control era. Then, a timed fuzzy
control is a function composition $u = f \circ g : \mathbb{R}^+ \to C$ that
maps a time instant $t_j \in \mathbb{R}^+$ belonging to the ith control era
to a fuzzy controller $f_i \in C$ representing the associated
control configuration.
Observation 1 If two instants $t_j$ and $t_{j+1}$, with $t_j < t_{j+1}$,
belong to the same ith control era, the function u returns
the same function $f_i$:
$$u(t_j) = f(g(t_j)) = f_i = f(g(t_{j+1})) = u(t_{j+1}) \quad \text{if } t'_i \le t_j < t_{j+1} < t''_i$$
Observation 2 Each fuzzy controller c is a timed fuzzy
controller $u_c$ on 1 control era with following parameters:
$$E = \{[0, t''_1],\ t''_1 > 0\}$$
$$C = \{c\}$$
$$f([0, t''_1]) = c$$
$$g(t) = [0, t''_1] \quad \forall\, t \in \mathbb{R}^+$$
$$u_c = f(g(t)) = c \quad \forall\, t \in \mathbb{R}^+$$
Hereafter, the paper is devoted to presenting the proposed
intrusion analysis engine named TAFC that represents the
implementation of the described function u using a theory
deriving from formal languages: timed automata.
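The composition in Definition 2 can be made concrete with a small sketch. The following Python example is added here and is not code from the paper: it builds a timed fuzzy control over three control eras of one day and shows that the same packet rate yields a different alarm level depending on the era in which it is observed. The era boundaries, the packet-rate thresholds and the zero-order TSK controllers are assumptions chosen for illustration.

```python
from bisect import bisect_right

def falling(a, b):
    """Left shoulder: membership 1 up to a, falling linearly to 0 at b."""
    return lambda x: 1.0 if x <= a else 0.0 if x >= b else (b - x) / (b - a)

def rising(a, b):
    """Right shoulder: membership 0 up to a, rising linearly to 1 at b."""
    return lambda x: 0.0 if x <= a else 1.0 if x >= b else (x - a) / (b - a)

def triangle(a, b, c):
    """Triangular membership with feet a and c and peak b."""
    return lambda x: min(rising(a, b)(x), falling(b, c)(x))

def make_controller(low_max, high_min):
    """Zero-order TSK controller c: packet rate (packets/s) -> alarm in [0, 1].

    Rules: IF rate IS low THEN 0; IF rate IS medium THEN 0.5;
           IF rate IS high THEN 1.
    """
    mid = (low_max + high_min) / 2
    rules = [(falling(low_max, mid), 0.0),
             (triangle(low_max, mid, high_min), 0.5),
             (rising(mid, high_min), 1.0)]

    def c(rate):
        fired = [(mu(rate), out) for mu, out in rules]
        # Weighted average of the consequents; the three terms overlap so
        # that the firing strengths never sum to zero.
        return sum(w * out for w, out in fired) / sum(w for w, _ in fired)
    return c

class TimedFuzzyControl:
    """u = f o g: time instant -> control era -> fuzzy controller."""

    def __init__(self, bounds, controllers):
        # bounds = [t'_1, ..., t'_k, t''_k]; era i is the half-open interval
        # [bounds[i], bounds[i+1]), so consecutive eras are disjoint.
        if bounds[0] != 0 or any(a >= b for a, b in zip(bounds, bounds[1:])):
            raise ValueError("eras must start at 0 and have increasing bounds")
        if len(controllers) != len(bounds) - 1:
            raise ValueError("one control configuration per era is required")
        self.bounds, self.controllers = list(bounds), list(controllers)

    def g(self, t):
        """Index of the control era that contains the time instant t."""
        if not self.bounds[0] <= t < self.bounds[-1]:
            raise ValueError(f"t={t} lies outside every control era")
        return bisect_right(self.bounds, t) - 1

    def f(self, era):
        """Control configuration (fuzzy controller) associated with an era."""
        return self.controllers[era]

    def u(self, t):
        return self.f(self.g(t))

# Constructed scenario (hours of one day): quiet nights, busy office hours.
NIGHT = make_controller(low_max=100, high_min=500)
OFFICE = make_controller(low_max=1000, high_min=5000)
DAY = TimedFuzzyControl([0, 8, 20, 24], [NIGHT, OFFICE, NIGHT])

def alarm(t, rate):
    """Alarm level produced by the controller that is active at time t."""
    return DAY.u(t)(rate)

if __name__ == "__main__":
    for t in (3.0, 10.0, 21.5):
        print(f"t={t:>4}h  era={DAY.g(t)}  alarm(400 pkt/s)={alarm(t, 400):.2f}")
```

A static controller would have to pick one of the two threshold sets and would therefore either miss the night-time burst or raise false alarms during office hours.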
5 Timed automata based fuzzy controllers
This section presents TAFCs, an evolvable fuzzy controller
whose dynamic features allow designing an advanced
network intrusion detection system that is able to directly
deal with computer network dynamism and support net-
works’ administrators to prevent eventual damages from
unauthorized network intrusion. Before formally intro-
ducing TAFCs, a brief description of timed automata the-
ory is given in the next subsection.
5.1 Timed automata
A timed automaton is a standard finite-state automaton
extended with a finite collection of real-valued clocks
providing a straightforward way to represent time related
events, whereas automata-based approaches cannot offer
this feature. The clocks can be reset to 0 (independently of
each other) with the transitions of the automaton, and keep
track of the time elapsed since the last reset. The transitions
of a timed automaton are labeled with a guard (a condition
on clocks), an action or symbol on alphabet $\Sigma$, and a clock
reset (a subset of clocks to be reset). Intuitively, a timed
automaton starts execution with all clocks set to zero.
Clocks increase uniformly with time while the automaton
is within a node. A transition may be taken only if the
current values of the clocks satisfy the associated con-
straints. By taking the transition, all clocks in the clock
reset will be set to zero, while the remaining keep their
values. With this mechanism, we can capture several
interesting aspects of real-time systems: qualitative fea-
tures such as liveness, fairness, and nondeterminism; and
quantitative features such as periodicity, bounded response,
and timing delays.
The set of behaviors expressed by a system modeled by
means of a timed automaton is defined by a timed lan-
guage, i.e., a collection of timed words. Both timed con-
cepts are defined as follows.
Definition 3 A time sequence $\tau = \tau_1 \tau_2 \ldots$ is an infinite
sequence of time values $\tau_i \in \mathbb{R}$ with $\tau_i > 0$, satisfying the
following constraints:
1. Monotonicity: $\tau$ increases strictly monotonically; that
is, $\tau_i < \tau_{i+1}$ for all $i \ge 1$.
2. Progress: For every $t \in \mathbb{R}$, there is some $i \ge 1$ such that
$\tau_i > t$.
A timed word over an alphabet $\Sigma$ is a pair $(\sigma, \tau)$ where
$\sigma = \sigma_1 \sigma_2 \ldots$ is an infinite word over $\Sigma$ and $\tau$ is a time
sequence. A timed language over $\Sigma$ is a set of timed words
on $\Sigma$.
Definition 4 For a set X of clock variables, the set $\Phi(X)$
of clock constraints $\delta$ is defined inductively by
$$\delta := x \le c \mid c \le x \mid \lnot\delta \mid \delta_1 \wedge \delta_2$$
where x is a clock in X and c is a constant in $\mathbb{Q}$, the set of
nonnegative rationals.
A clock interpretation $\nu$ for a set X of clocks assigns a
real value to each clock; that is, it is a mapping from X to
$\mathbb{R}$. We say that a clock interpretation $\nu$ for X satisfies a
clock constraint $\delta$ over X iff $\delta$ evaluates to true using the
values given by $\nu$. For $t \in \mathbb{R}$, $\nu + t$ denotes the clock
interpretation which maps every clock x to the value $\nu(x) + t$,
and the clock interpretation $t \cdot \nu$ assigns to each clock x
the value $t \cdot \nu(x)$. For $Y \subseteq X$, $[Y \mapsto t]\nu$ denotes the clock
interpretation for X which assigns t to each $x \in Y$, and
agrees with $\nu$ over the rest of the clocks.
Now, a precise definition of timed transition table,
which determines the timed automaton behavior, is given:
Definition 5 A timed transition table A is a tuple
$\langle \Sigma, S, S_0, C, E \rangle$, where
• $\Sigma$ is a finite alphabet,
• S is a finite set of states,
• $S_0 \subseteq S$ is a set of start states,
• C is finite set of clocks, and
• $E \subseteq S \times S \times \Sigma \times 2^C \times \Phi(C)$ gives the set of transitions.
An edge $\langle s, s', a, \lambda, \delta \rangle$ represents a transition from
state s to state $s'$ on input symbol a. The set $\lambda \subseteq C$ gives
the clocks to be reset with this transition, and $\delta$ is a
clock constraint over C.
If $(\sigma, \tau)$ is a timed word viewed as an input to an
automaton, it presents the symbol $\sigma_i$ at time $\tau_i$. If each
symbol $\sigma_i$ is interpreted to denote an event occurrence then
the corresponding component $\tau_i$ is interpreted as the time
of occurrence of $\sigma_i$. Given a timed word $(\sigma, \tau)$, the timed
transition table A starts in one of its start states at time 0
with all clocks initialized to 0. As time advances, the
values of all clocks change, reflecting the elapsed time. At
time $\tau_i$, A changes state from s to $s'$ using some transition of the
form $\langle s, s', \sigma_i, \lambda, \delta \rangle$ reading the input $\sigma_i$, if the current
values of clocks satisfy $\delta$. With this transition, the clocks in
$\lambda$ are reset to 0, and thus start counting time with respect
to the time of occurrence of this transition. Formally, this
timed behavior is captured by introducing runs of timed
transition tables.
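Definition 6 A run r, denoted by $(\bar{s}, \bar{\nu})$, of a timed transition
table $\langle \Sigma, S, S_0, C, E \rangle$ over a timed word $(\sigma, \tau)$ is an
infinite sequence of the form
$$r : \langle s_0, \nu_0 \rangle \xrightarrow[\tau_1]{\sigma_1} \langle s_1, \nu_1 \rangle \xrightarrow[\tau_2]{\sigma_2} \langle s_2, \nu_2 \rangle \xrightarrow[\tau_3]{\sigma_3} \cdots$$
with $s_i \in S$ and $\nu_i \in [C \to \mathbb{R}]$, for all $i \ge 0$, satisfying the
following requirements:
• Initiation: $s_0 \in S_0$ and $\nu_0(x) = 0$ for all $x \in C$.
• Consecution: for all $i \ge 1$, there is an edge in E of the
form $\langle s_{i-1}, s_i, \sigma_i, \lambda_i, \delta_i \rangle$ such that $(\nu_{i-1} + \tau_i - \tau_{i-1})$
satisfies $\delta_i$ and $\nu_i$ equals $[\lambda_i \mapsto 0](\nu_{i-1} + \tau_i - \tau_{i-1})$.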
The timed transition table together with the run concept
are the main notions used in our approach to embed
dynamism in the standard FLC definition.
5.2 Merging timed automata and fuzzy controllers:
TAFCs
This section is devoted to describe our contextual anomaly
detection system, i.e., timed automata based fuzzy con-
trollers (TAFCs). TAFCs represent an integration between
two theories: fuzzy control and timed automata.
A TAFC implements a timed fuzzy controller by
exploiting a timed automaton whose behaviors define all
the potential sequences of control eras (and the related
control configurations) that a system may cross during its
life cycle. More in detail, TAFCs are able to manage the
control eras by associating each of them with a state in the
timed automaton. The control eras progression can be
determined exploiting the automaton run concept (Definition
6). Indeed, the ith discrete transition can be used to
throw a temporal event which moves the system from the
ith control era to the (i + 1)th one.
However, it is necessary to extend the classical timed
automaton (Definition 5) by modifying the definition of
timed automaton transition. Indeed, because each autom-
aton’s state represents a system’s control era with the
corresponding control configuration then, its outgoing
transitions would have to be able to transform system’s
configurations. To define this task, timed automata transi-
tion has been extended with a sequence of transformation
operators.
Once that the automaton computation starts over a
given timed word, the state transitions will opportunely
modify the current control configuration in the successive
one. In this vision, a timed word determines how and
when to execute the switching among successive control
eras. So, a timed word coincides with the control time
concept.
Therefore, a TAFC, as will be formally defined in the
last subsection, is a couple consisting of two components:
an extended timed automaton that describes the dynamic
evolution of a system and a fuzzy logic controller modeling
the control behavior of system during first phase of its
existence.
5.2.1 Transformation operators
The first step towards the formal definition of a TAFC is
to introduce a collection of operators capable of changing
control configurations. To define the so-called transfor-
mation operators, a new representation of a standard
fuzzy controller is used. This representation is based on
the labeled trees (Wang et al. 1996), a data structure
defined by means of the well-known graph theory. By
following this idea, it is possible to build a fuzzy control
labeled tree (Acampora and Loia 2008). A fuzzy con-
troller represented through labeled tree can be modified in
a very simple way, because labeled trees (i.e., graphs) are
characterized by modification operations (insert, delete
and update) which are simple, flexible and computation-
ally efficient.
In details, transformation operators will change a TAFC’s
control configuration by executing the following operations:
adding () or deleting (�) a variable; adding (�k), removing
(�k) or changing (�k) k rules in the rule base; changing
implication method of the rule base (� ); adding (~),
deleting (ø) or changing (}) a term to a variable; changing
defuzzify method (_), aggregation method (ffl) or default
value (> ) of an output variable; changing lower bound (n)
or upper bound (o) of the universe of discourse of a vari-
able. Besides, other four operators are defined indepen-
dently. In details, the first one does not concern with changes
to the fuzzy controller structure because it sets frequency
sampling (4), whereas the others deal with a complete
replacement of a fuzzy controller executing these operations:
returning to the initial control configuration (y); setting
control configuration to that of the destination state (z)
or transforming a control configuration in itself (g).
The formal definitions of the transformation operators
based on the labeled tree representation of a fuzzy controller
are not presented for the sake of simplicity.
After listing all transformation operators, it is possible to
define the collection of transformation operators Cop.
Definition 7 The set of transformation operators acting
on a control configuration is
Cop ¼ f;�;�k;�k;�k; � ;n;o ;ffl;~; ø;};> ;4;_; y; z;gg
The following section introduces an extended
version of timed automata capable of directly dealing with
the fuzzy control concept. The point of contact between timed
automata and fuzzy controllers is represented by the
transformation operators set that will be used to update the
definition of timed automata edges.
5.2.2 Extending timed automata for implementing timed
fuzzy control
Once that the set of transformation operators Cop has been
introduced, it is necessary to redefine the timed automaton
concept to consider a novel kind of transition edges capable
of changing the control configuration of the modeled sys-
tem. In particular, the standard transition set of timed
automata E is replaced with the following:
$$E_C \subseteq S \times S \times \Sigma \times 2^C \times \Phi(C) \times C_{op}^*$$
where $C_{op}^*$ represents the set of all possible sequences of
transformation operators, i.e., $C_{op}^* = \bigcup_{n \ge 1} C_{op}^n$, where $C_{op}^n$ is
the set of all possible sequences of n operators with $n \ge 1$.
Now, it is possible to provide an extended definition of a
timed automaton:
Definition 8 A timed control transition table $A_C$ is a
tuple $\langle \Sigma \cup \{\varepsilon\}, S, S_0, C, E_C \rangle$, where
• $\Sigma$ is a finite alphabet;
• $\varepsilon$ represents empty event, i.e., when it is on a transition,
the crossing of this transition depends only on temporal
constraints;
• S is a finite set of states;
• $S_0 \subseteq S$ is a set of start states;
• C is finite set of clocks;
• $E_C \subseteq S \times S \times \Sigma \times 2^C \times \Phi(C) \times C_{op}^*$ gives the set of
transitions. An edge $\langle s, s', a, \lambda, \delta, o^n \rangle$ represents a
transition from state s to state $s'$ on input symbol a
which can be also the empty event. The set $\lambda \subseteq C$
gives the clocks to be reset with this transition, $\delta$ is
a clock constraint over C and $o^n \in C_{op}^*$ is a sequence of
n transformation operators, with $n \ge 1$, defined to
change the current control configuration of modeled
system.
In each sequence of transformation operators, an oper-
ator can be repeated to execute the same task on different
arguments (e.g., to modify several variables’ universe of
discourse). Moreover, it is important to establish that the
operators are executed in the same order of their definition
in the sequence (Definition 10).
Definition 9 Let F be a fuzzy controller and let $o \in C_{op}$
be a transformation operator; then G = o(F) is the fuzzy
controller obtained by applying the operator o on fuzzy controller
F.
Definition 10 Let F be a fuzzy controller and let $o^n \in C_{op}^*$
be a sequence $o^n = (o_1, o_2, \ldots, o_n)$ where $o_i \in C_{op}\ \forall i \in \{1, 2, \ldots, n\}$;
then $G = o^n(F) = o_n(o_{n-1}(\ldots(o_2(o_1(F)))))$
is the fuzzy controller obtained by applying the operators
$o_1, o_2, \ldots, o_{n-1}, o_n$ on fuzzy controller F in the same order
of listing in the sequence $o^n$.
At this point, it is possible to give a formal definition of
a TAFC and the properties characterizing its dynamic
behavior.
Definition 11 A TAFC T is an ordered pair composed of
an initial control configuration, represented by a fuzzy
controller named $F_0$, together with a timed control transition
table $T_C$. Formally:
$$T = (F_0, T_C).$$
The TAFC properties which define the dynamic
behavior of a system are control evolution and control run.
The control evolution is a mapping among the states S
contained in TC and the collection of possible control
configurations obtained starting from F0. More in detail,
the control evolution is a mathematical succession, gener-
ated in an inductive way, which maps each state in S with a
one or more control configurations obtained by sequen-
tially applying over F0 the transformation operators in
S� S� R [ f�g � 2C � UðCÞ � C�op. Then:
Definition 12 (control evolution) Let $T = (F_0, T_C)$ be a
TAFC defined over a timed control transition table
$\langle \Sigma \cup \{\varepsilon\}, S, S_0, C, E_C \rangle$ with $S = \{s_0, s_1, \ldots, s_{|S|-1}\}$ the finite set
of automaton states; let $F^*$ be the collection of all possible
fuzzy controllers; let $X = \{n_1, n_2, \ldots, n_{|X|}\}$ be a subset of
ordered sequences in $C_{op}^*$, that is, $n_i = (o_1, o_2, \ldots, o_{|n_i|})\ \forall i \in \{1, 2, \ldots, |X|\}$,
employed to define the edges in $E_C$. Then,
the control evolution W over a state $s_0 \in S_0$ is:
$$W : \mathbb{N} \to S \times F^*$$
defined inductively, as follows:
The base case (i = 0). Let $s_0 \in S_0$ be an initial state of
$\langle \Sigma \cup \{\varepsilon\}, S, S_0, C, E_C \rangle$; then:
$$W(0) = (s_0, F_0)$$
The inductive step (i > 0). Let $W(i-1)$, with i > 1, be
defined as:
$$W(i-1) = (s_{i-1}, F_{i-1})$$
where $s_{i-1} \in S$ and $F_{i-1} \in F^*$; then:
$$W(i) = (s_i, F_i)$$
with $s_i \in S$, $F_i = n_i(F_{i-1})$, $n_i \in X$ and $\langle s_{i-1}, s_i, a, \lambda, \delta, n_i \rangle \in E_C$.
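More intuitively, the expression (1) shows the sequence
of pairs composing a control evolution over $s_0 \in S_0$ together
with the fuzzy transformations obtained by exploiting
the $n_i$ sequences of operators.
$$\begin{array}{lll}
W(0): & s_0 \in S_0 \to & F_0 \\
 & & \downarrow n_0 \\
W(1): & s_1 \in S \to & F_1 \\
 & & \downarrow n_1 \\
W(2): & s_2 \in S \to & F_2 \\
 & & \downarrow n_2 \\
 & \vdots & \vdots \\
 & & \downarrow n_{j-1} \\
W(j): & s_j \in S \to & F_j \\
 & & \downarrow n_j \\
 & \vdots & \vdots
\end{array} \tag{1}$$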
The image of function W, $I_W$, can be finite or infinite.
This depends on the topology of the graph modeling the
component $T_C$ of the TAFC. Indeed, if the topology of $T_C$
contains cycles then various FLCs can be associated with the
same state $s_h \in S$. To explain it, let $\langle s_k, s_{i-1}, a, \lambda, \delta, n_k \rangle \in E_C$
be an edge entering the state $s_{i-1}$ already crossed, that
is, an edge forming a cycle. If it is crossed, the current fuzzy
controller stored in the state $s_{i-1}$ is replaced by a new one
obtained by executing the sequence of operators $n_k$ on the fuzzy
controller stored in the state $s_k$. Then, crossing again the
edge $\langle s_{i-1}, s_i, a, \lambda, \delta, n_i \rangle \in E_C$, the fuzzy controller
stored in $s_i$ is also replaced. Indeed, even if the sequence of
operators $n_i$ is unchanged from the previous crossing of the
edge, a new controller fuzzy is stored in si because ni is
executed on the different fuzzy controller which has been
stored in si-1 in the previous step. So, states si-1 and si are
both associated with a new fuzzy controller because of the
cycle formed by the edge hsk; si1; a; k; d; nki:Obviously, the control evolution only represents a
mapping between the states of timed automaton TC and
the collection of control configurations computable
starting from F0 by applying different sequences of
operators in X; no dynamic aspects are considered in the
control evolution definition and, therefore, it is necessary
to introduce the idea of control run extending the initial
idea of the run of standard timed transition table (Defi-
nition 6).
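Definition 13 Let $\Psi$ be a control evolution, then a control run $r_c$, denoted by $(\bar{s}, \bar{\nu})$, of a timed transition table $\langle \Sigma \cup \{\varepsilon\}, S, S_0, C, E_C \rangle$ over a timed word $(\sigma, \tau)$ and a collection of sequences of transformation operators $\Omega = \{\xi_1, \xi_2, \ldots, \xi_{|\Omega|}\} \subseteq C_{op}^{*}$, is an infinite sequence of the form

$$r_c : \langle s_0, \nu_0 \rangle \xrightarrow[\tau_1]{\sigma_1, \xi_1} \langle s_1, \nu_1 \rangle \xrightarrow[\tau_2]{\sigma_2, \xi_2} \langle s_2, \nu_2 \rangle \xrightarrow[\tau_3]{\sigma_3, \xi_3} \cdots$$

with $s_i \in S$ and $\nu_i \in [C \to \mathbb{R}]$, for all $i \ge 0$, and $\xi_i \in C_{op}^{*}$, for all $i \ge 1$, satisfying the following requirements:
• Initiation $s_0 \in S_0$ and $\nu_0(x) = 0$ for all $x \in C$;
• Consecution for all $i \ge 1$, there is an edge in $E_C$ of the form $\langle s_{i-1}, s_i, \sigma_i, \lambda_i, \delta_i, \xi_i \rangle$ such that $(\nu_{i-1} + \tau_i - \tau_{i-1})$ satisfies $\delta_i$ and $\nu_i$ equals $[\lambda_i \mapsto 0](\nu_{i-1} + \tau_i - \tau_{i-1})$;
• Atomicity The operators of the sequence $\xi_i \in C_{op}^{*}$ are atomic operations and their computation time is equal to 0, i.e., they do not modify the duration of permanence in the automaton state $s_i$, $(\tau_i - \tau_{i-1})$;
• Evolution each state $s_i$ of a pair $\langle s_i, \nu_i \rangle$ in $r_c$ is mapped on an FLC $F_i$ as described by the control evolution $\Psi$.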
If $T = (F_0, TC)$ is a TAFC which models a given system, then the set of control runs $r_c$ defined over the timed language $L$, generated by TC, completely describes the collection of dynamic behaviors of the system, whereas the control run $r_c$ defined over a single word $w_i \in L$ defines a precise dynamic behavior of the system, so $w_i$ defines the Control Time.

Definition 14 (control time) If $T = (F_0, TC)$ is a TAFC and TC is a timed automaton recognizing the timed language $L = w_1, w_2, w_3, \ldots, w_i, \ldots$ and $w_i$ is a timed word and $r_c$ is a control run defined over $w_i$, then $w_i$ is a Control Time of the system.
Finally, it is possible to give a formal description of the control era and control configuration concepts.

Definition 15 (control era and control configuration) If $r_c$ is a control run defined over the Control Time $w_i = (\sigma, \tau) \in L$:

$$r_c : \langle s_0, \nu_0 \rangle \xrightarrow[\tau_1]{\sigma_1, \xi_1} \langle s_1, \nu_1 \rangle \xrightarrow[\tau_2]{\sigma_2, \xi_2} \langle s_2, \nu_2 \rangle \xrightarrow[\tau_3]{\sigma_3, \xi_3} \cdots$$

then the time interval between the instants $\tau_i$ and $\tau_{i+1}$ is the ith control era of the system, and the FLC $F_i$ which depicts the system during the same interval is defined as the ith control configuration.
Therefore, it is important to notice how a TAFC is an implementation of a timed fuzzy controller thanks to the concepts of control evolution and control run, which perform the task accomplished by the $\varphi$ function defined in Section II.

Both the control evolution and the control run are potentially infinite. In fact, the control evolution can exploit an infinite application of control operators in $\Omega$ to compute the mappings between the state $s_i$ and the FLC $F_i$, whereas the control run uses a timed word, defined as an infinite sequence of ordered pairs, to describe the dynamic behavior of the system. Consequently, to simulate the behavior of a TAFC during the first n control eras, the nth-order control evolution and control run are introduced.
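Definition 16 (nth order control evolution) If $\Psi$ is a control evolution then the set

$$\Psi^{n} = \{\Psi(i) = (s_i, F_i) \mid i = 1, 2, \ldots, n\}$$

which contains the first n ordered pairs computed by $\Psi$ through Definition 12 is the nth order control evolution.

Definition 17 (nth order control run) Let

$$r_c : \langle s_0, \nu_0 \rangle \xrightarrow[\tau_1]{\sigma_1, \xi_1} \langle s_1, \nu_1 \rangle \xrightarrow[\tau_2]{\sigma_2, \xi_2} \langle s_2, \nu_2 \rangle \xrightarrow[\tau_3]{\sigma_3, \xi_3} \cdots$$

be a control run defined over a control evolution $\Psi$; then the nth-order control run $r_c^{n}$ is the sequence of the first n elements of $r_c$:

$$r_c^{n} : \langle s_0, \nu_0 \rangle \xrightarrow[\tau_1]{\sigma_1, \xi_1} \langle s_1, \nu_1 \rangle \xrightarrow[\tau_2]{\sigma_2, \xi_2} \cdots \xrightarrow[\tau_{n-1}]{\sigma_{n-1}, \xi_{n-1}} \langle s_n, \nu_n \rangle$$

where the mapping between the automaton states $s_i$ and the FLC $F_i$ is computed by the nth-order control evolution related to $\Psi$.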
In the following section, a supervised learning algorithm will be introduced to mine the most suitable TAFC T modeling a network intrusion detection system whereas, in the case study, the mined TAFC will be compared with a Mamdani fuzzy controller by defining an appropriate nth-order control run.
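A simulation of the nth-order control run of Definitions 12 to 17, added here as a Python example that is not code from the paper. The FLC stand-in, the two operators, the state names night and day, the single clock x counted in minutes and the timed word are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class FLC:
    """Stand-in for a fuzzy controller (assumption): universes plus rule texts."""
    universe: tuple          # ((variable, low, high), ...)
    rules: tuple


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    event: Optional[str]            # None stands for the empty event epsilon
    resets: frozenset               # lambda: clocks reset to 0 on this edge
    guard: Callable[[dict], bool]   # delta: clock constraint
    ops: tuple                      # xi: sequence of operators FLC -> FLC


def scale_universe(var, factor):
    """Hypothetical operator: rescale the upper bound of one universe."""
    def op(flc):
        uni = tuple((v, lo, hi * factor if v == var else hi)
                    for v, lo, hi in flc.universe)
        return FLC(uni, flc.rules)
    return op


def insert_rule(text):
    """Hypothetical operator: append one rule."""
    return lambda flc: FLC(flc.universe, flc.rules + (text,))


def control_run(edges, s0, f0, clocks, timed_word, n):
    """Return [(tau_i, s_i, nu_i, F_i)] for i = 0..n, or raise if no edge fits."""
    state, flc, tau_prev = s0, f0, 0.0
    nu = {c: 0.0 for c in clocks}                        # Initiation
    run = [(tau_prev, state, dict(nu), flc)]
    for event, tau in timed_word[:n]:
        aged = {c: v + (tau - tau_prev) for c, v in nu.items()}
        edge = next((e for e in edges if e.src == state
                     and e.event == event and e.guard(aged)), None)
        if edge is None:                                 # Consecution violated
            raise ValueError(f"no enabled edge from {state} at time {tau}")
        nu = {c: 0.0 if c in edge.resets else v for c, v in aged.items()}
        for op in edge.ops:                              # Atomicity: zero time
            flc = op(flc)
        state, tau_prev = edge.dst, tau
        run.append((tau, state, dict(nu), flc))          # Evolution: (s_i, F_i)
    return run


# Constructed two-state cycle: the same state receives a new controller on
# every visit, because the operators act on whatever the predecessor stored.
F0 = FLC((("numberOfEcho", 0.0, 100.0),),
         ("IF numberOfEcho IS high THEN alert IS high",))
EDGES = [
    Edge("night", "day", None, frozenset({"x"}), lambda nu: nu["x"] >= 480,
         (scale_universe("numberOfEcho", 2.0),
          insert_rule("IF numberOfSDT IS high THEN alert IS medium"))),
    Edge("day", "night", None, frozenset({"x"}), lambda nu: nu["x"] >= 720,
         (scale_universe("numberOfEcho", 0.75),)),
]
WORD = [(None, 480.0), (None, 1200.0), (None, 1680.0)]   # (event, tau) pairs


def demo():
    return control_run(EDGES, "night", F0, ["x"], WORD, 3)


if __name__ == "__main__":
    for tau, state, nu, flc in demo():
        print(tau, state, nu, flc.universe[0], len(flc.rules))
```

Each tuple in the result gives the control configuration in force from that instant until the next one, which is the rule base a detector would evaluate traffic against during that control era.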
6 A supervised learning approach for mining
a TAFC-based network intrusion detection system
In this section, a supervised learning approach is introduced that analyzes a collection of time series representing a computer network's behavior and identifies the most suitable sequence of control eras and configurations related to a TAFC implementing a Network Intrusion Detection System. As will be shown in Sect. 7, our adaptive approach is better than a conventional Mamdani Fuzzy Controller in terms of reduction of detection error. In detail, our proposal extends Tzung-Pei Hong and Chai-Ying Lee's algorithm to induce a TAFC whose control configurations are capable of recognizing the network's data stream in different control eras.

To model TAFC components taking into account the network context, with the aim of achieving a more efficient intrusion detection mechanism, a data mining approach has been exploited. In detail, a novel supervised learning technique that mines a conveniently trained TAFC has been implemented by extending Tzung-Pei Hong and Chai-Ying Lee's algorithm (Hong and Lee 1996). The TAFC so implemented is capable of recognizing the network's data streams related to different time intervals associated with network contexts and, consequently, of detecting intrusions in a more realistic and efficient way. More precisely, the algorithm analyzes a computer network's behavior and builds a TAFC T, where each control era manages a network context related to a well-defined time interval. As shown in the experimental results section, this approach minimizes detection error and false positives by appropriately switching among learned control configurations.

The algorithm uses a sequence of data instances, known as network training examples, that can be obtained by monitoring the network in a promiscuous way. In detail, the algorithm builds T through the following steps:
1. collect network training examples from the network;
2. identify the sequence of time periods where the computer network shows a well-defined behavior (control eras);
3. define the most suitable collection of fuzzy variables and rules that characterizes each control era (control configurations);
4. build the TAFC T.
Hereafter, each step will be formally discussed and depicted.
6.1 Collecting network training examples from routers
During this step, the algorithm sniffs data from the network to collect meaningful information. Data collection is performed in a time-discrete way, i.e., by processing network raw packet data at instants $\{\tau_1, \tau_2, \ldots \mid \tau_i = \tau_{i-1} + \Delta t\}$. In detail, at the time $\tau_i$, the algorithm collects the training example $(x_{i1}, x_{i2}, \ldots, x_{im}, x_{i(m+1)})$ where the values $x_{i1}, x_{i2}, \ldots, x_{im}$ correspond to network properties relevant to detecting possible intrusions, such as the number of ping packets or the number of unusual ICMP packets, while $x_{i(m+1)}$ is an alert level for a possible intrusion occurring at $\tau_i$. Reasoning in this way, the algorithm builds the network training examples:

$$
\begin{array}{ccccccc}
\tau_1 & x_{11} & x_{12} & \ldots & x_{1(m-1)} & x_{1m} & x_{1(m+1)} \\
\tau_2 & x_{21} & x_{22} & \ldots & x_{2(m-1)} & x_{2m} & x_{2(m+1)} \\
\vdots & \vdots & \vdots & & \vdots & \vdots & \vdots \\
\tau_n & x_{n1} & x_{n2} & \ldots & x_{n(m-1)} & x_{nm} & x_{n(m+1)}
\end{array}
$$
6.2 Individuating computer network’s control eras
The main aim of this phase of the algorithm is to cluster the training examples so as to partition the original matrix into a collection of so-called temporal areas. A temporal area can be viewed as a time interval $[\tau_k, \tau_l]$, with $l > k$, that collects similar data from the training examples matrix. To learn the temporal areas, the algorithm considers the jth column of the training examples matrix and applies the following four steps:
1. Find the difference between adjacent data (e.g. $x_{ij}$ and $x_{(i+1)j}$);
2. Find the similarity value between adjacent data;
3. Cluster the training instances according to similarity to separate the data into $r_j$ different data regions named $R^{j}_{1}, R^{j}_{2}, \ldots, R^{j}_{r_j}$;
Then, considering the whole collection of data regions, the algorithm computes the last step:
4. Exploit the data regions $\bigcup_{j=1}^{m+1} \bigcup_{p=1}^{r_j} R^{j}_{p}$ to define temporal areas.

More in detail, in the first step the difference between adjacent data of the same variable ($x_{ij}$ and $x_{(i+1)j}$) is calculated: $d^{j}_{i\,i+1} = x_{(i+1)j} - x_{ij}$. Then, a similarity value, $0 \le s^{j}_{i\,i+1} \le 1$, between adjacent data is computed by taking into account $d^{j}_{i\,i+1}$:

$$
s^{j}_{i\,i+1} =
\begin{cases}
1 - \dfrac{d^{j}_{i\,i+1}}{C \times \sigma_j} & \text{for } d^{j}_{i\,i+1} \le C \times \sigma_j, \\
0 & \text{otherwise}
\end{cases}
\tag{2}
$$

where $\sigma_j$ is the standard deviation of the difference values belonging to the jth column of the training examples matrix and C is a control parameter used to tune similarity values in an experimental way. Precisely, a large value of C causes a greater similarity.
In the third step, the similarity values are used as inputs for an α-cut operation that groups the jth column elements into different classes. The value of α determines the threshold for two adjacent data to be regarded as belonging to the same class. In particular, the method is:

If $s^{j}_{i\,i+1} < \alpha$ then put the two adjacent data into different groups; else put them into the same group.

Once the α-cut operation has been applied, each column of the matrix is transformed into a sequence of pairs $(x_{ij}, R^{j}_{k})$ where $1 \le i \le n$ and $1 \le j \le m+1$, which indicates that the ith variable value of the jth column belongs to the kth data region of the jth variable. At the end, the algorithm has to compute the temporal areas. These are built by considering the whole collection of data regions $\bigcup_{j=1}^{m+1} \bigcup_{p=1}^{r_j} R^{j}_{p}$ and applying the following steps:
1. $q = 1$;
2. $R'_q = \arg\min_{j=1 \ldots m+1} |R^{j}_{q}|$;
3. if $|R'_q| == 0$ then end;
4. for $j = 1 \ldots m+1$, consider the first $|R'_q|$ values contained in the region $R^{j}_{q}$ and move them into a collection named $X^{j}_{q}$;
5. the matrix $T_q$ obtained by considering the collection $X^{j}_{q}$ as its jth column is the qth temporal area;
6. Move the remaining elements in $R^{j}_{q}$ to $R^{j}_{q+1}$ ($j = 1, \ldots, m+1$);
7. $q = q + 1$;
8. go to step 2.
After the algorithm has accomplished these steps, it returns a collection of matrices $T_q$ modeling the homogeneous behavior of a computer network in well-defined time intervals. The next step is to derive a TAFC able to model this behavior in a robust and efficient way to help systems' administrators to prevent network intrusions.
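The segmentation procedure of this section (Eq. 2, the α-cut and steps 1 to 8), added here as a Python example that is not code from the paper. It assumes absolute differences so that the similarity stays in [0, 1], a population standard deviation, and constructed sample columns for numberOfSDT, numberOfEcho and alert; the function names are hypothetical.

```python
from statistics import pstdev


def similarities(column, C):
    """Eq. (2): similarity between each pair of adjacent samples of one column."""
    if len(column) < 2:
        return []
    # Assumption: |d| is used, so that 0 <= s <= 1 also holds for decreasing data.
    diffs = [abs(b - a) for a, b in zip(column, column[1:])]
    sigma = pstdev(diffs)              # assumption: population standard deviation
    if sigma == 0:                     # every step identical: one single region
        return [1.0] * len(diffs)
    limit = C * sigma
    return [1.0 - d / limit if d <= limit else 0.0 for d in diffs]


def data_regions(column, C, alpha):
    """alpha-cut: open a new data region wherever the similarity drops below alpha."""
    if not column:
        return []
    regions = [[0]]                    # regions hold row indices, in time order
    for i, s in enumerate(similarities(column, C), start=1):
        if s < alpha:
            regions.append([i])
        else:
            regions[-1].append(i)
    return regions


def temporal_areas(columns, C, alpha):
    """Steps 1-8: return the temporal areas as (first_row, last_row) pairs."""
    if not columns:
        return []
    cols = [data_regions(c, C, alpha) for c in columns]
    areas, q = [], 0
    while True:
        # Step 2: size of the smallest q-th region over all columns.
        k = min(len(c[q]) if q < len(c) else 0 for c in cols)
        if k == 0:                     # Step 3
            return areas
        # Steps 4-5: the first k rows of every q-th region form area T_q.
        areas.append((cols[0][q][0], cols[0][q][k - 1]))
        for c in cols:                 # Step 6: leftovers join region q+1
            rest = c[q][k:]
            if rest:
                if q + 1 < len(c):
                    c[q + 1] = rest + c[q + 1]
                else:
                    c.append(rest)
        q += 1                         # Step 7


# Constructed sample: twelve 10-minute windows with a burst in rows 4-7.
SDT = [2, 2, 3, 2, 2, 3, 40, 42, 41, 3, 2, 2]
ECHO = [10, 12, 11, 10, 300, 310, 305, 300, 12, 10, 11, 10]
ALERT = [0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0]

if __name__ == "__main__":
    print(data_regions(SDT, C=2, alpha=0.5))
    print(temporal_areas([SDT, ECHO, ALERT], C=2, alpha=0.5))
```

On this sample the numberOfSDT column changes regime two rows later than the other columns; step 6 merges its leftover rows into the next region, so the temporal areas follow the earliest boundary found in any column.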
6.3 Mining computer network’s control configurations
To define the collection of control configurations modeling a network monitoring system, our proposal exploits an inductive algorithm proposed by Tzung-Pei Hong and Chai-Ying Lee to learn the membership functions and the fuzzy rules related to the data contained in each temporal area $T_q$. In detail, on each temporal area $T_q$, the algorithm computes the following steps:
1. Cluster and fuzzify the output data;
2. Construct initial membership functions for input variables;
3. Construct the initial decision table;
4. Simplify the initial decision table;
5. Rebuild membership functions in the simplification process;
6. Derive decision rules from the decision table.
Once these steps have been applied, a collection of fuzzy controllers modeling the computer network behavior in each temporal area is built. These controllers will be used to define the control configurations of a TAFC.
6.3.1 Building the TAFC T
Fig. 2 From dataset to control eras and control configuration
Fig. 3 A TAFC mined through supervised learning approach

The last step considers the temporal areas and control configurations computed in the previous stages to build an efficient TAFC T modeling a network monitoring system. This step is performed as follows:
• Each temporal area represents a control era;
• Each state $S_q$ stores a fuzzy controller. It is characterized by the input and output variables and if-then rules obtained by executing Hong-Lee's algorithm on the temporal area $T_q$;
• The temporal constraints described on TAFC transitions are represented by the time instant between adjacent temporal areas, $T_q$ and $T_{q+1}$ ($\tau_l$);
• The events, i.e., the symbols on TAFC transitions, are the empty events $\varepsilon$;
• Each transition is characterized by the following transformation operator sequence:
ðø; . . .; ø;�k;n; . . .;n;o ; . . .;o ;~; . . .;~;�hÞ
where the sequence of ø indicates the deleting of all terms
in all variables, the �k operator indicates the deleting of all
k rules, the sequences of n and o indicate modifications of
universe of discourse of all variables, the sequence of ~
indicates the inserting of new terms in all variables and the
�h operator indicates the inserting of new h rules;
• The initial state is chosen by means of the initial time instant.
The next section is devoted to proving the superiority of our method when applied to a particular kind of network intrusion: the Denial of Service.
7 Learning a TAFC for designing a network intrusion
detection system: experimental results
To show how the TAFC T improves network intrusion detection performance with respect to conventional fuzzy methods, a possible attack scenario is presented hereafter. As mentioned, a denial of service (DoS) attack is considered. In particular, a ping flood attack has been chosen, i.e., a DoS attack where the attacker overwhelms the victim with ICMP Echo Request (ping) packets. To mine a TAFC T that deals with DoS intrusion detection, the described supervised learning algorithm is used with a dataset D that represents the daily behavior of a given computer network. The dataset D has been prepared by means of two sequential steps:
1. Raw packet data are collected by employing the tcpdump tool;
2. Every 10 min, the collection of captured data is used to compute the following meaningful information:
• numberOfSDT, which represents the number of unusual ICMP packets, where SDT indicates the combined identifier [Source, Destination, ICMP Type] of an ICMP packet;
• numberOfEcho, which represents the number of observed ping packets;
• alert, which indicates that a dangerous situation is detected. This value is set by a computer network security expert.
Once the daily set of tcpdump raw data has been processed, the collection of triples

$$D = \{(\mathit{numberOfSDT}_i, \mathit{numberOfEcho}_i, \mathit{alert}_i),\ i = 1 \ldots 144\} \tag{3}$$

will be used as the training set for the proposed learning algorithm, which will produce a collection of temporal areas and fuzzy controllers as shown in Fig. 2. These collections represent, respectively, the control eras and control configurations of a TAFC. Then, starting from these data, the TAFC shown in Fig. 3 is built. For example, Fig. 4a–c shows the variables of the fuzzy controller FC3 returned by our approach and associated with automaton state S3.

Fig. 4 Membership functions related to the fuzzy variables of the FC3 controller: a numberOfSDT, b numberOfEcho and c alert
The performance of the TAFC T has been evaluated by
comparing it with a standard Mamdani fuzzy controller
F presented in Dickerson et al. (2001) and implemented
using the FML language (see Listing 1).
Listing 1 FML sample program

To establish whether, and by how much, our solution is more efficient than a standard fuzzy controller, an experiment was carried out that compares the inference results computed by our proposal and by the described conventional controller with respect to a testing data set. The testing data are built by processing the data collected by the tcpdump tool while controlled denial of service attacks are performed on the network. Raw packet data provided by the tcpdump tool are processed in intervals which last approximately 60 min. So, by considering data sniffed by tcpdump in a single day, a network testing data set of n = 24 testing instances has been created. Figure 5 shows the comparison of inference results. To highlight the improvement provided by our proposal, the well-known error function named mean square error (MSE) is computed:
$$\mathrm{TAFC}_{error} = 0.038 \qquad F_{error} = 0.093 \tag{4}$$

From Eq. 4, it is clear that the approach based on TAFC improves the conventional fuzzy controller performance with the following percentage variation:

$$(0.093 - 0.038)/0.093 \times 100 \approx 59\%.$$

The lower error which characterizes the implemented TAFC proves the superiority of our proposal in achieving a greater computer network robustness.
8 Conclusion
This paper introduces a novel contextual anomaly detection method based on a novel fuzzy inference engine named TAFC. This novel fuzzy controller has been used to support network administrators in preventing eventual damage coming from unauthorized network intrusion and in reducing false positives. Enhanced by its implementation through the extension of a well-known data mining technique, the proposed method has been compared with a classic fuzzy controller and has shown a better behavior. However, further experiments are being carried out by exploiting the popular DARPA Intrusion Detection Evaluation datasets (Lippmann et al. 1998).
References
Acampora G, Loia V (2005) Fuzzy control interoperability and
scalability for adaptive domotic framework. IEEE Trans Ind Inf
1(2):97–111
Acampora G, Loia V (2008) An open integrated environment for
transparent fuzzy agents design. Open Source Development,
Communities and Quality, IFIP International Federation for
Information Processing, vol 275/2008. Springer, Boston,
pp 1571–5736
Alur R (1994) A theory of timed automata. Theor Comput Sci
126:183–235
Anderson JP (1980) Computer security threat monitoring and
surveillance. Technical report, James P Anderson Co., Fort
Washington, Pennsylvania
Anderson D, Frivold T, Valdes A (1995) Next-generation intrusion-
detection expert system (NIDES). Technical report, Computer
Science Laboratory, SRI International, Menlo Park
Bace RG (2000) Intrusion detection. Macmillan Technical Publishing,
Indianapolis
Barbara D, Couto J, Jajodia S, Popyack L, Wu N (2001) ADAM:
detecting intrusions by data mining. In: Proceedings of the 2001
IEEE, workshop on information assurance and security, United
States Military Academy, West Point
Biswanath M, Todd LH, Karl NL (1994) Network intrusion detection.
IEEE Netw 8(3):26–41
Bolzoni D, Etalle S (2008) Approaches in anomaly-based network
intrusion Detection systems. In: Intrusion detection systems.
Advances in Information Security, vol 38. Springer, London,
pp 1–15
Botha M, Solms R (2003) Utilising fuzzy logic and trend analysis for
effective intrusion detection. Comput Secur 22:423–434
Bulatovic D, Velasevic D (1999) A distributed intrusion detection
system based on bayesian alarm networks. Lect Notes Comput
Sci 1740:219–228
Byuhghae-Cha KP, Jaiyttyun S (2005) Neural networks techniques for host anomaly intrusion detection using fixed pattern transformation. In: ICCSA 2005, LNCS, vol 3481, pp 254–263
Chandola V, Banerjee A, Kumar V (2009) Anomaly detection: a
survey. ACM Comput Surv 41(3)
Debar H, Dacier M, Wespi A (1999) Towards a taxonomy of
intrusion-detection systems. Comput Netw 31(8):805–822
Dickerson JE, Dickerson JA (2000) Fuzzy network profiling for intrusion detection. In: Proceedings of NAFIPS 19th international conference of the North American fuzzy information processing society, Atlanta, pp 301–306
Dickerson JE, Juslin J, Koukousoula O, Dickerson JA (2001) Fuzzy
intrusion detection. In: IFSA world congress and 20th NAFIPS
international conference, vol 9. No 3, pp 1506–1510
Gupta MM, Tsukamoto Y (1980) Fuzzy logic controllers—a
perspective. In: Proceedings of the joint automatic control
Conference, San Francisco, pp FA10-C
Hong TP, Lee CY (1996) Induction of fuzzy rules and membership
functions from training examples. Fuzzy Sets Syst 84:33–47
Hu PZ, Heywood MI (2003) Predicting intrusions with local linear
model. In: Proceedings of the international joint conference on
neural networks, vol 3, pp 1780–1785
Javitz HS, Valdes A, Denning DE, Neumann PG (1986) Analytical techniques development for a statistical intrusion-detection system (SIDS) based on accounting records. Technical report, SRI International, Menlo Park
Fig. 5 Comparison results
Kayacik HG, Zincir-Heywood AN, Heywood MI (2003) On the
capability of an som based intrusion detection system. In:
Proceedings of the international joint conference on neural
networks, vol 3, pp 1808–1813
Lee CC (1990) Fuzzy logic in control system: fuzzy logic controller—Part I and Part II. IEEE Trans SMC 20:404–435
Lee W, Stolfo SJ, Mok KW (1998) Mining audit data to build intrusion detection models. In: Proceedings of the fourth international conference on knowledge discovery and data mining (KDD 98), New York
Lee W, Stolfo SJ (1998) Data mining approaches for intrusion detection. In: Proceedings of the 7th USENIX Security Symposium, San Antonio
Lei JZ, Ghorbani A (2004) Network intrusion detection using an
improved competitive learning neural network. In: Proceedings
of the second annual conference on communication networks
and services research (CNSR04), pp 190–197
Lippmann R, Fried D, Graf I, Haines J, Kendall K, McClung D,
Weber D, Webster S, Wyschogrod D, Cunningham R, Zissman
M (1998) Evaluating intrusion detection systems: 1998 DARPA
off-line intrusion detection evaluation. In: Proceedings of IEEE
symposium on security and privacy, Oakland
Mamdani EH (1974) Applications of fuzzy algorithms for simple
dynamic plants. Proc IEE 121:1585–1588
Mohajerani M, Moeini A, Kianie M (2003) NFIDS: a neuro-fuzzy
intrusion detection system. In: Proceedings of the 10th IEEE
international conference on electronics, circuits and systems,
pp 348–351
Mukkamala S, Sung AH, Abraham A (2003) Intrusion detection
using ensemble of soft computing paradigms. In: The third
international conference on intelligent systems design and
applications, intelligent systems design and applications,
advances in soft computing. Springer, Germany, pp 239–248
Mukkamala S, Sung AH, Abraham A (2004) Modeling intrusion detection systems using linear genetic programming approach. In: The 17th international conference on industrial & engineering applications of artificial intelligence and expert systems, innovations in applied artificial intelligence. In: Robert O., Chunsheng Y., Moonis A., editors. Lecture Notes in Computer Science, vol 3029. Springer, Germany, pp 633–642
Mukherjee B, Herberlein LT, Levitt KN (1994) Network intrusion
detection. IEEE Netw 8
Peddabachigari S, Abraham A, Grosan C, Thomas J (2007) Modeling
intrusion detection system using hybrid intelligent systems.
J Netw Comput Appl 30:114–132
Scarfone K, Mell P (2007) Guide to intrusion detection and
prevention systems (IDPS), National Institute of Standards and
Technology Special Publication 800-94, 127
Shah K, Dave N, Chavan S, Mukherjee S, Abraham A, Sanyal S
(2004) Adaptive neuro-fuzzy intrusion detection system. In:
IEEE international conference on information technology:
coding and computing (ITCC04), vol 1. IEEE Computer Society,
USA, pp 70–74
Smaha SE (1988) Haystack: an intrusion detection system. In: Fourth
aerospace computer security applications conference, Tracor
Applied Science Inc., Austin, pp 37–44
Takagi T, Sugeno M (1985) Fuzzy identification of systems and its
applications to modeling and control. IEEE Trans Syst Man
Cybern 15(1):116–132
Vokorokos L, Balaz A, Chovanec M (2006) Intrusion detection
system using self organizing map. Acta Electrotechnica et
Informatica 6(1):6
Wang WD, Bridges S (2000) Genetic algorithm optimization of
membership functions for mining fuzzy association rules. In:
Proceedings of the 7th international conference on fuzzy theory
& technology, Atlantic City, pp 131–134
Wang Y, Chen H, Liu W (1996) A parallel algorithm for constructing
a labeled tree. IEEE Trans Parallel and Distrib Syst 8:1236–1240
Wang K, Stolfo SJ (2004) Anomalous payload-based network
intrusion detection. In: Jonsson E, Valdes A, Almgren M (eds)
RAID 04: Proceedings of the 7th symposium on recent advances
in intrusion detection. LNCS, vol 3224. Springer, Berlin,
pp 203–222
Zadeh LA (1965) Fuzzy sets. Inf Control 8:338–353