Exploiting timed automata based fuzzy controllers for designing adaptive intrusion detection systems

Date post: 25-Aug-2016
Category:
Upload: giovanni
View: 212 times
Download: 0 times
Share this document with a friend
14
FOCUS Exploiting timed automata based fuzzy controllers for designing adaptive intrusion detection systems Giovanni Acampora Published online: 6 November 2011 Ó Springer-Verlag 2011 Abstract Network intrusion detection systems (NIDSs) are pattern recognition problems that classify network traffic patterns as either ‘normal’ or ‘abnormal’. Precisely, the main aim of intrusion detection is to identify unau- thorized use, misuse, and abuse of computers by detecting malicious network activities such as port scans, denial of service or other attempts to crack computer network environments. Even though the incorporation of conven- tional Soft Computing techniques in NIDSs has yielded to good solutions, the strong dynamism characterizing net- work intrusion patterns tend to invalidate the usability of existing framework. To tackle this issue, our proposal performs an adaptive supervised learning on a collection of time series that characterizes the network behavior to create a so-called timed automata-based fuzzy controller (TAFC), i.e. an evolvable fuzzy controller whose dynamic features allow to design an advanced network intrusion detection system able to directly deal with computer net- work dynamism and support networks’ administrators to prevent eventual damages coming from unauthorized net- work intrusion. As will be shown in experiments, where our approach has been compared with a conventional Mamdani fuzzy controller, the proposed system reduces the detection error and, as consequence, improves the com- puter network robustness. Keywords Fuzzy Markup Language Fuzzy Systems System Dynamics Network intrusion detection systems 1 Introduction Computer networks are playing an increasingly funda- mental role in contemporary society and, consequently, they have became potential targets for a novel kind of malefactors known as cyberspace criminals. 
As conse- quence, computer networks’ administrators try to face the cyberspace fight by proposing innovative counter measures to minimize possible damages related to a detected network intrusion. A network intrusion is defined as ‘‘any set of actions that attempt to compromise the integrity, confi- dentiality or availability of a resource’’ (Scarfone and Mell 2007). Intrusion prevention techniques could help admin- istrators to completely avoid unauthorized use of comput- ers composing a network. Some samples of these techniques are user authentication, avoiding programming error and information protection. However, though the above-said techniques could support users for protecting their privacy from external penetrators, they are not suffi- cient because as systems become ever more complex, there are always vulnerabilities due to design and programming errors (Lee and Stolfo 1998). Consequently, network intrusion detection systems (NIDSs) become necessary for monitoring the events occurring in a network and analyzing them for recognizing and stopping potential violations. In last years, several Soft Computing approaches, including neural networks (Mukkamala et al. 2003), linear genetic programming (LGP) (Mukkamala et al. 2004), support vector machines (SVM) (Hu and Heywood 2003), Bayesian networks (Bulatovic and Velasevic 1999) and fuzzy inference systems (FISs) (Shah et al. 2004; Botha and Solms 2003), have been developed and applied to the design of NIDSs. However, in spite of their wide applicability, these approaches suffer from lack of the management of the temporal concept which strongly G. Acampora (&) Department of Computer Sciences, University of Salerno, 84084 Fisciano, Salerno, Italy e-mail: [email protected] 123 Soft Comput (2012) 16:1183–1196 DOI 10.1007/s00500-011-0791-3
Transcript

FOCUS

Exploiting timed automata based fuzzy controllers for designingadaptive intrusion detection systems

Giovanni Acampora

Published online: 6 November 2011

© Springer-Verlag 2011

Abstract Network intrusion detection systems (NIDSs) are pattern recognition problems that classify network traffic patterns as either ‘normal’ or ‘abnormal’. Precisely, the main aim of intrusion detection is to identify unauthorized use, misuse, and abuse of computers by detecting malicious network activities such as port scans, denial of service or other attempts to crack computer network environments. Even though the incorporation of conventional Soft Computing techniques in NIDSs has yielded good solutions, the strong dynamism characterizing network intrusion patterns tends to invalidate the usability of existing frameworks. To tackle this issue, our proposal performs adaptive supervised learning on a collection of time series that characterizes the network behavior to create a so-called timed automata-based fuzzy controller (TAFC), i.e. an evolvable fuzzy controller whose dynamic features allow the design of an advanced network intrusion detection system able to deal directly with computer network dynamism and support network administrators in preventing possible damages coming from unauthorized network intrusion. As will be shown in the experiments, where our approach has been compared with a conventional Mamdani fuzzy controller, the proposed system reduces the detection error and, as a consequence, improves computer network robustness.

Keywords: Fuzzy Markup Language · Fuzzy Systems · System Dynamics · Network intrusion detection systems

1 Introduction

Computer networks are playing an increasingly fundamental role in contemporary society and, consequently, they have become potential targets for a novel kind of malefactors known as cyberspace criminals. As a consequence, computer network administrators try to face the cyberspace fight by proposing innovative countermeasures to minimize possible damages related to a detected network intrusion. A network intrusion is defined as ‘‘any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource’’ (Scarfone and Mell 2007). Intrusion prevention techniques could help administrators to completely avoid unauthorized use of the computers composing a network. Some examples of these techniques are user authentication, avoiding programming errors and information protection. However, though the above techniques could support users in protecting their privacy from external penetrators, they are not sufficient because, as systems become ever more complex, there are always vulnerabilities due to design and programming errors (Lee and Stolfo 1998). Consequently, network intrusion detection systems (NIDSs) become necessary for monitoring the events occurring in a network and analyzing them in order to recognize and stop potential violations.

In recent years, several Soft Computing approaches, including neural networks (Mukkamala et al. 2003), linear genetic programming (LGP) (Mukkamala et al. 2004), support vector machines (SVM) (Hu and Heywood 2003), Bayesian networks (Bulatovic and Velasevic 1999) and fuzzy inference systems (FISs) (Shah et al. 2004; Botha and Solms 2003), have been developed and applied to the design of NIDSs. However, in spite of their wide applicability, these approaches suffer from a lack of management of the temporal concept which strongly characterizes the so-called network context, i.e., the collection of the features which model the dynamic behavior of a computer network (e.g., the number of packets, the number of individuals using the network, the type of services enabled in the network, etc.).

G. Acampora
Department of Computer Sciences, University of Salerno, 84084 Fisciano, Salerno, Italy
e-mail: [email protected]

Soft Comput (2012) 16:1183–1196
DOI 10.1007/s00500-011-0791-3

To overcome the aforementioned drawback, our work proposes an innovative intrusion detection system based on an adaptive supervised learning method capable of mining a so-called timed automata-based fuzzy controller (TAFC), i.e., an evolvable fuzzy controller whose dynamic characteristics make it possible to improve network intrusion detection by directly managing the computer network dynamism. The proposed supervised learning approach extends the well-known algorithm of Tzung-Pei Hong and Chai-Ying Lee (Hong and Lee 1996) and generates a TAFC-based detection system by analyzing a collection of time series which depicts the computer network behavior.

As will be shown in the experiments, where our approach has been compared with a conventional Mamdani fuzzy controller, the proposed system reduces the detection error and, as a consequence, improves computer network robustness.

The paper is structured as follows: in Sect. 2, some existing techniques and their limitations are presented. In Sect. 3 a more detailed description of intrusion detection systems is given. Sections 4 to 5.2 provide a detailed discussion of our detection model. Then, Sect. 6 presents the supervised learning approach that aims to mine the most suitable TAFC starting from a sequence of data instances. Finally, Sect. 7 presents the case study and the experimental results that display the advantages achieved by exploiting our detection model.

2 Related work

In the past 20 years, a lot of techniques have been developed to solve the network intrusion problem. Several paradigms including statistical models (Javitz et al. 1986; Anderson et al. 1995; Wang and Stolfo 2004), neural networks (Mukkamala et al. 2003; Kayacik et al. 2003; Lei and Ghorbani 1901), linear genetic programming (LGP) (Mukkamala et al. 2004), support vector machines (SVM) (Hu and Heywood 2003), Bayesian networks (Bulatovic and Velasevic 1999), fuzzy inference systems (FISs) (Shah et al. 2004; Botha and Solms 2003) and clustering approaches (Lee et al. 1998), have been applied to the design of IDSs.

In general, statistics-based systems proceed in this way: during the so-called training phase, they build a statistical model of the attack-free network behavior; then, in the detection phase, the input data are compared with the model using a distance function, and when the measured distance exceeds a given threshold, the input is considered anomalous, i.e., it is considered an attack. Neural networks also work in a similar way, but instead of building a statistical model, they train a neural network which is then in charge of distinguishing regular traffic from anomalous traffic (Bolzoni and Etalle 2008). An example is presented in Vokorokos et al. (2006), where an intrusion detection system based on a self-organizing map (SOM) neural network is described. Among data mining frameworks, instead, the well-known audit data analysis and mining (ADAM) project (Barbara et al. 2001) can be reported. ADAM uses data mining to build a customizable profile of rules of normal behavior, and a classifier that sifts the suspicious activities, classifying them into real attacks (by name) and false alarms.

With regard to fuzzy logic, several pure and hybrid approaches have been applied to design NIDSs. In particular, in Mohajerani et al. (2003), the authors developed the neuro-fuzzy intrusion detection system (NFIDS), which uses fuzzy logic to detect whether malicious activity is taking place on a network and a neural network to learn the fuzzy rules. Wang and Bridges (2000) applied genetic algorithms to tune the membership functions of the fuzzy variables used to mine the fuzzy association rules, in order to improve the performance of the intrusion detection system. Finally, Dickerson and Dickerson (2000) present a system called fuzzy intrusion recognition engine (FIRE), i.e., an anomaly-based intrusion detection system that uses fuzzy logic to assess whether malicious activity is taking place on a network. It uses simple data mining techniques to process the network input data and help expose metrics that are particularly significant to anomaly detection. These metrics are then evaluated as fuzzy sets. FIRE uses a fuzzy analysis engine to evaluate the fuzzy inputs and produce alerts for the security administrator that are true to a degree.

Although the aforementioned approaches provide several remarkable benefits, they may suffer from a design weakness: they implement decision making systems based on a static view of a computer network, without considering the temporal aspects that strongly modify the network context and, as a consequence, the network behavior. For this reason, these systems could perform intrusion detection mistakenly, i.e., produce false positives or fail to identify existing attacks.

In contrast, our proposal implements a supervised learning algorithm that analyzes a collection of time series modeling a computer network behavior and computes an evolvable fuzzy system able to identify attacks and intrusions more accurately than previous fuzzy control proposals.


3 Intrusion detection systems

An intrusion detection system is a framework that tries to identify, preferably in real time, unauthorized use, misuse and abuse of computer systems by both system insiders and external penetrators (Mukherjee et al. 1994). IDSs can be classified as network-based or host-based according to their source of data. More in detail, a network-based IDS collects data from the monitored network as raw network packets, whereas a host-based IDS operates on information collected from within an individual computer system, such as operating system audit trails, C2 audit logs, and system logs (Byuhghae-Cha and Jaiyttyun 2005).

In general, intrusion detection systems (IDSs) are based on the beliefs that an intruder’s behavior will be noticeably different from that of a legitimate user and that many unauthorized actions are detectable (Mukherjee et al. 1994). Precisely, an intrusion can be defined as a deliberate unauthorized attempt to access or manipulate information or render a system unreliable or unusable (Anderson et al. 1995). It is possible to consider six types of intrusions (Smaha 1988):

• Attempted break-ins, which are detected by atypical behavior profiles or violations of security constraints;
• Masquerade attacks, which are detected by atypical behavior profiles or violations of security constraints;
• Penetration of the security control system, which is detected by monitoring for specific patterns of activity;
• Leakage, which is detected by atypical use of system resources;
• Denial of service, which is detected by atypical use of system resources;
• Malicious use, which is detected by atypical behavior profiles, violations of security constraints, or use of special privileges.

To test the behavior of our proposed intrusion detection system, the denial of service (DoS) intrusion will be considered. DoS is a particular kind of computer intrusion that attempts to make a computer resource unavailable to its authorized users. DoS attacks can have different intents: consuming the bandwidth of an entire network, preventing service use on a single targeted host or crashing a single service on the target machine. Typically, this attack is achieved by saturating the target machine with a lot of external communication requests, such as ICMP Echo Requests, such that it cannot accomplish its tasks. Since there are many different ways through which it is possible to consume system resources, DoS attacks are extremely difficult to defend against.

From a structural point of view, a typical IDS consists of three functional components (Bace 2000): an information source, an analysis engine and a decision maker. The information source provides a stream of event records. The analysis engine finds signs of intrusions by analyzing data from the information source and generates a suitable decision maker that exploits a collection of rules to detect possible intrusions. Our approach uses a collection of time series as information source, a supervised learning approach as analysis engine and a timed automata fuzzy controller as decision maker.

4 Timed fuzzy control: a new vision in fuzzy system modeling

This section introduces Timed Fuzzy Control, a new theoretical vision for system modeling that attempts to improve Fuzzy Control by introducing some additional temporal concepts that allow standard fuzzy controllers to evolve and adapt themselves to dynamic changes in the controlled systems. Starting from this novel vision, TAFCs will be introduced and defined using a formalism from language theory: timed automata.

4.1 Timed fuzzy controllers

Fuzzy control (Takagi and Sugeno 1985; Mamdani 1974) is one of the most active and fruitful research areas in the application of fuzzy set theory. Basically, fuzzy logic provides an effective method of capturing and managing the approximate, inexact nature of the real world. From this point of view, the essential component of a fuzzy logic controller (FLC) is a set of linguistic rules related to the dual concepts of fuzzy implications and the compositional rule of inference. In other words, fuzzy control can be considered as an algorithm which can convert a linguistic control strategy based on expert knowledge into an automatic control strategy. In general, the high-level structure of a FLC is shown in Fig. 1.

Fig. 1 A standard fuzzy logic controller


This methodology appears very useful when the processes are too complex for analysis by conventional quantitative techniques or when the available sources of information are interpreted qualitatively, inexactly, or uncertainly. Thus, the fuzzy control methodology may be viewed as a good tradeoff between conventional precise mathematical control and human-like decision making (Gupta and Tsukamoto 1980). However, in spite of its desirable features, fuzzy control techniques do not enable the modeling of systems characterized by a discontinuous nonlinear behavior, i.e., systems able to dynamically change their functionalities by taking into account temporal or other kinds of events. As mentioned, this kind of behavior strongly characterizes network systems as well. For this reason, a new kind of fuzzy inference engine is necessary and is introduced in the following.

Timed fuzzy controllers make it possible to model network system dynamism by extending standard fuzzy controllers through three additional concepts: control configuration, control era and control time. The proposed engine exploits the control time as a clock moving the system through several control eras, each one characterized by a specific control configuration. More in detail, a control era can be defined as the longest time interval in which the system does not change its control configuration, which is characterized by (1) the number and typology of fuzzy variables and (2) the number and structure of the relationships among variables. In other words, our proposal defines a system modeling method that, at each instant, considers the most appropriate fuzzy controller, i.e., the one that best maps the system’s behavior.

To formally define timed fuzzy control, a function-based definition of a standard fuzzy controller (Mamdani or TSK) is given.

Definition 1 (fuzzy logic controller) A fuzzy logic controller, with $n$ inputs and $m$ outputs, can be considered as a function mapping a vector $x \in \mathbb{R}^n$ to an output vector $y \in \mathbb{R}^m$. In other words:

$$c : \mathbb{R}^n \to \mathbb{R}^m$$

where the behavior of $c$ is dictated by classic fuzzy inference operators.

Starting from the previous definition, a timed fuzzy controller on $k$ control eras can be formally introduced.

Definition 2 Let $\mathcal{C} = \bigcup_{n \in \mathbb{N}} \bigcup_{m \in \mathbb{N}} \{ c : \mathbb{R}^n \to \mathbb{R}^m \}$ be the collection of all possible fuzzy controllers and let

$$E = \{ e_i = [t'_i, t''_i[ \;\mid\; i = 1 \ldots k,\; k \in \mathbb{N},\; t'_i, t''_i \in \mathbb{R}^+ \text{ with } t'_1 = 0,\; t''_i = t'_{i+1} \text{ and } t'_i < t'_{i+1} \}$$

be the set of $k$ disjoint control eras, where the $i$th control era, known as $e_i$, starts at $t'_i$ and ends at $t''_i$. Once $\mathcal{C}$ and $E$ are defined, let $f : E \to \mathcal{C}$ be the function that maps each control era to the corresponding control configuration and let $g : \mathbb{R}^+ \to E$ be the function which associates a time instant $t_j$ with the corresponding control era. Then, a timed fuzzy control is a function composition $u = f \circ g : \mathbb{R}^+ \to \mathcal{C}$ that maps a time instant $t_j \in \mathbb{R}^+$ belonging to the $i$th control era to a fuzzy controller $f_i \in \mathcal{C}$ representing the associated control configuration.

Observation 1 If two instants $t_j$ and $t_{j+1}$, with $t_j < t_{j+1}$, belong to the same $i$th control era, the function $u$ returns the same function $f_i$:

$$u(t_j) = f(g(t_j)) = f_i = f(g(t_{j+1})) = u(t_{j+1}) \quad \text{if } t'_i \le t_j < t_{j+1} < t''_i$$

Observation 2 Each fuzzy controller $c$ is a timed fuzzy controller $u_c$ on 1 control era with the following parameters:

$$E = \{ [0, t''_1[ \},\; t''_1 > 0 \qquad \mathcal{C} = \{ c \} \qquad f([0, t''_1[) = c$$

$$g(t) = [0, t''_1[ \quad \forall\, t \in \mathbb{R}^+$$

$$u_c = f(g(t)) = c \quad \forall\, t \in \mathbb{R}^+$$
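The timed fuzzy control of Definition 2 and the two observations, as an added example that is not part of the paper: two control eras (constructed as night and office hours, in seconds since midnight) are each mapped by $f$ to a small one-input Mamdani controller, and $u = f \circ g$ selects the controller in force at an instant $t$. The input variable (ICMP echo requests per second), the membership functions, the rules and the era bounds are assumptions chosen for illustration, not the paper's case study.

```python
from typing import Callable, Dict, List, Tuple

# c : R -> R, a one-input, one-output fuzzy logic controller (Definition 1, n = m = 1)
Controller = Callable[[float], float]


def tri(a: float, b: float, c: float) -> Callable[[float], float]:
    """Triangular membership function with support [a, c] and peak at b."""
    def mu(x: float) -> float:
        if x <= a or x >= c:
            return 0.0
        return (x - a) / (b - a) if x <= b else (c - x) / (c - b)
    return mu


def mamdani(in_terms: Dict[str, Callable[[float], float]],
            out_terms: Dict[str, Tuple[float, float, float]],
            rules: List[Tuple[str, str]]) -> Controller:
    """Build a Mamdani controller: max-min inference, output terms clipped at the
    rule firing strength, centroid defuzzification on a 101-point grid over [0, 1]."""
    grid = [i / 100 for i in range(101)]

    def c(x: float) -> float:
        agg = [0.0] * len(grid)
        for in_term, out_term in rules:
            strength = in_terms[in_term](x)
            out_mu = tri(*out_terms[out_term])
            for k, y in enumerate(grid):
                agg[k] = max(agg[k], min(strength, out_mu(y)))
        area = sum(agg)
        return sum(y * m for y, m in zip(grid, agg)) / area if area else 0.0
    return c


# Constructed output variable: alert level in [0, 1].
OUT = {"low": (0.0, 0.0, 0.5), "high": (0.5, 1.0, 1.0)}

# Control configuration for office hours (constructed): about 300 echo
# requests/s is still partly "normal" traffic.
day_ctrl = mamdani({"normal": tri(0, 0, 400), "flood": tri(200, 600, 1000)},
                   OUT, [("normal", "low"), ("flood", "high")])
# Control configuration for the night (constructed): the same rate is a flood.
night_ctrl = mamdani({"normal": tri(0, 0, 100), "flood": tri(50, 300, 1000)},
                     OUT, [("normal", "low"), ("flood", "high")])

# E = {e_1 = [0, 28800[, e_2 = [28800, 86400[} in seconds since midnight:
# t'_1 = 0 and t''_i = t'_{i+1}, so the eras are disjoint and half-open.
ERAS: List[Tuple[float, float]] = [(0.0, 28800.0), (28800.0, 86400.0)]
# f : E -> C maps each era (by index) to its control configuration.
F: Dict[int, Controller] = {0: night_ctrl, 1: day_ctrl}


def g(t: float) -> int:
    """g : R+ -> E, returning the index i of the era with t'_i <= t < t''_i."""
    for i, (start, end) in enumerate(ERAS):
        if start <= t < end:
            return i
    raise ValueError(f"instant {t} lies outside every control era")


def u(t: float) -> Controller:
    """u = f o g : R+ -> C (Definition 2)."""
    return F[g(t)]


def alert_level(t: float, icmp_rate: float) -> float:
    """Evaluate the controller in force at instant t on the current input."""
    return u(t)(icmp_rate)


def as_timed(c: Controller, horizon: float) -> Callable[[float], Controller]:
    """Observation 2: a conventional controller c is a timed fuzzy controller u_c
    on the single control era [0, horizon[."""
    def u_c(t: float) -> Controller:
        if not 0.0 <= t < horizon:
            raise ValueError(f"instant {t} lies outside the single era")
        return c
    return u_c
```

The same input of 300 requests/s yields an alert level of 0.5 during office hours but 0.83 at night, which is the whole point of letting the control configuration depend on the era.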

Hereafter, the paper is devoted to presenting the proposed intrusion analysis engine, named TAFC, which represents the implementation of the described function $u$ using a theory deriving from formal languages: timed automata.

5 Timed automata based fuzzy controllers

This section presents TAFCs, evolvable fuzzy controllers whose dynamic features allow the design of an advanced network intrusion detection system that is able to deal directly with computer network dynamism and support network administrators in preventing possible damages from unauthorized network intrusion. Before formally introducing TAFCs, a brief description of timed automata theory is given in the next subsection.

5.1 Timed automata

A timed automaton is a standard finite-state automaton extended with a finite collection of real-valued clocks, providing a straightforward way to represent time-related events, a feature that plain automata-based approaches cannot offer. The clocks can be reset to 0 (independently of each other) with the transitions of the automaton, and keep track of the time elapsed since the last reset. The transitions of a timed automaton are labeled with a guard (a condition on clocks), an action or symbol on the alphabet $\Sigma$, and a clock reset (a subset of clocks to be reset). Intuitively, a timed automaton starts execution with all clocks set to zero. Clocks increase uniformly with time while the automaton is within a node. A transition may be taken only if the current values of the clocks satisfy the associated constraints. By taking the transition, all clocks in the clock reset will be set to zero, while the remaining ones keep their values. With this mechanism, we can capture several interesting aspects of real-time systems: qualitative features such as liveness, fairness, and nondeterminism; and quantitative features such as periodicity, bounded response, and timing delays.

The set of behaviors expressed by a system modeled by means of a timed automaton is defined by a timed language, i.e., a collection of timed words. Both timed concepts are defined as follows.

Definition 3 A time sequence $\tau = \tau_1 \tau_2 \ldots$ is an infinite sequence of time values $\tau_i \in \mathbb{R}$ with $\tau_i > 0$, satisfying the following constraints:

1. Monotonicity: $\tau$ increases strictly monotonically; that is, $\tau_i < \tau_{i+1}$ for all $i \ge 1$.
2. Progress: for every $t \in \mathbb{R}$, there is some $i \ge 1$ such that $\tau_i > t$.

A timed word over an alphabet $\Sigma$ is a pair $(\sigma, \tau)$ where $\sigma = \sigma_1 \sigma_2 \ldots$ is an infinite word over $\Sigma$ and $\tau$ is a time sequence. A timed language over $\Sigma$ is a set of timed words on $\Sigma$.

Definition 4 For a set $X$ of clock variables, the set $\Phi(X)$ of clock constraints $\delta$ is defined inductively by

$$\delta := x \le c \;\mid\; c \le x \;\mid\; \neg \delta \;\mid\; \delta_1 \wedge \delta_2$$

where $x$ is a clock in $X$ and $c$ is a constant in $\mathbb{Q}$, the set of nonnegative rationals.

A clock interpretation $\nu$ for a set $X$ of clocks assigns a real value to each clock; that is, it is a mapping from $X$ to $\mathbb{R}$. We say that a clock interpretation $\nu$ for $X$ satisfies a clock constraint $\delta$ over $X$ iff $\delta$ evaluates to true using the values given by $\nu$. For $t \in \mathbb{R}$, $\nu + t$ denotes the clock interpretation which maps every clock $x$ to the value $\nu(x) + t$, and the clock interpretation $t \cdot \nu$ assigns to each clock $x$ the value $t \cdot \nu(x)$. For $Y \subseteq X$, $[Y \mapsto t]\nu$ denotes the clock interpretation for $X$ which assigns $t$ to each $x \in Y$ and agrees with $\nu$ over the rest of the clocks.

Now, a precise definition of timed transition table, which determines the timed automaton behavior, is given:

Definition 5 A timed transition table $\mathcal{A}$ is a tuple $\langle \Sigma, S, S_0, C, E \rangle$, where

• $\Sigma$ is a finite alphabet,
• $S$ is a finite set of states,
• $S_0 \subseteq S$ is a set of start states,
• $C$ is a finite set of clocks, and
• $E \subseteq S \times S \times \Sigma \times 2^C \times \Phi(C)$ gives the set of transitions. An edge $\langle s, s', a, \lambda, \delta \rangle$ represents a transition from state $s$ to state $s'$ on input symbol $a$. The set $\lambda \subseteq C$ gives the clocks to be reset with this transition, and $\delta$ is a clock constraint over $C$.

If $(\sigma, \tau)$ is a timed word viewed as an input to an automaton, it presents the symbol $\sigma_i$ at time $\tau_i$. If each symbol $\sigma_i$ is interpreted to denote an event occurrence, then the corresponding component $\tau_i$ is interpreted as the time of occurrence of $\sigma_i$. Given a timed word $(\sigma, \tau)$, the timed transition table $\mathcal{A}$ starts in one of its start states at time 0 with all clocks initialized to 0. As time advances, the values of all clocks change, reflecting the elapsed time. At time $\tau_i$, $\mathcal{A}$ changes state from $s$ to $s'$ using some transition of the form $\langle s, s', \sigma_i, \lambda, \delta \rangle$ reading the input $\sigma_i$, if the current values of the clocks satisfy $\delta$. With this transition, the clocks in $\lambda$ are reset to 0, and thus start counting time with respect to the time of occurrence of this transition. Formally, this timed behavior is captured by introducing runs of timed transition tables.

Definition 6 A run $r$, denoted by $(\bar{s}, \bar{\nu})$, of a timed transition table $\langle \Sigma, S, S_0, C, E \rangle$ over a timed word $(\sigma, \tau)$ is an infinite sequence of the form

$$r : \langle s_0, \nu_0 \rangle \xrightarrow[\tau_1]{\sigma_1} \langle s_1, \nu_1 \rangle \xrightarrow[\tau_2]{\sigma_2} \langle s_2, \nu_2 \rangle \xrightarrow[\tau_3]{\sigma_3} \cdots$$

with $s_i \in S$ and $\nu_i \in [C \to \mathbb{R}]$, for all $i \ge 0$, satisfying the following requirements:

• Initiation: $s_0 \in S_0$ and $\nu_0(x) = 0$ for all $x \in C$.
• Consecution: for all $i \ge 1$, there is an edge in $E$ of the form $\langle s_{i-1}, s_i, \sigma_i, \lambda_i, \delta_i \rangle$ such that $(\nu_{i-1} + \tau_i - \tau_{i-1})$ satisfies $\delta_i$ and $\nu_i$ equals $[\lambda_i \mapsto 0](\nu_{i-1} + \tau_i - \tau_{i-1})$.

The timed transition table together with the run concept are the main notions used in our approach to embed dynamism in the standard FLC definition.

5.2 Merging timed automata and fuzzy controllers: TAFCs

This section is devoted to describing our contextual anomaly detection system, i.e., timed automata based fuzzy controllers (TAFCs). TAFCs represent an integration between two theories: fuzzy control and timed automata.

A TAFC implements a timed fuzzy controller by exploiting a timed automaton whose behaviors define all the potential sequences of control eras (and the related control configurations) that a system may cross during its life cycle. More in detail, TAFCs are able to manage the control eras by associating each of them with a state in the timed automaton. The control era progression can be determined by exploiting the automaton run concept (Definition 6). Indeed, the $i$th discrete transition can be used to throw a temporal event which moves the system from the $i$th control era to the $(i+1)$th one.

However, it is necessary to extend the classical timed automaton (Definition 5) by modifying the definition of timed automaton transition. Indeed, because each automaton state represents a control era of the system with the corresponding control configuration, its outgoing transitions have to be able to transform the system’s configuration. To accomplish this task, the timed automaton transition has been extended with a sequence of transformation operators.

Once the automaton computation starts over a given timed word, the state transitions will appropriately transform the current control configuration into the successive one. In this vision, a timed word determines how and when to execute the switching among successive control eras. So, a timed word coincides with the control time concept.

Therefore, a TAFC, as will be formally defined in the last subsection, is a pair consisting of two components: an extended timed automaton that describes the dynamic evolution of a system and a fuzzy logic controller modeling the control behavior of the system during the first phase of its existence.

5.2.1 Transformation operators

The first step towards the formal definition of a TAFC is to introduce a collection of operators capable of changing control configurations. To define the so-called transformation operators, a new representation of a standard fuzzy controller is used. This representation is based on labeled trees (Wang et al. 1996), a data structure defined by means of well-known graph theory. By following this idea, it is possible to build a fuzzy control labeled tree (Acampora and Loia 2008). A fuzzy controller represented through a labeled tree can be modified in a very simple way, because labeled trees (i.e., graphs) are characterized by modification operations (insert, delete and update) which are simple, flexible and computationally efficient.

In detail, transformation operators change a TAFC’s control configuration by executing the following operations: adding () or deleting (�) a variable; adding (�k), removing (�k) or changing (�k) k rules in the rule base; changing the implication method of the rule base (� ); adding (~), deleting (ø) or changing (}) a term of a variable; changing the defuzzification method (_), aggregation method (ffl) or default value (> ) of an output variable; changing the lower bound (n) or upper bound (o) of the universe of discourse of a variable. Besides, four other operators are defined independently. In detail, the first one does not concern changes to the fuzzy controller structure because it sets the sampling frequency (4), whereas the others deal with a complete replacement of a fuzzy controller, executing these operations: returning to the initial control configuration (y); setting the control configuration to that of the destination state (z), or transforming a control configuration into itself (g).

The formal definitions of the transformation operators based on the labeled tree representation of a fuzzy controller are not presented, for the sake of simplicity.

After listing all transformation operators, it is possible to define the collection of transformation operators $C_{op}$.

Definition 7 The set of transformation operators acting on a control configuration is

$C_{op}$ = { , �, �k, �k, �k, �, n, o, ffl, ~, ø, }, >, 4, _, y, z, g }

The following section introduces an extended version of timed automata capable of directly dealing with the fuzzy control concept. The point of contact between timed automata and fuzzy controllers is represented by the set of transformation operators, which will be used to update the definition of timed automata edges.

5.2.2 Extending timed automata for implementing timed fuzzy control

Once the set of transformation operators $C_{op}$ has been introduced, it is necessary to redefine the timed automaton concept to consider a novel kind of transition edges capable of changing the control configuration of the modeled system. In particular, the standard transition set $E$ of timed automata is replaced with the following:

$$E_C \subseteq S \times S \times \Sigma \times 2^C \times \Phi(C) \times C_{op}^*$$

where $C_{op}^*$ represents the set of all possible sequences of transformation operators, i.e., $C_{op}^* = \bigcup_{n \ge 1} C_{op}^n$ where $C_{op}^n$ is the set of all possible sequences of $n$ operators with $n \ge 1$.

Now, it is possible to provide an extended definition of a

timed automaton:

Definition 8 A timed control transition table AC is a

tuple hR [ f�g; S; S0;C;ECi; where

• R is a finite alphabet;

• � represents empty event, i.e., when it is on a transition,

the crossing of this transition depends only on temporal

constraints;

• S is a finite set of states;

1188 G. Acampora

123

• S0 � S is a set of start states;

• C is finite set of clocks;

• EC � S� S� R� 2C � UðCÞ � C�op gives the set of

transitions. An edge hs; s0; a; k; d; oni represents a

transition from state s to state s0 on input symbol a

which can be also the empty event. The set k � C

gives the clocks to be reset with this transition, d is

a clock constraint over C and on 2 C�op is a sequence of

n transformation operators, with n� 1; defined to

change the current control configuration of modeled

system.

In a sequence of transformation operators an operator can be repeated, so as to execute the same task on different arguments (e.g. to modify the universe of discourse of several variables). Moreover, the operators are executed in the order in which they appear in the sequence (Definition 10).

Definition 9 Let $F$ be a fuzzy controller and let $o \in \mathcal{C}_{op}$ be a transformation operator; then $G = o(F)$ is the fuzzy controller obtained by applying the operator $o$ to the fuzzy controller $F$.

Definition 10 Let $F$ be a fuzzy controller and let $o^n \in \mathcal{C}_{op}^*$ be a sequence $o^n = (o_1, o_2, \ldots, o_n)$ with $o_i \in \mathcal{C}_{op}$ for all $i \in \{1, 2, \ldots, n\}$; then

$$G = o^n(F) = o_n(o_{n-1}(\ldots(o_2(o_1(F)))\ldots))$$

is the fuzzy controller obtained by applying the operators $o_1, o_2, \ldots, o_{n-1}, o_n$ to the fuzzy controller $F$ in the order in which they are listed in the sequence $o^n$.

At this point it is possible to give a formal definition of a TAFC and of the properties characterizing its dynamic behavior.

Definition 11 A TAFC $T$ is an ordered pair composed of an initial control configuration, represented by a fuzzy controller named $F_0$, together with a timed control transition table $T_C$. Formally:

$$T = (F_0, T_C).$$

The TAFC properties that define the dynamic behavior of a system are the control evolution and the control run. The control evolution is a mapping between the states $S$ of $T_C$ and the collection of control configurations obtainable from $F_0$. More precisely, the control evolution is a mathematical succession, generated inductively, that maps each state in $S$ to one or more control configurations obtained by sequentially applying to $F_0$ the transformation operators carried by the edges in $S \times S \times (\Sigma \cup \{\varepsilon\}) \times 2^C \times \Phi(C) \times \mathcal{C}_{op}^*$. Then:

Definition 12 (control evolution) Let $T = (F_0, T_C)$ be a TAFC defined over a timed control transition table $\langle \Sigma \cup \{\varepsilon\}, S, S_0, C, E_C \rangle$ with $S = \{s_0, s_1, \ldots, s_{|S|-1}\}$ the finite set of automaton states; let $F^*$ be the collection of all possible fuzzy controllers; let $\Xi = \{\xi_1, \xi_2, \ldots, \xi_{|\Xi|}\}$ be the subset of ordered sequences in $\mathcal{C}_{op}^*$, with $\xi_i = (o_1, o_2, \ldots, o_{|\xi_i|})$ for all $i \in \{1, 2, \ldots, |\Xi|\}$, employed to define the edges in $E_C$. Then the control evolution $\Psi$ over a state $s_0 \in S_0$ is

$$\Psi : \mathbb{N} \to S \times F^*$$

defined inductively as follows.

The base case ($i = 0$). Let $s_0 \in S_0$ be an initial state of $\langle \Sigma \cup \{\varepsilon\}, S, S_0, C, E_C \rangle$; then

$$\Psi(0) = (s_0, F_0).$$

The inductive step ($i > 0$). Let $\Psi(i-1)$ be defined as

$$\Psi(i-1) = (s_{i-1}, F_{i-1})$$

with $s_{i-1} \in S$ and $F_{i-1} \in F^*$; then

$$\Psi(i) = (s_i, F_i)$$

with $s_i \in S$, $F_i = \xi_i(F_{i-1})$, $\xi_i \in \Xi$ and $\langle s_{i-1}, s_i, a, \lambda, \delta, \xi_i \rangle \in E_C$.

More intuitively, expression (1) shows the sequence of pairs composing a control evolution over $s_0 \in S_0$, together with the fuzzy controllers obtained by applying the operator sequences $\xi_i$ (the sequence carried by the edge entering $s_i$ is the one that produces $F_i$, as in the inductive step):

$$\begin{array}{lcl}
\Psi(0): & s_0 \in S_0 & \to F_0 \\
 & & \downarrow \xi_1 \\
\Psi(1): & s_1 \in S & \to F_1 \\
 & & \downarrow \xi_2 \\
\Psi(2): & s_2 \in S & \to F_2 \\
 & & \downarrow \xi_3 \\
 & \vdots & \vdots \\
\Psi(j): & s_j \in S & \to F_j \\
 & & \downarrow \xi_{j+1} \\
 & \vdots & \vdots
\end{array} \qquad (1)$$

The image $I_\Psi$ of the function $\Psi$ can be finite or infinite, depending on the topology of the graph modeling the component $T_C$ of the TAFC. Indeed, if the topology of $T_C$ contains cycles, several FLCs can be associated with the same state $s_h \in S$. To see this, let $\langle s_k, s_{i-1}, a, \lambda, \delta, \xi_k \rangle \in E_C$ be an edge entering a state $s_{i-1}$ that has already been visited, i.e. an edge closing a cycle. When it is crossed, the fuzzy controller currently stored in $s_{i-1}$ is replaced by a new one, obtained by executing the sequence of operators $\xi_k$ on the fuzzy controller stored in $s_k$. Crossing the edge $\langle s_{i-1}, s_i, a, \lambda, \delta, \xi_i \rangle \in E_C$ again then replaces the fuzzy controller stored in $s_i$ as well: even though the sequence of operators $\xi_i$ is unchanged since the previous crossing of the edge, a new fuzzy controller is stored in $s_i$ because $\xi_i$ is now executed on the different fuzzy controller that was stored in $s_{i-1}$ in the previous step. So both $s_{i-1}$ and $s_i$ become associated with a new fuzzy controller because of the cycle closed by the edge $\langle s_k, s_{i-1}, a, \lambda, \delta, \xi_k \rangle$.

Obviously, the control evolution only represents a mapping between the states of the timed automaton $T_C$ and the collection of control configurations computable from $F_0$ by applying the different operator sequences in $\Xi$; no dynamic aspect is considered in the definition of the control evolution. It is therefore necessary to introduce the idea of a control run, extending the run of a standard timed transition table (Definition 6).

Definition 13 Let $\Psi$ be a control evolution. A control run $r_c$, denoted by $(\bar{s}, \bar{\nu})$, of a timed control transition table $\langle \Sigma \cup \{\varepsilon\}, S, S_0, C, E_C \rangle$ over a timed word $(\sigma, \tau)$ and a collection of operator sequences $\Xi = \{\xi_1, \xi_2, \ldots, \xi_{|\Xi|}\} \subseteq \mathcal{C}_{op}^*$ is an infinite sequence of the form

$$r_c : \langle s_0, \nu_0 \rangle \xrightarrow[\tau_1]{\sigma_1, \xi_1} \langle s_1, \nu_1 \rangle \xrightarrow[\tau_2]{\sigma_2, \xi_2} \langle s_2, \nu_2 \rangle \xrightarrow[\tau_3]{\sigma_3, \xi_3} \cdots$$

with $s_i \in S$ and $\nu_i \in [C \to \mathbb{R}]$ for all $i \ge 0$, and $\xi_i \in \mathcal{C}_{op}^*$ for all $i \ge 1$, satisfying the following requirements:

• Initiation: $s_0 \in S_0$ and $\nu_0(x) = 0$ for all $x \in C$;
• Consecution: for all $i \ge 1$ there is an edge in $E_C$ of the form $\langle s_{i-1}, s_i, \sigma_i, \lambda_i, \delta_i, \xi_i \rangle$ such that $(\nu_{i-1} + \tau_i - \tau_{i-1})$ satisfies $\delta_i$ and $\nu_i = [\lambda_i \mapsto 0](\nu_{i-1} + \tau_i - \tau_{i-1})$;
• Atomicity: the operators of the sequence $\xi_i \in \mathcal{C}_{op}^*$ are atomic operations whose computation time is 0, i.e. they do not modify the duration $(\tau_i - \tau_{i-1})$ of the stay in the automaton state $s_i$;
• Evolution: each state $s_i$ of a pair $\langle s_i, \nu_i \rangle$ in $r_c$ is mapped to an FLC $F_i$ as described by the control evolution $\Psi$.

If $T = (F_0, T_C)$ is a TAFC modeling a given system, then the set of control runs $r_c$ defined over the timed language $L$ generated by $T_C$ completely describes the collection of dynamic behaviors of the system, whereas the control run $r_c$ defined over a single word $w_i \in L$ defines one precise dynamic behavior of the system; such a word $w_i$ is called a Control Time.

Definition 14 (control time) If $T = (F_0, T_C)$ is a TAFC, $T_C$ is a timed automaton recognizing the timed language $L = w_1, w_2, w_3, \ldots, w_i, \ldots$, $w_i$ is a timed word and $r_c$ is a control run defined over $w_i$, then $w_i$ is a Control Time of the system.

Finally, it is possible to give a formal description of the control era and control configuration concepts.

Definition 15 (control era and control configuration) If $r_c$ is a control run defined over the Control Time $w_i = (\sigma, \tau) \in L$,

$$r_c : \langle s_0, \nu_0 \rangle \xrightarrow[\tau_1]{\sigma_1, \xi_1} \langle s_1, \nu_1 \rangle \xrightarrow[\tau_2]{\sigma_2, \xi_2} \langle s_2, \nu_2 \rangle \xrightarrow[\tau_3]{\sigma_3, \xi_3} \cdots$$

then the time interval between the instants $\tau_i$ and $\tau_{i+1}$ is the $i$th control era of the system, and the FLC $F_i$ that describes the system during that interval is the $i$th control configuration.

It is therefore worth noticing that a TAFC is an implementation of a timed fuzzy controller thanks to the concepts of control evolution and control run, which perform the task accomplished by the function $\varphi$ defined in Sect. 2.

Both the control evolution and the control run are potentially infinite. In fact, the control evolution can exploit an infinite application of the operator sequences in $\Xi$ to compute the mappings between the states $s_i$ and the FLCs $F_i$, whereas the control run uses a timed word, defined as an infinite sequence of ordered pairs, to describe the dynamic behavior of the system. Consequently, to simulate the behavior of a TAFC during the first $n$ control eras, the $n$th-order control evolution and control run are introduced.

Definition 16 (nth order control evolution) If $\Psi$ is a control evolution, then the set

$$\Psi^n = \{\Psi(i) = (s_i, F_i) \mid i = 1, 2, \ldots, n\}$$

which contains the first $n$ ordered pairs computed by $\Psi$ through Definition 12, is the $n$th order control evolution.

Definition 17 (nth order control run) Let

$$r_c : \langle s_0, \nu_0 \rangle \xrightarrow[\tau_1]{\sigma_1, \xi_1} \langle s_1, \nu_1 \rangle \xrightarrow[\tau_2]{\sigma_2, \xi_2} \langle s_2, \nu_2 \rangle \xrightarrow[\tau_3]{\sigma_3, \xi_3} \cdots$$

be a control run defined over a control evolution $\Psi$; then the $n$th-order control run $r_c^n$ is the sequence of the first $n$ elements of $r_c$:

$$r_c^n : \langle s_0, \nu_0 \rangle \xrightarrow[\tau_1]{\sigma_1, \xi_1} \langle s_1, \nu_1 \rangle \xrightarrow[\tau_2]{\sigma_2, \xi_2} \cdots \xrightarrow[\tau_{n-1}]{\sigma_{n-1}, \xi_{n-1}} \langle s_{n-1}, \nu_{n-1} \rangle \xrightarrow[\tau_n]{\sigma_n, \xi_n} \langle s_n, \nu_n \rangle$$

where the mapping between the automaton states $s_i$ and the FLCs $F_i$ is computed by the $n$th-order control evolution related to $\Psi$.

In the following section a supervised learning algorithm is introduced to mine the most suitable TAFC $T$ modeling a network intrusion detection system, whereas in the case study the mined TAFC is compared with a Mamdani fuzzy controller by defining an appropriate $n$th-order control run.

6 A supervised learning approach for mining a TAFC-based network intrusion detection system

This section introduces a supervised learning approach that analyzes a collection of time series representing the behavior of a computer network and identifies the most suitable sequence of control eras and configurations for a TAFC implementing a Network Intrusion Detection System. As shown in Sect. 7, this adaptive approach outperforms a conventional Mamdani fuzzy controller in terms of detection error.

To model the TAFC components while taking the network context into account, with the aim of a more efficient intrusion detection mechanism, a data mining approach has been exploited: a supervised learning technique that mines a suitably trained TAFC has been implemented by extending the algorithm of Tzung-Pei Hong and Chai-Ying Lee (Hong and Lee 1996). The TAFC so obtained recognizes the network's data streams in the different time intervals associated with network contexts and, consequently, detects intrusions in a more realistic and efficient way. More precisely, the algorithm analyzes the behavior of a computer network and builds a TAFC $T$ in which each control era manages the network context of a well-defined time interval. As shown in the experimental results section, this approach reduces the detection error and the false positives by switching among the learned control configurations at the appropriate times.

The algorithm uses a sequence of data instances, the network training examples, that can be obtained by monitoring the network in promiscuous mode. In detail, the algorithm builds $T$ through the following steps:

1. collect network training examples from the network;
2. identify the sequence of time periods in which the computer network shows a well-defined behavior (control eras);
3. define the most suitable collection of fuzzy variables and rules characterizing each control era (control configurations);
4. build the TAFC $T$.

Each step is formally discussed below.

6.1 Collecting network training examples from routers

During this step the algorithm sniffs data from the network to collect meaningful information. Data collection is performed in discrete time, i.e. by processing raw network packet data at the instants $\{\tau_1, \tau_2, \ldots \mid \tau_i = \tau_{i-1} + \Delta t\}$. In detail, at time $\tau_i$ the algorithm collects the training example $(x_{i1}, x_{i2}, \ldots, x_{im}, x_{i(m+1)})$, where the values $x_{i1}, x_{i2}, \ldots, x_{im}$ correspond to network properties relevant to detecting possible intrusions, such as the number of ping packets or the number of unusual ICMP packets, while $x_{i(m+1)}$ is the alert level for a possible intrusion occurring at $\tau_i$. In this way the algorithm builds the network training examples:

$$\begin{array}{c|cccccc}
\tau_1 & x_{11} & x_{12} & \cdots & x_{1(m-1)} & x_{1m} & x_{1(m+1)} \\
\tau_2 & x_{21} & x_{22} & \cdots & x_{2(m-1)} & x_{2m} & x_{2(m+1)} \\
\vdots & \vdots & \vdots & \ddots & \vdots & \vdots & \vdots \\
\tau_n & x_{n1} & x_{n2} & \cdots & x_{n(m-1)} & x_{nm} & x_{n(m+1)}
\end{array}$$

6.2 Identifying the computer network's control eras

The aim of this phase of the algorithm is to cluster the training examples so as to partition the original matrix into a collection of so-called temporal areas. A temporal area can be viewed as a time interval $[\tau_k, \tau_l]$, with $l > k$, that collects similar data from the training examples matrix. To learn the temporal areas, the algorithm considers the $j$th column of the training examples matrix and applies the following steps:

1. find the difference between adjacent data (e.g. $x_{ij}$ and $x_{(i+1)j}$);
2. find the similarity value between adjacent data;
3. cluster the training instances according to similarity, separating the data into $r_j$ data regions named $R^j_1, R^j_2, \ldots, R^j_{r_j}$.

Then, considering the whole collection of data regions, the algorithm computes the last step:

4. exploit the data regions $\bigcup_{j=1}^{m+1} \bigcup_{p=1}^{r_j} R^j_p$ to define the temporal areas.

In more detail, in the first step the difference between adjacent data of the same variable ($x_{ij}$ and $x_{(i+1)j}$) is calculated: $d^j_{i,i+1} = x_{(i+1)j} - x_{ij}$. Then a similarity value $0 \le s^j_{i,i+1} \le 1$ between adjacent data is computed from $d^j_{i,i+1}$:

$$s^j_{i,i+1} = \begin{cases} 1 - \dfrac{|d^j_{i,i+1}|}{C \cdot \sigma_j} & \text{for } |d^j_{i,i+1}| \le C \cdot \sigma_j, \\ 0 & \text{otherwise} \end{cases} \qquad (2)$$

where $\sigma_j$ is the standard deviation of the difference values in the $j$th column of the training examples matrix and $C$ is a control parameter used to tune the similarity values experimentally. Precisely, a larger value of $C$ yields greater similarity.

In the third step the similarity values are the input of an $\alpha$-cut operation that groups the elements of the $j$th column into different classes. The value of $\alpha$ is the threshold for two adjacent data to be considered as belonging to the same class; precisely:

if $s^j_{i,i+1} < \alpha$ then put the two adjacent data into different groups, else put them into the same group.

Once the $\alpha$-cut operation has been applied, each column of the matrix is transformed into a sequence of pairs $(x_{ij}, R^j_k)$, with $1 \le i \le n$ and $1 \le j \le m+1$, indicating that the $i$th value of the $j$th column belongs to the $k$th data region of the $j$th variable. Finally, the algorithm has to compute the temporal areas. These are built by considering the whole collection of data regions $\bigcup_{j=1}^{m+1} \bigcup_{p=1}^{r_j} R^j_p$ and applying the following steps:

1. $q = 1$;
2. $R'_q = \arg\min_{j = 1 \ldots m+1} |R^j_q|$;
3. if $|R'_q| = 0$ then end;
4. for $j = 1 \ldots m+1$, consider the first $|R'_q|$ values contained in the region $R^j_q$ and move them into a collection named $X^j_q$;
5. the matrix $T_q$ having the collection $X^j_q$ as its $j$th column is the $q$th temporal area;
6. move the remaining elements of $R^j_q$ into $R^j_{q+1}$ ($j = 1, \ldots, m+1$);
7. $q = q + 1$;
8. go to step 2.

After these steps the algorithm returns a collection of matrices $T_q$, each modeling the homogeneous behavior of the computer network in a well-defined time interval. The next step is to derive a TAFC able to model this behavior in a robust and efficient way, helping system administrators to prevent network intrusions.
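The following Python program is an added example of the temporal-area discovery just described; it is not the paper's code. It implements the adjacent differences, the similarity of Eq. (2), the $\alpha$-cut into data regions and the eight-step loop over all columns. The training matrix (three columns: numberOfSDT, numberOfEcho and the expert alert level at twelve 10-min instants), the values of $C$ and $\alpha$, and the choice of the population standard deviation for $\sigma_j$ are all assumptions made here.

```python
"""Temporal-area discovery (Sect. 6.2), added example: the matrix, C and alpha
are constructed, and sigma_j is taken as the population standard deviation."""
import statistics
from typing import List, Sequence, Tuple

Row = Sequence[float]


def similarities(column: Sequence[float], C: float) -> List[float]:
    """Eq. (2): s = 1 - |d| / (C * sigma_j) when |d| <= C * sigma_j, else 0, where d is the
    difference of adjacent values and sigma_j the standard deviation of all differences."""
    diffs = [b - a for a, b in zip(column, column[1:])]
    sigma = statistics.pstdev(diffs) if diffs else 0.0
    if sigma == 0.0:
        # A constant column would divide by zero in Eq. (2); every adjacent pair is
        # then maximally similar, so the column never splits.
        return [1.0] * len(diffs)
    return [1.0 - abs(d) / (C * sigma) if abs(d) <= C * sigma else 0.0 for d in diffs]


def data_regions(column: Sequence[float], C: float, alpha: float) -> List[List[float]]:
    """Step 3, the alpha-cut: adjacent values with similarity below alpha start a new
    data region R^j_k, otherwise they join the current one."""
    regions = [[column[0]]]
    for value, s in zip(column[1:], similarities(column, C)):
        if s < alpha:
            regions.append([value])
        else:
            regions[-1].append(value)
    return regions


def temporal_areas(matrix: Sequence[Row], C: float, alpha: float) -> List[Tuple[int, int]]:
    """Steps 1-8 over all m+1 columns. Returns the row ranges [start, end) of the
    temporal areas T_1, T_2, ...; matrix[start:end] is the q-th temporal area."""
    columns = [list(col) for col in zip(*matrix)]
    pending = [data_regions(col, C, alpha) for col in columns]  # R^j_q, R^j_{q+1}, ... per column
    areas: List[Tuple[int, int]] = []
    start = 0
    while True:
        heads = [regs[0] if regs else [] for regs in pending]   # the current R^j_q of each column
        size = min(len(h) for h in heads)                       # |R'_q|, step 2
        if size == 0:                                           # step 3
            return areas
        areas.append((start, start + size))                     # steps 4 and 5: rows of T_q
        start += size
        for regs in pending:                                    # step 6: leftovers move to R^j_{q+1}
            rest = regs.pop(0)[size:]
            if rest:
                if regs:
                    regs[0] = rest + regs[0]
                else:
                    regs.append(rest)


# Constructed matrix: (numberOfSDT, numberOfEcho, alert) at twelve 10-min instants;
# rows 5-8 carry a ping flood, so every column changes regime twice.
SAMPLE: List[Row] = [
    (2, 10, 0), (3, 12, 0), (2, 11, 0), (3, 13, 0),
    (40, 300, 1), (42, 310, 1), (41, 305, 1), (43, 320, 1),
    (5, 20, 0), (4, 18, 0), (6, 22, 0), (5, 19, 0),
]
# Same traffic, but the expert raised the alert two instants early: the shortest
# leading region across the columns (|R'_q|) then bounds the first area.
SAMPLE_B: List[Row] = [(sdt, echo, a) for (sdt, echo, _), a in
                       zip(SAMPLE, (0, 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0))]

if __name__ == "__main__":
    for q, (a, b) in enumerate(temporal_areas(SAMPLE, C=1.0, alpha=0.5), start=1):
        print(f"T_{q}: rows {a}..{b - 1}")
```

With $C = 1$ and $\alpha = 0.5$ the flood rows of SAMPLE form their own area in every column, so the three temporal areas coincide with the three regimes; in SAMPLE_B the alert column splits earlier than the traffic columns, and step 2 makes the first area end where the shortest region does, pushing the leftover traffic rows into the next area.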

6.3 Mining the computer network's control configurations

To define the collection of control configurations modeling a network monito­ring system, the proposal exploits the inductive algorithm of Tzung-Pei Hong and Chai-Ying Lee to learn the membership functions and the fuzzy rules from the data contained in each temporal area $T_q$. In detail, on each temporal area $T_q$ the algorithm computes the following steps:

1. cluster and fuzzify the output data;
2. construct the initial membership functions for the input variables;
3. construct the initial decision table;
4. simplify the initial decision table;
5. rebuild the membership functions during the simplification process;
6. derive the decision rules from the decision table.

Once these steps have been applied, a collection of fuzzy controllers, one modeling the computer network behavior in each temporal area, is available. These controllers are used to define the control configurations of a TAFC.

6.3.1 Building the TAFC T

The last step uses the temporal areas and the control configurations computed in the previous stages to build an efficient TAFC $T$ modeling a network monitoring system. This step is performed as follows:

• each temporal area represents a control era;
• each state $S_q$ stores a fuzzy controller, characterized by the input and output variables and the if-then rules obtained by executing the Hong-Lee algorithm on the temporal area $T_q$;
• the temporal constraints on the TAFC transitions are the time instants ($\tau_l$) between adjacent temporal areas $T_q$ and $T_{q+1}$;
• the events, i.e. the symbols on the TAFC transitions, are empty events $\varepsilon$;
• each transition carries the following transformation operator sequence:

(ø, …, ø, [delete k rules], n, …, n, o, …, o, ~, …, ~, [insert h rules])

where the sequence of ø deletes all the terms of all variables, the rule-deletion operator deletes all the $k$ rules, the sequences of n and o modify the universe of discourse of all variables, the sequence of ~ inserts the new terms in all variables and the rule-insertion operator inserts the $h$ new rules;
• the initial state is chosen according to the initial time instant.

Fig. 2 From dataset to control eras and control configuration

Fig. 3 A TAFC mined through the supervised learning approach

The next section proves the superiority of the method when applied to a particular kind of network intrusion: the Denial of Service.
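The following Python program is an added example covering both the formal machinery of Sect. 5.2.2 (Definitions 8 to 17) and the transition sequence of Sect. 6.3.1; it is not the paper's code. A control configuration is a dict holding the variables (universe bounds and named terms) and the rule list of one fuzzy controller; a transformation operator is a pure function $F \mapsto G$ as in Definition 9; an edge carries an event (None standing for the empty event), the clocks to reset, a clock guard and an operator sequence as in Definition 8; `control_run` computes the $n$th-order control run of Definition 17, applying each sequence atomically and in listed order (Definitions 10 and 13); `switch_sequence` builds the operator sequence of Sect. 6.3.1 that turns one era's controller into the next one's. The three controllers, the era boundaries, the clock name and the timed word are constructed here, and `switch_sequence` assumes that all eras use the same variable names, as the mined controllers do.

```python
"""Minimal TAFC interpreter (added example; controllers, eras and the timed
word are constructed, the symbols are the paper's)."""
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Config = Dict[str, object]               # one fuzzy controller: variables + rules
Operator = Callable[[Config], Config]    # o in C_op, G = o(F) (Definition 9)
Valuation = Dict[str, float]             # nu : C -> R


def _pure(edit):
    """Lift an in-place edit to an operator that returns a new config and leaves F intact."""
    def bind(*args) -> Operator:
        def op(cfg: Config) -> Config:
            new = copy.deepcopy(cfg)
            edit(new, *args)
            return new
        return op
    return bind


# Members of C_op used below; the glyph in each comment is the paper's.
@_pure
def delete_term(cfg, var, term): del cfg["vars"][var]["terms"][term]                          # ø
@_pure
def insert_term(cfg, var, term, mf): cfg["vars"][var]["terms"][term] = mf                     # ~ (mf: triangle)
@_pure
def set_lower(cfg, var, lo): cfg["vars"][var]["range"] = (lo, cfg["vars"][var]["range"][1])   # n
@_pure
def set_upper(cfg, var, hi): cfg["vars"][var]["range"] = (cfg["vars"][var]["range"][0], hi)   # o
@_pure
def delete_rules(cfg, k): del cfg["rules"][:k]                                                # delete k rules
@_pure
def insert_rules(cfg, rules): cfg["rules"].extend(rules)                                       # insert h rules


def switch_sequence(old: Config, new: Config) -> Tuple[Operator, ...]:
    """Sect. 6.3.1: (ø..., delete k rules, n..., o..., ~..., insert h rules) turning the
    controller of era q into the one mined for era q+1 (same variable names assumed)."""
    seq: List[Operator] = [delete_term(v, t) for v, spec in old["vars"].items() for t in spec["terms"]]
    seq.append(delete_rules(len(old["rules"])))
    seq += [set_lower(v, spec["range"][0]) for v, spec in new["vars"].items()]
    seq += [set_upper(v, spec["range"][1]) for v, spec in new["vars"].items()]
    seq += [insert_term(v, t, mf) for v, spec in new["vars"].items() for t, mf in spec["terms"].items()]
    seq.append(insert_rules(list(new["rules"])))
    return tuple(seq)


@dataclass(frozen=True)
class Edge:                               # <s, s', a, lambda, delta, xi> of Definition 8
    src: str
    dst: str
    event: Optional[str]                  # None stands for the empty event
    resets: frozenset                     # lambda, the clocks reset on crossing
    guard: Callable[[Valuation], bool]    # delta, the clock constraint
    ops: Tuple[Operator, ...]             # xi, the operator sequence


@dataclass
class TAFC:                               # T = (F0, TC)
    f0: Config
    s0: str
    clocks: Tuple[str, ...]
    edges: Tuple[Edge, ...]

    def control_run(self, word: Sequence[Tuple[Optional[str], float]], n: Optional[int] = None):
        """nth-order control run (Definition 17) over the timed word [(sigma_i, tau_i), ...];
        returns [(s_i, nu_i, F_i)] with F_i = xi_i(F_{i-1}) as in Definition 12."""
        s, nu, f, tau_prev = self.s0, {c: 0.0 for c in self.clocks}, self.f0, 0.0
        run = [(s, dict(nu), f)]                                                  # Initiation
        for sigma, tau in (word if n is None else word[:n]):
            advanced = {c: v + (tau - tau_prev) for c, v in nu.items()}          # nu_{i-1} + (tau_i - tau_{i-1})
            edge = next((e for e in self.edges
                         if e.src == s and e.event == sigma and e.guard(advanced)), None)
            if edge is None:                                                      # Consecution has no witness
                raise ValueError(f"no enabled edge from {s} on {sigma!r} at t={tau}")
            nu = {c: (0.0 if c in edge.resets else v) for c, v in advanced.items()}  # [lambda_i -> 0]
            for op in edge.ops:                                                   # Atomicity: zero time, listed order
                f = op(f)
            s, tau_prev = edge.dst, tau
            run.append((s, dict(nu), f))
        return run


def _fc(echo_hi, echo_terms, rules) -> Config:
    """Constructed numberOfEcho -> alert controller of one control era."""
    return {"vars": {"numberOfEcho": {"range": (0, echo_hi), "terms": echo_terms},
                     "alert": {"range": (0, 1), "terms": {"ok": (0, 0, 0.5), "danger": (0.5, 1, 1)}}},
            "rules": rules}


R_HIGH, R_LOW = ("numberOfEcho", "high", "alert", "danger"), ("numberOfEcho", "low", "alert", "ok")
FC1 = _fc(50, {"low": (0, 0, 25), "high": (25, 50, 50)}, [R_HIGH, R_LOW])                     # night
FC2 = _fc(400, {"low": (0, 0, 150), "mid": (100, 200, 300), "high": (250, 400, 400)},
          [R_HIGH, ("numberOfEcho", "mid", "alert", "ok"), R_LOW])                               # office hours
FC3 = _fc(120, {"low": (0, 0, 60), "high": (60, 120, 120)}, [R_HIGH, R_LOW])                   # evening

# Clock x counts minutes since the last era change; each edge carries the empty event,
# so its guard alone decides the crossing (08:00, 18:00 and midnight), closing a daily cycle.
DAY = TAFC(FC1, "S1", ("x",), (
    Edge("S1", "S2", None, frozenset({"x"}), lambda nu: nu["x"] >= 480, switch_sequence(FC1, FC2)),
    Edge("S2", "S3", None, frozenset({"x"}), lambda nu: nu["x"] >= 600, switch_sequence(FC2, FC3)),
    Edge("S3", "S1", None, frozenset({"x"}), lambda nu: nu["x"] >= 360, switch_sequence(FC3, FC1)),
))
WORD = [(None, 480.0), (None, 1080.0), (None, 1440.0), (None, 1920.0)]   # constructed Control Time (minutes)


def era_summary(n: int = 4) -> List[Tuple[str, tuple]]:
    """(state, universe of numberOfEcho) along the first n control eras."""
    return [(s, f["vars"]["numberOfEcho"]["range"]) for s, _, f in DAY.control_run(WORD, n)]
```

Because the operators are pure, $F_0$ is never mutated and the configuration stored at a state is recomputed every time the state is re-entered, which is exactly the cycle behavior discussed after expression (1): here the sequence on the midnight edge happens to rebuild the night controller, but any other sequence would leave S1 holding a controller different from $F_0$ after the first day.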

7 Learning a TAFC for designing a network intrusion detection system: experimental results

To show how the TAFC $T$ improves network intrusion detection performance with respect to conventional fuzzy methods, a possible attack scenario is presented. As mentioned, a denial of service (DoS) attack is considered; in particular a ping flood, i.e. a DoS attack in which the attacker overwhelms the victim with ICMP Echo Request (ping) packets. To mine a TAFC $T$ that deals with DoS intrusion detection, the described supervised learning algorithm is run on a dataset $D$ representing the daily behavior of a given computer network. The dataset $D$ has been prepared in two sequential steps:

1. raw packet data are collected with the tcpdump tool;
2. every 10 min, the captured data are used to compute the following information:
   numberOfSDT, the number of unusual ICMP packets, where SDT denotes the combined identifier [Source, Destination, ICMP Type] of an ICMP packet;
   numberOfEcho, the number of observed ping packets;
   alert, indicating that a dangerous situation has been detected; this value is set by a computer network security expert.

Once the daily set of tcpdump raw data has been processed, the collection of triples

$$D = \{(\text{numberOfSDT}_i, \text{numberOfEcho}_i, \text{alert}_i),\; i = 1 \ldots 144\} \qquad (3)$$

is used as the training set for the proposed learning algorithm, which produces a collection of temporal areas and fuzzy controllers as shown in Fig. 2. These collections represent, respectively, the control eras and the control configurations of a TAFC. Starting from these data, the TAFC shown in Fig. 3 is built. For example, Fig. 4a–c shows the variables of the fuzzy controller FC3 returned by the approach and associated with the automaton state S3.

Fig. 4 Membership functions related to the fuzzy variables of the FC3 controller: a numberOfSDT, b numberOfEcho and c alert
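The following Python program is an added example of how the triples of Eq. (3) are assembled from a day of decoded ICMP traffic and how the error of Eq. (4) is compared; it is not the paper's tooling. The packet records are constructed to mimic the fields one would pull from a tcpdump capture (timestamp, source, destination, ICMP type); the rule that makes an SDT "unusual" (an [Source, Destination, ICMP Type] triple never seen in an attack-free baseline capture) is an assumption, since the paper does not define it; the expert alert labels are supplied by hand, as they are in the paper.

```python
"""Builds the (numberOfSDT, numberOfEcho, alert) triples of Eq. (3) from ICMP packet
records (added example; records are constructed and the "unusual" rule is assumed)."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Sequence, Set, Tuple

WINDOW_S = 600          # the paper's 10-min aggregation interval, in seconds
WINDOWS_PER_DAY = 144   # 24 h / 10 min, the i = 1..144 of Eq. (3)
ECHO_REQUEST = 8        # ICMP type of a ping


class IcmpRecord(NamedTuple):
    ts: float           # seconds since midnight
    src: str
    dst: str
    icmp_type: int


SDT = Tuple[str, str, int]


def sdt(rec: IcmpRecord) -> SDT:
    """The combined identifier [Source, Destination, ICMP Type] of a packet."""
    return (rec.src, rec.dst, rec.icmp_type)


def baseline_sdts(records: Iterable[IcmpRecord]) -> Set[SDT]:
    """Assumption: an SDT is usual when it appeared in an attack-free baseline capture."""
    return {sdt(r) for r in records}


def window_features(records: Iterable[IcmpRecord], baseline: Set[SDT]) -> Dict[int, Tuple[int, int]]:
    """Per 10-min window: (numberOfSDT, numberOfEcho); windows without ICMP traffic are absent."""
    counts: Dict[int, List[int]] = defaultdict(lambda: [0, 0])
    for r in records:
        w = int(r.ts // WINDOW_S)
        if sdt(r) not in baseline:
            counts[w][0] += 1             # an unusual [Source, Destination, ICMP Type]
        if r.icmp_type == ECHO_REQUEST:
            counts[w][1] += 1             # a ping
    return {w: (a, b) for w, (a, b) in counts.items()}


def build_dataset(records, baseline, alerts: Dict[int, float]) -> List[Tuple[int, int, float]]:
    """Eq. (3): one triple per window of the day. `alerts` holds the expert's labels;
    unlisted windows are labelled 0.0 and quiet windows count as (0, 0)."""
    feats = window_features(records, baseline)
    return [feats.get(w, (0, 0)) + (alerts.get(w, 0.0),) for w in range(WINDOWS_PER_DAY)]


def mse(predicted: Sequence[float], expected: Sequence[float]) -> float:
    """Mean square error between inferred and expert alert levels, as in Eq. (4)."""
    if len(predicted) != len(expected) or not predicted:
        raise ValueError("need two equally long, non-empty sequences")
    return sum((p - e) ** 2 for p, e in zip(predicted, expected)) / len(predicted)


def improvement_pct(err_new: float, err_old: float) -> float:
    """Relative error reduction, the percentage variation reported after Eq. (4)."""
    return (err_old - err_new) / err_old * 100.0


# Constructed traffic: a baseline of routine pings between two inside hosts, then a day
# whose second window holds a ping flood from an outside address and whose third holds
# one destination-unreachable message from a host never seen before.
BASELINE = [IcmpRecord(t, "10.0.0.5", "10.0.0.1", 8) for t in (0.0, 60.0)] + \
           [IcmpRecord(t + 0.01, "10.0.0.1", "10.0.0.5", 0) for t in (0.0, 60.0)]
DAY: List[IcmpRecord] = []
for k in range(6):                        # window 0: six routine ping/reply pairs
    DAY += [IcmpRecord(90.0 * k, "10.0.0.5", "10.0.0.1", 8),
            IcmpRecord(90.0 * k + 0.01, "10.0.0.1", "10.0.0.5", 0)]
DAY += [IcmpRecord(600.0 + 0.5 * i, "198.51.100.9", "10.0.0.1", 8) for i in range(400)]  # window 1: flood
DAY.append(IcmpRecord(1205.0, "10.0.0.7", "10.0.0.1", 3))                                # window 2
EXPERT_ALERTS = {1: 1.0}                  # the security expert flags the flood window


def constructed_dataset() -> List[Tuple[int, int, float]]:
    return build_dataset(DAY, baseline_sdts(BASELINE), EXPERT_ALERTS)
```

Only the flood window carries a non-zero alert, and it is also the only window in which both features jump; a single new host sending one unreachable message raises numberOfSDT by one without touching numberOfEcho, which is the kind of low-level change the learned similarity threshold of Sect. 6.2 has to tolerate rather than turn into a new control era.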

The performance of the TAFC $T$ has been evaluated by comparing it with the standard Mamdani fuzzy controller $F$ presented in Dickerson et al. (2001), implemented in the FML language (see Listing 1).

Listing 1 FML sample program

To verify whether, and by how much, the solution is more efficient than a standard fuzzy controller, an experiment compares the inference results computed by the proposal and by the conventional controller on a testing data set. The testing data are built by processing the data collected by the tcpdump tool while controlled denial of service attacks are performed on the network. The raw packet data provided by tcpdump are processed in intervals lasting approximately 60 min, so that the data sniffed in a single day yield a network testing set of $n = 24$ testing instances. Figure 5 shows the comparison of the inference results. To quantify the improvement provided by the proposal, the mean square error (MSE) is computed:

$$\text{TAFC}_{error} = 0.038, \qquad F_{error} = 0.093. \qquad (4)$$

From Eq. 4 it is clear that the TAFC-based approach improves on the conventional fuzzy controller with the following percentage variation:

$$(0.093 - 0.038)/0.093 \times 100 \approx 59\%.$$

The lower error of the implemented TAFC shows the superiority of the proposal in achieving greater computer network robustness.

8 Conclusion

This paper introduces a novel contextual anomaly detection method based on a novel fuzzy inference engine, the TAFC. This fuzzy controller has been used to support network administrators in preventing the damage that unauthorized network intrusions may cause and in reducing false positives. Implemented through the extension of a well-known data mining technique, the proposed method has been compared with a classic fuzzy controller and has shown better behavior. Further experiments are being carried out on the popular DARPA Intrusion Detection Evaluation datasets (Lippmann et al. 1998).

Fig. 5 Comparison results

References

Acampora G, Loia V (2005) Fuzzy control interoperability and scalability for adaptive domotic framework. IEEE Trans Ind Inf 1(2):97–111
Acampora G, Loia V (2008) An open integrated environment for transparent fuzzy agents design. In: Open Source Development, Communities and Quality. IFIP International Federation for Information Processing, vol 275. Springer, Boston
Alur R (1994) A theory of timed automata. Theor Comput Sci 126:183–235
Anderson JP (1980) Computer security threat monitoring and surveillance. Technical report, James P Anderson Co., Fort Washington, Pennsylvania
Anderson D, Frivold T, Valdes A (1995) Next-generation intrusion-detection expert system (NIDES). Technical report, Computer Science Laboratory, SRI International, Menlo Park
Bace RG (2000) Intrusion detection. Macmillan Technical Publishing, Indianapolis
Barbara D, Couto J, Jajodia S, Popyack L, Wu N (2001) ADAM: detecting intrusions by data mining. In: Proceedings of the 2001 IEEE workshop on information assurance and security, United States Military Academy, West Point
Biswanath M, Todd LH, Karl NL (1994) Network intrusion detection. IEEE Netw 8(3):26–41
Bolzoni D, Etalle S (2008) Approaches in anomaly-based network intrusion detection systems. In: Intrusion detection systems. Advances in Information Security, vol 38. Springer, London, pp 1–15
Botha M, Solms R (2003) Utilising fuzzy logic and trend analysis for effective intrusion detection. Comput Secur 22:423–434
Bulatovic D, Velasevic D (1999) A distributed intrusion detection system based on Bayesian alarm networks. Lect Notes Comput Sci 1740:219–228
Byuhghae-Cha KP, Jaiyttyun S (2005) Neural networks techniques for host anomaly intrusion detection using fixed pattern transformation. In: ICCSA 2005, LNCS, vol 3481, pp 254–263
Chandola V, Banerjee A, Kumar V (2009) Anomaly detection: a survey. ACM Comput Surv 41(3)
Debar H, Dacier M, Wespi A (1999) Towards a taxonomy of intrusion-detection systems. Comput Netw 31(8):805–822
Dickerson JE, Dickerson JA (2000) Fuzzy network profiling for intrusion detection. In: Proceedings of NAFIPS 19th international conference of the North American fuzzy information processing society, Atlanta, pp 301–306
Dickerson JE, Juslin J, Koukousoula O, Dickerson JA (2001) Fuzzy intrusion detection. In: IFSA world congress and 20th NAFIPS international conference, vol 9, no 3, pp 1506–1510
Gupta MM, Tsukamoto Y (1980) Fuzzy logic controllers—a perspective. In: Proceedings of the joint automatic control conference, San Francisco, pp FA10-C
Hong TP, Lee CY (1996) Induction of fuzzy rules and membership functions from training examples. Fuzzy Sets Syst 84:33–47
Hu PZ, Heywood MI (2003) Predicting intrusions with local linear model. In: Proceedings of the international joint conference on neural networks, vol 3, pp 1780–1785
Javitz HS, Valdes A, Denning DE, Neumann PG (1986) Analytical techniques development for a statistical intrusion-detection system (SIDS) based on accounting records. Technical report, SRI International, Menlo Park
Kayacik HG, Zincir-Heywood AN, Heywood MI (2003) On the capability of an SOM based intrusion detection system. In: Proceedings of the international joint conference on neural networks, vol 3, pp 1808–1813
Lee CC (1990) Fuzzy logic in control systems: fuzzy logic controller—Part I and Part II. IEEE Trans Syst Man Cybern 20:404–435
Lee W, Stolfo SJ, Mok KW (1998) Mining audit data to build intrusion detection models. In: Proceedings of the fourth international conference on knowledge discovery and data mining (KDD 98), New York
Lee W, Stolfo SJ (1998) Data mining approaches for intrusion detection. In: Proceedings of the 7th USENIX Security Symposium, San Antonio
Lei JZ, Ghorbani A (2004) Network intrusion detection using an improved competitive learning neural network. In: Proceedings of the second annual conference on communication networks and services research (CNSR04), pp 190–197
Lippmann R, Fried D, Graf I, Haines J, Kendall K, McClung D, Weber D, Webster S, Wyschogrod D, Cunningham R, Zissman M (1998) Evaluating intrusion detection systems: 1998 DARPA off-line intrusion detection evaluation. In: Proceedings of the IEEE symposium on security and privacy, Oakland
Mamdani EH (1974) Applications of fuzzy algorithms for simple dynamic plants. Proc IEE 121:1585–1588
Mohajerani M, Moeini A, Kianie M (2003) NFIDS: a neuro-fuzzy intrusion detection system. In: Proceedings of the 10th IEEE international conference on electronics, circuits and systems, pp 348–351
Mukkamala S, Sung AH, Abraham A (2003) Intrusion detection using ensemble of soft computing paradigms. In: The third international conference on intelligent systems design and applications, advances in soft computing. Springer, Germany, pp 239–248
Mukkamala S, Sung AH, Abraham A (2004) Modeling intrusion detection systems using linear genetic programming approach. In: Robert O, Chunsheng Y, Moonis A (eds) The 17th international conference on industrial & engineering applications of artificial intelligence and expert systems, innovations in applied artificial intelligence. Lecture Notes in Computer Science, vol 3029. Springer, Germany, pp 633–642
Mukherjee B, Herberlein LT, Levitt KN (1994) Network intrusion detection. IEEE Netw 8
Peddabachigari S, Abraham A, Grosan C, Thomas J (2007) Modeling intrusion detection system using hybrid intelligent systems. J Netw Comput Appl 30:114–132
Scarfone K, Mell P (2007) Guide to intrusion detection and prevention systems (IDPS). National Institute of Standards and Technology Special Publication 800-94
Shah K, Dave N, Chavan S, Mukherjee S, Abraham A, Sanyal S (2004) Adaptive neuro-fuzzy intrusion detection system. In: IEEE international conference on information technology: coding and computing (ITCC04), vol 1. IEEE Computer Society, USA, pp 70–74
Smaha SE (1988) Haystack: an intrusion detection system. In: Fourth aerospace computer security applications conference, Tracor Applied Science Inc., Austin, pp 37–44
Takagi T, Sugeno M (1985) Fuzzy identification of systems and its applications to modeling and control. IEEE Trans Syst Man Cybern 15(1):116–132
Vokorokos L, Balaz A, Chovanec M (2006) Intrusion detection system using self organizing map. Acta Electrotechnica et Informatica 6(1):6
Wang WD, Bridges S (2000) Genetic algorithm optimization of membership functions for mining fuzzy association rules. In: Proceedings of the 7th international conference on fuzzy theory & technology, Atlantic City, pp 131–134
Wang Y, Chen H, Liu W (1996) A parallel algorithm for constructing a labeled tree. IEEE Trans Parallel Distrib Syst 8:1236–1240
Wang K, Stolfo SJ (2004) Anomalous payload-based network intrusion detection. In: Jonsson E, Valdes A, Almgren M (eds) RAID 04: Proceedings of the 7th symposium on recent advances in intrusion detection. LNCS, vol 3224. Springer, Berlin, pp 203–222
Zadeh LA (1965) Fuzzy sets. Inf Control 8:338–353