Application of Anomaly Detection Technology in Network Intrusion Detection System

Main Article Content

ณัฐกานต์ เอี่ยมอ่อน
ทศพล บุญเกิน
นที ปั้นทอง


Given the rise of recent events related to cyber security, both in Thailand and other countries around the globe, such a threat is imminent, with undesired impacts on organizational and personal resources. The intensity of this problem is likely to increase, especially during the period of promoting Thai digital economy. The government has taken this seriously, as shown by the drafting of national research strategy 2013-2017 that includes the aforementioned issue. This is to set a guideline for research and innovation development to resolve cyber-security problems. One of the major subjects being investigated widely is a network intrusion detection system or NIDS. In a nutshell, it analyzes network-traffic information to identify possible acts of attack. However, most of the systems developed thus far have focused on the known attack patterns, whist lacking the capability to disclose new or unknown threats. In response, anomaly detection is adopted to provide the flexibility to NIDS. This article is set to provide the review of on network intrusion, NIDS and different applications of anomaly detection to the problem. In addition, it presents the perspective of future research, and its remedy in accordance with the governmental policy.

Article Details

How to Cite
เอี่ยมอ่อน ณ., บุญเกิน ท., & ปั้นทอง น. (2018). Application of Anomaly Detection Technology in Network Intrusion Detection System. NKRAFA JOURNAL OF SCIENCE AND TECHNOLOGY, 12, 64–81. Retrieved from
Research Articles


[1] The 2015 Household Survey on the Use of Information and Communication Technology, National Statistical Office, Ministry of Information and Communication Technology, 2015.

[2] Mcafee: Estimating the Global Cost of Cybercrime 2014, [Accessed on 1 June 2016].

[3] A. Sundaram. An introduction to intrusion detection. Crossroads, 2( 4): 3–7, 1996.

[4] J.P. Anderson. Computer Security Threat Monitoring and Surveillance. James P Anderson Co, Fort Washington, Pennsylvania, Tech. Rep., April 1980.

[5] V. Chandola, A. Banerjee, and V. Kumar. Anomaly Detection: A Survey. ACM Computing Surveys, 41(3): 15/1–15/58, 2009.

[6] N.K. Ampah, C.M. Akujuobi, M.N.O. Sadiku, and S. Alam. An intrusion detection technique based on continuous binary communication channels. International Journal of Security and Networks, 6(2-3): 174–180, 2011.

[7] F.Y. Edgeworth. On discordant observations. Philosophy Mag., 23(5):364–375, 1987.

[8] A. Patcha and J.M. Park. An overview of anomaly detection techniques: Existing solutions and latest technological trends. Computer Networks, 51(12):3448–3470, 2007.

[9] P. Garcia-Teodoro, J. Diaz-Verdejo, G. Macia-Fernandez, and E. Vazquez. Anomaly-based network intrusion detection: techniques, systems and challenges. Computers & Security, 28(1-2): 18–28, 2009.

[10] H.G. Kayacik, A.N. Zincir-Heywood, and M.I. Heywood. Selecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99 Intrusion Detection Datasets. In Proceedings of Annual Conference on Privacy, Security and Trust, 2005.

[11] A.A. Ghorbani, W. Lu, and M. Tavallaee. Network Intrusion Detection and Prevention: Concepts and Techniques. Advances in Information Security. Springer-Verlag, 2009.

[12] R. Heady, G. Luger, A. Maccabe, and M. Servilla. The Architecture of a Network Level Intrusion Detection System. Computer Science Department, University of New Mexico, Tech. Rep. TR-90, 1990.

[13] Wikimedia: Intrusion detection system. http://en. [Accessed on 13 Aug 2016].

[14] M.H. Bhuyan, D.K. Bhattacharyya, and J.K. Kalita. Surveying Port Scans and Their Detection Methodologies. The Computer Journal, 54(10): 1565–1581, 2011.

[15] V. Kumar. Parallel and distributed computing for cyber security. IEEE Distributed Systems Online, 6(10), 2005.

[16] M.Thottan and C. Ji. Anomaly detection in IP networks. IEEE Trans. Signal Process, 51(8): 2191–2204, 2003.

[17] P.N. Tan, M. Steinbach, and V. Kumar. Introduction to Data Mining. Addison-Wesley, 2005.

[18] S.H. Cha. Comprehensive Survey on Distance/Similarity Measures between Probability Density Functions. International Journal of Mathematical Models and Methods in Applied Science, 1(4):300–307, 2007.

[19] M.V. Joshi, R.C. Agarwal, and V. Kumar. Mining needle in a haystack: classifying rare classes via two-phase rule induction. In Proceedings of ACM SIGKDD International Conference on Knowledge Discovery and Data Mining: 293–298, 2001.

[20] J. Theiler and D.M. Cai. Resampling approach for anomaly detection in multispectral images. In Proceedings of SPIE: 230–240, 2003.

[21] R. Fujimaki, T. Yairi, and K. Machida. An approach to spacecraft anomaly detection problem using kernel feature space. In Proceedings of ACM SIGKDD International Conference on Knowledge Discovery in Data Mining: 401–410, 2005.
[22] F.J. Anscombe and I. Guttman. Rejection of outliers. Technometrics, 2(2): 123–147, 1960.

[23] E. Eskin. Anomaly detection over noisy data using learned probability distributions. In Proceedings of International Conference on Machine Learning: 255–262, 2000.

[24] M. Desforges, P. Jacob, and J. Cooper. Applications of probability density estimation to the detection of abnormal conditions in engineering. In Proceedings of Institute of Mechanical Engineers, 687–703, 1998.

[25] C. Manikopoulos and S. Papavassiliou. Network Intrusion and Fault Detection: A Statistical Anomaly Approach. IEEE Communication Magazine, 40(10):76–82, 2002.

[26] P.K. Chan, M.V. Mahoney, and M.H. Arshad. A machine learning approach to anomaly detection. Department of Computer Science, Florida Institute of Technology, Tech. Rep. CS-2003-06, 2003.

[27] M.V. Mahoney and P.K. Chan. Learning rules for anomaly detection of hostile network traffic. In Proceedings of IEEE International Conference on Data Mining: 601-604, 2003.

[28] K. Wang and S.J. Stolfo. Anomalous Payload-Based Network Intrusion Detection. In Proceedings of Recent Advances in Intrusion Detection: 203–222, 2004.

[29] X. Song, M. Wu, C. Jermaine, and S. Ranka. Conditional Anomaly Detection. IEEE Transactions on Knowledge and Data Engineering, 19: 631–645, 2007.

[30] P. Chhabra, C. Scott, E.D. Kolaczyk, and M. Crovella. Distributed Spatial Anomaly Detection. In Proceedings of IEEE International Conference on Computer Communications: 1705–1713, 2008.

[31] W. Lu and A.A. Ghorbani. Network Anomaly Detection Based on Wavelet Analysis. EURASIP Journal of Advances in Signal Processing, 2009(837601), 2009.

[32] F.S. Wattenberg, J. I.A. Perez, P.C. Higuera, M.M. Fernandez, and I.A. Dimitriadis. Anomaly Detection in Network Traffic Based on Statistical Inference and α-Stable Modeling. IEEE Transactions on Dependable Secure Computing, 8(4): 494–509, 2011.

[33] M. Yu. A Nonparametric Adaptive CUSUM Method And Its Application In Network Anomaly Detection. Int. Journal of Advancements in Computing Technology, 4(1): 280–288, 2012.

[34] W. Lu and H. Tong. Detecting Network Anomalies Using CUSUM and EM Clustering. In Proceedings of International Symposium on Advances in Computation & Intelligence: 297–308, 2009.

[35] M.A. Qadeer, A. Iqbal, M. Zahid, and M.R. Siddiqui. Network Traffic Analysis and Intrusion Detection Using Packet Sniffer. In Proceedings of International Conference on Communication Software and Networks: 313–317, 2010.

[36] I. Kang, M.K. Jeong, and D. Kong. A differentiated one-class classification method with applications to intrusion detection. Expert Systems with Applications, 39(4): 3899–3905, 2012.

[37] C. Wagner, J. Francois, R. State, and T. Engel. Machine Learning Approach for IP-Flow Record Anomaly Detection. In Proceedings of International IFIP conference on Networking: 28–39, 2011.

[38] Z. Muda, W. Yassin, M.N. Sulaiman, and N.I. Udzir. A K-means and naive bayes learning approach for better intrusion detection. Information Technology Journal, 10(3): 648–655, 2011.

[39] M.H. Bhuyan, D.K. Bhattacharyya, and J.K. Kalita. RODD: An Effective Reference-Based Outlier Detection Technique for Large Datasets. Advanced Computing, 133: 76–84, 2011.

[40] C. Zhang, G. Zhang, and S. Sun. A Mixed Unsupervised Clustering-Based Intrusion Detection Model. In Proceedings of International Conference on Genetic and Evolutionary Computing: 426–428, 2009.

[41] P. Casas, J. Mazel, and P. Owezarski. Unsupervised network intrusion detection systems: detecting unknown without knowledge. Computer Communications, 35(7): 772–783, 2012.

[42] Z. Zhuang, Y. Li, and Z. Chen. Enhancing intrusion detection system with proximity information. International Journal of Security and Networks, 5(4): 207–219, 2010.

[43] M.H. Bhuyan, D.K. Bhattacharyya, and J.K. Kalita. NADO: network anomaly detection using outlier approach. In Proceedings of ACM International Conference on Communication, Computing and Security: 531–536, 2011.

[44] Z. Chen and C. Chen. A Closed-Form Expression for Static Worm- Scanning Strategies. In Proceedings of IEEE International Conference on Communications: 1573– 1577, 2008.

[45] F. Geramiraz, A.S. Memaripour, and M. Abbaspour. Adaptive Anomaly-Based Intrusion Detection System Using Fuzzy Controller. International Journal of Network Security, 14(6): 352–361, 2012.

[46] S. Mabu, C. Chen, N. Lu, K. Shimada, and K. Hirasawa. An Intrusion-Detection model based on fuzzy class-association-rule mining using genetic programming. IEEE Transactions on System, Man and Cybernetics, Part C, 41(1): 130–139, 2011.

[47] A.O. Adetunmbi, S.O. Falaki, O.S. Adewale, and B.K. Alese. Network Intrusion Detection based on Rough Set and k-Nearest Neighbour. International Journal of Computing and ICT Research, 2(1): 60–66, 2008.

[48] R.C. Chen, K.F. Cheng, Y.H. Chen, and C.F. Hsieh. Using Rough Set and Support Vector Machine for Network Intrusion Detection System. In Proceedings of Asian Conference on Intelligent Information and Database Systems: 465–470, 2009.

[49] A. Visconti and H. Tahayori. Artificial immune system based on interval type-2 fuzzy set paradigm. Applied Soft Computing, 11(6): 4055–4063, 2011.

[50] J.M. Estevez-Tapiador, P. Garcya-Teodoro, and J. E. Dyaz-Verdejo. Stochastic protocol modeling for anomaly based network intrusion detection. In Proceedings of International Workshop on Information Assurance: 3–12, 2003.

[51] A. Shabtai, U. Kanonov, and Y. Elovici. Intrusion detection for mobile devices using the knowledge-based, temporal abstraction
method. Journal of System Software, 83(8): 1524–1537, 2010.

[52] S.S. Hung and D.S.M. Liu. A user-oriented ontology-based approach for network intrusion detection. Computer Standards & Interfaces, 30(1-2): 78–88, 2008.

[53] K. Noto, C. Brodley, and D. Slonim. Anomaly Detection Using an Ensemble of Feature Models. In Proceedings of IEEE International Conference on Data Mining: 953–958, 2010.
[54] R. Perdisci, D. Ariu, P. Fogla, G. Giacinto, and W. Lee. McPAD: A multiple classifier system for accurate payload-based anomaly detection. Computer Networks, 53(6): 864–881, 2009.

[55] W. Khreich, E. Granger, A. Miri, and R. Sabourin. Adaptive ROC-based ensembles of HMMs applied to anomaly detection. Pattern Recognition, 45(1): 208–230, 2012.

[56] D. Parikh and T. Chen. Data Fusion and Cost Minimization for Intrusion Detection. IEEE Transactions on Information Forensics and Security, 3(3): 381–389, 2008.

[57] R. Yan and C. Shao. Hierarchical Method for Anomaly Detection and Attack Identification in High-speed Network. Journal of Information Technology, 11(9): 1243–1250, 2012.

[58] W. Gong, W. Fu, and L. Cai. A Neural network based intrusion detection data fusion model. In Proceedings of International Joint Conference on Computational Science & Optimization: 410–414, 2010.

[59] D. Ariu, R. Tronci, and G. Giacinto. HMMPayl: An intrusion detection system based on Hidden Markov Models. Computers & Security, 30(4): 221–241, 2011.

[60] H.H. Nguyen, N. Harbi, and J. Darmont. An efficient local region and clustering-based ensemble system for intrusion detection. In Proceedings of Symposium on International Database Engineering & Applications: 185–191, 2011.

[61] A.K. Jain, M.N. Murty, and P.J. Flynn. Data clustering: A review. ACM Computing Survey, 31(3): 264-323, 1999.

[62] A.L. Fred and A.K. Jain. Combining multiple clusterings using evidence accumulation. IEEE Transaction on Pattern Analysis and Machine Intelligence, 27(6): 835-850, 2005.

[63] N. Nguyen and R. Caruana. Consensus clusterings. In Proceedings of IEEE International Conference on Data Mining: 607-612, 2007.

[64] B. Fischer and J. M. Buhmann. Bagging for path-based clustering. IEEE Transactions on Pattern Analysis and Machine Intelligence, 25(11): 1411-1415, 2003.

[65] A. Strehl and J. Ghosh. Cluster ensembles: A knowledge reuse framework for combining multiple partitions. Journal of Machine Learning Research, 3: 583-617, 2002.

[66] N. Iam-On and T. Boongoen. Comparative Study of Matrix Refinement Approaches for Ensemble Clustering. Machine Learning, 98(1-2): 269-300, 2015.

[67] T. Meehinkong, P. Praneetpolgrang and N. Chirawichitchai. An Adaptive Real-Time Intrusion Detection System Based on Cybersecurity Knowledge Architecture. NKRAFA Journal of Science and Technology, 10: 71-81, 2014.

[68] P. Sirinam. UAVs from a Cyber Security Perspective: Cyber Attack Vulnerabilities and
the Preparation of the RTAFA against Cyber Threats. NKRAFA Journal of Science and Technology, 10: 7-12, 2014.