<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article  PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd"><article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article"><front><journal-meta><journal-id journal-id-type="publisher-id">JIS</journal-id><journal-title-group><journal-title>Journal of Information Security</journal-title></journal-title-group><issn pub-type="epub">2153-1234</issn><publisher><publisher-name>Scientific Research Publishing</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.4236/jis.2020.111001</article-id><article-id pub-id-type="publisher-id">JIS-96983</article-id><article-categories><subj-group subj-group-type="heading"><subject>Articles</subject></subj-group><subj-group subj-group-type="Discipline-v2"><subject>Computer Science&amp;Communications</subject></subj-group></article-categories><title-group><article-title>
 
 
  Comparing the Area of Data Mining Algorithms in Network Intrusion Detection
 
</article-title></title-group><contrib-group><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Yasamin</surname><given-names>Alagrash</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref><xref ref-type="corresp" rid="cor1"><sup>*</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Azhar</surname><given-names>Drebee</given-names></name><xref ref-type="aff" rid="aff2"><sup>2</sup></xref><xref ref-type="corresp" rid="cor1"><sup>*</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Nedda</surname><given-names>Zirjawi</given-names></name><xref ref-type="aff" rid="aff3"><sup>3</sup></xref><xref ref-type="corresp" rid="cor1"><sup>*</sup></xref></contrib></contrib-group><aff id="aff1"><addr-line>Computer Science and Informatics, Oakland University, Rochester, Michigan, USA</addr-line></aff><aff id="aff2"><addr-line>Computer Engineering, Ankara Yildirim Beyazt University, Ankara, Turkey</addr-line></aff><aff id="aff3"><addr-line>Informatics-Applied Software Engineering, University of Hamburg, Hamburg, Germany</addr-line></aff><pub-date pub-type="epub"><day>10</day><month>12</month><year>2019</year></pub-date><volume>11</volume><issue>01</issue><fpage>1</fpage><lpage>18</lpage><history><date date-type="received"><day>25,</day>	<month>July</month>	<year>2019</year></date><date date-type="rev-recd"><day>7,</day>	<month>December</month>	<year>2019</year>	</date><date date-type="accepted"><day>10,</day>	<month>December</month>	<year>2019</year></date></history><permissions><copyright-statement>&#169; Copyright  2014 by authors and Scientific Research Publishing Inc. </copyright-statement><copyright-year>2014</copyright-year><license><license-p>This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/</license-p></license></permissions><abstract><p>
 
 
  The network-based intrusion detection has become common to evaluate machine learning algorithms. Although the KDD Cup’99 Dataset has class imbalance over different intrusion classes, still it plays a significant role to evaluate machine learning algorithms. In this work, we utilize the singular valued decomposition technique for feature dimension reduction. We further reconstruct the features form reduced features and the selected eigenvectors. The reconstruction loss is used to decide the intrusion class for a given network feature. The intrusion class having the smallest reconstruction loss is accepted as the intrusion class in the network for that sample. The proposed system yield 97.90% accuracy on KDD Cup’99 dataset for the stated task. We have also analyzed the system with individual intrusion categories separately. This analysis suggests having a system with the ensemble of multiple classifiers; therefore we also created a random forest classifier. The random forest classifier performs significantly better than the SVD based system. The random forest classifier achieves 99.99% accuracy for intrusion detection on the same training and testing data set. 
 
</p></abstract><kwd-group><kwd>Feature Reduction</kwd><kwd> Singular Value Decomposition</kwd><kwd> Intrusion Detection</kwd><kwd>  Correlation Analysis</kwd><kwd> Association Impact Scale</kwd><kwd> Intrusion Detection System</kwd><kwd> KDD Cup 1999</kwd><kwd> Random Forest</kwd></kwd-group></article-meta></front><body><sec id="s1"><title>1. Introduction</title><p>With the advance of the Internet and its potential, there has been a subsequent growth of information flow and services over networks. Consequently, the security issues have become a key concern of business organizations that rely on network-based 5 services. Therefore, there is an essential need for Intrusion Detection Systems (IDS). That monitors and analyzes networks to automatically detect malicious and suspicious activities, vulnerabilities, and policy violations in the network.</p><p>An intrusion attempt or a threat can be defined as a deliberate and unauthorized attempt to access or/and manipulate information or (ii) make a system unreliable or 10 unusable. Intrusion detection techniques used in IDSs are generally classified into two categories: misuse detection and anomaly detection [<xref ref-type="bibr" rid="scirp.96983-ref1">1</xref>]. Misuse detection techniques are most widely used, and they are based on a database of previous and well-known attacks to identify any intrusion attempts. Although these techniques have very a small rate of false attacks, they must be continually updated and maintained and may fail to 15 detect unique intrusions. Anomaly detection techniques, on the other hand, are based on a set of rules of normal behavior to identify deviation of activities from this normal behavior. They have the ability to detect unknown, novel, or unfamiliar attacks that have not been encountered previously; however, false attack rate is high.</p><p>In recent years, the use of machine learning techniques such as support vector machine (SVM) [<xref ref-type="bibr" rid="scirp.96983-ref2">2</xref>], extreme learning machine (ELM) [<xref ref-type="bibr" rid="scirp.96983-ref3">3</xref>], Artificial Neural Networks (ANN) [<xref ref-type="bibr" rid="scirp.96983-ref4">4</xref>], Genetic Algorithms (GA), etc. to classify and detect attacks has become a common in intrusion detection system due to the fact that they can achieve intrusions generalizations. Due to the complexity and diversity of intrusions, machine learning based IDSs have the ability to process and extract features from a large volume of data 25 related to online intrusions. Hence, they became a vital solution for developing an efficient and robust intrusion detection system.</p><p>Challenges and Motivations</p><p>This work is due to the demanded detection and analysis system over data and service flow produced by web service invocation over computing environment. The traditional analysis mechanisms do not offer significant results where malware is everywhere and these services do share common geographical locations, reside on different internet segments.</p><p>The size of data in analysis phase is still challenge, so policy based analysis is a real demand to control and detect the intruder over virtual global network composed of web services.</p><p>Contribution</p><p>In this work, we have tested and analyzed the two classification methods based on Singular Value Decomposition (SVD) and Random Forest (RF). Besides this, we have evaluated the two methods with different performance measures.</p><p>The rest of this work is organized as follows. 30 The related work of machine learning based IDSs is described in Section 2. The proposed system is explained in Section 3. The experimental results and comparative study of proposed methods are analyzed and discussed in Section 4. The last Section 5 concludes the paper.</p></sec><sec id="s2"><title>2. Background</title><sec id="s2_1"><title>2.1. Singular Value Decomposition Algorithm</title><p>The Singular Value Decomposition (SVD) technique has a long and surprising journey. SVD is first used in the social sciences with intelligence testing. The initial research in intelligence testing found out that tests given to measure different aspects of intelligence, such as verbal and spatial, were often closely correlated. There are a lot of 150 names for which SVD is known. In the early days, it was called as principal component (PC) decomposition, factor analysis, and empirical orthogonal function (EOF) analysis. All these names are mathematically equivalent to each other, but they are treated differently in the literature.</p><p>Today, singular value decomposition has spread through many branches of science, 155 in particular psychology and sociology, climate and atmospheric science, and astronomy. It is also extremely useful in machine learning and in both descriptive and predictive statistics. In many machine learning applications, it is useful to find a lower rank matrix which can represent the data matrix. The singular value decomposition of a matrix X is the factorization of X into the product of three matrices as follows</p><p>X = U &#215; D &#215; V T (1)</p><p>where the matrices U and V are real valued matrices. Besides this, the columns of Um160 and V are orthonormal. The matrix D is positive real valued and it is a diagonal matrix [<xref ref-type="bibr" rid="scirp.96983-ref5">5</xref>].</p></sec><sec id="s2_2"><title>2.2. Random Forest Algorithm</title><p>There are a lot of supervised classification algorithms and the ensemble of those may yield better performance. With this intuition, Random forest algorithm creates the ensemble of several decision tree classifiers which is called as the forest of the decision 165 of trees. The Random Forest algorithm is proposed by Dr. Leo Breiman [<xref ref-type="bibr" rid="scirp.96983-ref6">6</xref>]. All the decision trees in the forest participate and the final results are drowned by the majority vote. Therefore, a higher number of trees in the forest give the high accuracy results.</p><p>We have partitioned the training data samples into K subsets (K = 500 in our work) randomly. For each subset, we have constructed a decision tree. All the decision trees 170 are constructed by randomly selecting m variables (with randomly selected samples in the corresponding subset) and finding the best split on the selected variables. This technique is applied at each node of decision tree till a node becomes a leaf node. Each decision tree votes for a classification result and the final classification result is decided by the majority votes of the decision trees [<xref ref-type="bibr" rid="scirp.96983-ref7">7</xref>] [<xref ref-type="bibr" rid="scirp.96983-ref8">8</xref>].</p><p>Let we have K set of decision tree classifiers C1(175 x);C2(x); :::;Ck(x). These decision tree classifiers are created by the training sets, randomly drawn from the training set of KDDCUP’99 dataset. Let the vector Y and X are class label and corresponding attribute samples vector then we can get the margin function by Equation (2)</p><p>m g ( X ; Y ) = a v k I ( C k ( X ) = Y ) − m a x J Y a v k I = Y a v k I ( C k ( X ) = j ) (2)</p><p>where indicator function is symbolized with I. The margin function measures the 180 average number of votes the correct attack class exceeds by average number of votes for any other class at given vector X and Y. We will get more accuracy with the larger margin. The generalization error of the system is given as Equation (3).</p><p>P E = P X , Y ( m g ( X , Y ) ≤ 0 ) (3)</p><p>where the P<sub>X</sub><sub>,Y</sub> is the probability over the X, Y space.</p></sec></sec><sec id="s3"><title>3. Related Work</title><p>In Information security, the machine learning techniques have become more attractive to researchers because of their capabilities to process large volume of data and provide classifications without prior knowledge of data. Therefore, different numbers of IDS have used these techniques to identify abnormal activities in the network. Extensive survey of various IDS are given in this study, we focus on IDS that are based on classification techniques. Examples of these IDS and their performance on KDD99Cup dataset are given in <xref ref-type="table" rid="table1">Table 1</xref>. Classification consists of two phases. First, during the training phase, a classifier is built (learned) using labeled training data. Then, this classifier is used to classify an instance as normal or anomalous (testing phase). Classification-based anomaly detection approaches are popular 45 for detecting network anomalies. The classification techniques are based on establishing an explicit or implicit model that enables categorization of network traffic patterns into several classes.</p><p>Classifications based IDS can use number of classifiers such as Nave Bayesian, Support vector machine (SVM), Artificial Neural Networks (ANN), etc. Nave Bayesian is a most widely used classifier for network intrusion detection.</p><p>Klassen and Ning [<xref ref-type="bibr" rid="scirp.96983-ref9">9</xref>] proposed a Nave Bayesian approach to detect black holes, selective forwarding and Distributed Denial of Service (DDoS) attacks, in real time. The system monitored packets sent from nodes; therefore, their behavior is checked in order to detect any abnormality. Tao et al. [<xref ref-type="bibr" rid="scirp.96983-ref10">10</xref>] also used a</p><table-wrap id="table1" ><label><xref ref-type="table" rid="table1">Table 1</xref></label><caption><title> Different attack types and their categorization in KDD99 dataset [<xref ref-type="bibr" rid="scirp.96983-ref29">29</xref>]</title></caption><table><tbody><thead><tr><th align="center" valign="middle" >Category</th><th align="center" valign="middle" >Different Attack Type within its category</th></tr></thead><tr><td align="center" valign="middle" >R2L</td><td align="center" valign="middle" >ftp write, guess passwd, httptunnel, imap, multihop, named, phf, sendmail, snmpguess, spy, snmpget attack, xlock, xsnoop, ware z-client, worm, ware zmaster</td></tr><tr><td align="center" valign="middle" >DoS</td><td align="center" valign="middle" >apache2, back, cesstable, land, prosmurf, mailbomb, udpstorm, neptune, teardrop, pod</td></tr><tr><td align="center" valign="middle" >Probe</td><td align="center" valign="middle" >ipsweep, saint, mscan, port sweep, nmap, satan</td></tr><tr><td align="center" valign="middle" >U2R</td><td align="center" valign="middle" >sqlattack, load module, ps, root kit, buffer overflow, perl, xterm</td></tr></tbody></table></table-wrap><p>Nave Bayesian classifier in combination with a time slicing function to detect network abnormality. Thus, they exploited the relationship between time and network traffic, since network traffic changes at distinct times and some traffic does not occur at a particular time. The model proposed in [<xref ref-type="bibr" rid="scirp.96983-ref11">11</xref>] accurately detected suspicious payload content in network packets through the use of the multinomial one class Naive Bayes classifier for payload based anomaly detection (OCPAD).</p><p>Also, SVM classifier is used to build IDS system. For instance, Wagner et al. [<xref ref-type="bibr" rid="scirp.96983-ref12">12</xref>] use one-class classifiers that can detect new anomalies data points that do not belong to the learned class. In particular, they use a one-class SVM classifier proposed by Scholkopf et al. [<xref ref-type="bibr" rid="scirp.96983-ref13">13</xref>]. In such a classifier, the training data is presumed to belong to only one class, and the learning goal during training is to determine a function which 65 is positive when applied to points on the circumscribed boundary around the training points and negative outside. They obtain 92% accuracy on average for all attacks classes. Catania et al. [<xref ref-type="bibr" rid="scirp.96983-ref14">14</xref>] proposed a novel approach to providing autonomous labeling to normal traffic, in order to overcome imbalanced class distribution situations and reduce the presence of attacks in the traffic data used for training an SVM classifier. Amer et al. [<xref ref-type="bibr" rid="scirp.96983-ref15">15</xref>] applied two modifications in order to make one-class SVMs more suitable for unsupervised anomaly detection: Robust one-class SVMs and eta one-class SVMs. Their aim was to make the decision boundary less sensitive to outliers in the data.</p><p>Additionally, Wang et al. [<xref ref-type="bibr" rid="scirp.96983-ref16">16</xref>] developed an effective IDS based on an SVM with 75 augmented features. These IDS model integrates the SVM with the logarithm marginal density ratios transformation (LMDRT), a feature transduction technique that transforms the dataset into a new one. The new and concise dataset is used to train the SVM classifier, improving its detection. By evaluating the framework using the mostly used NSL-KDD dataset, the authors could achieve a fast training speed, high accuracy and 80 detection rates, as well as low false alarm presences. Kabir et al. [<xref ref-type="bibr" rid="scirp.96983-ref17">17</xref>] proposed an IDS based on a modification of the standard SVM classifier, known as the least square support vector machine (LS-SVM). This alteration is sensitive to outliers and noise in the training dataset when compared to a regular SVM. Their decision-making process is divided into two stages. The first stage is 85 responsible for reducing the dataset dimension by selecting samples depending on the variability of data by using an optimum allocation scheme. Then, the next stage uses these representative samples as the input of the LS-SVM. An example of classification-based IDS is Automated Data Analysis and Mining (ADAM) [<xref ref-type="bibr" rid="scirp.96983-ref18">18</xref>] that provides a test bed for detecting anomalous instances. ADAM exploits a combination of classification techniques and association rule mining to discover attacks in a tcpdump audit trail. Abbes et al. [<xref ref-type="bibr" rid="scirp.96983-ref19">19</xref>] introduce an approach that uses decision trees with protocol analysis for effective intrusion detection.</p><p>Several authors have used a combination of classifications and clustering for network intrusion detection exploiting the advantages of the two approaches. For example, Muda et al. [<xref ref-type="bibr" rid="scirp.96983-ref20">20</xref>] present a two stage model for network intrusion detection. In the first stage, k-means clustering is used to generate three clusters: C1 for attack data such as Probe, U2R and R2L; C2 for DoS attack data, and C3 for non-attack data. In the second stage, the Naive Bayes classifier to classify the data into the five more classes called Normal, DoS, Probe, R2L and U2R. Another approach based on the combination of k-mean for clustering and Iterative Dichotomiser (ID3) algorithm for decision tree classifier is proposed in [<xref ref-type="bibr" rid="scirp.96983-ref21">21</xref>]. In this approach, the training data is grouped into k clusters using Euclidean distance similarity. A decision tree is then built using ID3 algorithm on the instances in a cluster to overcome the shortcomings of k-mean algorithm. The authors claim that the detection accuracy of the k-means + ID3 method 105 is very high with low false positive rate on network anomaly data.</p><p>Artificial Neural Networks (ANNs) are also used in the anomaly detection system mostly as classifiers. An example of ANN-based IDS is RT-UNNID [<xref ref-type="bibr" rid="scirp.96983-ref22">22</xref>]. This system is capable of intelligent real time intrusion detection using unsupervised neural networks (UNN). Subba et al. [<xref ref-type="bibr" rid="scirp.96983-ref23">23</xref>] employed an ANN model in order to introduce an intelligent agent for classifying whether the underlying patterns of audit records are normal or abnormal while classifying them into new and unseen records. Saeed et al. [<xref ref-type="bibr" rid="scirp.96983-ref24">24</xref>] proposed a two-level anomaly-based IDS using a Random Neural Network (RNN) model in an IoT environment. The RNN model was employed in order to build a behavior profile based on both valid and invalid system input parameters to distinguish 115 normal and abnormal patterns. Brown et al. [<xref ref-type="bibr" rid="scirp.96983-ref25">25</xref>] proposed a two-class classifier using an evolutionary general regression neural network (E-GRNN) for intrusion detection based on the features of application layer protocols.</p></sec><sec id="s4"><title>4. Proposed System</title><p>In this work we have utilized two machine learning approaches for the task of network intrusion detection. These approaches are Singular Value Decomposition (SVD) and Randome Forest. The dataset used in this work to evaluate these approaches is KDDCUP’99 dataset for network intrusion detection. We have also compared these approaches in different evaluation metrics. The detail of comparison is given in Section 4. In this section we are explaining the two approaches used in the work.</p>Pre-Processing of the Data<p>As the KDDCUP’99 dataset has continuous and categorical both type of attributes we need to change all categorical attributes into real values vectors. The detail of KDDCUP’99 dataset is given in subsection 4.1. Some operations are performed on the KDDCUP’99 dataset to prepare it for the machine learning algorithms.</p><p>1) Convert categorical attributes: All the categorical attributes are converted into one-hot encoded vector format. The one-hot vector has all values zero except one. Here we create a vector of length same as the number of unique categories available for the attribute. Every unique category has assigned an id. The position of one in one-hot encoded vector is given by this id. The corresponding vector for a category has one at position id of the category if unique categories are “A”, “B”, “C”, “D”, “E” then the one-hot vector for category “B” is 01000 where is it is 00010 for the category “D”.</p><p>2) Update Incomplete data samples: There are some attributes for which their corresponding value is not available for some sample in the dataset. We have updated 140 these values by its mean within the corresponding label class.</p><p>3) Normalized the data: The different features/attributes of the dataset have different unit and scale. The two attribute with different unit or scale cannot be compared, so we normalized the dataset. We are normalized the dataset as z score [<xref ref-type="bibr" rid="scirp.96983-ref22">22</xref>].</p></sec><sec id="s5"><title>5. Comparative Study</title><sec id="s5_1"><title>5.1. Experimental Datasets</title><p>The KDDCUP’99 dataset is the processed version of DARPA dataset created in 1998. This dataset is distributed under a competition (KDDCUP competition in 1999). This competition was sponsored by the International Conference on Knowledge Discovery in Databases. This competition was required the content to create a predictive model that can learn to predict the class label of a computer network connection [<xref ref-type="bibr" rid="scirp.96983-ref9">9</xref>]. The class labels for any computer network connection are legitimate and illegitimate connection. This dataset has a large number sample data for network connections. These sample have both normal connections and attack connections. The whole dataset is divided into two mutual exclusive parts name train set and test set. The train set has approximately five million records of computer network connections whereas the test set has about 0.3 million records of computer network connections.</p><p>A computer network connection is a session of data transfer in-between a pair of computer. This session is time-stamped and has 41 other attributes. Out of these 41 attributes (features), 32 attributes are continuous type and rest 7 are categorical type. Beside these attributes the connections are also labeled as normal connection or as an attack type (different attack types are mentioned in <xref ref-type="table" rid="table1">Table 1</xref>) connection. These attributes can be further broken categorize into four categories as Basic features, Traffic features, Host based traffic features, and Connection-based content features [<xref ref-type="bibr" rid="scirp.96983-ref26">26</xref>] [<xref ref-type="bibr" rid="scirp.96983-ref27">27</xref>] [<xref ref-type="bibr" rid="scirp.96983-ref28">28</xref>].</p><p>• Basic features/attributes (refer <xref ref-type="table" rid="table2">Table 2</xref>): the basic features/attributes are common to all network connections. These features/attributes could be used in detection of intrusion/attacks targeting service and protocol vulnerabilities.</p><p>Traffic features/attributes based on a fixed time window (refer <xref ref-type="table" rid="table3">Table 3</xref>): the features/attributes that are calculated using a fixed duration time window. The two-second time window is utilized to examine the connections which have the 210 same service or destination host as that of the current network connection.</p><table-wrap id="table2" ><label><xref ref-type="table" rid="table2">Table 2</xref></label><caption><title> Basic attributes features in KDDCUP’99 dataset [<xref ref-type="bibr" rid="scirp.96983-ref30">30</xref>]</title></caption><table><tbody><thead><tr><th align="center" valign="middle" >Attribute/Feature Name</th><th align="center" valign="middle" >Type of attribute</th><th align="center" valign="middle" >Description of Basic attribute</th></tr></thead><tr><td align="center" valign="middle" >duration</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >Time duration of the network connection in seconds</td></tr><tr><td align="center" valign="middle" >protocol type</td><td align="center" valign="middle" >nominal</td><td align="center" valign="middle" >protocol type (e.g. udp, tcp, etc.)</td></tr><tr><td align="center" valign="middle" >service</td><td align="center" valign="middle" >nominal</td><td align="center" valign="middle" >network connection service on the destination system (e.g. http, ftp, telnet, etc.)</td></tr><tr><td align="center" valign="middle" >src bytes</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >the number of data bytes transferring from source system to destination system</td></tr><tr><td align="center" valign="middle" >dst bytes</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >the number of data bytes transfering from destination system to source system</td></tr><tr><td align="center" valign="middle" >flag</td><td align="center" valign="middle" >nominal</td><td align="center" valign="middle" >the status of the network connection (e.g. normal or error)</td></tr><tr><td align="center" valign="middle" >land</td><td align="center" valign="middle" >binary</td><td align="center" valign="middle" >1 if network connection is from/to the same host-port; 0 otherwise</td></tr><tr><td align="center" valign="middle" >wrong fragment</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >number of the wrong fragments</td></tr><tr><td align="center" valign="middle" >urgent</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >total number of the urgent packets</td></tr></tbody></table></table-wrap><table-wrap id="table3" ><label><xref ref-type="table" rid="table3">Table 3</xref></label><caption><title> Traffic attributes features in KDDCUP’99 dataset using two-second time windows [<xref ref-type="bibr" rid="scirp.96983-ref30">30</xref>]</title></caption><table><tbody><thead><tr><th align="center" valign="middle" >Attribute/Feature Name</th><th align="center" valign="middle" >Type of attribute</th><th align="center" valign="middle" >Description of Traffic attribute</th></tr></thead><tr><td align="center" valign="middle" >count</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >number of connections in the past two seconds to the same host as the current connection</td></tr><tr><td align="center" valign="middle" >serror rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of connections for same host that have SYN errors</td></tr><tr><td align="center" valign="middle" >rerror rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of connections for same hostmthat have REJ errors</td></tr><tr><td align="center" valign="middle" >same srv rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of connections for same host to different services</td></tr><tr><td align="center" valign="middle" >srv count</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >number of connections in the past two seconds to the same service as the current connection</td></tr><tr><td align="center" valign="middle" >srv serror rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of connections for same service that have SYN errors</td></tr><tr><td align="center" valign="middle" >srv rerror rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of connections for same service that have REJ errors</td></tr><tr><td align="center" valign="middle" >srv diff host rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of connections for same service to different hosts</td></tr></tbody></table></table-wrap><p>• Host based traffic attributes/features (refer in <xref ref-type="table" rid="table4">Table 4</xref>): the host based traffic category capture the features/attributes as the number of network connections to the same port, host, or service in the past 100 network connections by a destination host.</p><p>• Connection-based content attributes/features (refer <xref ref-type="table" rid="table5">Table 5</xref>). These features/attributes may or may not be useful in identifying the malicious network activities. These features are based on domain knowledge. These features are helpful in identifying the U2R and R2L attacks/intrusion by monitoring statistics disclosed in the payload section or in the audit logs.</p><table-wrap id="table4" ><label><xref ref-type="table" rid="table4">Table 4</xref></label><caption><title> Host based traffic attributes features in KDDCUP’99 dataset using windows of 100 connections [<xref ref-type="bibr" rid="scirp.96983-ref31">31</xref>]</title></caption><table><tbody><thead><tr><th align="center" valign="middle" >Attribute/Feature Name</th><th align="center" valign="middle" >Type of attribute</th><th align="center" valign="middle" >Description of Host based traffic attribute</th></tr></thead><tr><td align="center" valign="middle" >dst host count</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >In the past 100 connections the number of connections to the same host</td></tr><tr><td align="center" valign="middle" >dst host serror rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of connections that have SYN errors</td></tr><tr><td align="center" valign="middle" >dst host rerror rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of connections that have REJ errors</td></tr><tr><td align="center" valign="middle" >dst host same srv rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of connections to the same service</td></tr><tr><td align="center" valign="middle" >dst host dif srv rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of same host connections to different services</td></tr><tr><td align="center" valign="middle" >dst host srv count</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >In the past 100 connections the number of connections to the same service</td></tr><tr><td align="center" valign="middle" >dst host srv serror rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of same service connections that have SYN errors</td></tr><tr><td align="center" valign="middle" >dst host srv rerror rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of same service connections that have REJ errors</td></tr><tr><td align="center" valign="middle" >dst host srv diff host rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of same service connections to different hosts</td></tr><tr><td align="center" valign="middle" >dst host same src port rate</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >percent of connections from the same source port</td></tr></tbody></table></table-wrap><table-wrap-group id="5"><label><xref ref-type="table" rid="table5">Table 5</xref></label><caption><title> Connection-based content attributes features in KDDCUP’99 dataset based on domain knowledge [<xref ref-type="bibr" rid="scirp.96983-ref30">30</xref>]</title></caption><table-wrap id="5_1"><table><tbody><thead><tr><th align="center" valign="middle" >Attribute/Feature Name</th><th align="center" valign="middle" >Type of attribute</th><th align="center" valign="middle" >Description of Connection-based content attribute</th></tr></thead><tr><td align="center" valign="middle" >hot</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >hot indicators e.g., creation, and execution of programs, access to system directories, etc</td></tr><tr><td align="center" valign="middle" >num failed logins</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >login attempts failed count</td></tr><tr><td align="center" valign="middle" >logged in</td><td align="center" valign="middle" >binary</td><td align="center" valign="middle" >if logged in successfully then 1; otherwise 0</td></tr><tr><td align="center" valign="middle" >num compromised</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >number of compromised/warning states on the destination host (e.g., Jump to instructions, and file/path not found errors, etc.)</td></tr><tr><td align="center" valign="middle" >root shell</td><td align="center" valign="middle" >binary</td><td align="center" valign="middle" >if root shell is acquired then 1; otherwise 0</td></tr><tr><td align="center" valign="middle" >su attempted</td><td align="center" valign="middle" >binary</td><td align="center" valign="middle" >if su root command tried then 1; otherwise 0</td></tr><tr><td align="center" valign="middle" >num root</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >total root accesses</td></tr><tr><td align="center" valign="middle" >num file creations</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >number of file operations(creation)</td></tr><tr><td align="center" valign="middle" >num shells</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >number of prompts(shell)</td></tr></tbody></table></table-wrap><table-wrap id="5_2"><table><tbody><thead><tr><th align="center" valign="middle" >num access files</th><th align="center" valign="middle" >continuous</th><th align="center" valign="middle" >On access control files, number of operations</th></tr></thead><tr><td align="center" valign="middle" >num outbound cmds</td><td align="center" valign="middle" >continuous</td><td align="center" valign="middle" >In an ftp session, number of out-bound commands</td></tr><tr><td align="center" valign="middle" >is host login</td><td align="center" valign="middle" >binary</td><td align="center" valign="middle" >if login belongs to the host then 1; otherwise 0</td></tr><tr><td align="center" valign="middle" >is guest login</td><td align="center" valign="middle" >binary</td><td align="center" valign="middle" >if login is a guest then 1; otherwise 0</td></tr></tbody></table></table-wrap></table-wrap-group></sec><sec id="s5_2"><title>5.2. Evaluation Criteria</title><p>We need to compare the performance of two machine learning approaches therefore, we require an evaluation measures which is sensitive as well as robust to the available dataset. It is very uncertain to have these properties in a single measure, so we are testifying the performance of the system on several measures.</p><p>For a class X there are four type of observation depending upon the pre-diction and ground truth. These four observations are listed in <xref ref-type="table" rid="table3">Table 3</xref>.</p><p>There are some performance measures based on these observations. We are utilizing some of them which are listed below</p><p>• Accuracy: This measure calculates the classifier performance as how many time it predict a class correctly with respect to the class itself. It can also refer to the closeness of a predicted value to a known or true value. This measure is calculated by Equation (4) [<xref ref-type="bibr" rid="scirp.96983-ref31">31</xref>].</p><p>accuracy = t p + t n / N (4)</p><p>where N is the total number of test samples. Precision: This measure calculates the classifier performance as how many times, its prediction as a class is correct. It can also refer to the closeness of multiple measurements with each other. This measure is calculated by Equation (5).</p><p>Precision = t p / t p + f p (5)</p><p>Recall: This measure calculates the classifier performance as how many times its prediction of a class retrieve the class correctly. In other word we can say that the recall is the per class accuracy of the system. This measure is calculated by Equation (6).</p><p>Recall = t p / t p + f n (6)</p><p>F-measure [<xref ref-type="bibr" rid="scirp.96983-ref32">32</xref>] : Generally Precision and Recall for a classifier are not following each other. If Precision is improving after some consideration the recall declined and vice-versa. A sound classifier need the both measurement (Precision and Recall) as high therefore a new measurement is required that incorporate both of them. This measure is the F-measure which included the Precision and Recall measure in it. This measure is calculated by Equation (7).</p><p>F-measure ( β ) = ( 1 + β 2 ) t p / ( 1 + β 2 ) t p + β 2 f p + f n (7)</p><p>In our experiments we have used F1-measure so the β = 1 is used.</p><p>• Area Under Curve (AUC): As Precision and Recall for a classifier are not following each other, and we need to encorporate them both for performance measurement, we can consider the area under the curve of Receiver operating characteristic [<xref ref-type="bibr" rid="scirp.96983-ref33">33</xref>].</p><p>As the task is multi-class problem, averaging the evaluation measures over all intrusion classes can give a view on the general results. We are using the micro-averaging and macro-averaging approaches for this task.</p><p>Macro-averaged measure</p><p>The macro-averaged results for a multi-class problem can be computed by Equation (8).</p><p>Amicro = 1 / q ∑ λ = 1 N A ( t p λ , f p λ , t n λ , f n λ ) (8)</p><p>Here A = {Cλ: λ = 1:q} is the set of all attack classes. Let a binary classifier Cl and corresponding evaluation measure AC(tp, tn, fp, fn). These measures are calculated based on respective true positive numbers (tp), true negative numbers (tn) (<xref ref-type="table" rid="table6">Table 6</xref>).</p><p>False negative numbers (fn), and false positive numbers (fp). Let these numbers are tp<sub>λ</sub>, tn<sub>λ</sub>, fn<sub>λ</sub>, and tn<sub>λ</sub> and used to evaluate the measure A for the class Cl Finally, we calculate the mean of this measure over all attack classes (refer Equation (8)).</p><p>Micro-averaged measure</p><p>Similarly, a micro averaged measure can be computed as Equation (9).</p><p>Amicro = A ( ∑ 1 q t p λ , ∑ 1 q f p λ , ∑ 1 q t n λ , ∑ 1 q f n λ ) (9)</p></sec></sec><sec id="s6"><title>6. Results and Analysis</title><p>In this section, we are showing the result of Singular Valued Decomposition (SVD) based model and Random Forest (RF) based system. <xref ref-type="fig" rid="fig1">Figure 1</xref> and <xref ref-type="fig" rid="fig2">Figure 2</xref> show the normalized confusion matrix for the model based on SVD and RF model respectively. These confusion matrices show that the system is capable enough to classify the most of the attack types correctly. There are still some attack type for which the performance of the system is not satisfactory. The main reason of this behavior of the system is class imbalance in training sample set. In the KDDCup’99 dataset, there are some attack classes for which number of samples are very low and for some classes it is very high. The ratio of maximum number of samples with respect to minimum.</p><p>Number of samples for an attack type in the dataset is very high. Beside these class imbalance problem the Random Forest method outperform the SVD model</p><table-wrap id="table6" ><label><xref ref-type="table" rid="table6">Table 6</xref></label><caption><title> Different observation of prediction for a class X</title></caption><table><tbody><thead><tr><th align="center" valign="middle" >True class label is X</th><th align="center" valign="middle" ></th><th align="center" valign="middle" >True class label is not X</th></tr></thead><tr><td align="center" valign="middle" >Predicted class label is X</td><td align="center" valign="middle" >tp: true positive</td><td align="center" valign="middle" >fp: false positive</td></tr><tr><td align="center" valign="middle" >Predicted class label is not X</td><td align="center" valign="middle" >fn: false negative</td><td align="center" valign="middle" >tn: true negative</td></tr></tbody></table></table-wrap><p>in all aspect of confusion matrix. We have also analysis the performance of the system on Receiver operating characteristic (ROC) curve and the area under the curve (AUC) measure. The Random Forest method clearly surpassed the SVD (refer <xref ref-type="fig" rid="fig3">Figure 3</xref>).</p><p>Here we have compared the Receiver operating characteristic of the respective methods with micro averaged and macro averaged performance measures. These ROC curves and the AUC measures exemplify the superiority of the Random Forest method over the SVD based method. The area under curve (AUC) measure for the Random Forest method is nearly perfect score (AUC = 1.0). The performance of the system with respect to individual attack type is depicted as bar charts in Figures 4-6. The attack type “ware client” and “neptune” are the worst behaving attack classes. The performance of the system for these attack classes is nearly zero with both methods.</p><p><xref ref-type="fig" rid="fig4">Figure 4</xref> shows the Precision performance analysis at all attack type for SVD and Random Forest models. <xref ref-type="fig" rid="fig5">Figure 5</xref> and <xref ref-type="fig" rid="fig6">Figure 6</xref> show the Recall performance analysis and F-measure performance analysis at all attack type for SVD and Random Forest models. These barcharts also describe the better performance of the Random Forest methods over the SVD method. Finally we are showing the overall performance of the system.</p><p>Here we are depicting the accuracy and F-measure of the Random Forest and SVD methods (refer <xref ref-type="fig" rid="fig7">Figure 7</xref>). The random forest method outperforms the SVD based system in all performance measures and shows the promising behavior for the intrusion detection in network connection environment.</p><p><xref ref-type="fig" rid="fig8">Figure 8</xref> shows different performance in classification method of SVD and RF algorithms, the results indicate the promising behavior of RF algorithm.</p></sec><sec id="s7"><title>7. Conclusion and Future Scope</title><p>In this work, we have tested and analyzed the two classification methods based on Singular Value Decomposition (SVD) and Random Forest (RF). The SVD based method utilizes the dimension reduction technique within each attack class. The decision is taken based upon the reconstruction error in each class. The class having the lowest reconstruction error is decided as the true attack class for the given sample. Besides this, the RF-based method utilizes the ensembles of decision trees to decide the true attack class. The results show that the RF-based method outperformed the SVD based method in all performance measures. The results show that the performance in both methods regarding the classes having few samples in the training set is suffering the class imbalance problem. A further study is required to handle this problem.</p></sec><sec id="s8"><title>Conflicts of Interest</title><p>The authors declare no conflicts of interest regarding the publication of this paper.</p></sec><sec id="s9"><title>Cite this paper</title><p>Alagrash, Y., Drebee, A. and Zirjawi, N. (2020) Comparing the Area of Data Mining Algorithms in Network Intrusion Detection. Journal of Information Security, 11, 1-18. https://doi.org/10.4236/jis.2020.111001</p></sec></body><back><ref-list><title>References</title><ref id="scirp.96983-ref1"><label>1</label><mixed-citation publication-type="other" xlink:type="simple">Bhuyan, M.H., Bhattacharyya, D.K. and Kalita, J.K. Network Anomaly Detection.</mixed-citation></ref><ref id="scirp.96983-ref2"><label>2</label><mixed-citation publication-type="other" xlink:type="simple">Feng, W., Zhang, Q., Hu, G. and Huang, J.X. (2014) Mining Network Data for Intrusion Detection through Combining SVMs with Ant Colony Networks. Future Generation Computer Systems, 37, 127-140.</mixed-citation></ref><ref id="scirp.96983-ref3"><label>3</label><mixed-citation publication-type="other" xlink:type="simple">Singh, R., Kumar, H. and Singla, R. (year) An Intrusion Detection System Using Network Traffic Profiling and Online Sequential Extreme Learning Machine. Expert Systems with Applications, 42, 8609-8624.</mixed-citation></ref><ref id="scirp.96983-ref4"><label>4</label><mixed-citation publication-type="other" xlink:type="simple">Wu, S.X. and Banzhaf, W. (2010) The Use of Computational Intelligence in Intrusion Detection Intrusion Detection Systems: A Review. Applied Soft Computing, 10, 1-35. https://doi.org/10.1016/j.asoc.2009.06.019</mixed-citation></ref><ref id="scirp.96983-ref5"><label>5</label><mixed-citation publication-type="other" xlink:type="simple">DeLong, E.R., DeLong, D.M. and Clarke-Pearson, D.L. (1988) Comparing the Areas under Two or More Correlated Receiver Operating Characteristic Curves: A Nonparametric. Biometrics, 44, 837-845. https://doi.org/10.2307/2531595</mixed-citation></ref><ref id="scirp.96983-ref6"><label>6</label><mixed-citation publication-type="other" xlink:type="simple">Breiman, L. (2001) Random Forests. Machine Learning, 45.</mixed-citation></ref><ref id="scirp.96983-ref7"><label>7</label><mixed-citation publication-type="other" xlink:type="simple">Nadeem, M., Marshall, O., Singh, S., Fang, X. and Yuan, X. (2016) Semi-Supervised Deep Neural Network for Network Intrusion Detection. KSU Proceedings on Cybersecurity Education, Research and Practice. 2.</mixed-citation></ref><ref id="scirp.96983-ref8"><label>8</label><mixed-citation publication-type="other" xlink:type="simple">Shi, N., Yuan, X. and Nick, W. (2017) Semi-Supervised Random Forest for Intrusion Detection Network. 2017 The 28th Modern Artificial Intelligence and Cognitive Science Conference, Fort Wayne, IN, 28-29 April 2017, 181-185.</mixed-citation></ref><ref id="scirp.96983-ref9"><label>9</label><mixed-citation publication-type="other" xlink:type="simple">Klassen, M. and Yang, N. (2012) IEEE Fifth International Conference on Advanced Computational Intelligence.</mixed-citation></ref><ref id="scirp.96983-ref10"><label>10</label><mixed-citation publication-type="other" xlink:type="simple">Liu, T., Qi, A., Hou, Y. and Chang, X. (2008) Method for Network Anomaly Detection Based on Bayesian Statistical Model with Time Slicing. 2008 7th World Congress on Intelligent Control and Automation, Chongqing, 25-27 June 2008, 3359-3362. https://doi.org/10.1109/WCICA.2008.4593458</mixed-citation></ref><ref id="scirp.96983-ref11"><label>11</label><mixed-citation publication-type="other" xlink:type="simple">Swarnkar, M. and Hubballi, N. (2016) OCPAD: One Class Naive Bayes Classifier for Payload Based Anomaly Detection. Expert Systems with Applications, 64, 330-339. https://doi.org/10.1016/j.eswa.2016.07.036</mixed-citation></ref><ref id="scirp.96983-ref12"><label>12</label><mixed-citation publication-type="other" xlink:type="simple">Wagner, C., Francois, J., State, R. and Engel, T. (2011) Machine Learning Approach for IP-Flow Record Anomaly Detection. 10th IFIP Networking Conference (NETWORKING), Valencia, Spain, May 2011, 28-39.</mixed-citation></ref><ref id="scirp.96983-ref13"><label>13</label><mixed-citation publication-type="other" xlink:type="simple">Scholkopf, B.S., Platt, J.C. and Shawe-Taylor, J.C. (2001) Estimating the Support of a High-Dimensional Distribution. Neural Computation, 13, 1443-1471.</mixed-citation></ref><ref id="scirp.96983-ref14"><label>14</label><mixed-citation publication-type="other" xlink:type="simple">Catania, C.A., Bromberg, F. and Garino, C.G. (2011) An Autonomous Labeling Approach to 345 Support Vector Machines Algorithms for Network Traffic Anomaly Detection. Expert Systems with Applications, 39, 1822-1829.https://doi.org/10.1016/j.eswa.2011.08.068</mixed-citation></ref><ref id="scirp.96983-ref15"><label>15</label><mixed-citation publication-type="other" xlink:type="simple">Amer, M., Goldstein, M. and Abdennadher, S. (2013) Enhancing One-Class Support Vector Machines for Unsupervised Anomaly Detection. Proceedings of the ACM SIGKDD Workshop on Outlier Detection and Description on Outlier Detection and Description, Chicago, IL, 11 August 2013, 8-15. https://doi.org/10.1145/2500853.2500857</mixed-citation></ref><ref id="scirp.96983-ref16"><label>16</label><mixed-citation publication-type="other" xlink:type="simple">Wang, H., Gu, J. and Wang, S. (2017) An Effective Intrusion Detection Framework Based on SVM with Feature Augmentation. Knowledge-Based Systems, 136, 130-139. https://doi.org/10.1016/j.knosys.2017.09.014</mixed-citation></ref><ref id="scirp.96983-ref17"><label>17</label><mixed-citation publication-type="other" xlink:type="simple">Kabir, E., Hu, J., Wang, H. and Zhuo, G. (2018) A Novel Statistical Technique for Intrusion Detection Systems. Future Generation Computer Systems, 79, 303-318.https://doi.org/10.1016/j.future.2017.01.029</mixed-citation></ref><ref id="scirp.96983-ref18"><label>18</label><mixed-citation publication-type="other" xlink:type="simple">Barbard, D., Couto, J., Jajodia, S. and Wu, N. (2001) A Testbed for Exploring the Use of Data Mining in Intrusion Detection. SIGMOD Record, 30, 15-24.</mixed-citation></ref><ref id="scirp.96983-ref19"><label>19</label><mixed-citation publication-type="other" xlink:type="simple">Abbes, T., Bouhoula, A. and Rusinowitch, M. (2010) Efficient Decision Tree for Protocol Analysis in Intrusion Detection. International Journal of Security and Networks, 5, 220-235. https://doi.org/10.1504/IJSN.2010.037661</mixed-citation></ref><ref id="scirp.96983-ref20"><label>20</label><mixed-citation publication-type="other" xlink:type="simple">Muda, Z., Yassin, W., Sulaiman, M. and Udzir, N.I. (2011) A k-Means and Naive Bayes Learning Approach for Better Intrusion Detection. Information Technology Journal, 10, 648-655. https://doi.org/10.3923/itj.2011.648.655</mixed-citation></ref><ref id="scirp.96983-ref21"><label>21</label><mixed-citation publication-type="other" xlink:type="simple">Quinlan, J.R. (1986) Induction of Decision Trees. Machine Learning.</mixed-citation></ref><ref id="scirp.96983-ref22"><label>22</label><mixed-citation publication-type="other" xlink:type="simple">Amini, M., Jalili, R. and Shahriari, H.R. (2006) RT-UNNID: A Practical Solution to Real-Time Network-Based Intrusion Detection Using Unsupervised Neural Networks. Computers &amp; Security, 25, 459-468. https://doi.org/10.1016/j.cose.2006.05.003</mixed-citation></ref><ref id="scirp.96983-ref23"><label>23</label><mixed-citation publication-type="other" xlink:type="simple">Subba, B., Biswas, S. and Karmakar, S. (2016) A Neural Network Based System for Intrusion Detection and Attack Classification. 2016 Twenty Second National Conference on Communication (NCC), Guwahati, India, 4-6 March 2016, 1-6.https://doi.org/10.1109/NCC.2016.7561088</mixed-citation></ref><ref id="scirp.96983-ref24"><label>24</label><mixed-citation publication-type="other" xlink:type="simple">Saeed, A., Ahmadinia, A., Javed, A. and Larijani, H. (2016) Intelligent Intrusion Detection in Low-Power IoTs. ACM Transactions on Internet Technology, 16, Article No. 27. https://doi.org/10.1145/2990499</mixed-citation></ref><ref id="scirp.96983-ref25"><label>25</label><mixed-citation publication-type="other" xlink:type="simple">Brown, J., Anwar, M. and Dozier, G. (2016) An Evolutionary General Regression Neural Network. 25th International Conference on Computer Communication and Networks, Waikoloa, HI, 1-4 August 2016, 1-5. https://doi.org/10.1109/ICCCN.2016.7568493</mixed-citation></ref><ref id="scirp.96983-ref26"><label>26</label><mixed-citation publication-type="other" xlink:type="simple">Stolfo, S.J., Fan, W., Lee, W., Prodromidis, A. and Chan, P.K. (2000) Cost-Based Modeling for Fraud and Intrusion Detection: Results from the Jam Project. Tech Report, Columbia University, New York.</mixed-citation></ref><ref id="scirp.96983-ref27"><label>27</label><mixed-citation publication-type="other" xlink:type="simple">Shafi, K. (2008) An Online and Adaptive Signature-Based Approach for Intrusion Detection.</mixed-citation></ref><ref id="scirp.96983-ref28"><label>28</label><mixed-citation publication-type="other" xlink:type="simple">Stewart, I. (2009) A Modified Genetic Algorithm and Switch-Based Neural Net-Work Model.</mixed-citation></ref><ref id="scirp.96983-ref29"><label>29</label><mixed-citation publication-type="other" xlink:type="simple">Sheikhan, M., Jadidi, Z. and Farrokhi, A. (2012) Intrusion Detection Using Reduced-Size RNN Based on Feature Grouping. Neural Computing and Applications, 21, 1-6. https://doi.org/10.1007/s00521-010-0487-0</mixed-citation></ref><ref id="scirp.96983-ref30"><label>30</label><mixed-citation publication-type="other" xlink:type="simple">Proti&amp;#263, D.D. (2018) Review of KDD Cup’99, NSL-KDD i Kyoto 2006+ Baza Podataka. Vojnotehni&amp;#269ki glasnik, 663, 580-596. https://doi.org/10.5937/vojtehg66-16670</mixed-citation></ref><ref id="scirp.96983-ref31"><label>31</label><mixed-citation publication-type="other" xlink:type="simple">Kemal, O. (2015) A New Classification Scheme of Plastic Wastes Based upon Recycling Labels. Waste Management, 35, 29-35. https://doi.org/10.1016/j.wasman.2014.09.030</mixed-citation></ref><ref id="scirp.96983-ref32"><label>32</label><mixed-citation publication-type="other" xlink:type="simple">Rijsbergen, C.J.V. and Croft, W.B. (1975) Document Clustering: An Evaluation of Some Experiments with the Cranfield 1400 Collection. Information Processing &amp; Management, 11, 171-182.</mixed-citation></ref><ref id="scirp.96983-ref33"><label>33</label><mixed-citation publication-type="other" xlink:type="simple">DeLong, E.R., DeLong, D.M. and Clarke-Pearson, D.L. (1988) Comparing the Areas under Two or More Correlated Receiver Operating Characteristic Curves: A Nonparametric Approach. Biometric, 44, 837-845.</mixed-citation></ref></ref-list></back></article>