Designing a Hybrid Approach with ComputationalAnalysis and Visual Analytics to Detect Network

IntrusionsDong Hyun Jeong

Dept. of Computer ScienceUniversity of the District of Columbia

Washington, D.C. 20008–1122Email: djeong@udc.edu

Bong-Keun JeongDept. of Computer Information SystemsMetropolitan State University of Denver

Denver, CO 80217Email: bjeong@msudenver.edu

Soo-Yeon JiDept. of Computer Science

Bowie State UniversityBowie, Maryland 20715–3319

Email: sji@bowiestate.edu

Abstract—As network traffic has become more prevalent andcomplex, understanding network traffic patterns is vital to designinnovative detection methods. Researchers have proposed variousintrusion detection techniques by integrating different machinelearning algorithms, but these techniques commonly share a highfalse-positive rate problem. In this study, we propose a hybrid ap-proach of integrating computational analysis with visual analyticsto detect network intrusions. For the computational analysis,both Multi-Resolution Analysis (MRA) and Principal ComponentAnalysis (PCA) are applied to analyze network traffic data.First, Discrete Wavelet Transform (DWT) is utilized as the MRAapproach to extract features from the network traffic data. Afterdetermining statistically significant features from a statisticalvalidation, PCA is applied to transform the extracted featuresfor identifying principal components in eigenspace. Lastly, avisual analytics tool is designed to help the user conduct aninteractive visual analysis on detected network intrusions byinitiating interactive visual validation and verification. We foundthat our approach is useful to detect the network intrusions aswell as to understand their patterns.

I. INTRODUCTION

The Internet provides many useful services like news, email,storage, and social network. However, this technology has a lotof security related issues because the use of Internet servicesoften requires to inadvertently put personal information inonline storages. While people may assume that their personalinformation is well protected, recent online attacks indicatethat it is not 100% secure. Many organizations and businessesinvest significant amounts of budget in information securityand data privacy to protect their computing infrastructures.They also organize computer security incident response teamsto protect data storages, guarantee data confidentiality, andprevent external intrusions. Since attacks are major threats tothe integrity of user data, it is important to build a trust whenproviding services to customers. Consequently, designing ef-ficient intrusion detection techniques is extremely crucial. Toaddress this challenge, researchers have proposed numerousintrusion detection techniques. A traditionally known intrusiondetection system discovers threats by analyzing network pack-ets at the network layer, and directly compare them to known

patterns. But, detecting network intrusions by referencingknown attack patterns has a limitation to identify unknown (ornew) intrusions. For this reason, analyzing network patternswithout previous knowledge about intrusions is considered.However, this approach also has an issue of high false alarmrate (i.e. high false-positives).

In this paper, we emphasize the importance of integratingboth computational analysis and visual analytics to detectnetwork intrusions. For the computational analysis, both Multi-Resolution Analysis (MRA) and Principal Component Anal-ysis (PCA) are used. MRA [1] is an approach that focuseson representing different scales or frequency components insignals by utilizing signal processing techniques. Waveletanalysis is one of the commonly used techniques for MRA. Itanalyzes localized variations of power within network trafficdata. Since the wavelet analysis decomposes data into time-frequency space, it is possible to determine dominant modesof variability [2]. In the past, researchers applied the waveletanalysis to detect anomalies. However, our approach is dif-ferent because we apply the wavelet analysis to determineand extract informative features from the data. There arevarious wavelet analysis methods such as Continuous WaveletTransform (CWT), Fast Wavelet Transform (FWT), DiscreteWavelet Transform (DWT), and Stationary Wavelet Transform(SWT). In our study, Discrete Wavelet Transform (DWT) ischosen as it is suitable for understanding non-stationary datasuch as network traffic. Based on DWT, various numbersof features depending on input parameters are determined.A statistical validation is then performed to remove non-statistically significant features as well as all zero-variancefeatures (i.e. features that have the same values). The objectiveof applying the statistical validation is to increase the accuracyof detecting network intrusions by removing insignificantdata. Then, PCA is applied to the significant features todetermine principal components. Lastly, a visual analytics toolis designed to support an interactive visual analysis to furtherexplore intrusions. The tool utilizes the principal componentsto represent the determined features in 2D display space so thatnetwork activities are displayed with forming clusters which978-1-5090-4228-9/17/$31.00 c©2017 IEEE

indicate either attacks or normal. Also, several user interactiontechniques are added to assist the user in conducting theinteractive visual analysis.

The rest of the paper consists of six sections. First, wediscuss prior research in network intrusion detections andthe benefits of utilizing visualization techniques. Then, ourapproach of analyzing network traffic data to determine in-trusions is introduced with an emphasis on the importanceof designed visualization tool. In section V, we present theperformance of our approach and conclude with discussions,conclusion, and future work.

II. PREVIOUS WORK

In the early network intrusion detection literature, statis-tical analysis was broadly applied to detect intrusions byperforming a statistical comparison of current network eventsto a pre-determined set of baseline criteria. However, thestatistical analysis has a limitation of identifying new typesof attacks. Since the popularity of the Internet produces amassive amount of network traffic patterns as well as unknownattacks, designing an innovative intrusion detection analysisis considered as a major research area in cybersecurity. Toaccomplish this challenge, researchers proposed two intrusiondetection techniques: signature-based detection techniques andbehavior-based or anomaly-based detection techniques [3].

Signature-based techniques (also known as knowledge-based or misused-based techniques) are based on knownattack signatures or system vulnerabilities. Since signature-based techniques analyze current network traffic patterns bycomparing them with the attack signatures, they are quiteaccurate for detecting known attacks, but less effective againstunknown attacks. Therefore, a constant update on attack sig-natures should be performed which may require considerableresources and overhead. Behavior-based or anomaly-basedtechniques perform an analysis of detecting intrusions viadeviations from normal or expected traffic behaviors. Althoughthe two types (anomaly vs. behavior) maintain considerableoverlap and are often regarded as identical in literature, it isimportant to note that there is a slight difference between them.Anomaly-based techniques create a normal profile by trainingcurrent network traffic, and then use the profile to detectdeviations. On the other hand, behavior-based techniques donot necessarily compare against a baseline profile. Althoughthese techniques can be effective to detect network intrusionsin real-time, there are significant limitations. Signature-basedtechniques cannot guarantee to detect unknown network in-trusions, and behavior (or anomaly)-based techniques show asignificant performance issue under heavy traffic or suddentraffic bursts [4]. To address the limitations, researchers havestudied on designing new techniques which integrate differentMachine Learning (ML) techniques [5], [6].

In 1990’s, Cannady [7] emphasized the usefulness ofArtificial Neural Networks (ANNs) for intrusion detection.However, ANNs are not used widely since the accuracy todetect intrusions is closely dependent on datasets and methodsused in training. Furthermore, they do not provide a detailed

reason about detected intrusions. Amor et al. [8] utilizedNaıve Bayes (NB) for detecting intrusions. As a simplifiedBayesian probability model, NB classifier operates based onthe likelihood that one attribute does not affect others. It isfaster than Decision Tree (DT) for learning and classifying, butthere is no significant performance difference between the two.As the number of studies on designing new intrusion detectiontechniques by adapting ML algorithms increased in early 2000,Nguyen and Armitage [9] surveyed various network trafficclassification algorithms appeared in the period between 2004and early 2007. They found that different ML algorithmssuch as AutoClass, Expectation Maximisation (EM), DT, andNB demonstrate high accuracy. However, most approachesare uniquely designed to define their classification modelsby evaluating different test datasets. Therefore, the modelsare less efficient to analyze different datasets and networkcircumstances. To overcome this limitation, researchers havecontinuously sought and adopted various new ML algorithms.Wang [10] showed the effectiveness of logistic regression (LR)modeling to detect multi-attack types. Albayati and Issac [11]compared the performance of detecting intrusions among NB,Random Tree Classifier (rTree), and Random Forest Classifier(rForest), and found that rForest is superior to others withmaintaining low false alarm rate.

Many researchers utilized Support Vector Machine (SVM)to conduct intrusion detection analysis. SVM is well-suitedfor classifying data by finding the hyperplane that maximizesthe margin among all intrusion classes [12], [13], [14], [15],[16]. It simply classifies the input data by using a set ofsupport vectors representing data patterns. However, SVMclassification depends mainly on the used kernel types andparameter settings [16]. It also requires longer training timethan other classification algorithms. To address this limita-tion, Khan et al. [12] proposed an approach of integratinghierarchical clustering analysis. Genetic Algorithm (GA) hasbeen used for various purposes in intrusion detection such asoptimization, automatic model generation, and classification[17], [18]. GA is a search algorithm that utilizes the mechanicsof natural selection and genetics. It is often used to generatedetection rules or select appropriate features from the inputdata. However, the classification accuracy using GA is slightlylower than tree algorithms such as J4.8 and Classificationand Regression Trees (CART) [19]. CART is an algorithmthat generates a set of rules by splitting data into each childnode. Since CART predicts continuous dependent variables(regression) and categorical predictor variables (classification)by building a tree, it is used to perform a classification [20],[21]. It also supports dealing with multiple data types andmissing values. Despite the fact that classical PCA has highsensitivity to outliers [22], PCA is often used to extractsignificant features from network traffic data. In summary,numerous studies have been conducted to design an effectivenetwork intrusion detection technique. However, it is importantto note that one algorithm or approach cannot detect allexisting or unknown attacks precisely due to the existence ofanonymity in network traffic patterns.

In the visualization community, researchers apply visual-ization techniques to address limitations in traditional net-work intrusion detection analysis. Due to the importance ofanalyzing large complex network traffic data, the communityprovides network traffic data as a part of visualization chal-lenge to motivate people to analyze real-world network trafficdata visually. For example, the VAST 2012 challenge [23]provided a financial institution’s data for researchers to gainan opportunity to understand the health of global corporatenetwork visually by identifying anomalies or problems. Shiraviet al. [24] conducted a comprehensive review of existingnetwork security visualization systems by classifying theminto different five use-case classes: host/server monitoring,internal/external monitoring, port activity, attack patterns, androuting behavior. Although numerous network security visual-ization systems have been designed, most systems focus onlyon addressing the issue of how to represent collected logdata or network events. To better understand network trafficpatterns and detect network intrusions more precisely, visu-alization techniques should be integrated with computationaland machine learning approaches. In the following sections,a detailed explanation how we combine both computationalapproaches and visualization techniques in intrusion detectionis included.

III. APPROACH

In this paper, a publicly available intrusion detection dataset(called NSL-KDD [25]) is used. It contains 148,517 recordswith 41 attributes (three nominal, six binary, and thirty-twonumeric attributes). The dataset includes twenty-four attacktypes that can be grouped into four major attack categories:DoS, R2L, U2R, and Probe. DoS indicates denial-of-serviceattack attempting to disable machine or network resourcesunavailable from remote machines. R2L represents Remoteto User attack to gain access to local user accounts bysending packets to a computing machine over the network.Probe is a method of gathering network information to findknown vulnerabilities in machines. User to Root Attack (U2R)indicates that an attacker accesses normal user accounts byexploring the system as an administrator. Since the size of datafor U2R attack is small (only 119 records), U2R is excludedin the analysis.

MRA utilizes signal processing techniques, so it is capableto discover hidden patterns from the network traffic data. Ourapproach utilizes DWT to extract features from the data indifferent resolution levels (γ). DWT is a broadly known time-frequency analysis method. It uses two basis functions such aswavelet function and scaling function [26]. The functions areapplied to transform input data into a set of approximationcoefficients and detail coefficients. Since a small localizedwave in a time domain is analyzed, any sudden or rapidchanges in the data can be identified. Thus, DWT is especiallyuseful for analyzing non-stationary signal data (e.g. internettraffic data) [27].

Sliding window analysis is a common approach when exam-ining large network traffic data [28], [29]. The sliding window

analysis uses two main parameters: window size and step size.The sliding window size (α) is used to extract feature vectorsfor analyzing anomalies in the network traffic data. If the sizeof the window is small, large feature vectors are generated. Thestep size (β) is considered as a tunable parameter that has adirect impact on identifying the anomalies. Since it indicatesthe distance between successive windows, if the step size in-creases, fewer windows are required to analyze the data. Whenapplying DWT to network traffic data, an appropriate waveletfunction should be chosen that is closely matched to variationsin the input data. Also, choosing appropriate attributes toapply DWT to the network traffic data is critical [30], [31].A common approach to determine the size of sliding windowis referencing time information. However, there is no optimalapproach of determining the attribute values for analyzing thenetwork traffic data. Therefore, determining optimal valuesfor sliding window (α), step (β), and level (γ) is important.In network anomaly detection with DWT, various levels ofdecomposition are often considered [32]. Depending on thedecomposition level (γ), different levels of detail coefficients(detail level 1 ∼ n) and approximate coefficients can bemeasured. We performed an empirical study with MATLABsoftware to determine the optimal values for detecting networkintrusion more precisely. In DWT, there are various waveletfamilies proposed by researchers such as Daubechies, Coiflets,Symlets, Discrete Meyer, Biorthogonal, and among others. Toidentify the best possible wavelet family for network intrusiondetection, we evaluate all available wavelet families.

After identifying informative features with DWT, a statisti-cal validation is performed to determine statistically significantfeatures (p < 0.05). If the decomposition level is increased,the chance of having zero-variance features is also increased.Therefore, the statistical validation is useful for removingsuch unimportant features. Then, PCA is applied to determineprincipal components of the data. PCA computation is broadlyused in feature extraction and exploratory data analysis innetwork intrusion detection [33], [34]. PCA performs eigen-value decomposition to determine the variances and coeffi-cients of the data by finding eigenvectors and eigenvalues.First, covariance is measured to determine how much thedimensions vary from the mean with respect to each other.Then, the eigenvectors and eigenvalues are calculated. Theeigenvector with the highest eigenvalue is the most dominantprinciple component in the data, indicating the most significantrelationship among the data dimensions. For this reason, PCAis often considered as a dimension reduction method for repre-senting high-dimensional data into a lower dimensional spacewith the dominant principal components. To determine theprincipal components, we use Singular Value Decomposition(SVD) [35] because it is good for finding eigenvectors andeigenvalues in non-square matrice such as network traffic data.When representing data into 2D or 3D display space (i.e.coordinate system) with the principal components, confidenceinterval (θ) should be considered because it indicates theerror between original and projected data. For instance, formapping a high-dimensional data into a lower dimensional

space, determination of an optimal low-dimensional spaceneeds to be performed by considering the eigenvectors ofthe covariance matrix. However, if both the amount of dataand the size of attributes are large, identifying the best low-dimensional space is difficult due to the complexity of thedata. Therefore, we use the first two principal components todisplay the network traffic data in a 2D display space withproviding an option for the user to change them to others.

IV. VISUAL ANALYSIS

Our visualization tool is designed by following a coor-dinated multi-views (CMV) framework [36] to support dataanalysis from different perspectives. It consists of two views- (a) Projection view and (b) Data view (Figure 1). The twoviews are tightly integrated such that a user’s interactions withone view are immediately reflected in all other views. In theProjection view, computed PCA results of the network trafficdata are displayed. By default, the 1st and 2nd principal com-ponents are used to display the data. A parallel coordinates vi-sualization technique (simply called parallel-coordinates [37])is used to represent the MRA result (Figure 1b). As the tool isdesigned to help the user conduct an interactive visual analysis,basic navigation techniques and user interaction techniquesare added. For the navigation techniques, semantic zoomingand panning are supported in the Projection view, with whichthe user can review the represented network traffic data itemsin a closer look (see Figure 1c ∼ 1f). The user interactiontechniques include selection and manipulation. If the user isinterested in understanding the further detail of data item(s),she is allowed to select the item(s) in the Projection view.Figure 1 shows an example when an R2L attack is selected.The red arrow indicates the selected data item in the Projectionview. In the Data view, the corresponding information of theselected item is highlighted in black with representing allattribute values (Figure 1b). The manipulation technique isdesigned to allow the user to eliminate data item(s). This tech-nique is useful when the user conducts a study of identifyingthe effectiveness of the data item(s) to PCA computation. Forexample, if the user is interested in exploring the relationshipamong attacks, this technique can be used to remove normalnetwork activities.

Our visualization tool also supports identifying statisticallysimilar data items. In the tool, four similarity measurementsare supported such as Cosine similarity, Euclidean distance,extended Jaccard coefficient, and Pearson correlation coeffi-cient. Once the user selects data item(s) in the Projectionview, a similarity measurement can be performed to findstatistically similar data items (p < 0.05). This feature isuseful when the user conducts a study of comparing relevantdata items to previously known (or determined) outliers. Forexample, if the user finds a possible network anomaly, shemay want to validate it by conducting a statistical analysis toidentify similar network events. If no similar network eventsare found, the anomaly can be considered as a possible net-work anomaly. Lastly, applying an agglomerative hierarchicalclustering method with various distance measures is supported.

Fig. 1: A screenshot of the designed intrusion detectionanalysis tool. The tool consists of two views: (a) Projectionview and (b) Data view. All network traffic data items aremapped with different color attributes as DoS (green), Probe(brown), R2L (purple), and Normal (red). In the Projectionview, nagaviation is supported ((c) ∼ (f)).

Since the clustering method builds a hierarchy of clusters bycalculating the similarity among data items, k clusters aredetermined to identify the effectiveness of our approach. Thedistance measures for the clustering method include Euclideandistance (L2), Chebyshev distance (L∞), City-block distance(L1) and Pearson correlation coefficient (R2).

V. RESULTS AND DISCUSSION

As discussed above, an empirical study was performed todetermine the optimal values for DWT (Figure 2). For the slid-ing window (α), different window sizes ranging from 25 to 250were tested. Depending on the size of sliding window, differentstep size (β) was applied. For instance, if the sliding windowsize is set to 250, the step sizes from 25 to 225 are tested. SinceDWT is influenced by the decomposition level, determiningappropriate decomposition level (γ) is also important [38].Based on the analysis, we identified that the optimal values fordetecting network intrusions are α = 150, β = 50, and γ = 3.We also found that if the sliding window size is decreased(α < 150), the chance of having false positives increases.However, if the window size is increased (α >= 150), a clearseparation has emerged among the attacks. Interestingly, wefound that if the size of the window is increased continuously,it tends to remove unique characteristics of the attacks. Forinstance, as shown in Figure 2d and 2e, Normal and R2Lattacks are appeared in the same cluster when the size ofthe sliding window is increased (α >= 200). A further studyneeds to be performed to understand the effectiveness of the

(a) α : 50, β : 25, γ : 3 (b) α : 125, β : 75, γ : 3 (c) α : 150, β : 50, γ : 3 (d) α : 200, β : 100, γ : 3 (e) α : 300, β : 150, γ : 3

Fig. 2: An example empirical study result of identifying optimal values for sliding window size (α), step (β), and waveletlevel (γ) with the wavelet function (i.e. Daubechies 3) to detect network intrusions.

sliding window size. However, since it is not the primaryobjective of this study, we leave this for our future work.

When applying DWT with different wavelet functions andlevels, different amounts of data records and attributes aregenerated. For instance, when applying Daubechies 3 (i.e.db3) with α = 150, β = 50, and γ = 3, total of 2,958data records with 703 attributes are generated. Out of 703attributes, 418 (59.5%) are selected as statistically significantattributes (p < 0.01). However, when using Discrete Meyerwith α = 50, β = 20, and γ = 3, total of 7,417 data recordswith 3,478 attributes are generated. And, 2,992 attributes(86%) are determined as significant features (p < 0.01). Thesignificant features are considered as dominant features thatcan be used to detect intrusions. As discussed in Section III,if the size of the window (α) is small, large feature vectors aregenerated. The sliding window size can be adjusted to speed-up the computation process. However, it may compromise theoverall accuracy of detecting intrusions if improperly set. It isalso important to note that if the step size (β) is small, morewindows are required to analyze the data.

With the original network traffic data, it is difficult todetermine normal vs. attack activities. As we discussed, MRAdetermines significant features from the data. However, itis still not clear what DWT wavelet families produce moresignificant features to detect intrusions. Therefore, we testedmost wavelet families under the same experimental condition(i.e. α = 150, β = 50, and γ = 3). Figure 3a shows aPCA projection of the original data. As can be seen, differentnetwork activities appear in all over the place which makesus difficult to separate them clearly. On the other hand,when applying different wavelet families, a somewhat clearseparation between normal and attack activities is appearedby forming unique clusters (see Figure 3b ∼ 3j). Biorthogonal(Figure 3f and 3g) shows that some Probe attacks appear in theDoS attack cluster. Discrete Meyer (Figure 3h) and Symlets(Figure 3i) are suitable for separating DoS and Probe attacksfrom R2L attack. But, R2L attack is appeared near to thenormal network activity cluster (see the regions in left-bottomin Figure 3h and 3i). Another interesting observation is thatthe results of Coiflets 1 and Daubechies 3 are similar to eachother. The reason might be because Coiflets is constructedfrom Daubechies with a high number of vanishing moments

in the scaling and the wavelet functions [39].Huang et al. [31] found that Coiflet and Mexican Hat

wavelets are good for detecting anomalies when using a five-minute, sixty-sample window. However, we identified thatDaubechies 3 is the best-suited wavelet for detecting networkintrusions since it creates well-separated clusters (see Figure3c). Huang’s experiment was well formatted, but they usedonly the first and second coefficients based on the assumptionthat these two coefficients have sufficient information. As theycommented, any larger coefficients might contain too sparseinformation. However, from our empirical study, we foundthat the coefficient (γ = 3) is better for extracting significantinformation to detect intrusions.

Table I shows the results when the hierarchical clusteringmethod is applied to three different datasets: wavelet features(3,478 attributes), two principal components (2 attributes),and three principal components (3 attributes). The resultsare generated with the DWT features (α = 150, β = 50,and γ = 3). Solid connected lines indicate the clusteringresults. Since the wavelet features are the statistically validatedDWT features, good clustering results are generated. However,we found that a large number of attributes often require asignificantly large computational time which is not appropriatefor the real-time intrusion detection. To support the real-timeintrusion detection, PCA is considered because it has a benefitof reducing the total number of attributes (i.e. dimensions).As mentioned above, the confidence interval (θ) is oftenconsidered to determine major PCA components. However,minor PCA components (i.e. after removing the componentsthat have higher eigenvalues) are also essential for revealinganomalies in network traffic data [40]. Because of this reason,allowing the user to select different PCA components isnecessary. Our visualization tool has the feature of selectingthe best possible PCA components to detect intrusions.

From the hierarchical clustering results, clustering accuracyis measured as 0.86 ± 0.16 (for using all wavelet features),0.64± 0.04 (for using two principal components), and 0.83±0.18 (for using three principal components). When comparingthe results of the two vs. three principal components, thethree principal components produced a better clustering result.Moreover, the three principal components and the wavelet fea-tures showed similar clustering accuracy. We also found that

(a) Original data (b) Daubechies 1 (c) Daubechies 3 (d) Daubechies 5 (e) Daubechies 7

(f) Biorthogonal 1.1 (g) Biorthogonal 2.2 (h) Discrete Meyer (i) Symlets 5 (j) Coiflets 3

Fig. 3: PCA projections of (a) original data and (b) DWT features with various wavelet families.

TABLE I: Results of the detected k clusters with differentdistance metric (Euclidean distance (L2), Chebyshev distance(L∞), City-block distance (L1) and Pearson correlation coef-ficient (R2)). The cluster are represented as solid connectedlines

Metric Wavelet Features Two PrincipalComponents

Three PrincipalComponents

L2

L∞

L1

R2

the three principal components outperform the other two whenChebyshev distance (L∞) is applied. Interestingly, Chebyshevdistance (L∞) was not good for creating clusters with thewavelet features. Moreover, Pearson correlation coefficient(R2) did not work well for creating clusters with the two andthree principal components.

VI. CONCLUSION AND FUTURE WORKS

In this paper, we introduced a new approach to analyzenetwork traffic data for intrusion detections. Although variousapproaches have been proposed by incorporating machinelearning algorithms, most methods still suffer from detectingunknown attacks. To address the limitation, we proposed ahybrid approach that integrates computational analysis andvisual analytics. The computational analysis is used to ex-tract significant features from the data. For visual analytics,an interactive visualization tool is designed to display theanalyzed network traffic features and provide user interactiontechniques to support an interactive visual analysis on thevisually represented data items. To determine best suitableparameters for applying DWT on the network traffic data,an empirical study was conducted. To show the effectivenessof our approach, the hierarchical cluster method was appliedto identify clusters. Although the results indicate that ourapproach has a strength, it is still important to conduct a formalevaluation study to determine the effectiveness of all possibleinput and output parameters for DWT and PCA. For futureworks, we plan to extend our study to test all possible inputparameters and measure sensitivity and specificity in detectingnetwork intrusions. Also, a comparative study with knownintrusion detection models will be conducted to determine thebenefits and limitations of our approach. Since our approachrequires less amount of computation time for detecting intru-

sions, a real-time intrusion detection system will be designedand tested in a real network environment.

ACKNOWLEDGMENT

This work was supported by the U.S. Army Research Office(ARO) - Grant No. W911NF-13-1-0143.

REFERENCES

[1] S. G. Mallat, “A theory for multiresolution signal decomposition: Thewavelet representation,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 11,no. 7, pp. 674–693, Jul. 1989.

[2] C. Torrence and G. P. Compo, “A practical guide to wavelet analysis,”Bulletin of the American Meteorological Society, vol. 79, pp. 61–78,1998.

[3] A. Patcha and J. M. Park, “An Overview of Anomaly Detection Tech-niques: Existing Solutions and Latest Technological Trends,” Comput.Netw., vol. 51, no. 12, pp. 3448–3470, Aug. 2007.

[4] A. Kind, M. Stoecklin, and X. Dimitropoulos, “Histogram-based trafficanomaly detection,” Network and Service Management, IEEE Transac-tions on, vol. 6, no. 2, pp. 110–121, June 2009.

[5] M. Stevanovic and J. Pedersen, “An efficient flow-based botnet detectionusing supervised machine learning,” in Computing, Networking andCommunications (ICNC), 2014 International Conference on, Feb 2014,pp. 797–801.

[6] K. Singh and S. Agrawal, “Performance evaluation of five machinelearning algorithms and three feature selection algorithms for ip traf-fic classification,” IJCA Special Issue on Evolution in Networks andComputer Communications, no. 1, pp. 25–32, 2011, full text available.

[7] J. Cannady, “Artificial neural networks for misuse detection,” in NationalInformation Systems Security Conference, 1998, pp. 443–456.

[8] N. B. Amor, S. Benferhat, and Z. Elouedi, “Naive bayes vs decisiontrees in intrusion detection systems,” in Proceedings of the 2004 ACMSymposium on Applied Computing, ser. SAC ’04. New York, NY, USA:ACM, 2004, pp. 420–424.

[9] T. T. Nguyen and G. Armitage, “A survey of techniques for internettraffic classification using machine learning,” Commun. Surveys Tuts.,vol. 10, no. 4, pp. 56–76, Oct. 2008.

[10] Y. Wang, “A multinomial logistic regression modeling approach foranomaly intrusion detection,” Computers & Security, vol. 24, no. 8, pp.662 – 674, 2005.

[11] M. Albayati and B. Issac, “Analysis of intelligent classifiers and enhanc-ing the detection accuracy for intrusion detection system,” InternationalJournal of Computational Intelligence Systems, vol. 8, no. 5, pp. 841–853, 2015.

[12] L. Khan, M. Awad, and B. Thuraisingham, “A new intrusion detectionsystem using support vector machines and hierarchical clustering,” TheVLDB Journal, vol. 16, no. 4, pp. 507–521, Oct. 2007.

[13] S. A. Mulay, P. Devale, and G. Garje, “Article:intrusion detection systemusing support vector machine and decision tree,” International Journalof Computer Applications, vol. 3, no. 3, pp. 40–43, June 2010, publishedBy Foundation of Computer Science.

[14] J. Yao, S. Zhao, and L. Fan, “An enhanced support vector machinemodel for intrusion detection,” in Proceedings of the First InternationalConference on Rough Sets and Knowledge Technology, ser. RSKT’06.Berlin, Heidelberg: Springer-Verlag, 2006, pp. 538–543.

[15] S.-Y. Ji, B.-K. Jeong, S. Choi, and D. H. Jeong, “A multi-level intrusiondetection method for abnormal network behaviors,” Journal of Networkand Computer Applications, vol. 62, pp. 9 – 17, 2016.

[16] N. Kausar, B. Belhaouari Samir, A. Abdullah, I. Ahmad, and M. Hus-sain, “A review of classification approaches using support vector ma-chine in intrusion detection,” in Informatics Engineering and Informa-tion Science: International Conference, ICIEIS 2011, Kuala Lumpur,Malaysia, November 14-16, 2011, Proceedings, Part III, A. Abd Manaf,S. Sahibuddin, R. Ahmad, S. Mohd Daud, and E. El-Qawasmeh, Eds.Berlin, Heidelberg: Springer Berlin Heidelberg, 2011, pp. 24–34.

[17] T. Xia, G. Qu, S. Hariri, and M. Yousif, “An efficient network intrusiondetection method based on information theory and genetic algorithm,”in Performance, Computing, and Communications Conference, 2005.IPCCC 2005. 24th IEEE International, April 2005, pp. 11–17.

[18] P. G. Majeed and S. Kumar, “Genetic Algorithms in Intrusion DetectionSystems: A Survey,” International Journal of Innovation and AppliedStudies, vol. 5, no. 3, pp. 233–240, 2014.

[19] S. N. Pawar and R. S. Bichkar, “Genetic algorithm with variable lengthchromosomes for network intrusion detection,” International Journal ofAutomation and Computing, vol. 12, no. 3, pp. 337–342, 2015.

[20] S. Chebrolu, A. Abraham, and J. P. Thomas, “Feature deduction andensemble design of intrusion detection systems,” Computers & Security,vol. 24, no. 4, pp. 295 – 307, 2005.

[21] S. Y. Ji, S. Choi, and D. H. Jeong, “Designing a two-level monitoringmethod to detect network abnormal behaviors,” in Information Reuseand Integration (IRI), 2014 IEEE 15th International Conference on, Aug2014, pp. 703–709.

[22] M. Hubert, P. Rousseeuw, and T. Verdonck, “Robust {PCA} for skeweddata and its outlier map,” Computational Statistics & Data Analysis,vol. 53, no. 6, pp. 2264 – 2274, 2009, the Fourth Special Issue onComputational Econometrics.

[23] “Ieee visual analytics challenge 2012, contest chairs- kris cook,georges grinstein, mark whiting,” VAST 2012. [Online]. Available:http://www.vacommunity.org/VAST+Challenge+2012

[24] H. Shiravi, A. Shiravi, and A. A. Ghorbani, “A survey of visualizationsystems for network security,” IEEE Transactions on Visualization andComputer Graphics, vol. 18, no. 8, pp. 1313–1329, Aug. 2012.

[25] NSL-KDD, “NSL-KDD dataset,” http://nsl.cs.unb.ca/NSL-KDD/, 2016,[Online; accessed 10-November-2016].

[26] A. Graps, “An introduction to wavelets,” IEEE Comput. Sci. Eng., vol. 2,no. 2, pp. 50–61, Jun. 1995.

[27] S.-Y. Ji, S. Choi, and D. H. Jeong, “Designing an internet trafficpredictive model by applying a signal processing method,” Journal ofNetwork and Systems Management, vol. 23, no. 4, pp. 998–1015, 2015.

[28] B. AsSadhan, H. Kim, J. M. F. Moura, and X. Wang, “Network trafficbehavior analysis by decomposition into control and data planes,” inParallel and Distributed Processing, 2008. IPDPS 2008. IEEE Interna-tional Symposium on, April 2008, pp. 1–8.

[29] D. Jiang, J. Liu, Z. Xu, and W. Qin, “Network traffic anomaly detec-tion based on sliding window,” in Electrical and Control Engineering(ICECE), 2011 International Conference on, Sept 2011, pp. 4830–4833.

[30] P. Barford, J. Kline, D. Plonka, and A. Ron, “A signal analysis ofnetwork traffic anomalies,” in Proceedings of the 2Nd ACM SIGCOMMWorkshop on Internet Measurment, ser. IMW ’02. New York, NY,USA: ACM, 2002, pp. 71–82.

[31] C. T. Huang, S. Thareja, and Y. J. Shin, “Wavelet-based real timedetection of network traffic anomalies,” in Securecomm and Workshops,2006, Aug 2006, pp. 1–7.

[32] S. S. Kim, A. L. N. Reddy, and M. Vannucci, Detecting TrafficAnomalies Using Discrete Wavelet Transform. Berlin, Heidelberg:Springer Berlin Heidelberg, 2004, pp. 951–961.

[33] G. Liu, Z. Yi, and S. Yang, “A hierarchical intrusion detection modelbased on the pca neural networks,” Neurocomputing, vol. 70, no. 7–9, pp. 1561 – 1568, 2007, advances in Computational Intelligenceand Learning14th European Symposium on Artificial Neural Networks200614th European Symposium on Artificial Neural Networks 2006.

[34] Y. Bouzida, “Intrusion detection using principal component analysis,”in In Proceedings of the 7th World Multiconference on Systemics,Cybernetics and Informatics, 2003.

[35] G. E. Plassman, “A survey of singular value decomposition methodsand performance comparison of some available serial codes,” NASATechnical Report CR-2005-213500, October 2005.

[36] J. C. Roberts, “State of the art: Coordinated multiple views in ex-ploratory visualization,” in Coordinated and Multiple Views in Ex-ploratory Visualization, 2007. CMV ’07. Fifth International Conferenceon, July 2007, pp. 61–71.

[37] A. Inselberg and B. Dimsdale, “Parallel coordinates: A tool for visualiz-ing multi-dimensional geometry,” in Proceedings of the 1st Conferenceon Visualization ’90, ser. VIS ’90. Los Alamitos, CA, USA: IEEEComputer Society Press, 1990, pp. 361–378.

[38] Y.-F. Sang, D. Wang, and J.-C. Wu, “Entropy-based method of choosingthe decomposition level in wavelet threshold de-noising,” Entropy,vol. 12, no. 6, p. 1499, 2010.

[39] L. Monzon, G. Beylkin, and W. Hereman, “Compactly supportedwavelets based on almost interpolating and nearly linear phase filters(coiflets),” Applied and Computational Harmonic Analysis, vol. 7, no. 2,pp. 184 – 210, 1999.

[40] B. Scholkopf, J. Platt, and T. Hofmann, In-Network PCA and AnomalyDetection. MIT Press, 2007, pp. 617–624.