406.handling intrusion and ddos attacks in software defined networks using machine learning...


Upload: si-anh-nguyen

Post on 01-Nov-2015


  • 2014 National Software Engineering Conference

    Handling Intrusion and DDoS Attacks in Software Defined Networks Using Machine Learning Techniques

    Javed Ashraf
    CSE Dept, MCS, National University of Sciences and Technologies, Islamabad, Pakistan. [email protected]

    Seemab Latif
    CSE Dept, MCS, National University of Sciences and Technologies, Islamabad, Pakistan. [email protected]

    Abstract- Software-Defined Networking (SDN) is an emerging concept that intends to replace traditional networks by breaking vertical integration. It does so by separating the control logic of the network from the underlying switches and routers, suggesting logical centralization of network control, and allowing the network to be programmed. Although SDN promises more flexible network management, numerous security threats accompany its deployment. This paper studies SDN with the OpenFlow protocol from the perspective of intrusion and Distributed Denial of Service (DDoS) attacks and suggests machine learning based techniques for mitigation of such attacks.

    Keywords: Machine Learning, Software Defined Networking (SDN), Intrusion Detection, Distributed Denial of Service Attack.

    I. INTRODUCTION

    Software-Defined Networking (SDN) [1], [2] is an emerging networking model that is intended to change the limitations of current network infrastructures. First, it breaks the vertical integration by separating the network's control logic (the control plane) from the underlying routers and switches that forward the traffic (the data plane). Second, with the separation of the control and data planes, network switches turn into simple forwarding devices and the control logic is implemented in a logically centralized controller (or network operating system), simplifying policy enforcement and network (re)configuration and evolution [3]. A simplified view of this architecture is shown in Fig 1 and a layered view of networking functionality is shown in Fig 2. The most notable implementation of such architecture and functionality is OpenFlow [32] [33].

    There are already some research efforts on identifying the critical security threats of SDNs and on augmenting their security [4],[5],[6]. The suggested approaches try to apply simple techniques, such as classifying applications and using rule prioritization, to ensure that rules generated by security applications will not be overwritten by lower priority applications [4]. Other proposals try to go a step further by providing a framework for developing security-related applications in SDNs [5]. However, there is still a lot of work to be done towards the development of secure SDN infrastructures [6]. A detailed overview of SDN security issues and challenges can be found in [7].

    978-1-4799-6162-7/14/$31.00 2014 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

    [Figure: Controller Platform above Network Infrastructure]

    Fig 1: Simplified View of SDN Architecture [7]

  • Fig 2: Layered view of networking functionality [7]

    Research and experimentation on software defined networks is also being conducted by some commercial players (e.g., Google, Yahoo!, Rackspace, Microsoft). However, commercial adoption is still in its early stage. Industry experts believe that security issues need to be addressed and further investigated in SDN [6],[8],[9]. Different threat vectors have already been identified in SDN architectures [6], as well as several security issues and weaknesses in OpenFlow-based networks [10], [11], [12], [4], [13]. It is worth mentioning that most threat vectors are independent of the technology or the protocol (e.g., OpenFlow, POF, ForCES), because they embody threats on the conceptual and architectural layers of SDN itself. As discussed in [7], there are at least seven identified threat vectors in SDN architectures. Two of the most significant threats to SDN are intrusion and DDoS attacks. DDoS attacks are likely to occur in the shape of forged or faked traffic flows in the data plane, which can be used to attack forwarding devices and controllers. DDoS attacks occur when a large number of packets are forwarded to a PC or server, or a group of PCs or servers, in a network. If the source addresses of these packets are spoofed, the switch will not find a match for the spoofed packet and will forward the packet to the controller. The legitimate and the spoofed DDoS packets together can force the controller to process these packets continuously, exhausting its resources. When new valid packets then arrive, the controller will be unreachable, resulting in loss of the SDN architecture. Even if a backup controller is deployed, it will face the same challenge. This paper focuses on intrusion and DDoS attacks on SDN and suggests machine learning based techniques to mitigate them.

    II. OVERVIEW OF DDoS ATTACKS AND INTRUSION DETECTION

    A DDoS attack is an attempt with malicious intent to drain the resources of a computer or a network of computers by sending continuous and heavy traffic to them [14]. Here, the attacker intends to: i) deplete the bandwidth and ii) exhaust the resource. A DDoS attack is initiated by the attacker by putting a code in the affected servers/PCs, which are called a botnet. Once the attack occurs, these codes are executed and a heavy stream of traffic is sent to the victim. Use of botnets makes the attack more rigorous and keeps the attacker concealed behind the scene. DDoS is also one of the most common techniques of consuming and disturbing the service in a network. Each day, hackers launch thousands of such attacks. Records show that in the first quarter of 2013 alone the average attack bandwidth exceeded 48.25 Gbps, which is about 700% more than the bandwidth consumed in the last quarter of 2012 [16]. Although not all such attacks can be detected or documented, even the available figures for the number of DDoS attacks indicate that it remains one of the major threats for conventional networks as well as SDN.

    i. Intrusion Detection Techniques

    There are two types of intrusion detection techniques. The signature detection technique searches network traffic for a series of bytes or packet sequences known to be malicious. In the anomaly detection technique, by contrast, a baseline for network behavior is worked out. This baseline is a depiction of accepted network behavior, which is learned, specified by the network administrators, or both. Events in an anomaly detection engine are triggered by any activities that fall outside the predefined or accepted model of behavior.
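    The table-miss behavior described in the introduction and the baseline idea above can be combined in a small simulation. This is an added example, not code from the paper: the `Switch` model, the window layout, the addresses and the mean-plus-k-standard-deviations threshold are all assumptions made for illustration, and flow-rule timeouts are ignored.

```python
from statistics import mean, pstdev


class Switch:
    """Toy forwarding device with an exact-match flow table keyed on (src, dst)."""

    def __init__(self):
        self.flow_table = set()

    def handle(self, src, dst):
        """Return True if the packet misses the table and is sent to the controller."""
        if (src, dst) in self.flow_table:
            return False
        # Table miss: the controller receives a packet-in and installs a rule.
        self.flow_table.add((src, dst))
        return True


def constructed_windows():
    """Constructed traffic: 8 time windows of (src, dst) packets, window 6 is a flood."""
    servers = ["10.0.0.1", "10.0.0.2"]
    clients = [f"10.0.1.{i}" for i in range(1, 11)]
    windows = []
    for w in range(8):
        # 200 packets over the same 20 established flows.
        pkts = [(c, s) for c in clients for s in servers] * 10
        # A few genuinely new clients appear in every window (2 to 4 of them).
        pkts += [(f"10.0.2.{w * 4 + k}", servers[0]) for k in range(2 + w % 3)]
        if w == 6:
            # Flood: every packet carries a different spoofed source address,
            # so every packet misses the flow table.
            pkts += [(f"203.0.113.{k}", servers[0]) for k in range(1, 251)]
        windows.append(pkts)
    return windows


def packet_ins_per_window(windows):
    """Count the packets each window pushes up to the controller."""
    switch = Switch()
    return [sum(switch.handle(s, d) for s, d in w) for w in windows]


def anomalous_windows(counts, train_n, k=3.0):
    """Learn a baseline from the first train_n windows, flag later outliers."""
    baseline = counts[:train_n]
    threshold = mean(baseline) + k * pstdev(baseline)
    return [i for i in range(train_n, len(counts)) if counts[i] > threshold]


if __name__ == "__main__":
    counts = packet_ins_per_window(constructed_windows())
    print("packet-ins per window:", counts)
    print("flagged windows:", anomalous_windows(counts, train_n=6))
```

    The first window is a cold start (every flow is new), which inflates the learned baseline; the flood still stands out because spoofed sources turn every packet into controller work.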

    ii. Types of Anomaly Detection Techniques

    As highlighted above, anomaly detection is the identification of events, items or observations which do not conform to an anticipated pattern or to other items available in a dataset. Such anomalous activity typically translates into an issue like bank fraud, medical problems, or errors in text. Anomalies are also termed outliers, peculiarities, noise, deviations, surprises and exceptions. A variety of techniques are used for anomaly detection. The following are the two main techniques used for anomaly detection [18]:

    i. Statistical analyses
    ii. Machine learning

    III. MACHINE LEARNING TECHNIQUES TO MITIGATE INTRUSION AND DDOS ATTACKS

    Security of the centralized software-based SDN controller is one of the major security concerns. Machine learning techniques are applied to mitigate intrusion and DDoS attacks on an SDN controller or switch by automatically building a model based on a training data set. The data set contains a collection of data examples or instances. Each instance can be described using a set of attributes and the associated labels. Different types of attributes can be used, such as categorical or continuous. The applicability of a technique for anomaly detection is determined by the type of attributes. Binary values are used for the labels associated with data instances, i.e. normal/valid and anomalous. Some researchers have used different labels for different types of attacks, such as DDoS, R2L, U2R, and Probe, instead of the anomalous label. The learning techniques are thus able to present more specific information about the types of anomalies detected. However, results of experiments conducted on the subject show that current learning techniques are not accurate enough to identify the type of anomalies in conventional networks; the same holds for SDN. As manual human effort is required for labeling, finding an accurately labeled data set which represents all types of behaviors is quite costly. Thus, three operating modes are defined for anomaly detection techniques based on the availability of the labels: Supervised Learning, Unsupervised Learning and Semi-supervised Learning [19], explanation of which is out of scope of this paper.

    In signature based IDSs, humans are responsible for creating, testing, and deploying the signatures. Thus, generation of a new signature for an attack on SDN may take hours or days, which is considered too long when dealing with rapid attacks. Anomaly based IDSs using machine learning techniques offer a human-independent solution to this problem. In SDN, they make it possible to implement a system that can learn from data (examples/experience) and offer a decision for test or unseen data. Fig 3 shows the most commonly used machine learning techniques for classification of intrusive and normal/non-intrusive behavior [20] in conventional networks. The same techniques hold for SDN.

    [Figure: Machine Learning Techniques: Neural Networks, Support Vector Machine, Genetic Algorithms, Fuzzy Logic, Bayesian Networks, Decision Tree]

    Fig. 3 Classification of machine learning techniques

    i. Artificial Neural Networks (ANN)

    Modeled on the way biological nervous systems process information, ANNs consist of a collection of processing elements interconnected with each other, aimed at transforming a set of inputs to a set of desired outputs. The Multilayer Perceptron (MLP) has been a widely adopted neural network for intrusion detection in conventional networks and the same can be used in SDN. An MLP based ANN is used to build a classification decision boundary in feature space, acting as a non-linear discriminant function. In an NN based packet classification system, each element of the feature vector has one input node. Also, usually one output node is used for each class to which a feature may be assigned (shown in Fig. 4). The hidden nodes are connected to the input nodes and some initial weights are assigned to these connections. These weights are adjusted during the training process. The back-propagation rule is one of the learning algorithms used for MLP based ANNs. The back-propagation rule works on a gradient descent method. This method calculates an error function, which is the difference between the output calculated by the network and the desired output. The Mean Squared Error (MSE) is used to define this error function. The MSE is summed over the complete training set. To learn successfully, the true output of the network should be brought close to the desired output. This is done by continuously reducing the value of this error. The error for a particular input is calculated using the back-propagation rule and then this error is back-propagated from one layer to the previous one [20].

    The weights of the connections between the nodes are adjusted according to the back-propagated error. In this manner the error is reduced and the network learns. The numbers of input, output, and hidden layer neurons are variable. Input/output neurons are changed according to the input/output vector. Hidden layer neurons are adjusted as per performance requirements. The more hidden layer neurons there are, the more complex the MLP will be. The intrusion detection system based on a neural network works in three phases:

    i. The raw TCP/IP dump data is parsed into machine readable form using automated parsers.
    ii. Training: Training of the NN is done on different types of attacks as well as on normal/valid data. The input consists of a number of attributes (features). The output can assume any one of two values: normal data or intrusion.
    iii. Testing: is done on the test dataset.

    As mentioned earlier, the purpose of Intrusion detection systems based on NN is to classify the normal/valid and attack patterns along with the type of the attack. Thus classification of a single record can be done easily after suitable training. So, the IDS based on NN can function as an online classifier for the type of attack it was trained for. The NN will be off-line only for small duration when it is gathering information which is required to calculate the features [21][22].

    ii. Support Vector Machines

    Support Vector Machines (SVM) is one of the most common and popular methods used for classification in machine learning tasks. In this method, a set of training examples is used, with each example marked with one of two categories. The SVM algorithm is then used to construct a model which can predict whether a new example falls into one category or the other. Classification with SVM is done by extracting attributes from the selected training examples/samples. Generally, a network connection is selected as a sample. Benchmark datasets like KDD99 are also used, which consist of collections of network connection attributes captured from various networks. An input space X is defined for each network connection by selecting n attribute characteristics. The (one-dimensional) vector x can be used to describe a network connection as follows:

    $x = \{x_1, x_2, \ldots, x_n\}$

    where $x_i$, $i = 1, 2, \ldots, n$, denotes the $i$-th characteristic value of the sample $x$. As we only have to determine whether each network connection is normal or abnormal, two states are sufficient to express this problem. So we define $Y = (+1, -1)$. If we get $Y = +1$ the connection is termed normal, and if we get $Y = -1$ it is classified as an abnormal connection. A basic SVM classification diagram is shown in Fig. 5 [20].

    [Figure: MLP with Input Layer, Hidden Layer and Output Layer; output nodes labelled Normal Class and Abnormal Class]

    Fig. 4 Simple Architecture of MLP

    Classification method based on SVM provides comparatively good ability of learning for small samples. Apart from Network Intrusion Detection, SVM has also been used for web page identification and face identification. SVM is also used in solving practical classification problems, like problems with small samples and problems which are non-linear. It is therefore expected that SVM will be one of the popular choices in handling classification problems in SDN.

    iii. Decision Tree

    The Decision Tree (DT) algorithm is one of the predictive modeling techniques used in statistics, data mining and machine learning for the classification problem, which is one of the challenges in SDN. The DT algorithm uses inductive inference to estimate the target function, which produces discrete values. Robust to noisy data, the DT algorithm is widely used as a practical method for learning disjunctive expressions. The DT algorithm sorts the instances down the tree from the root node to some leaf node. Each node in the tree denotes a test of some attribute of the instance. Each branch descending from that node corresponds to one of the possible values for this attribute [34]. As already discussed, intrusion detection in SDN is a classification problem where each connection or user is identified either as a valid or normal connection or as one of the attack types. DT can solve this classification problem of intrusion detection in SDN. DTs perform well with large data sets. This is advantageous, as large amounts of data will flow across SDNs. The high performance of DTs makes them helpful in real time intrusion detection in SDN. DTs construct easily interpretable models, which a security officer can inspect and edit. Generalization accuracy of decision trees is another useful property for an intrusion detection model for SDN. Some new attacks on the system are always likely which may be slightly different from the known attacks captured during the construction of the intrusion detection models. Because of the generalization accuracy of decision trees mentioned above, it is possible to detect these new intrusions [35].

    iv. Genetic Algorithm (GA)

    GA is a search method that finds an approximate solution to an optimization task. GA uses a hill climbing method from an arbitrarily selected number of genes. GA has been used in different ways in IDS. Some researchers have used GAs in IDS to detect malicious intrusion in the network. GA based IDS is also used to detect intrusion using past behavior. Here, a profile is created for the normal behavior. Based on this profile, GA learns and takes the decision for unseen patterns. Genetic algorithms are also used to develop rules for network intrusion detection. A chromosome in an individual contains genes corresponding to attributes such as the service, flags, logged in or not, and super-user attempts.


    In GA, the attacks that are common can be detected more accurately compared to uncommon attributes. The GA is applied to the networks as under:

    i. The IDS collects the information about the traffic passing through a network.
    ii. The IDS applies GA.
    iii. Incoming traffic is then classified by the IDS as anomalous or normal based on their pattern.

    GA was successfully used in different types of IDS as an evolutionary algorithm. Using results obtained through GA, the best fitness value was found closely to the ideal fitness value [23-27].

    v. Fuzzy Logic

    Fuzzy logic is based on fuzzy set theory, which works on reasoning that is approximate rather than precise or fixed. Techniques based on fuzziness have been used for anomaly detection because the features to be considered in solving the problem can be treated as fuzzy variables. The concept of fuzzy logic lets an object fit into different classes simultaneously. This flexibility is very useful when it is difficult to distinguish between different classes. It is also helpful in the intrusion detection task in SDN, where the differences between the normal and anomalous classes or traffic are not well defined. While fuzzy logic has been effective, particularly against probes and port scans, its main disadvantages to be considered in the case of SDN are the high resource consumption and the large time consumed during training [28] [29] [25].

    vi. Bayesian Network

    A Bayesian network model is used to encode probabilistic relationships among the variables of interest. This method is used to solve the problem of intrusion detection in combination with statistical techniques. The naive Bayesian (NB) algorithm is used for the learning task, where a training set with target class is provided. The aim is to classify an unseen pattern whose attribute values are known but whose class is unknown. To classify the unseen example, the Bayesian approach is to assign the most probable target class, given the attribute values $(a_1, a_2, \ldots, a_n)$ which describe the example:

    $$C_{MAP} = \arg\max_{C_j \in C} P(C_j \mid a_1, a_2, \ldots, a_n)$$

    The expression can be rewritten using Bayes' theorem as

    $$C_{MAP} = \arg\max_{C_j \in C} P(a_1, a_2, \ldots, a_n \mid C_j)\, P(C_j) \qquad (1)$$

    It is easy to estimate each of the $P(C_j)$ simply by counting the frequency with which each target class $C_j$ occurs in the training set. The naive Bayesian algorithm is based on the simplifying assumption that, given the target class of the example, the probability of observing the conjunction $a_1, a_2, \ldots, a_n$ is just the product of the probabilities for the individual attributes: $P(a_1, a_2, \ldots, a_n \mid C_j) = \prod_i P(a_i \mid C_j)$. Substituting this into equation 1, we get

    $$C_{NB} = \arg\max_{C_j \in C} P(C_j) \prod_i P(a_i \mid C_j) \qquad (2)$$

    where $C_{NB}$ denotes the target class predicted by the naive Bayesian classifier. In the naive Bayesian algorithm, the probability values of equation 2 are estimated from the given training data. These estimated values are then used to classify unknown examples [29][24].
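    Equation 2 can be carried through on a handful of labelled connection records. This is an added example, not code from the paper: the records are constructed, the attribute triple (protocol, service, flag) is borrowed from the KDD99-style attributes mentioned earlier, and two details go beyond the raw frequency estimate in the text, namely add-one smoothing for attribute values never seen with a class and summing logarithms instead of multiplying probabilities.

```python
import math
from collections import Counter, defaultdict

# Constructed training set: ((protocol, service, flag), label).
TRAINING = (
    [(("tcp", "http", "SF"), "normal")] * 4
    + [(("tcp", "smtp", "SF"), "normal")] * 2
    + [(("udp", "domain_u", "SF"), "normal")] * 2
    + [(("tcp", "http", "REJ"), "normal")]
    + [(("tcp", "http", "S0"), "anomalous")] * 4
    + [(("tcp", "private", "S0"), "anomalous")] * 2
    + [(("icmp", "ecr_i", "SF"), "anomalous")] * 2
)


def train(records):
    """Count class frequencies and per-class attribute-value frequencies."""
    class_counts = Counter(label for _, label in records)
    attr_counts = defaultdict(Counter)  # (class, attribute index) -> value counts
    values = defaultdict(set)           # attribute index -> values seen in training
    for attrs, label in records:
        for i, a in enumerate(attrs):
            attr_counts[(label, i)][a] += 1
            values[i].add(a)
    return class_counts, attr_counts, values


def log_scores(model, attrs):
    """Return log( P(C_j) * prod_i P(a_i | C_j) ) for every class C_j."""
    class_counts, attr_counts, values = model
    total = sum(class_counts.values())
    scores = {}
    for c, n_c in class_counts.items():
        score = math.log(n_c / total)  # log P(C_j), estimated by class frequency
        for i, a in enumerate(attrs):
            # P(a_i | C_j) with add-one smoothing, so a value never observed
            # with class C_j does not force the whole product to zero.
            numerator = attr_counts[(c, i)][a] + 1
            denominator = n_c + len(values[i] | {a})
            score += math.log(numerator / denominator)
        scores[c] = score
    return scores


def classify(model, attrs):
    """C_NB: the class with the highest score in equation 2."""
    scores = log_scores(model, attrs)
    return max(scores, key=scores.get)


if __name__ == "__main__":
    model = train(TRAINING)
    for conn in [("tcp", "http", "S0"), ("udp", "domain_u", "SF"), ("tcp", "ftp", "S0")]:
        print(conn, "->", classify(model, conn))
```

    The third connection uses a service ("ftp") absent from the training set; without smoothing both classes would score zero and the decision would be arbitrary.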

    IV. COMPARISON OF THE REVIEWED SCHEME

    Though all of the above mentioned intrusion detection schemes based on machine learning have tried to achieve a high detection rate, each one has its own pros and cons. The following table describes the pros and cons of the techniques discussed above [30][31].

    | S/N | Machine Learning Technique | Pros | Cons |
    |-----|----------------------------|------|------|
    | 1. | Neural Networks | Capable to generalize from limited, noisy and incomplete data. Does not need expert knowledge and it can find unknown or novel intrusions. | Slow training process so not suitable for real-time detection. Over-fitting may happen during neural network training. |
    | 2. | Bayesian Network | Encodes probabilistic relationships among the variables of interest. Capable to incorporate both prior data and knowledge. | Harder to handle continuous features. May not contain any good classifiers if prior knowledge is wrong. |
    | 3. | Support Vector Machine | Is good with learning ability for small samples. High decision rate and training rate, insensitiveness to dimension of input data. | Training takes a long time. Mostly used binary classifier which cannot give additional information about detected type of attack. |
    | 4. | Genetic Algorithm | Ability to derive best classification rules and selecting optimal parameters. Biologically inspired and employs evolutionary algorithm. | Cannot assure constant optimization response times. Over-fitting. |
    | 5. | Fuzzy Logic | Reasoning needs to be an approximation instead of being precise. Effective, especially against probes and port scans. | High consumption of resources. Reduced, relevant rule subset identification and dynamic rule updation at runtime is a difficult task. |

    V. CONCLUSION

    Machine learning based techniques for handling DDoS attacks and intrusion have received much attention in the computational intelligence community, for conventional networks as well as, now, SDN. In this paper we have analyzed various machine learning techniques which can be used to handle the issues of intrusion and DDoS attacks on Software Defined Networks. This being a new research area, the suggested techniques offer great research prospects for both industry and academia.

  • REFERENCES

    [1] N. McKeown, "How SDN will Shape Networking," October 2011. [Online]. http://www.youtube.com/watch?v=c9-K50qYgA

    [2] S. Shenker, "The Future of Networking, and the Past of Protocols," October 2011. [Online]. http://www.youtube.com/watch?v=YHeyuD89nlY

    [3] H. Kim and N. Feamster, "Improving network management with software defined networking," Communications Magazine, IEEE, vol. 51, no. 2, pp. 114-119, 2013.

    [4] P. Porras, S. Shin, V. Yegneswaran, M. Fong, M. Tyson, and G. Gu, "A security enforcement kernel for OpenFlow networks," in Proceedings of the First Workshop on Hot Topics in Software Defined Networks, ser. HotSDN '12. New York, NY, USA: ACM, 2012, pp. 121-126. [Online]. http://doi.acm.org/10.1145/2342441.2342466

    [5] S. Shin, P. Porras, V. Yegneswaran, M. Fong, G. Gu, and M. Tyson, "FRESCO: Modular composable security services for software-defined networks," in Internet Society NDSS, Feb. 2013.

    [6] D. Kreutz, F. M. Ramos, and P. Verissimo, "Towards secure and dependable software-defined networks," in Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, ser. HotSDN '13. New York, NY, USA: ACM, 2013, pp. 55-60.

    [7] Diego Kreutz, Fernando M. V. Ramos, Paulo Verissimo, Christian Esteve Rothenberg, Siamak Azodolmolky, and Steve Uhlig, "Software-Defined Networking: A Comprehensive Survey". [Online]. http://arxiv.org/abs/1406.0440

    [8] S. Sorensen, "Security implications of software-defined networks," 2012. [Online]. Available: http://www.fiercetelecom.com/story/security-implications-software-defined-networks/2012-05-14

    [9] S. M. Kerner, "Is SDN Secure?" Mar 2013. [Online]. Available: http://www.enterprisenetworkingplanet.com/netsecur/is-sdn-ecure.html

    [10] R. Kloti, "Openflow: A security analysis," Master's thesis, Swiss Federal Institute of Technology Zurich (ETH), Zurich, Swiss, 2013.

    [11] M. Wasserman and S. Hartman, "Security analysis of the open networking foundation (onf) OpenFlow switch specification," Internet Engineering Task Force, Apr 2013. [Online]. Available: https://datatracker.ietf.org/doc/draft-mrw-sdnsec-openflow-analysis/

    [12] S. Shin and G. Gu, "Attacking software-defined networks: A first feasibility study," in Proceedings of the second workshop on Hot topics in software defined networks, ser. HotSDN '13. New York, NY, USA: ACM, 2013, pp. 1-2.

    [13] K. Benton, L. J. Camp, and C. Small, "OpenFlow vulnerability assessment," in Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, ser. HotSDN '13. New York, NY, USA: ACM, 2013, pp. 151-152.

    [14] M. Masikos, O. Zouraraki, C. Patrikakis. (2004, December) CISCO. [Online]. http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html

    [15] A. Mitrocotsa, C. Douligeris, "DDoS Attack and Defence Mechanism: A Classification," in Signal processing and information technology in 3rd IEEE International Symposium, Apr 2003, pp. 190-193.

    [16] Prolexic. (2013, December) DoS and DDoS attack reports, trends and statistics. [Online]. http://www.prolexic.com/knowledge-center-dos-andddos-attackreports.html

    [17] Google, Arbor. (2013, Oct) Digital Attack Map. [Online]. http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&time=16003&view=map

    [18] Seyed Mohammad Mousavi, Early Detection of DDoS Attacks in Software Defined Networks Controller. [Online]. http://www.csit.carleton.ca/~msthilaire/Thesis/Seyed%20Mousavi.pdf

    [19] Sharmila Kishor Wagh, Vinod K Pachghare and Satish R Kolhe. Article: Survey on Intrusion Detection System using Machine Learning Techniques. International Journal of Computer Applications 78(16):30-37, September 2013. Published by Foundation of Computer Science, New York, USA.

    [20] Jayveer Singh, Manisha J. Nene, A Survey on Machine Learning Techniques for Intrusion Detection Systems. [Online]. http://www.ijarcce.com/upload/2013/november/35-o-jayveer_singhA_Survey_on_Machine.pdf

    [21] Hua TANG, Zhuolin CAO, "Machine Learning-based Intrusion Detection Algorithms," Binary Information Press, December, 2009.

    [22] D. Rumelhart, G. Hinton and R. Williams, "Learning internal representations by back-propagating errors," Parallel Distributed Processing: Explorations in the Microstructure of Cognition, D. Rumelhart and J. McClelland editors, vol. 1, pp. 318-362, MIT Press, 1986.

    [23] Dewan Md. Farid, Mohammad Zahidur Rahman, "Learning Intrusion Detection Based on Adaptive Bayesian Algorithm," 1-4244-2136-7/2008.

    [24] Jonatan Gomez and Dipankar Dasgupta, "Evolving Fuzzy Classifiers for Intrusion Detection," Workshop on Information Assurance, United States Military Academy, West Point, NY, June 2001.

    [25] A.A. Ojugo, A.O. Eboka, O.E. Okonta, R.E. Yoro, F.O. Aghware, "Genetic Algorithm Rule-Based Intrusion Detection System" (GAIDS), ISSN 2079-8407, vol. 3, no. 8, Aug 2012.

    [26] J. L. Zhao, J. F. Zhao, and J. J. Li, "Intrusion Detection Based on Clustering Genetic Algorithm," International Conference on Machine Learning and Cybernetics, IEEE, Guangzhou, 2005, pp. 3911-3914.

    [27] W. Spears and V. Anand, "A Study of Crossover Operators in Genetic Programming," in Proceedings of the Sixth International Symposium on Methodologies for Intelligent Systems, Charlotte, NC, 1991, pp. 409-418.

    [28] M. S. A. Khan, "Rule based Network Intrusion Detection using Genetic Algorithm," International J. Computer Applications, vol. 18, no. 8, pp. 26-29, March 2011.

    [29] Rajdeep Borgohain, "FuGeIDS: Fuzzy Genetic paradigms in Intrusion Detection Systems," International Journal of Advanced Networking and Applications, vol. 3, no. 6, pp. 1409-1415, 2012.

    [30] P. Garcia Teodoro, J. Diaz Verdejo, G. Macia Fernandez, and E. Vazquez, "Anomaly-based network intrusion detection: Techniques, Systems and Challenges," Journal of Computers & Security, vol. 28, no. 1, pp. 18-28, February 2009.

    [31] Hua TANG, Zhuolin CAO, "Machine Learning-based Intrusion Detection Algorithms," Journal of Computational Information Systems 5:6 (2009) 1825-1831.

    [32] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, "OpenFlow: enabling innovation in campus networks," SIGCOMM Comput. Commun. Rev., vol. 38, no. 2, pp. 69-74, Mar. 2008.

    [33] ONF, "Open networking foundation," 2014. [Online]. Available: https://www.opennetworking.org/

    [34] T. Mitchell, "Decision Tree Learning," in T. Mitchell, Machine Learning, The McGraw-Hill Companies, Inc., 1997, pp. 52-78.

    [35] Sandhya Peddabachigari, Ajith Abraham, Johnson Thomas, "Intrusion Detection Systems Using Decision Trees and Support Vector Machines," International Journal of Applied Science and Computation, 2004.