Integration of Expectation Maximization using Gaussian Mixture Models and Naïve Bayes for Intrusion Detection

loka raj ghimire (Nepal College of Information Technology - Pokhara University)
Roshan Chitrakar (Nepal College of Information Technology)


Intrusion detection is the investigation process of information about the system activities or its data to detect any malicious behavior or unauthorized activity. Most of the IDS implements K-means clustering technique due to its linear complexity and fast computing ability. Nonetheless, it is Naïve use of the mean data value for the cluster core that presents a major drawback. The chances of two circular clusters having different radius and centering at the same mean the occur.  This condition cannot be addressed by the K-means algorithm because the mean value of the various clusters is very similar together. However, if the clusters are not spherical, it fails.  To overcome this issue, a new integrated hybrid model by integrating expectation maximizing (EM) clustering using Gaussian mixture model (GMM) and naïve Bays classifier have been proposed. In this model, GMM give more flexibility than K-Means in terms of cluster covariance. Also, they use probabilities function and soft clustering, that’s why they can have multiple cluster for a single data. In GMM, we can define the cluster form in GMM by two parameters: the mean and the standard deviation. This means that by using these two parameters, the cluster can take any kind of elliptical shape. EM-GMM will be used to cluster data based on data activity into the corresponding category.


anomaly detection, clustering, EM Classification, Expectation Maximization (EM), Gaussian Mixture Model (GMM), GMM classification, intrusion detection, Naïve Bayes classification

Full Text:



[1]S. Varuna, Dr. P. Natesan "An Integration of K-Means Clustering and Naïve Bayes Classifier for Intrusion Detection." 2015 3rd international conference on signal processing, communication and networking " ICSCN. 978-1-4673-6823-0/15. 2015 IEEE

[2]D. E. Denning, “An intrusion-detection model,” IEEE Transactions on Software Engineering, vol. SE-13, no. 2, pp. 222–232, 1987.

[3]W. Parkand S. Ahn, “Performance Comparison and Detection Analysis in Snortand Suricata Environment,” Wireless Personal Communications, vol.94, no.2, pp.241–252, 2016.

[4]R. T. Gaddam and M. Nandhini, “An analysis of various snort based techniques to detect and prevent intrusions in networks: Proposal with code refactoring snort tool in Kali Linux environment,” in Proceedings of the 2017 International Conference on Inventive Communication and Computational Technologies, ICICCT2017, pp.10–15, India, March 2017.

[5]C.-T. Huang, R. K. C. Chang, and P. Huang, “Signal Processing Applications in Network Intrusion Detection Systems,” EURASIP Journal on Advances in Signal Processing, vol. 2009, Article ID 527689, 2 pages, 2009.

[6]U. Adhikari, T. H. Morris, and S. Pan, “Applying Non-Nested Generalized Exemplars Classification for Cyber-Power Event and Intrusion Detection,” IEEE Transactions on Smart Grid, vol. 9, no. 5, pp. 3928–3941, 2018.

[7]R. Taormina and S. Galelli, “A Deep Learning approach for the detection and localization of cyber-physical attacks on water distribution systems,” Journal of Water Resources Planning & Management, vol.144, no.10, Article ID 04018065, 2018.

[8]F. Raynal, Y. Berthier, P. Biondi, and D. Kaminsky, “Honeypot forensics,”in Proceedings of the Proceedings from the Fifth Annual IEEE System, Man and Cybernetics Information Assurance Workshop, SMC, pp.22–29, USA, June 2004.

[9]W. J. Anand M. G. Liang, “A new intrusion detection method based on SVM with minimum within-class scatter,” Security and Communication Networks, vol.6, no. 9, pp. 1064–1074, 2013.

[10]E. Kabir, J. Hu, H. Wang, and G. Zhuo, “A novel statistical technique for intrusion detection systems,” Future Generation Computer Systems, vol. 79, pp. 303–318, 2018.

[11]M. Gudadhe, P. Prasad, and K. Wankhade, “A new data mining based network intrusion detection model,” in Proceedings of the 2010 International Conference on Computer and Communication Technology, ICCCT-2010, pp. 731–735, India, September 2010.

[12]S. T. Al-Janabi and H. A. Saeed, “A Neural Network Based Anomaly Intrusion Detection System,” in Proceedings of the 2011 Developments in E-systems Engineering (DeSE), pp. 221– 226, Dubai, United Arab Emirates, December 2011.

[13]K. D. Denatious and A. John, “Survey on data mining techniques to enhance intrusion detection,” in Proceedings of the International Conference on Computer Communication and Informatics, pp. 1–5, 2012.

[14]Y.Guan, A. A. Ghorbani, and N. Belacel, “Y-means: A clustering method for intrusion detection,” in Proceedings of the CCECE 2003 Canadian Conference on Electrical and Computer Engineering: Toward a Caring and Humane Technology, pp. 1083–1086, Canada, May 2003.

[15]H.-B. Wang, H.-L. Yang, Z.-J. Xu, and Z. Yuan, “A clustering algorithm use SOM and K-means in intrusion detection,” in Proceedings of the 1st International Conference on E-Business and E-Government (ICEE’10), pp. 1281–1284, May2010.

[16]H. Gao, D. Zhu, and X. Wang, “A Parallel Clustering Ensemble Algorithm for Intrusion Detection System,” in Proceedings of the 2010 Ninth International Symposium on Distributed Computing and Applications to Business, Engineering and Science (DCABES), pp. 450–453, Hong Kong, China, August 2010.

[17]Akashdeep, I. Manzoor, and N. Kumar, “A Feature Reduced Intrusion Detection System Using ANN Classifier,” Expert Systems with Applications, vol. 88, pp. 249–257, 2017.

[18]Z. Muda, W. Yassin, M.N. Sulaiman, and N.I. Udzir, “Intrusion detection based on K-Means clustering and Naïve Bayes classification,” in Proceedings of the 7th International Conference on Information Technology in Asia (CITA ’11), pp. 1–6, IEEE, July 2011.

[19]M. Ishida, H. Takakura, and Y. Okabe, “High-performance intrusion detection using OptiGrid clustering and grid-based labelling,” in Proceedings of the 11th IEEE/IPSJ International Symposium on Applications and the Internet, SAINT 2011, pp. 11– 19, Germany, July 2011.

[20]H. Om and A. Kundu, “A hybrid system for reducing the false alarm rate of anomaly intrusion detection system,” in Proceedings of the 2012 1st International Conference on Recent Advances in Information Technology, RAIT-2012, pp. 131–136, India, March 2012.

[21]S. A.R. Shah and B. Issac, “Performance comparison of intrusion detection systems and application of machine learning to Snort system,” Future Generation Computer Systems, vol. 80, pp. 157–170, 2018.

[22]J. S. Yi., X. song, H. Wang, J.-J. Han and Q.-H. Li, "A clustering-based method for unsupervised intrusion detections." Pattern recognition letters 27, no. 7 (2006): 802-810.

[23]Oh, S. Hyum, and W. S. Lee. "An anomaly intrusion detection method by clustering normal user behavior." Computer and security 22, no.7 (2003): 596-612.

[24]C.F. Tasi and C.Y. Lin 2010. "A triangle area-based nearest neighbors approach to intrusion detection." Pattern recognition, 43(1): p.222-229.

[25]W. Gang, H. Jinxing and M. Jian 2011. "A new approach to intrusion detection using artificial neural networks and fuzzy clustering. Expert systems with applications, 376: p.6255-6232.

[26]Shaohua, D. Hongle, W. Naiqi, Z. Wej and S. Jiangyi, 2010. "A cooperative network intrusion detection based on fuzzy SVMs. Journals of networks, 5: p. 475-483.

[27]F. Amiri, F. Mohammad, R. Y. Caro, L. Azadeh, S. and Y. Nasser 2011. "Mutual information-based feature selection for intrusion detection system." Journal of network and computer applications, 34: p.1184-1199.

[28]S.J. Horng 2011 "A novel intrusion detection system based on hierarchical clustering and support vector machines. Expert systems with applications. 38(1) :P.399-408.

[29]J. Huang, J. Lu, C. X. Ling, "Comparing Naïve Bayes, Decision trees, and SVM with AUC and accuracy." The third international conference on data mining 2003.

[30]R. Chitrakar and H. Chauanhe "Anomaly detection using support vector machine classification with K-medoids clustering". 978-1-4673-2590-5/12. 2012 IEEE.

[31]F. Kelly. "The mathematics of traffic in networks." The Princeton companion to mathematics, 1(1):862-870, 2008.

[32]Z.Muda, W. Yassin, M.N. Sulaiman, N.I. Udzir "K-Means clustering and Naïve Bayes classification for intrusion detection." Journal of IT in Asia Vol 4 (2014).

[33]V.-E. Neagoe, V.C.-Berbentea "Improved Gaussian mixture model with Expectation Maximization for clustering of remote sensing imagery." 978-1-5090-3332-4/4/16. 2016 IEEE.

[34]A. Reddy, M. Ordaway-West, M. Lee, M. Dugan, J. Whitney, R. Kahan, B. Ford, J. Muedsam, A. Henslee, & M. Rao "Using Gaussian Mixture models to detect outliers in seasonal univariate network traffic." DOI 10.1109/SPW.2017.9 IEEE computer society 2017.

[35]E. A. Shams and A. Rizaner, “A novel support vector machine based intrusion detection system for mobile adhoc networks,” Wireless Networks, pp.1–9, 2017.

[36]W. Shang, L. Li, M. Wan, and P. Zeng, “Industrial communication intrusion detection algorithm based on improved one-class SVM,” in Proceedings of the World Congress on Industrial Control Systems Security, WCICSS 2015, pp. 21–25, UK, December 2015.

[37]T. Jan, “Ada-Boosted Locally Enhanced Probabilistic Neural Network for IoT Intrusion Detection,” in Proceedings of the Conference on Complex, Intelligent, and Software Intensive Systems, pp. 583–589, Springer, 2018.

[38]O. Osanaiye, K.-K. R. Choo, and M. Dlodlo, “Distributed denial of service (DDoS) resilience in cloud: review and conceptual cloud DDoS mitigation framework,” Journal of Network and Computer Applications, vol.67, pp.147–165, 2016

[39]H. Li, “Research and Implementation of an Anomaly Detection Model Based on Clustering Analysis,” Journal of Beijing Information Science & Technology University, pp. 458–462, 2010.

[40]R. O. Duda, P.E. Hart, and D.G. Stork. Pattern Classification. John Wiley & Sons, Inc., 2nd edition, 2001.



  • There are currently no refbacks.
Copyright © 2021 loka raj ghimire, Roshan Chitrakar(PHD) Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.