{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:18:54Z","timestamp":1754158734842,"version":"3.41.2"},"reference-count":45,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2015,3,9]],"date-time":"2015-03-09T00:00:00Z","timestamp":1425859200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015,3,9]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>\u2013 The purpose of this paper is to build a new hierarchical intrusion detection system (IDS) based on a binary tree of different types of classifiers. The proposed IDS model must possess the following characteristics: combine a high detection rate and a low false alarm rate, and classify any connection in a specific category of network connection.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>\u2013 To build the binary tree, the authors cluster the different categories of network connections hierarchically based on the proportion of false-positives and false-negatives generated between each of the two categories. The built model is a binary tree with multi-levels. At first, the authors use the best classifier in the classification of the network connections in category A and category G2 that clusters the rest of the categories. Then, in the second level, they use the best classifier in the classification of G2 network connections in category B and category G3 that represents the different categories clustered in G2 without category B. This process is repeated until the last two categories of network connections. Note that one of these categories represents the normal connection, and the rest represent the different types of abnormal connections.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>\u2013 The experimentation on the labeled data set for flow-based intrusion detection, NSL-KDD and KDD\u201999 shows the high performance of the authors' model compared to the results obtained by some well-known classifiers and recent IDS models. The experiments\u2019 results show that the authors' model gives a low false alarm rate and the highest detection rate. Moreover, the model is more accurate than some well-known classifiers like SVM, C4.5 decision tree, MLP neural network and na\u00efve Bayes with accuracy equal to 83.26 per cent on NSL-KDD and equal to 99.92 per cent on the labeled data set for flow-based intrusion detection. As well, it is more accurate than the best of related works and recent IDS models with accuracy equal to 95.72 per cent on KDD\u201999.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>\u2013 This paper proposes a novel hierarchical IDS based on a binary tree of classifiers, where different types of classifiers are used to create a high-performance model. Therefore, it confirms the capacity of the hierarchical model to combine a high detection rate and a low false alarm rate.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-04-2013-0031","type":"journal-article","created":{"date-parts":[[2015,2,26]],"date-time":"2015-02-26T06:35:30Z","timestamp":1424932530000},"page":"31-57","source":"Crossref","is-referenced-by-count":8,"title":["A new hierarchical intrusion detection system based on a binary tree of classifiers"],"prefix":"10.1108","volume":"23","author":[{"given":"Ahmed","family":"Ahmim","sequence":"first","affiliation":[]},{"given":"Nacira","family":"Ghoualmi Zine","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020122505071667700_b1","unstructured":"Axelsson, S. (2000), \u201cIntrusion detection systems: a survey and taxonomy\u201d, Technical Report 99-15, Chalmers University, Goteborg."},{"key":"key2020122505071667700_b2","doi-asserted-by":"crossref","unstructured":"Badran, K. and Rockett, P. (2012), \u201cMulti-class pattern classification using single, multi-dimensional feature-space feature extraction evolved by multi-objective genetic programming and its application to network intrusion detection\u201d, Genetic Programming and Evolvable Machines , Vol. 13 No. 1, pp. 33-63.","DOI":"10.1007\/s10710-011-9143-4"},{"key":"key2020122505071667700_b3","doi-asserted-by":"crossref","unstructured":"Bishop, C.M. (1996), Neural Networks for Pattern Recognition , Oxford University Press, New York, NY.","DOI":"10.1201\/9781420050646.ptb6"},{"key":"key2020122505071667700_b4","doi-asserted-by":"crossref","unstructured":"Breiman, L. (2001), \u201cRandom forests\u201d, Machine Learning , Vol. 45 No. 1, pp. 5-32.","DOI":"10.1023\/A:1010933404324"},{"key":"key2020122505071667700_b5","unstructured":"Breiman, L. , Friedman, J.H. , Olshen, R.A. and Stone, C.J. (1984), Classification and Regression Trees , Wadsworth International Group, Belmont, CA."},{"key":"key2020122505071667700_b6","doi-asserted-by":"crossref","unstructured":"Bugmann, G. (1998), \u201cNormalized Gaussian radial basis function networks\u201d, Neurocomputing , Vol. 20 Nos 1\/3, pp. 97-110.","DOI":"10.1016\/S0925-2312(98)00027-7"},{"key":"key2020122505071667700_b7","unstructured":"Cannady, J. (1998), \u201cArtificial neural networks for misuse detection\u201d, paper presented at the 21st National Information Systems Security Conference, Arlington, VA, available at: http:\/\/webpages.cs.luc.edu\/\u223cpld\/courses\/447\/sum08\/class9\/cannady.1998.artificial_neural_networks_for_misuse_detection.pdf (accessed 14 January 2013)."},{"key":"key2020122505071667700_b8","unstructured":"Chang, C. and Lin, C. (2001), \u201cLIBSVM - a library for support vector machines\u201d, available at: www.csie.ntu.edu.tw\/\u223ccjlin\/libsvm\/ (accessed 4 January 2013)."},{"key":"key2020122505071667700_b9","doi-asserted-by":"crossref","unstructured":"Chimphlee, W. , Addullah, A.H. , Sap, M.N.M. , Srinoy, S. and Chimphlee, S. (2006), \u201cAnomaly-based intrusion detection using fuzzy rough clustering\u201d, Hybrid Information Technology (ICHIT \u201906) Proceedings of the International Conference, Vol. 1, Cheju Island, IEEE Computer Society, Washington, DC, pp. 329-334.","DOI":"10.1109\/ICHIT.2006.253508"},{"key":"key2020122505071667700_b10","unstructured":"Cohen, W.W. (1995), \u201cFast effective rule induction\u201d, paper presented at the Twelfth International Conference on Machine Learning, Lake Tahoe, CA, available at: www.cs.cmu.edu\/\u223cwcohen\/postscript\/ml-95-ripper.ps (accessed 21 January 2013)."},{"key":"key2020122505071667700_b11","unstructured":"Cole, E. , Krutz, R. and Conley, J. (2005), Network Security Bible , Wiley Publishing, Indianapolis, IN."},{"key":"key2020122505071667700_b12","doi-asserted-by":"crossref","unstructured":"Debar, H. , Dacier, M. and Wespi, A. (2000), \u201cA revised taxonomy for intrusion detection systems\u201d, Annals of Telecommunications , Vol. 55 Nos 7\/8, pp. 361-378.","DOI":"10.1007\/BF02994844"},{"key":"key2020122505071667700_b13","doi-asserted-by":"crossref","unstructured":"Fan, W. , Miller, M. , Stolfo, S. , Lee, W. and Chan, P. (2004), \u201cUsing artificial anomalies to detect unknown and known network intrusions\u201d, Knowledge and Information Systems , Vol. 6 No. 5, pp. 507-527.","DOI":"10.1007\/s10115-003-0132-7"},{"key":"key2020122505071667700_b14","doi-asserted-by":"crossref","unstructured":"Gaines, B.R. and Compton, P. (1995), \u201cInduction of ripple-down rules applied to modeling large databases\u201d, Journal of Intelligent Information Systems , Vol. 5 No. 3, pp. 211-228.","DOI":"10.1007\/BF00962234"},{"key":"key2020122505071667700_b15","doi-asserted-by":"crossref","unstructured":"Guoa, C. , Zhoua, Y. , Pingb, Y. , Luoa, S. , Laia, Y. and Zhanga, Z. (2013), \u201cEfficient intrusion detection using representative instances\u201d, Computers and Security , Vol. 39 No. Part. B, pp. 255-267.","DOI":"10.1016\/j.cose.2013.08.003"},{"key":"key2020122505071667700_b16","doi-asserted-by":"crossref","unstructured":"Horng, S. , Su, M. , Chen, Y. , Kao, T. , Chen, R. , Lai, J. and Perkasa, C.D. (2011), \u201cA novel intrusion detection system based on hierarchical clustering and support vector machines\u201d, Expert Systems with Applications , Vol. 38 No. 1, pp. 306-313.","DOI":"10.1016\/j.eswa.2010.06.066"},{"key":"key2020122505071667700_b17","doi-asserted-by":"crossref","unstructured":"H\u00fchn, J. and H\u00fcllermeier, E. (2009), \u201cFURIA: an algorithm for unordered fuzzy rule induction\u201d, Data Mining and Knowledge Discovery , Vol. 19 No. 3, pp. 293-319.","DOI":"10.1007\/s10618-009-0131-8"},{"key":"key2020122505071667700_b18","unstructured":"John, G.H. and Langley, P. (1995), \u201cEstimating continuous distributions in Bayesian classifiers\u201d, The Eleventh Conference on Uncertainty in Artificial Intelligence Proceedings of the International Conference, Montr\u00e9al, Qu\u00e9bec, Morgan Kaufmann Publishers, San Francisco, CA, pp. 338-345."},{"key":"key2020122505071667700_b19","doi-asserted-by":"crossref","unstructured":"Khor, K. , Ting, C. and Phon-Amnuaisuk, S. (2012), \u201cA cascaded classifier approach for improving detection rates on rare attack categories in network intrusion detection\u201d, Applied Intelligence , Vol. 36 No. 2, pp. 320-329.","DOI":"10.1007\/s10489-010-0263-y"},{"key":"key2020122505071667700_b20","doi-asserted-by":"crossref","unstructured":"Koc, L. , Mazzuchi, T.A. and Sarkani, S. (2012), \u201cA network intrusion detection system based on a Hidden Na\u00efve Bayes multiclass classifier\u201d, Expert Systems with Applications , Vol. 39 No. 18, pp. 13492-13500.","DOI":"10.1016\/j.eswa.2012.07.009"},{"key":"key2020122505071667700_b21","doi-asserted-by":"crossref","unstructured":"Kohonen, T. (2001), Self-Organizing Maps , Springer-Verlag, New York, NY, Secaucus, NJ.","DOI":"10.1007\/978-3-642-56927-2"},{"key":"key2020122505071667700_b22","doi-asserted-by":"crossref","unstructured":"Kolias, C. , Kambourakis, G. and Maragoudakis, M. (2011), \u201cSwarm intelligence in intrusion detection: a survey\u201d, Computers and Security , Vol. 30 No. 8, pp. 625-642.","DOI":"10.1016\/j.cose.2011.08.009"},{"key":"key2020122505071667700_b23","unstructured":"Labeled Dataset for Flow-based Intrusion Detection (2009), available at: www.simpleweb.org\/wiki\/Labeled_Dataset_for_Intrusion_Detection (accessed 3 October 2013)."},{"key":"key2020122505071667700_b24","unstructured":"Mccallum, A. and Nigam, K. (1998), \u201cA comparison of event models for naive Bayes text classification\u201d, AAAI-98 Workshop on Learning for Text Categorization Proceedings of the International Conference, Madison, WI, AAAI Press, Palo Alto, CA, pp. 41-48."},{"key":"key2020122505071667700_b25","doi-asserted-by":"crossref","unstructured":"McHugh, J. (2000), \u201cTesting intrusion detection systems: a critique of the 1998 and 1999 Darpa intrusion detection system evaluations as performed by Lincoln laboratory\u201d, ACM Transactions on Information and System Security , Vol. 3 No. 4, pp. 262-294.","DOI":"10.1145\/382912.382923"},{"key":"key2020122505071667700_b26","unstructured":"NSL-KDD (2009), available at: http:\/\/nsl.cs.unb.ca\/NSL-KDD\/ (accessed 3 March 2013)."},{"key":"key2020122505071667700_b27","unstructured":"Paek, S. , Oh, Y. and Lee, D. (2006), \u201csIDMG: small-size intrusion detection model generation of complimenting decision tree classification algorithm\u201d, 7th International Workshop (WISA 2006) Proceedings of the International Conference, Jeju Island, Springer Berlin Heidelberg, pp. 83-99."},{"key":"key2020122505071667700_b28","unstructured":"Platt, J. (1999), \u201cFast training of support vector machines using sequential minimal optimization\u201d, Advances in Kernel Methods , MIT Press Cambridge, MA, pp. 185-208."},{"key":"key2020122505071667700_b29","unstructured":"Quinlan, R. (1993), C4.5: Programs for Machine Learning , Morgan Kaufmann Publishers, San Mateo, CA."},{"key":"key2020122505071667700_b30","unstructured":"Scarfone, K. and Mell, P. (2007), Guide to Intrusion Detection and Prevention Systems (IDPS ), NIST Special Publication, Gaithersburg, MD, pp. 800-894."},{"key":"key2020122505071667700_b31","doi-asserted-by":"crossref","unstructured":"Scott, L.S. (2004), \u201cA Bayesian paradigm for designing intrusion detection systems\u201d, Computational Statistics and Data Analysis , Vol. 45 No. 1, pp. 69-83.","DOI":"10.1016\/S0167-9473(03)00177-4"},{"key":"key2020122505071667700_b32","unstructured":"Sperotto, A. , Sadre, R. , van Vliet, F. and Pras, A. (2009), \u201cA labeled dataset for flow-based intrusion detection\u201d, 9th IEEE International Workshop on IP Operations and Management Proceedings of the International Conference, Venice, Springer-Verlag, Berlin, pp. 39-50."},{"key":"key2020122505071667700_b33","unstructured":"Tavallaee, M. , Bagheri, E. , Wei, L. and Ghorbani, A.A. (2009), \u201cA detailed analysis of the KDD CUP 99 dataset\u201d, IEEE Symposium Computational Intelligence for Security and Defense Applications 2009 (CISDA\u201909) Proceedings of the International Conference, Ottawa, IEEE Press, Piscataway, NJ, pp. 1-6."},{"key":"key2020122505071667700_b34","unstructured":"The DARPA Intrusion Detection Datasets (1998), available at: www.ll.mit.edu\/mission\/communications\/ist\/corpora\/ideval\/data\/index.html (accessed 15 June 2012)."},{"key":"key2020122505071667700_b35","unstructured":"The KDD CUP 1999 Data (1999), available at: http:\/\/kdd.ics.uci.edu\/databases\/kddcup99\/kddcup99.html (accessed 9 June 2012)."},{"key":"key2020122505071667700_b36","doi-asserted-by":"crossref","unstructured":"Tong, X. , Wang, Z. and Yu, H. (2009), \u201cA research using hybrid RBF\/Elman neural networks for intrusion detection system secure model\u201d, Computer Physics Communications , Vol. 180 No. 10, pp. 1795-1801.","DOI":"10.1016\/j.cpc.2009.05.004"},{"key":"key2020122505071667700_b37","doi-asserted-by":"crossref","unstructured":"Toosi, A.N. and Kahani, M. (2007), \u201cA new approach to intrusion detection based on an evolutionary soft computing model using neuro-fuzzy classifiers\u201d, Computer Communications , Vol. 30 No. 10, pp. 2201-2212.","DOI":"10.1016\/j.comcom.2007.05.002"},{"key":"key2020122505071667700_b39","doi-asserted-by":"crossref","unstructured":"Wanga, G. , Hao, J. , Mab, J. and Huanga, L. (2010), \u201cA new approach to intrusion detection using artificial neural networks and fuzzy clustering\u201d, Expert Systems with Applications , Vol. 37 No. 9, pp. 6225-6232.","DOI":"10.1016\/j.eswa.2010.02.102"},{"key":"key2020122505071667700_b40","doi-asserted-by":"crossref","unstructured":"Winter, P. , Hermann, E. and Zeilinger, M. (2011), \u201cInductive intrusion detection in flow-based network data using one-class support vector machines\u201d, New Technologies, Mobility and Security (NTMS) International Conference, Paris, IEEE Press, Piscataway, NJ, pp. 1-5.","DOI":"10.1109\/NTMS.2011.5720582"},{"key":"key2020122505071667700_b41","unstructured":"Witten, I. , Frank, E. and Hall, M. (2011), Data Mining: Practical Machine Learning Tools and Techniques , Morgan Kaufmann Publishers, San Francisco, CA."},{"key":"key2020122505071667700_b44","doi-asserted-by":"crossref","unstructured":"Wu, S.X. and Banzhaf, W. (2010), \u201cThe use of computational intelligence in intrusion detection systems: a review\u201d, Applied Soft Computing , Vol. 10 No. 1, pp. 1-35.","DOI":"10.1016\/j.asoc.2009.06.019"},{"key":"key2020122505071667700_b42","unstructured":"Xiang, C. , Chong, M.Y. and Zhu, H.L. (2004), \u201cDesign of multiple-level tree classifiers for intrusion detection system\u201d, IEEE Conference on Cybernetics and Intelligent Systems 2004 Proceedings of the International Conference, IEEE Press, Piscataway, NJ, pp. 872-877, available at: http:\/\/ieeexplore.ieee.org\/xpl\/articleDetails.jsp?arnumber=1460703"},{"key":"key2020122505071667700_b43","doi-asserted-by":"crossref","unstructured":"Xiang, C. , Yong, C.P. and Meng, L.S. (2008), \u201cDesign of multiple-level hybrid classifier for intrusion detection system using Bayesian clustering and decision trees\u201d, Pattern Recognition Letters , Vol. 29 No. 7, pp. 918-924.","DOI":"10.1016\/j.patrec.2008.01.008"},{"key":"key2020122505071667700_b45","doi-asserted-by":"crossref","unstructured":"Zhang, Z. and Shen, H. (2005), \u201cApplication of online-training SVMs for real-time intrusion detection with different considerations\u201d, Computer Communications , Vol. 28 No. 12, pp. 1428-1442.","DOI":"10.1016\/j.comcom.2005.01.014"},{"key":"key2020122505071667700_frd1","doi-asserted-by":"crossref","unstructured":"Tsaia, C. , Hsub, Y. , Linc, C. and Lin, W. (2009), \u201cIntrusion detection by machine learning: a review\u201d, Expert Systems with Applications , Vol. 36 No. 10, pp. 11994-12000.","DOI":"10.1016\/j.eswa.2009.05.029"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/ICS-04-2013-0031","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2013-0031\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2013-0031\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:49Z","timestamp":1753406569000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/23\/1\/31-57\/111057"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,3,9]]},"references-count":45,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2015,3,9]]}},"alternative-id":["10.1108\/ICS-04-2013-0031"],"URL":"https:\/\/doi.org\/10.1108\/ics-04-2013-0031","relation":{},"ISSN":["2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2015,3,9]]}}}