Application of online-training SVMs for real-time intrusion detection with different considerations

Zonghua Zhang, Hong Shen

Research output: Contribution to journalArticlepeer-review

83 Citations (Scopus)


As intrusion detection essentially can be formulated as a binary classification problem, it thus can be solved by an effective classification technique - Support Vector Machine (SVM). Additionally, some text processing techniques can also be employed for intrusion detection, based on the characterization of the frequencies of the system calls executed by the privileged programs. Based on the intersection of these two research domains, i.e. pattern recognition and text categorization, and breaking the strong traditional assumption that training data for intrusion detectors are readily available with high quality in batch, the conventional SVM, Robust SVM and one-class SVM have been modified respectively based on the idea from Online SVM in this paper, and their performances are compared with that of the original algorithms. After elaborate theoretical analysis, concrete experiments with 1998 DARPA BSM data set collected at MIT's Lincoln Labs are carried out. These experiments verify that the modified SVMs can be trained online and the results outperform the original ones with fewer support vectors (SVs) and less training time without decreasing detection accuracy. Both of these achievements could significantly benefit an effective online intrusion detection system.

Original languageEnglish
Pages (from-to)1428-1442
Number of pages15
JournalComputer Communications
Issue number12
Publication statusPublished - 18 Jul 2005
Externally publishedYes


  • Anomaly detection
  • Computer security
  • Intrusion detection
  • Support vector machines
  • Text categorization


Dive into the research topics of 'Application of online-training SVMs for real-time intrusion detection with different considerations'. Together they form a unique fingerprint.

Cite this