08076830.pdf (9.07 MB)

Using pattern-of-life as contextual information for anomaly-based intrusion detection systems

Download (9.07 MB)
journal contribution
posted on 21.09.2017, 15:09 by Francisco J. Aparicio-Navarro, Kostas Kyriakopoulos, Yu Gong, David J. Parish, Jonathon Chambers
As the complexity of cyber-attacks keeps increasing, new robust detection mechanisms need to be developed. The next generation of Intrusion Detection Systems (IDSs) should be able to adapt their detection characteristics based not only on the measureable network traffic, but also on the available high-level information related to the protected network. To this aim, we make use of the Pattern-of-Life (PoL) of a computer network as the main source of high-level information. We propose two novel approaches that make use of a Fuzzy Cognitive Map (FCM) to incorporate the PoL into the detection process. There are four main aims of the work. First, to evaluate the efficiency of the proposed approaches in identifying the presence of attacks. Second, to identify which of the proposed approaches to integrate FCM into the IDS framework produces the best results. Third, to identify which of the metrics used in the design of the FCM produces the best detection results. Fourth, to evidence the improved detection performance that contextual information can offer in IDSs. The results that we present verify that the proposed approaches improve the effectiveness of our IDS by reducing the total number of false alarms; providing almost perfect Detection Rate (i.e. 99.76%), and only 6.33% False Positive Rate, depending on the particular metric combination.


This work was supported by the Engineering and Physical Sciences Research Council (EPSRC) Grant number EP/K014307/2 and the MOD University Defence Research Collaboration in Signal Processing.



  • Mechanical, Electrical and Manufacturing Engineering

Published in

IEEE Access




22177 - 22193


APARICIO-NAVARRO, F.J. ... et al, 2017. Using pattern-of-life as contextual information for anomaly-based intrusion detection systems. IEEE Access, 5, pp. 22177-22193.




VoR (Version of Record)

Publisher statement

This work is made available according to the conditions of the Creative Commons Attribution 3.0 Unported (CC BY 3.0) licence. Full details of this licence are available at: http://creativecommons.org/licenses/by/3.0/

Acceptance date


Publication date



This work is licensed under a Creative Commons Attribution 3.0 License. For more information, see http://creativecommons.org/licenses/by/3.0/.