Mohamed Z. Abdulmaged

Work place: Al-Azhar University, System and Computer Engineering Dept., Cairo, 11651, Egypt

E-mail: azhar@eun.eg


Research Interests: Computer systems and computational processes, Artificial Intelligence, Autonomic Computing, Computer Architecture and Organization, Distributed Computing, Computing Platform, Data Structures and Algorithms

Biography

Mohamed Z. Abdulmageed is a professor of software engineering in the Computer and System Engineering Department, Faculty of Engineering, Al-Azhar University, Cairo. He received his B.Sc. and M.Sc. degrees in electrical engineering from Cairo University in 1968 and 1973 respectively, and his Ph.D. degree in computer engineering from Warsaw Technical University, Poland, in 1977. His fields of interest include artificial intelligence, soft computing, and distributed systems.

Author Articles
A Learnable Anomaly Detection System using Attributional Rules

By Abdurrahman A. Nasr, Mohamed M. Ezz, Mohamed Z. Abdulmaged

DOI: https://doi.org/10.5815/ijcnis.2016.11.07, Pub. Date: 8 Nov. 2016

The continuously changing networks introduce new attacks, which represent an explicit problem that affects the security of enterprise resources. Thus, there is a real need to build intelligent intrusion detection systems that can learn from the network behavior. In this paper, a learnable anomaly intrusion detection system based on attributional rules is presented. The proposed model is chosen for the advantages of being expressive and flexible and of operating in noisy and inconsistent environments. The system is a real-time intrusion detector that utilizes an incremental supervised machine learning technique. This technique makes use of the Algorithm Quasi-optimal (AQ), which is based on attributional calculus.
Here, an Algorithm Quasi-optimal for Intrusion Detection System (AQ4IDS) is exploited and implemented using attributional rules to discriminate between normal and anomalous network traffic. The behavior of AQ4IDS is tested to illustrate its superiority. The experimental results showed that the model automatically accommodates new rules from a continuous network stream. Many experiments have verified that AQ4IDS can efficiently discriminate between normal and anomalous network traffic, in addition to offering the advantage of detecting novel and zero-day attacks.

An Intrusion Detection and Prevention System based on Automatic Learning of Traffic Anomalies

By Abdurrahman A. Nasr, Mohamed M. Ezz, Mohamed Z. Abdulmaged

DOI: https://doi.org/10.5815/ijcnis.2016.01.07, Pub. Date: 8 Jan. 2016

The ever-changing network traffic reveals new attack types, which represent a security threat that poses a serious risk to enterprise resources. Therefore, security administrators are in real need of efficient Intrusion Detection and Prevention Systems (IDPS). Such systems might be capable of learning from the network behavior. In this paper, we present an incremental Learnable Model for Anomaly Detection and Prevention of Zero-day attacks (LMAD/PZ). To facilitate the ability to learn from observations that can provide a reliable model for automatic prevention, a comparison has been carried out between supervised and unsupervised learning techniques.
Thus, in LMAD/PZ, the intrusion detection step is integrated with an intrusion prevention plan. To ensure that the prevention plan is dependable and automatic, it must be backed and sustained by a robust and accurate detection process. Therefore, two incremental data mining techniques are investigated in depth and implemented on the NSL-KDD’99 intrusion dataset. The first technique is the Algorithm Quasi-optimal (AQ), which is a supervised Attributional Rules Learner (ARL), while the second is Cobweb, an unsupervised hierarchical conceptual clustering algorithm. These algorithms categorize the network connections as either normal or anomalous. The performance of AQ is compared to that of Cobweb, and the better-performing technique is integrated with the prevention plan to afford a fully automated system. The experimental results showed that the model automatically adapts its knowledge base from continuous network streams, in addition to offering the advantage of detecting novel and zero-day attacks. Many experiments have verified that AQ outperforms Cobweb clustering in terms of accuracy, detection rate and false alarm rate.
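Both abstracts above rest on the same idea: learn attributional rules (conjunctions of selectors such as [flag=SF][proto=tcp,udp]) with the AQ covering loop, classify connections with them, and accommodate new labelled traffic incrementally. The following is an added illustration written for this page, not the AQ4IDS or LMAD/PZ code of the papers: a deliberately small AQ-style learner (seed, star, extend-against each negative, pick by a lexicographic evaluation function) over nominal connection attributes. The attribute names (proto, service, flag, bytes), the sample records, the "unknown" verdict for connections no rule covers, and the relearn-on-mistake accommodation policy are all assumptions of this example; the Cobweb comparison is not reproduced.

```python
"""Simplified AQ-style attributional rule learner for normal/anomalous connections.

Added example, not the papers' implementation. A complex is a dict attr -> frozenset of
allowed values (one selector per attribute); a record is covered when every selector holds.
The records below are constructed samples, not NSL-KDD data.
"""

TRAIN = [  # constructed: (connection record, label)
    ({"proto": "tcp", "service": "http", "flag": "SF", "bytes": "low"}, "normal"),
    ({"proto": "tcp", "service": "http", "flag": "SF", "bytes": "high"}, "normal"),
    ({"proto": "udp", "service": "dns", "flag": "SF", "bytes": "low"}, "normal"),
    ({"proto": "tcp", "service": "smtp", "flag": "SF", "bytes": "low"}, "normal"),
    ({"proto": "tcp", "service": "http", "flag": "S0", "bytes": "low"}, "anomaly"),   # half-open SYN
    ({"proto": "tcp", "service": "telnet", "flag": "S0", "bytes": "low"}, "anomaly"),
    ({"proto": "tcp", "service": "smtp", "flag": "REJ", "bytes": "low"}, "anomaly"),
    ({"proto": "icmp", "service": "ecr_i", "flag": "SF", "bytes": "high"}, "anomaly"),  # echo flood
]


def covers(cx, rec):
    """True when every selector of complex `cx` holds for `rec` (empty complex covers all)."""
    return all(rec[a] in vals for a, vals in cx.items())


def extend_against(star, seed, neg, domains, uncovered, maxstar):
    """Specialise each complex that still covers `neg`; the seed stays covered by construction."""
    out = []
    for cx in star:
        if not covers(cx, neg):
            out.append(cx)
            continue
        for a in seed:
            if seed[a] != neg[a]:  # selector "a != neg[a]" excludes neg but keeps the seed
                ncx = dict(cx)
                ncx[a] = cx.get(a, domains[a]) - {neg[a]}
                out.append(ncx)
    uniq = {tuple(sorted(cx.items(), key=lambda t: t[0])): cx for cx in out}
    # LEF: prefer complexes covering most still-uncovered positives, then fewest selectors
    ranked = sorted(uniq.values(), key=lambda cx: (-sum(covers(cx, p) for p in uncovered), len(cx)))
    return ranked[:maxstar]


def learn_rules(records, cls, domains, maxstar=5):
    """AQ covering loop: one consistent complex per seed until every positive is covered."""
    positives = [r for r, y in records if y == cls]
    negatives = [r for r, y in records if y != cls]
    rules, uncovered = [], list(positives)
    while uncovered:
        seed, star = uncovered[0], [{}]
        for neg in negatives:
            if any(covers(cx, neg) for cx in star):
                star = extend_against(star, seed, neg, domains, uncovered, maxstar)
        if not star:  # seed identical to a negative: inconsistent/noisy sample, skip it
            uncovered.pop(0)
            continue
        best = star[0]
        rules.append(best)
        uncovered = [p for p in uncovered if not covers(best, p)]
    return rules


def format_rule(cx):
    """Render a complex in attributional notation, e.g. [flag=SF][proto=tcp,udp]."""
    return "".join(f"[{a}={','.join(sorted(v))}]" for a, v in sorted(cx.items())) or "[true]"


class AQDetector:
    """Per-class rule bases plus incremental accommodation of newly labelled connections."""

    def __init__(self, records, maxstar=5):
        self.records, self.maxstar = list(records), maxstar
        self.fit()

    def fit(self):
        attrs = self.records[0][0].keys()  # assumption: all records share one schema
        self.domains = {a: frozenset(r[a] for r, _ in self.records) for a in attrs}
        self.rules = {c: learn_rules(self.records, c, self.domains, self.maxstar)
                      for c in sorted({y for _, y in self.records})}

    def predict(self, rec):
        hits = [c for c, rules in self.rules.items() if any(covers(cx, rec) for cx in rules)]
        if len(hits) == 1:
            return hits[0]
        return "unknown" if not hits else "conflict"  # no rule fires: novel traffic, escalate

    def observe(self, rec, label):
        """Accommodate one labelled connection; relearn only when the current rules get it wrong."""
        self.records.append((rec, label))
        if self.predict(rec) == label:
            return False
        self.fit()
        return True


if __name__ == "__main__":
    det = AQDetector(TRAIN)
    for cls, rules in det.rules.items():
        print(cls, "<-", " or ".join(format_rule(cx) for cx in rules))
    novel = {"proto": "udp", "service": "dns", "flag": "RSTO", "bytes": "low"}
    print("novel flag value:", det.predict(novel))          # unknown
    print("relearned:", det.observe(novel, "anomaly"))       # True
    print("after accommodation:", det.predict(novel))        # anomaly
```

On the constructed sample the learner produces normal <- [flag=SF][proto=tcp,udp] and anomaly <- [flag=REJ,S0] or [proto=icmp]. The second anomaly rule is the caveat a practitioner should take from this: with no normal ICMP in the training stream, AQ generalises to "all ICMP is anomalous", and the "unknown" verdict for the RSTO connection shows the other side of the same coin, since a value never seen in the domain matches no rule. Whether that is read as a zero-day detection or as a false alarm depends on the coverage of the training data, which is why the papers report detection rate and false alarm rate together rather than accuracy alone.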
