Intrusion Patterns Recognition in Computer Networks

Ali Farzan, Naser Razavi, Mohammad Ali Balafar and Farshad Arvin

Abstract - One of the hottest research areas in recent years is detecting network intrusion patterns in computer networks. Because of the dynamic nature of intrusion patterns in networks, intelligently inspecting the behavior of networks and detecting anomalies is highly desirable. The KDD-Cup99 pattern database is used as a standard source of network packets in our research. K-means, a Bayesian method and Support Vector Machine (SVM) are used as anomaly detectors. Results show the superiority of SVM over the other two methods regarding the accuracy of classifying patterns into normal packets and suspicious ones. It can be concluded that high-dimensional pattern recognition methods have reasonable competence in detecting attack patterns in computer networks.

Keywords: k-means; Bayesian; SVM; Network Intrusion Detection

Manuscript received July 26, 2011; revised August 9, 2011. This work was supported by the Islamic Azad University, Shabestar Branch, Iran under Grant 51954900129001.
Ali Farzan is with the Islamic Azad University, Shabestar Branch and University of Putra Malaysia (Corresponding author to provide phone: +601-76737629; e-mail: alifarzanam@gmail.com).
Naser Razavi is with the Islamic Azad University, Shabestar Branch (email: razavi@iust.ac.ir).
Mohammad Ali Balafar is with the Islamic Azad University, Shabestar Branch (email: balafarila@yahoo.com).
Farshad Arvin is with the Islamic Azad University, Shabestar Branch (email: farshadarvin@yahoo.com).

I. INTRODUCTION

With the development of complicated networks, and especially Internet technology, the security of networks has become one of the major issues in network design [1]. The availability of comprehensive and rich information sources on the various ways of carrying out destructive attacks motivates more hackers to use simple operations in performing fatal attacks [2-5]. It is supposed that the number of hacking attacks is growing 10 times per year [6], and this makes the security of computer networks a critical topic. Traditional methods for enforcing security in networks, such as VPNs, firewalls or encryption methods, suffer from their static nature and cannot be adapted to the dynamic nature of the attacks. That is, attack data packets often do not follow a prespecified, well-known pattern format. Rather, their format varies with the type of attack and the severity of the attacker. This dynamic nature of attack types motivates researchers to develop new methods for detecting intrusion packets [1-2, 7-8].

A network intrusion detection system has the responsibility of monitoring traffic on the network, modeling its normal and abnormal behavior and, based on this model, issuing an alarm when it detects any data packet that matches the abnormal state of the model [8].

Three different classification methods are used in this paper to classify data packets into normal or abnormal ones. According to our sample data set, the abnormal packets are also divided into 4 different groups [9]. This categorization is based on the type of attack:

Denial of Service Attack (DoS): an attack in which the attacker makes some computing or memory resource too busy or too full to handle legitimate requests, or denies legitimate users access to a machine.

User to Root Attack (U2R): a class of exploit in which the attacker starts out with access to a normal user account on the system (perhaps gained by sniffing passwords, a dictionary attack, or social engineering) and is able to exploit some vulnerability to gain root access to the system.

Remote to Local Attack (R2L): occurs when an attacker who has the ability to send packets to a machine over a network, but who does not have an account on that machine, exploits some vulnerability to gain local access as a user of that machine.

Probing Attack: an attempt to gather information about a network of computers for the apparent purpose of circumventing its security controls.

For each packet of data, there are 41 different characteristics in the database, which are used as

Proceedings of the World Congress on Engineering and Computer Science 2011 Vol I, WCECS 2011, October 19-21, 2011, San Francisco, USA. ISBN: 978-988-18210-9-6; ISSN: 2078-0958 (Print); ISSN: 2078-0966 (Online)
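The detection loop described in the introduction (model normal and abnormal traffic, then flag records that match the abnormal model), as an added example that is not code from the paper. The paper does not say which Bayesian method it uses, so Gaussian naive Bayes is an assumption here, as are the choice of four of the 41 KDD-Cup99 features and the constructed sample records.

```python
import math
from collections import defaultdict

# Constructed sample records (NOT real KDD-Cup99 rows). Columns are four of
# the dataset's 41 features: duration, src_bytes, count, serror_rate.
TRAIN = [
    ((2, 310, 4, 0.00), "normal"),
    ((0, 240, 6, 0.00), "normal"),
    ((5, 520, 3, 0.05), "normal"),
    ((1, 180, 8, 0.00), "normal"),
    ((0, 0, 250, 1.00), "attack"),
    ((0, 0, 310, 0.95), "attack"),
    ((0, 12, 280, 1.00), "attack"),
    ((0, 0, 190, 0.90), "attack"),
]

def fit(rows, var_floor=1e-3):
    """Estimate each class's prior and per-feature Gaussian (mean, variance)."""
    by_class = defaultdict(list)
    for x, y in rows:
        by_class[y].append(x)
    model = {}
    for label, xs in by_class.items():
        stats = []
        for col in zip(*xs):
            mean = sum(col) / len(col)
            var = sum((v - mean) ** 2 for v in col) / len(col)
            # Floor the variance: a feature that is constant within a class
            # (duration is always 0 in the attack rows) would divide by zero.
            stats.append((mean, max(var, var_floor)))
        model[label] = (len(xs) / len(rows), stats)
    return model

def log_posteriors(model, x):
    """Unnormalised log P(class | x), treating features as independent."""
    scores = {}
    for label, (prior, stats) in model.items():
        s = math.log(prior)
        for v, (mean, var) in zip(x, stats):
            s += -0.5 * math.log(2 * math.pi * var) - (v - mean) ** 2 / (2 * var)
        scores[label] = s
    return scores

def classify(model, x):
    """Return the label whose model best explains record x."""
    scores = log_posteriors(model, x)
    return max(scores, key=scores.get)

MODEL = fit(TRAIN)
```

The variance floor is a tuning choice: set too low, a single unusual value in a normally constant feature dominates the score and decides the class on its own.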