Partial Consensus and Incremental Learning Based
Intrusion Detection System
Mohd Mohtashim Nawaz
Indian Institute of Information Technology, Allahabad
Prayagraj, Uttar Pradesh, India
nawazmohtashim@gmail.com
Aditya Raj
Indian Institute of Information Technology, Allahabad
Prayagraj, Uttar Pradesh, India
rajadityagolu@gmail.com
Abstract—The tremendous growth of internet and ease of
availability of computer systems have brought with it a serious
threat of malicious cyber activities. The intrusion or the malicious
attempt to compromise the security of a computer system is one
such threat. As the computational resources have increased, the
problem has attracted the researchers to build efficient systems
to thwart intrusion attempts. This paper provides insight to
the intrusion detection techniques and technologies and analyzes
different techniques used in building intrusion detection systems.
We also propose a distributed partial consensus and incremental
learning based intrusion detection system.
Index Terms—Intrusion, Distributed intrusion detection sys-
tems, incremental learning, weighted random selection, consensus
I. I NTRODUCTION
Broadly speaking, intrusion is an attempt to compromise
the security of a computer system. The intruder may try to
compromise the security policies like confidentiality, integrity
and availability of the system, user policies and system defined
security measures. Intrusion detection, as name suggests, is
the process of detection of the intrusion and attempt to stop
it. Since the computer systems deal with a large community
and widespread network, the intrusion detection is critically
important in today’s world.
Intrusion detection plays a very important role in cyber se-
curity. Network Intrusion Detection Systems are a category
of IDSs which deal with the violations of security aspects in
the network. NIDSs monitor and analyze the network traffic
for detection of any kind of intrusion and trigger alarms
of intrusion detection for network administrator. Network
Intrusion Detection System by anomaly detection consists of
two main parts. First is the model or the architecture that
defines the operational structure. Second, the detection engine
which is used to detect the anomalies in network. There
exist several intrusion detection techniques and the methods to
implement these techniques but the use of machine learning
and data mining techniques have been quite profound in
the development of intrusion detection systems. However, a
combination of machine learning techniques and distributed
1
Vineet Gupta
Indian Institute of Information Technology, Allahabad
Prayagraj, Uttar Pradesh, India
vineet.gupta224a@gmail.com
Sangeeta Meena
Indian Institute of Information Technology, Allahabad
Prayagraj, Uttar Pradesh, India
smiiit.1999@gmail.com
systems is relatively unexplored. It is interesting to note that
implementation of incremental learning algorithms and con-
sensus into the intrusion detection is exceptionally rare if not
yet to be implemented. We have analyzed the machine learning
and data mining techniques used to build intrusion detection
system and proposed a possible solution using an incremental
learning algorithm Learn++ proposed by R. Polikar, L. Upda,
S. S. Upda and V. Honavar [1]. The proposed solution makes
use of concepts of decentralization and makes decisions based
on consensus among the nodes.
II. L ITERATURE R EVIEW
Intrusion detection systems are divided into two categories
in terms of where the components are placed, the ”Host-based
Intrusion Detection Systems (HIDSs)” and the ”Network-
based Intrusion Detection Systems (NIDSs)”.
Host based network system places the system at each node in
the network and the packets are scanned at the host level to
check for behaviour.
Network intrusion detection system is placed at suitable lo-
cations in the network to strategically monitor the traffic and
perform checks on it.
Distributed Intrusion detection systems (DIDS) are designed
for networks where centralized approach fails. Centralized
systems have a single or a few analysis nodes in network
which receive their required network information from data
collecting nodes which are spread all over the network. The
centralized systems have the security issues like failure of
network, crash of central node, etc. Moreover, if the central
node is compromised, whole system fails. Networks like
wireless Ad-hoc networks where a node in the network is
not physically linked with the network but is in radio range
can communicate to the network. These networks have certain
limitations like fixed transmission range, limited bandwidth,
etc. Also, mobile nodes have limited battery and memory.
Therefore, different solutions and distributed approaches exist
for providing better security in wireless networks. As wireless
networks are flexible, nodes may leave and join the network
frequently, so there should be a mechanism to provide security
to such nodes in the network. Approaches like multi agent
based hierarchical approach, semi-centralized cluster based
approach and distributed consensus based approaches are used
to provide security to wireless Ad-hoc networks.
There are several intrusion detection techniques like signature
based detection, anomaly based detection, etc. The more com-
monly used of these is the signature-based intrusion detection.
This type of intrusion detection system deals with the attack in
a way that whenever a new attack is encountered, the attack
pattern or signature is defined and stored. Network security
specialists can design a defence against the new assault after
the attack signature is studied. Accordingly, IDS is updated so
that it can detect the new signature pattern and respond to it.
This method is useful only for known patterns. If attacks are
slightly changed or altered they can not be identified.
Anomaly based Intrusion Detection Systems are another type
of IDSs. These detection systems deal with the attacks where
signatures and patterns are not defined in the database. Net-
work behaviour is a major parameter on which the detection
system is based and if the network behaviour is within the
predefined behaviour than it is recognized as normal traffic else
it is recognized as abnormal traffic. Instead of using signatures
and patterns, these detection systems use rules and heuristics
to differentiate normal behaviour from abnormal behaviour.
Implementation of machine learning and data mining tech-
niques and algorithms can provide a simple yet effective
solution for detection and classification of anomalies in the
network. Several approaches like probabilistic and model
based machine learning algorithms have been used in the
intrusion detection systems. The use of model based learning
techniques have an advantage that they predict faster and
once the model is trained, there is no need to keep the
data unless the model needs to be re-trained on same data.
However, probabilistic techniques like bayesian classifiers are
much efficient and provide better accuracy. A few studies have
used the combined model based and probabilistic techniques
to build such classifiers. One such approach uses Probabilistic
Neural Networks for classification. The interested reader can
find more details in the paper published by Atay, İbrahim [2].
IDSs that can scan the network’s large data, are robust and
have a good accuracy are always in demand within the
industries. The tools like sniffers, firewalls, IDSs have become
a necessity due to the shortcomings of underlying protocols
used in the communication.
NSL-KDD is a data set used worldwide for evaluating in-
trusion detection systems. This data set contains four major
categories of attacks that are denial of service attack, user-to-
root attack, remote-to-local attack and probing attack.
The evaluation criteria used to compare the performance of
different techniques and methods of intrusion detection include
: i) accuracy, ii) false positive rate (FNR), iii) false negative
rate (FPR), iv) time complexity, v) memory complexity, and
vi) Correlation measures. False negative rate and false positive
rate play a major role in the cases where class imbalance
problem exists. When the desired class instances are rare it
2
is called a class imbalance problem and the class imbalance is
specially found in intrusion detection because number of non-
anomalous instances is much higher than anomalous instances.
However, not all of these criteria are often used. The most
widely used of these are:
1) Accuracy: It is the measure of ability of the system
to classify the new instances correctly. In essence, the
percentage of instances classified as positive if they are
really positive and as negative if they are really negative.
It is one of the basic evaluation criteria.
2) False Negative Rate: The percentage of actually pos-
itive (anomalous) samples reported as negative (non-
anomalous) is called the false negative negative rate.
High false negative rate indicates that the system is not
able to detect actually anomalous instances correctly.
3) False Positive Rate: The percentage of actually nega-
tive (non-anomalous) instances misclassified as positive
(anomalous) instances.
III. R ESEARCH A DVANCES
Different architectures of Network Intrusion Detection
Systems and different algorithms for anomaly detection
are the subject of research for more effective and efficient
intrusion detection.
In [3], Sen, Jaydip proposed a cluster based semi-centralized
intrusion detection system for wireless networks.In the
proposed model the network is divided into clusters using
a particular clustering algorithm [4].All different clusters in
network have a cluster head to manage all remaining cluster
members of that cluster, also cluster heads led to initialization
of cooperative intrusion detection process.These cluster heads
are chosen on the basis of output of an election algorithm
which is based on trust level of nodes. Also, each node
in network maintains a database containing information of
known attacks and for the new attacks in the network some
thresholds are set based on anomaly detection algorithm.
When a network wide intrusion is detected cluster heads relay
the information to other clusters using a gateway, however,
in case of local intrusion, member node handles it locally
and cluster head adds the information of detected intrusion
in the database so that it can be used in future for intrusion
detection. Cluster head manages mobile agents for collecting
intrusion related data and relaying response of intrusion
detection system to cluster members these mobile agents
reduces load of cooperative detection. Though the approach
provides the seemingly good solution at initial level, there
are some security concerns related to mobile agents which
can be found in [5].
A major downfall of this approach becomes visible as network
topology changes and cluster head begin to leave the network
at higher rate. In such case elections must be done frequently
to save the system from going into an inconsistent state
and to maintain the availability. Since the wireless network
topology is prone to frequent and sometimes sudden changes,
a lot more number of elections may be necessary which adds
to the overhead. However, as the algorithm uses concept of
local and global detection, it helps to manage the latency
in detection as most of the attacks can be handled locally.
Hence, the algorithm have a few weaknesses but may prove
to be beneficial in designing the intrusion detection systems
for wireless networks.
In [6], Said OUIAZZANE, Malika ADDOU, Fatimazahra
BARRAMOU, proposed a model of distributed network
intrusion detection system which can detect intrusions in
a large network using multi-agent system and HADOOP
Distributed File System(HDFS). The proposed model uses
agents to perform it’s tasks. First, DIDS uses capturing agent
to collect the network data, then collected data is filtered by
filtering agent to separate the categorized data (normal and
abnormal) and un-categorized data that is not yet recognized.
This un-categorized data is stored in HDFS cluster for further
processing by Load Balancing agent. Finally, the Decision
Maker agent processes the data stored on Hadoop to detect
whether it is an intrusion. If an intrusion is found it stores
the detected intrusion in intrusion database. Here, Decision
Maker agent can use any machine learning algorithm for
anomaly detection.
The model has good processing speed in comparison to other
distributed NIDSs because of the used Hadoop file system
that uses parallel distributed computing. Also, filtering of data
before storing data in HDFS adds to it. The model is scalable
to large networks as more agents can be added to DIDS if
needed. An apparent downfall of this model is the crash of
the file system however, to overcome it, authors presented an
approach of replicating the whole database and storing it at
three different sites. But again, the replication not only gives
rise to data redundancy but also consumes a lot of storage as
the data can be large. Although, the use of modern big data
techniques and file systems like HDFS are the backbone of
this model, the same adds to the complexity.
In [7], Michel Toulouse, Bùi Quang Minh, Philip Curtis,
proposed a fully distributed network intrusion detection
system based on a consensus algorithm called ”average
consensus algorithm”. This algorithm like all other consensus
algorithms aims to reach a common decision of all nodes
which executes the detection algorithm. The detection
algorithm used in the proposed model is Naive Bayes
classifier for anomaly detection. The work flow of model can
be seen as a process of multiple steps where, initially, all
n NIDS modules are trained for naive bayes classification.
Each module then computes two initial variables then average
consensus algorithm is applied which uses those initial
variables to reach two final variables for whole network.
Next, the probability or hypotheses of the network behaviour
being normal and probability or hypotheses of the network
behaviour being abnormal is calculated using the variables
obtained in above step. To reach the final variables 1000
iterations are executed for each module.
The model has a good accuracy and is a better solution for
ad-hoc wireless networks as decision is not taken by a single
3
node which may leave or loose connection. This model is
scalable to large networks but will have a communication
overhead and may become time inefficient as for 9 NIDS
module their will be 9000 iteration, for 81 modules 81000
iterations and so on. The model suffers the problems of
consensus algorithm [8] which may result to inconsistent
state in case of network faults, byzantine faults and crash
faults. The model relies on the naive bayes classifier which
has a fundamental problem of assumption that the features
are independent which may not be a case in real world
scenario. Also, the algorithm requires that all the data is kept
in a database i.e. data shall not be deleted. Moreover, the
naive bayes needs to scan the whole database each time to
make predictions. All these requirements add to the cons of
the algorithm. Therefore, the algorithm even though may be
beneficial for some scenarios, it comes with a price of large
memory needs, complexity and latency.
In [10] Krishnan Subramanian, Sachin Senthilkumar and
Balasubramanian Thiagrajan proposed an intelligent intrusion
detection system which uses tools such as neural networks
and support vector machines. The model first categorizes
different types of attacks and then individual neural networks
are trained for a particular attack type. It uses bayesian neural
networks for denial of service(DoS) or distributed denial of
service(DDoS) attack, Re-circulation neural network for U2R
attacks, fuzzy neural network for R2L attacks and evolving
fuzzy neural network for probe attacks. A feed-forward multi-
layer perceptron and back propagation learning algorithm is
used as a committee machine. The machine assigns weighted
average to each separate attack and then voting is done to
detect the anomaly.
The model is a good approach for detecting attacks as each
type of attack is handled by different algorithms specialised
for a single attack and then overall decision is made by
voting. The chances of detection of attacks are very high due
to specialised machines for each type of attack.
The model suffers from the problems of Naive Bayes model as
already discussed. In addition, it is computationally expensive
as for each attack four predictions are made. Also during
training of the model, there is a need of a large amount of
classified data to train different neural networks. The model
despite it’s high performance isn’t viable for small capacity
machines due to high computational expenses. A distributed
system can be used to implement the model to work efficiently
but this will introduce risks of network faults. The model
suffers from the obvious high complexity and non-viability
in some real world scenarios. The intrusion data often suffers
from class imbalance problem and a large amount of classified
data with sufficient number of positive instances for each
class of attack may not be available. Therefore, the model
is not as robustly applicable to real world scenarios as needed.
In [11] Lukas Iffländer et. al. proposed two algorithms
namely Adaptive blacklisting and Adaptive whitelisting to
improve the performance of intrusion detection systems. It
uses the basic principle that most attacks occur within first
few packets after establishing a new connection.
Currently most of the intrusion detection systems use selective
filtering which is an static approach. In selective filtering,
destination machine needs the knowledge of application
workload running on different hosts and intrusion detection
system for protection. Selective filtering uses a flow entry in
the switch for each server and application which redirects
the susceptible traffic to intrusion detection system using an
SDN based traffic analysis.
In the adaptive blacklisting as proposed by the authors,
Connections are removed from the blacklist after sometime
when they do not raise an alarm for a certain period of
time. In this approach, when a network traffic arrives, the
model first confirms whether the requested connection is a
new connection. If new connection is detected, a controller
creates two flows in the network for different duration. The
network traffic is forwarded to intrusion detection system by
the first flow and a small timeout duration is set. Once the
time is over, the traffic is sent directly to the host destination.
If intrusion detection system raises any alert before timeout,
first flow is used in the network and all traffic is passed
through the intrusion detection system.
In adaptive white listing, the model does not require any
knowledge about the configured signatures in the intrusion
detection system. Explicitly, white listed traffic types are
optionally needed. In this approach, for every connection,
the host initially queries the SDN controller which creates
a flow via the intrusion detection system. If after a certain
number of predetermined packets, intrusion detection system
generates lesser number of alerts than a threshold, the traffic
is flagged as white listed. The remaining traffic of white listed
connection is directly routed to the host. After a certain time
limit, the traffic of the connection is again tested for alerts.
If alerts more than the threshold value are generated by the
intrusion detection system, then whole remaining network
for the particular connection is passed through the intrusion
detection system.
This model has the limitations that it only counts the number
of detected attacks. To account for the false positive and false
negative results, Model proposed in [10] can be used with
the model proposed in [11] to adjust threshold values and
increase efficiency.
IV. P ROPOSED S OLUTION : PCIL-IDS
In the traditional IDSs the intercepted data is sent to a
central node where the decisions are taken. Such a centralized
system is prone to failure in case of network faults or crash of
the central decision making node. Also, such a system can not
tolerate the byzantine faults. Moreover, most of the traditional
systems using data mining and machine learning concepts train
the model once in a while as a batch learning process and need
to keep the full database so as to retain the knowledge when
the model is re-trained. Thus, nodes with limited memory can
not train such models on their own and have to rely on the
pre-trained models or a central node. Although, the proposals
have been made to build the IDSs with Distributed systems
4
and incremental learning, both of them have seldom been
combined. The proposed solution uses the combination of both
in a unique way.
Here, we propose a solution for developing an intrusion detec-
tion system using incremental learning and partial consensus.
The incremental learning is a form of machine learning where
the model is able to learn incrementally without losing the
learned information. Such type of learning algorithms are
effective when there isn’t enough memory to load the full data
set into the memory for training. Also, they can be applied to
the systems where the training data is available incrementally
i.e. in chunks. The consensus is a mechanism to achieve
necessary agreement on a single data value in a decentralized
or distributed system. It is necessary in a distributed system
to reach the consensus so that the state of the system remains
consistent. There exist a number of incremental learning
algorithms each with their own pros and cons. Losing, Viktor
and Hammer, Barbara and Wersing, Heiko published a paper
in 2016 [9] providing an in depth analysis on the subject of
incremental machine learning algorithms. The paper not only
provides the basic definitions of each incremental machine
learning algorithm but also provides the accuracy obtained by
different models on different datasets. It compares most widely
used algorithms like Incremental Support Vector Machine
(ISVM), On-line Random Forest (ORF), Incremental Learn-
ing Vector Quantization (ILVQ), Learn++ (LPP), Incremental
Extreme Learning Machine (IELM), Gaussian Naive Bayes
(GNB), etc. The paper helps in choosing the appropriate algo-
rithm according to the need of the application. The interested
reader can find more in paper [9].
R. Polikar, L. Upda, S. S. Upda and V. Honavar in their paper
[1] proposed an incremental learning algorithm for neural
networks called ’Learn++’. The algorithm uses ensemble of
classifiers learned on the data sets sampled from a database.
It uses a weak classifier as the base learning algorithm and
the results of different learned classifiers are combined using
weighted majority voting process. Neural networks are often
used as the base learning algorithm as they can be easily
manipulated to simulate a weak learner. However, the learn++
algorithm recommends not to use strong classifiers.
Learn++ uses an ensemble of classifiers by generating
multiple hypotheses using training data sampled according to
careful distributions. The outputs of the resulting classifiers
are combined using a weighted majority voting procedure.
As the input, learn++ requires a data set sampled from
a database D, a weak learn base classifier and an integer
specifying number of iterations to be performed. It performs
complex calculations and generates a final hypothesis H
which can be used for prediction. As stated in the published
paper, ”Learn++ guarantees convergence on any given training
data set, by reducing the classification error with each added
hypothesis”. Interested reader can find more details in paper
[1]. The choice of learn++ is justified as according to paper
[9]. It provides a very good accuracy over large datasets
having either large number of features and classes or small
number of features and classes. Moreover, it does not need to
store previous data which makes it suitable for low storage
devices.
A. General Approach
Initially, a classifier model is trained over the pre-
accumulated data set and kept at each node. Let Nbe the total
number of nodes in the network and ith be the node at which
the packet/request arrived. The algorithm works as follows:
• Packet/Request arrives at ith node.
• i relays the request to m neighbour nodes and applies the
classifier to the received instance.
• Requested neighbours return the probabilities obtained
according to their classifiers to i
• i makes the decision based on weighted average of proba-
bilities received from different peers and own prediction.
• The results are displayed.
• The weights of those nodes that were questioned are
readjusted using the formula given in (1) and (2).
• Readjusted weights are relayed to neighbours which
further relay the weights. Thus the weights reach to all
the nodes over the network.
• i stores the received instance in the database and when a
sufficient number of instances are accumulated in a batch,
learning algorithm is again applied. Thus over a period
of time different nodes have their own classifier different
from others.
Fig. 1 shows the process flow through a flow diagram.
Fig. 1. process flow diagram
5
B. Learning
• The learning algorithm used is Learn++ [1] incremental
learning algorithm with neural network as the base weak
classifier.
• Whenever sufficient number of new instances are accu-
mulated the model is re-trained.
C. Selection of neighbour
• The m number of neighbours, where m should be much
less than N, are selected randomly. The random selection
is a weighted random selection so that same nodes are
not selected each time.
• The weights in random selection are calculated based on
the distance in the network and the predictive weights of
individual nodes.
• The neighbours to be requested are selected beforehand
i.e. after the decision making process is finished, the
neighbours for next time are selected to overcome the
overhead of neighbour selection procedure when packet
arrives.
D. Updating the weights
As discussed, the decision making over the returned proba-
bilities requires weights therefore, the updating of weights is
one of the crucial steps. The following operations occur at the
ith i.e. the requesting node:
• Initially, all the nodes are given a constant weight, say
Winit .
• If a node does not return any value, its weight is set to
zero.
• Otherwise weights are updated as:
 : error tolerance f actor
α, β : weight control parameters
v : agreed value
ci : proposed probability value
If : |v − ci | <= 
W i = W i + α ∗ e−x/ (1)
−x/
else : W i = W i − β ∗ (e − e) (2)
• Equation (1) denotes the updating of weights in case if the
error in prediction is lesser than or equal to the tolerance
factor.
• Equation (2) denotes the updating of weights in other
case.
• The values of α and β are to taken in the orders of /10
and /100 respectively. This helps to maintain the change
of weights effectively rewarding and penalizing the nodes
but at the same time keeping in mind that the weights are
not changed too drastically for each unit error.
• If a node recovers after failure, it needs to sync the set
of weights from its neighbours.
E. Consensus
Once the weights are updated, they are propagated to the
neighbours. Each weight update message contains an epoch
number to identify the current epoch. The message is signed
by the node which sends the update message and the message
includes only weights that are needed to be updated along
with the IDs of nodes to which the respective updated weights
belong.
• When a node receives a weight change message, it checks
the signature.
• If the signature is valid the node further broadcasts the
message to its neighbours.
• If message contains ID of any node then node then before
updating its own weight, it checks if it sent the prediction
to the node from which update message originated and
epoch number is greater than its own epoch number, if
so, it updates it own weights.
• If not so, it rejects the message and do not propagate
it further, as it shows something malicious is going on.
Rather, in former case when the node did not sent the
prediction but the weight update message contains its ID
and new weight, it broadcasts an alert message to indicate
to all nodes that something malicious has happened and Fig. 2. consensus diagram
every node should revert to the previous weights.
• Such an alert message contains ID of weight change
[2] Atay, İbrahim. (2018). Intrusion Detection with Probabilistic Neural
message and its epoch number so if some node already Network (PNN) - Comparative Analysis.
updated the weights they should revert back or if not [3] Sen, Jaydip. ”An intrusion detection architecture for clustered wireless
updated yet, they should discard the message. ad hoc networks.” Computational Intelligence, Communication Systems
• Each nodes need to keep a few previous set of weights and Networks (CICSyN), 2010 Second International Conference on.
IEEE, 2010.
so that the changes ca be undone.
[4] C.R. Lin, M. Gerla, “Adaptive clustering for mobile wireless networks”
In this way, every node in the network reaches consensus. Fig. IEEE Journal on Selected Areas in Communications, Vol. 15, No. 7,
2 explains the process in a simple way. September 1997, pp. 1265-1275.
[5] W. Farmer, J.Guttman, and V. Swarup. “Security for Mobile Agents:
V. C ONCLUSION Authentication and State Appraisal”, Proc. of the European Symposium
Machine learning and data mining techniques have been on Research in Computer Security (ESORICS), LNCS, September 1996.
used extensively in developing anomaly based intrusion de-
[6] S. OUIAZZANE, M. ADDOU and F. BARRAMOU, ”A Multi-Agent
tection systems and they have proved to be highly accurate in Model for Network Intrusion Detection,” 2019 1st International Con-
some scenarios. Combined with data science techniques, con- ference on Smart Systems and Data Science (ICSSD), Rabat, Morocco,
cepts of decentralization and distributed systems have helped 2019, pp. 1-5.
in building robust and accurate systems dealing with some [7] Michel Toulouse, Bùi Quang Minh and Philip Curtis.”A consensus based
network intrusion detection system” 2015 5th International Conference
inherent problems of centralized systems. Since the demand on IT Convergence and Security (ICITCS).
of such systems is ever increasing, systems with high accuracy, [8] N. A. Lynch, Distributed Algorithms. San Francisco, CA, USA: Morgan
robustness and ability to deal with large data are welcomed Kaufmann Publishers Inc., 1996.
into the industry. We have proposed a solution to build such a [9] Losing, Viktor & Hammer, Barbara & Wersing, Heiko. (2016). Choosing
the Best Algorithm for an Incremental On-line Learning Task.
system using concepts of consensus and incremental learning
[10] Krishnan Subramanian, Sachin Senthilkumar and Balasubramanian Thi-
algorithm which eliminates certain issues of batch learning agrajan. (2016). Intelligent Intrusion Detection System using a Commit-
and centralized systems. Also, the proposed solution is simple, tee of Experts.
lightweight yet effective though the network latency may be [11] Lukas Iffländer, Jonathan Stoll, Nishant Rawtani, Veronika Lesch, Klaus-
a downfall to the proposed solution when tested in the large Dieter Lange and Samuel Kounev. (2019). Performance Oriented Dy-
namic Bypassing for Intrusion Detection Systems.
network.

R EFERENCES
[1] R. Polikar, L. Upda, S. S. Upda and V. Honavar, ”Learn++: an in-
cremental learning algorithm for supervised neural networks,” in IEEE
Transactions on Systems, Man, and Cybernetics, Part C (Applications
and Reviews), vol. 31, no. 4, pp. 497-508, Nov. 2001.