Int. J. Communications, Network and System Sciences, 2010, 3, 303-310
doi:10.4236/ijcns.2010.33039 blished Online March 2010 (
Copyright © 2010 SciRes. IJCNS
Self-Organized Detection of Relationships in a Network
Qurban A. Memon
EE Department, College of Engineering, UAE University, Al Ain, UAE
Received December 20, 2009; revised January 24, 2010; accepte d F ebruary 26, 2010
Multistate operations within a network result in high-dimensional, multivariate temporal data, and are useful
for systems, which monitor access to network entities like resources, objects, etc. Efficient self organization
of such multi-state network operations stored in databases with respect to relationships amongst users or be-
tween a user and a data object is an important and a challenging problem. In this work, a layer is proposed
where discovered relationship patterns amongst users are classified as clusters. This information along with
attributes of involved users is used to monitor and extract existing and growing relationships. The correlation
is used to help generate alerts in advance due to internal user-object interactions or collaboration of internal
as well as external entities. Using an experimental setup, the evolving relationships are monitored, and clus-
tered in the database.
Keywords: Relationship Network, Network Access, Self-Organization in Networks, Relationship Clustering
1. Introduction
Communication started to grow due to several factors in
nineties, firstly, due to privatization and deregulation;
secondly, due to penetration of mobile phones into the
society; thirdly due to emergence of wavelength division
multiplexing; and fourthly due to private companies en-
tering into Internet business [1]. This growth has been hit
by Internet bubble burst that took place during 2001 to
2002. As recovery in telecommunication industry has
recently been witnessed, a new paradigm of ubiquitous
networking has emerged that is expected to change the
scene of computing. This concept is creating new net-
work topologies and relationship networks.
The network of the future can also be visualized as we
see the industry transitions today like from static markets
to dynamic fast-paced innovations; low speed to high
speed; divergence to convergence; local to global; fixed
to mobile; sometimes to always-on; one medium to mul-
timedia; and from distinct to bundled etc. [2]. The intel-
ligence is moving from centers to edges, where key tech-
nology developers are surfacing in the area of tagging-
things, sensors, smart technologies, and nano-structures.
The edges of the market include users, devices at user
level and the applications riding on them. The growth of
such technologies is going to affect the business and the
ways of doing businesses.
The ubiquitous networking, tagging, nano-structures,
etc. is also enriching the concept of mobile networking.
A mobile ad hoc network (MANET) [3] provides a com-
munication environment that is characterized by dynamic
changes in the topology and in the availability of re-
sources. In chaining partnerships and collaborations
within this environment, various access control models
have been proposed. The Enterprise Dynamic Access
Control (EDAC) model [4] is based on basic principles
of role based access control (RBAC) published by Na-
tional Institute of Standards and Technology (NIST) [5],
and accommodates complex and scalable access control
situations with pre-configured conditions. The model
criterion for resource access is based on user characteris-
tics and environmentals. As collaborations among the
participants of an ad hoc network cannot be set up,
therefore there is a need for explicit specification of poli-
cies for each activity. This accounts only for relation-
ships set within an access control model; but it is natural
that users, computing nodes and devices do communicate
with other users or objects in a user space or outside their
specified domain occasionally and continually.
Thus, new concepts in networking and corresponding
access technologies have triggered a great interest in
study of possible new forms of relationships in networks.
Typical applications include network access detection,
frequency of use of each resource, tracking use of re-
sources, user relationships, etc.
In order to model evolving relationships and build re-
lationship clusters from such databases, neural networks
can be investigated as they have been reported to be
flexible, fault tolerant, robust, and can solve difficult pro-
blems [6]. The learning/training features of neural net-
works in absence of a supervisory role may be used to
model relationship clusters. Unsupervised learning in the
neural network helps in finding energy minima and is
therefore more efficient with pattern association. Obvi-
ously, the disadvantage is that it is then up to the user to
interpret the output.
The Self-Organizing Map (SOM) with its related ex-
tensions has been the most popular artificial neural algo-
rithm for use in unsupervised learning and data visuali-
zation. There are quite a few types of self-organizing
networks, like the Instar-Outstar network, the ART-se-
ries, and the Kohonen network [7]. The Kohonen net-
work is probably the best example, because it is quite
simple and introduces the concepts of self-organization
and unsupervised training easily. It provides an ordered
display of data to facilitate understanding of the struc-
tures in the data and illustrates clustered density in the
input space case temporally and sequentially.
In the next section, the related research works found in
the literature regarding detection of network accesses are
2. Related Work
A lot of research work has recently been reported in the
area of access control in network operations of field units.
The primary target has been detection of intrusions in the
form of events and development of computer audit data.
In [8], the authors present studies for detecting intrusions
into the information system, using frequency property of
multiple audit event types for a given sequence of events.
In another work [9], the authors present an algorithm for
monitoring of frequent items in a distributed data stream
environment, with advantages claimed as reduced com-
munication cost and overall quality of output. The human
signatures have also been investigated in [10] for intru-
sion detection. The respective authors consider signature
based detection techniques and investigate the ability of
various routing protocols to facilitate intrusion detection
when attackers are completely known. In the research
works [8–9] stated above, the main idea has been to iden-
tify the relationship in the form of intrusion after it has
taken place.
The authors in [11] present a survey on the state of the
art work in intrusion detection in mobile ad hoc network
and conclude that schemes that would be distributed and
collaborative are more likely to succeed in intrusion de-
tection. In a similar work [12], the authors investigate the
placement of modules for misuse detection in ad hoc
networks and propose a family of algorithms that ap-
proximate the optimal solution, with resource consump-
tion tradeoffs. The Dempster-Shafer theory has also been
investigated in [13] in the context of intrusion detection
in networks and respective authors discuss its usefulness
in distributed networked environment. In the research
works [11–13], the main target has been the distributed
environment and the placement of sniffers in order to
monitor the data for subsequent analysis.
Regarding data classification and self-organization, a
lot of research has been reported in open literature, and
many commercial projects employ the SOM as the tool
for solving hard real-world problems [14–15]. The au-
thors in [16] suggest a method for clustering time vary-
ing data by using self-organizing maps, by introducing
dissimilarity measures for capturing the temporal struc-
ture of the data in a simple topology preserving model. In
another work [17], a temporal extension of the Self-Or-
ganizing Map (SOM) is presented by authors, where the
network learns local representations of the temporal con-
text associated with a time series, and extends classical
properties of SOM to time. The authors in [18] discuss
self-organizing models that provide valuable tools for
data mining, clustering and visualization. In that, they ext-
end basic vector-based models by recursive computation
to process sequential and tree-structured data directly.
In [19], the authors present an approach to build an
associative classifier composing consistent rules, and
have shown the effectiveness of such classifiers over
traditional classifiers in several datasets. The clustering
within an application other than network has also been
investigated in [20], where the authors discuss knowl-
edge discovery (in melanomas domain) using combina-
tion of clustering and generalization to indentify groups
and build general descriptions of respective clusters.
In summary, many approaches were found in literature
for detection of network access (either online or offline),
but objectives set for such works were either intrusion
detection or subsequent analysis for audit purposes. In
this work, the study and analysis of evolving relation-
ships formed during multi-state operations within a net-
work is the main focus.
The Section 3 discusses modeling of relationships and
the proposed scheme. In Section 4, experimental setup is
discussed to implement the proposed algorithm. For pur-
poses of simplicity and training, the Kohonen network is
embedded in the model for developing classification and
identifying evolving relationships in a network. The Sec-
tion 5 presents comparative discussions followed by con-
clusions in Section 6.
3. Proposed Approach
In order to understand relation between participating
devices or nodes, it is desirable that a mathematical rela-
tion among features or attributes of participating nodes
or devices be defined. Let X be a set of features, and R be
a relation. Then
Ry iff x and y satisfy following con-
ditions [21]:
Copyright © 2010 SciRes. IJCNS
Q. A. MEMON 305
( ) ( )
XxRx (1)
( , ) (if , then )
yX xRyyRx (2)
( , ) (if , then )
y XxRyyRzxRz  (3)
Therefore, R is called an equivalence on X iff R obeys
reflectivity, symmetry, and transitivity. In other words,
the features of nodes and devices stored in databases may
have relation if they satisfy reflectivity, symmetry, and
transitivity. Further, equivalence clause of an element
may be defined as follows [13]:
, { | }aX axXxRa
 (4)
Properties of Relation R:
Let R be an equivalence relation on X, such that:
, (if , then )abXaR bab
 
, (if , iff )abXaR bab 
where [ai] and [aj] are pair wise disjoint subsets of X. We
can narrate here an example of relation R on modular
arithmetic as follows:
Consider X = Z, where x, y Є Z; n Є N (and is fixed), n
> 1. If
iff |() .., divides ()
Rynx yienx y (8)
then R is reflective, symmetric, and transitive. This rela-
tionship is examined further in the next section, once
sample user activities in the form of attributes of each
node are considered for relationship detection.
3.1. Relationship Network
Relationship network analysis concerns itself with meas-
uring of relationships and flows among different meas-
urements of attributes [22]. Once a database containing
attributes or features of participating devices is devel-
oped, relations among attributes can be developed. Thus,
it is possible to model such an analysis as a relationship
network, as each individual activity measurement of the
device is an entity and their interactions or interactions
between users and data objects imply relationships and
flows. Such relationship networks can provide a mathe-
matical analysis of relationships in an expert system, yet
visual representations are often easier to comprehend.
The relationship network can be modelled as a graph,
consisting of a set of nodes and edges, where each node
represents a device or a data object and an edge repre-
sents a relationship between a pair of such entities, as
shown in Figure 1. The Figure 1 represents network
relationship among six entities (p1, p2,., p6) within a net-
work. Some of them are derived from others, in that
some relationships are prerequisite to others which may
further be termed as consequence. The connection be-
tween any two entities is weighted, and the weighted link
may be termed as an edge of the relationship. The edge
can be strong or weak depending on the value of corre-
sponding weight. Once this strength is correlated with a
threshold, it may be defined as: the higher the value of
this weight, the stronger the link and hence stronger the
Based on correlation, the relationships can be exploite-
d to develop clusters of similar and close attributes. The
correlations may further be used to generate triggers or
alerts once new instances of relationships are sensed and
correlated with these clusters. The question that needs to
be addressed is how such a relation is to be inferred and
how many such instances are needed for ensuring confi-
dence that a stronger relationship has occurred between
users or between a user and a data object. In the follow-
ing section, this is further investigated.
3.2. Modeling Relationship in a Network
Modeling or discovering a new relationship has been an
open problem. Generally, a threshold is deemed neces-
sary to trigger an alert before new relationship amongst
users or between a user and a data object affects the sys-
tem. In order to understand this, consider the example of
an intrusion detection system where port scan, buffer
overflow are considered as attacks and corresponding
messages from intrusion detection system are called as
alerts. An alert correlation system with a known model
database, which uses the correlation technique based on
a-priori knowledge, clusters the alerts that act as a pat-
tern defined in the model database. The matching thresh-
old is used to generate an alert. Let us classify this alert
typically as Orange_alert (O_alert). This type of model-
ing may be illustrated as shown in Figure 2.
Since the models in the database are limited to known
patterns, hence the new pattern of relationship is differ-
ent from a-priori knowledge based alert correlation. The
Figure 1. A simple relationship network.
opyright © 2010 SciRes. IJCNS
Copyright © 2010 SciRes. IJCNS
Figure 2. Alert correlation based on known patterns.
alerts based on discovery of new relationships can help
to solve this problem. For this, the strength and rising
process of the new relationship may be used to define the
threshold for triggering the tolerance mechanism of the
Relationship Detection System (RDS). This seems ra-
tionale as the rising process of achieving new strengths
in relationships on the network increases the vulnerabil-
ity of the targeted system.
To understand this further, an example of an unau-
thorized file access may be phrased as: getting knowl-
edge of the service port of the address getting the
root access installing the components to access the
file get the file. There is a logical relationship be-
tween two capability states. For example, if C0 = {src,
trgt, sniff, address, content, Anne} and C1 = {src, trgt,
sniff, all addresses, content, [Anne, Bill]}, this means C0
can be logically inferred from C1.
In order to model this rising process of achieving new
strength in relationship, consider a node/device which is
trying to access an object in a network. The capability of
the developing relationship may be described as a
six-tuple, as follows:
It can be inferred that every relationship is related to
two capability states: one is prerequisite state providing
the necessary strength for a new relationship, and the
other the consequence state, which includes the new
achieved strengths. This, in turn, raises a new concept of
an alert which embeds existing alert level, prerequisite
state and the consequence state. This new alert may be
classified as Yellow alert (Y_Alert), and defined as a
{,,,,,} Capabilitysrc trgtactn srvcprprty crdntls (9)
where capability describes the initiator (source ~src) of
the relationship to perform an action (~actn) on the
property (~prprty) of the service (~srvc) with given cre-
dentials (~crdntls) on the target (~trgt) destination. In
order to illustrate this, a state transition diagram can be
used where edges are new relationships and nodes are
new capabilities. This is shown in Figure 3, where Co is
the initial capability state. After a relationship Ri is
formed, a new strength Si is achieved. Looking at Figure
3 as an example, the union of C1, C2 and C3 is the
pre-requisite to new relationship R4. After R4 is formed,
a new strength is achieved and reaches capability state
C4. Thus, a capability state has a prerequisite before a
new relationship can be formed. This gives rise to new
relationships and capability states. Thus, this may form a
chain of relationships, one derived from the preceding
one and so on, in a temporal fashion.
Y_Alert (YA)=(Alert,Prerequisite,Consequence) (10)
where Alert is a four-tuple message from RDS and it
carries four information components: name, time, sour c e,
target. The name is name of the relationship that triggers
this alert, time = (begin, end) of the relationship, source
and target are net addresses of the relationship entities;
Prerequisite includes prerequisite capability of the alert,
and Consequence is the current capability state after alert
is finished. To find new relationship patterns, alerts are
transformed into Y_Alerts, then correlated into a new
relationship incident to uncover logic relations. The
Y_Alerts can be listed along with their capabilities states
and corresponding timing ranges. This helps in correlat-
ing Y_Alerts with Meta-Relationship (R), and thus new
relationships can be discovered and ultimately stored in
the database. This Meta-relationship triggers another
level alert, say Red_Alert (RA), and is defined as a three-
R_Alert ‘RA’ = {set_R, set_C, Time} (11)
where set_R is the set of correlated Y_Alert, set_C is the
set of the capabilities of all consequences of the Y_alert,
Time is begin_time and end_time of these Y_Alerts.
Meta relationship R resulting in R_Alert can be easily
proved that it is a partial relationship. For this, it can be
Figure 3. State transition based on new relationships and
Q. A. MEMON 307
easily seen that they do not follow Equation (1) and (2).
For reflectivity, it can be easily verified that end_time of
YA1> begin_time of YA1 and the reverse is not true, if
YA1 ε R. For symmetry, it is also easy to see that YA2 is
derived from the other YA1 and the converse is not true.
Based on these Y_Alerts and Meta-relationship “R”,
an experimental model for alert correlation and generat-
ing Red Alert ‘RA’ is depicted as shown in Figure 4.
The Figure 4 shows a self-evolving model for relation-
ship correlation and detection. The alerts are correlated
and the ones which exist in the database are reported as
existing relationship incidence. This step reduces a
greater number of alerts for modeling of relationships in
the network. In the second step, the isolated alerts are
correlated with Meta-relationship ‘R’. If correlated, the
Meta- relationship is reported as R_Alert and termed as a
new relationship. After that, it is described in the data-
base. The setup illustrated in Figure 4 may be summa-
rized in an algorithm as follows:
Relationship Detection Algorithm: After an alert is
sensed, the following sequence of events takes place:
1) If there is an existing Red_Alert ‘RA’, whose set_C
contains consequence of new YA, go to step “g”, else go
to step “b”.
2) If prerequisite of ‘YA’ is empty go to step “e”, else
go to step “c”.
3) If there is a Red_Alert ‘RA’ and union of capability
of RA’s set_C implies prerequisite of ‘YA’, go to step
e”, else go to step “d”.
4) If there are some meta-relationships existing and
the union of the set_C of these meta-attacks implies the
prerequisite of YA, then combine these
meta_relationship to a new Red_Alert RA, go to step “e”,
else go to step “f ”.
5) If the union of set_C of the newly combined
meta-relationship ‘R’ implies consequence of YA, go to
step “g”, else go to step “f ”.
6) Let YA join the red_alert ‘RA’, put YA into RA’s
set_R and let consequence of RA join set_C, determine
RA’s time stamp. Break
7) Discard false alert YA; go to ‘a’ to deal with next
yellow alert ‘YA’.
In the next section, an experimental setup is described
to simulate the discovery and clustering of relationships
developed in a local area network.
4. Experimental Setup
A typical local area network was selected with about five
hundred and fifty user accounts. The accounts were
grouped into five categories of access (i.e. credentials)
on the network. These categories were ‘administration’,
‘faculty’, ‘student’, ‘staff’, and ‘public’. The actions sup-
posed to be carried through these accounts during net-
work access involved five different types of actions on
twelve different target hosts or servers. The actions in-
volved were ‘create’, ‘modify’, ‘read’, ‘delete’, and ‘not
available/unauthorized’. The target hosts were centrally
placed in a room. The service available on different tar-
get hosts contained files and programs. The objective
was to examine the network setup vis-à-vis Figure 4,
usi- ng the procedure outlined in the algorithm described
in the previous section.
Based on this information, six-tuple data was gener-
ated using Equation (9) for any user access. A data map-
ping followed that coverts these tuples to numerical val-
ues to train the network. The time stamp was added to
make it to seven-tuple data to show evolution of the rela-
tionships during run time. These data values enable
self-organizing feature of Kohonen network to allow data
values to be mapped onto a two-dimensional plane with
similar data residing in closer proximity.
The architecture of such a network can be reduced to
two key issues: input layer and output layer [14]. The
number of input nodes (say 7 based on source address,
time stamp, target, service, property, action, credentials)
equals the dimension of the input vector. The output lay-
er processes the input data and gives an output. The num-
ber of output nodes determines the maximum number of
Figure 4. Relationship measurement & description model.
opyright © 2010 SciRes. IJCNS
clusters to be found. Each neuron (node) in the output
sheet has a location in the configuration and represents a
cluster, or alternatively a set of common features.
The proposed system uses Kohonen Self Organizing
Maps (SOM) to plot a matrix of the available data. This
is a two dimensional plane containing 1024 cells (32x32
plot). The size of 32x32 clusters is arbitrary (although
above than required number of clusters adequate for pos-
sible relationship clusters in a typical local area network)
and has been selected only for experimental purposes.
Activity on the network was monitored for users on a
full working day. The period of network activity for a
typical user ranged from few minutes to less than sev-
enty minutes.Out of five hundred and fifty user accounts,
one hundred and eighty–five users accessed the network
at different times. The mapped values for these users
accumulated in a database were processed to train the
SOM network to generate capability clusters.
Once built, the SOM takes the data from the database
and decides the position of a user entity or the source of
activity in the network based on the attributes attached to
it. It contains 32 × 32 output nodes along with input
nodes, hence total of (7 × 32 × 32 ) 7168 weights of the
network were updated each time an input pattern (i.e.,
seven-tuple data) was presented for training. This proc-
ess continued till convergence of its training algorithm.
The algorithm used for training of the network typically
undergoes the following steps [14]:
Define input value range
Present an input pattern (i.e., twenty data values)
Compute distance between input and weight, and
sum them
Select the output node with minimum distance – this
is the node that is closest to the input vector
Alter weights for the closest node (and its neigh-
bours) so that it is even nearer to the input vector.
Go to step 2 until convergence is achieved.
Effectively, this training algorithm is very simple, fol-
lowing a familiar equation:
(iiwjk xw (12)
where k is the learning coefficient, x is input pattern, wij
is weight in two dimensions, and wij is the change in
the weight. So all neurons in neighbourhood (say N) to
neuron xd0 (i.e., the one with minimum distance) have
their weights adjusted. The adjustment of k and N is an
area of much research, but Kohonen suggested splitting
the training up into two phases. Phase 1 reduces down
the learning coefficient from 0.9 to 0.1 (or similar val-
ues), and the neighbourhood reduces from half the di-
ameter of the network down to the immediately sur-
rounding cells (N = 1). Following that, phase 2 reduces
the learning coefficient from perhaps 0.1 to 0.0 but over
double or more the number of iterations in phase 1. The
neighbourhood value is fixed at 1. It was seen that the
two phases allow firstly the network to quickly ‘fill out
the space’ with the second phase fine-tuning the network
to a more accurate representation of the space. The re-
sulting output diagram may be visualized showing clus-
ters, evolving as time progresses. The examples of typi-
cal clusters include each user accessing the network,
each object to be accessed on the network, each targeted
host, each action, each service, and each credential of the
user, etc.
This part of the experiment did not involve any corre-
lation as there were previously, in fact no capability clus-
ters present in the database. Rather, this activity filled up
the database with relationship description, to the extent
of entering second part of the activity where correlation
is to be examined and database is to be enriched with
new relationships. This part of the experiment is also con-
sidered equivalently as setting threshold for correlation.
For the second part of the experiment, the network was
monitored for second and third day of the experiment.
This enabled to see most of the users accessing the similar
objects on the network, thus generating an alert. In this
part of the experiment, a total of seventy (70) new users
were identified, and thus relationships were described in
the database, and clusters created onto the map.
A visualization application was added to the network
(with the database) to enable analysis of emerging in-
formation from these activities, as access to the network
evolves. The double click, for example on an object clu-
ster shows data from the database, about how many users
accessed it with respective credentials and actions with
respect to time. Though, it was visualized in real time
through alerts. In another example, a user access along
with its credential was monitored in real time with a
range of objects accessed on a particular host with re-
spective actions. In each instance, respective alert gener-
ated was observed.
5. Comparative Discussion
The clustering approach proposed in this work is simple
and addresses the objectives for real time notification of
(registered) alerts and enriches the database with evolv-
ing relationships.
An important component of network policy in many
commercial environments is separation of duty and
monitoring of network traffic for network management
purposes. Nowadays, many networks deploy policy
based access to the network to implement separation of
duty. The role based access control (RBAC) model [5]
provides a conceptual framework for implementing a
role based activity in a policy. However, it does not de-
tect an evolving capability of the user growing beyond its
legitimate strength or access limits. This weakness is
Copyright © 2010 SciRes. IJCNS
Q. A. MEMON 309
generally found in networks, when the status of a (pri-
vate & secured) object on the network that is being ac-
cessed, modified or deleted by a user exceeding one’s
role. The approach in this work identifies the relation-
ships while they are evolving or in other words the object
contents are to be accessed. Such a weakness in the sys-
tem deploying only RBAC may be addressed using the
proposed approach by setting role of the respective ac-
count with objects on the targeted hosts. The threshold is
set accordingly to generate alert. Thus, the system gets
added capability.
In fact, the proposed model provides a self-adaptable
approach to trigger the tolerance level of the system. The
six-tuple capability data is user-defined and may replace
source with an IP address by its role; or capability may
even be increased beyond six-tuple by adding role of the
user entity to existing six-tuple data. This tends to in-
crease the number of clusters and in turn strengths the
correlation process of the system.
The other examples of undetected activities include
access to the object by interaction of (internal or external)
users, etc. This situation may be addressed using our
approach, as described in Equation (10), and outlined in
the algorithm. In other words, the evolving relationship
between the user and the object is alerted during the cor-
relation stage, earlier than it takes place.
The proposed approach is independent of many con-
straints. At a centralized place, it provides a real time
discovery of evolving relationships amongst users or
between users and network object. The proposed ap-
proach can also be easily embedded in distributed envi-
ronments to trigger alerts before systems become vul-
nerable to attacks. In that case, a modification may be
suggested such that the six-tuple capability data would
be provided by distributed sniffers rather than a set of
closely and fixed-placed sniffers.
There are many correlation algorithms available in the
literature like [19,20], which may be used in conjunction
with our proposed approach.
6. Conclusions and Future Work
The proposed model for detecting relationships is highly
customizable as it is dependent on capability model
which is user defined. The approach may be independ-
ently deployed or used in conjunction with existing ap-
proaches, for example, intrusion detection. The database
evolves with time as new relationships are discovered
and capabilities are formed as clusters. The detection of
relationships may be done using network sensors or
sniffers by reading the network packets. Two stages of
correlation are performed; first one detects using cluster
knowledge compared with capability of the entity; the
second stage meta-correlation enables enriching of net-
work database by identifying new relationships. As more
and more events are registered, lesser becomes the prob-
ability of finding new patterns of relationships and easier
becomes the job of the network management.
As a future work, we intend to modify some parame-
ters of the clustering: first we want to confirm the rele-
vance of the pattern with role based access and set the
threshold to initiation of possible new relationship; sec-
ondly we want to develop distributed monitoring of these
relationships and observe frequency of such events to
discover new associations within the data.
7. Acknowledgement
This work was financially supported by the Research
Affairs at the UAE University under a contract no.
8. References
[1] T. Shinohara, “Ubiquitous network vision for new
growth,” ITU Telecom Report, 2003.
[2] L. Srivastava, “The network of the future: What is over
the horizon,” Billing Asia 2006, Shanghai, China, 13
March 2006.
[3] Y. Zhang and W. Lee, “An integrated environment for
testing mobile ad-hoc networks,” Proceedings of 3rd
ACM Symposium on Mobile Ad Hoc Networking and
Computing (MobiHoc), June 2002.
[4] R. Fernandez, “Enterprise dynamic access control (EDA
C) case study,” CS1/06-0078 Project, United States Navy,
March 2006.
[5] National Institute of Standards and Technology-RBAC.
[6] D. Hammerstrom, “Neural networks at work,” IEEE
Spectrum, pp. 2632, June 1993.
[7] Aleksander, et al., “An Introduction to neural comput-
ing,” Chapman and Hall, 1990.
[8] N. Ye, X. Li, Q. Chen, S. Emran, and M. Xu, “Probabil-
istic techniques for intrusion detection based on computer
audit data,” IEEE Transactions on Systems, Man, and
Cybernetics-Part A: Systems and Humans, Vol. 31, No. 4,
pp. 266274, 2001.
[9] R. Fuller and M. Kantardzic, “Distributed monitoring of
frequent items,” Transactions on Machine Learning and
Data Mining, Vol. 1, No. 2, pp. 6782, 2008.
[10] F. Anjum, D. Subhadrabandhu, and S. Sarkar, “Signature
based intrusion detection for wireless ad hoc networks: A
comparative study of various routing protocols,” IEEE
Vehicular Technology Conference, Orlando, FL, Vol. 58,
pp. 2152–2156, 69 October 2003.
[11] A. Mishra, K. Nadkarni, and A. Patcha, “Intrusion detec-
tion in wireless ad hoc networks,” IEEE Wireless Com-
munications, pp. 4860, February 2004.
opyright © 2010 SciRes. IJCNS
Copyright © 2010 SciRes. IJCNS
[12] D. Subhadrabandhu, S. Sarkar, and F. Anjum, “Efficacy
of misuse detection in ad hoc networks,” Proceedings of
the Annual IEEE Communications Society Conference
on Sensor and Ad Hoc Communications and Networks,
pp. 97107, 2004.
[13] T. Chen and V. Venkataramanan, “Dempster-Shafer the-
ory for intrusion detection in ad hoc networks,” IEEE
Internet Computing, pp. 3541, December 2005.
[14] T. Otto, A. Meyer-Baese, M. Hurdal, D. Sumners, D.
Auer, and A. Wismuller, “Model-free functional MRI
analysis using cluster-based methods,” Proceedings of
SPIE, Vol. 5103, pp. 1724, August 2003.
[15] S. Przylucki, W. Wojcik, K. Plachecki, and T. Golec, “An
analysis of self-organization process for data classifica-
tion in multisensor systems,” Proceedings of SPIE, Vol.
5124, pp. 325332, September 2003.
[16] P. D’Urso and L. Giovanni, “Temporal self-organizing
maps for telecommunications market segmentation,”
Neurocomputing, Vol. 71, pp. 28802892, 2008.
[17] T. Voegtlin and P. Dominey, “Recursive self-organizing
maps,” Neural Networks, Vol. 15, No. 89, pp. 979991,
[18] B. Hammer, A. Micheli, A. Sperduti, and M. Strickert,
“Recursive self-organizing network models,” Neural
Networks, Vol. 17, No. 89, pp. 10611085, 2004.
[19] Y. Shidara, M. Mineichi Kudo, and A. Nakamura, “Clas-
sification based on consistent itemset rules,” Transactions
on Machine Learning and Data Mining, Vol. 1, No. 1, pp.
17–30, 2008.
[20] A. Fornells, E. Armengol, E. Golobardes, S. Puig, and J.
Malvehy, “Experiences using clustering and generaliza-
tions for knowledge discovery in melanomas domain,”
Transactions on Machine Learning and Data Mining, Vol.
1, No. 2, pp. 4965, 2008.
[21] K. Rosen, “Discrete mathematics and its applications,”
4th Edition, McGraw-Hill Publishers, 2000.
[22] V. Krebs, “Introduction to social network analysis,” 15
January 2007.