the derivative has no effect on the weight update. The size of the weight change is determined by a separate update value. The update value for each weight and bias is increased by a factor whenever the derivative of the performance function with respect to that weight has the same sign for two successive iterations. The update value is decreased by a factor whenever the derivative with respect to that weight changes sign from the previous iteration. If the derivative is zero, then the update value remains the same. Whenever the weights are oscillating, the weight change will be reduced. If the weight continues to change in the same direction for several iterations, then the magnitude of the weight change will be increased [17].
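The update rule described above (the scheme usually called resilient backpropagation, Rprop), as an added example that is not code from the paper. The function names, the factors 1.2 and 0.5, the initial update value 0.1 and the clamping bounds are assumptions, since the text does not give them.

```python
def sign(x):
    """Return -1, 0 or +1."""
    return (x > 0) - (x < 0)


def rprop_minimize(grad_fn, w0, steps, delta0=0.1, inc=1.2, dec=0.5,
                   delta_min=1e-6, delta_max=50.0):
    """Sign-based weight update: only the sign of each partial derivative
    of the performance function is used, never its magnitude.

    grad_fn(w) returns the list of partial derivatives at w.
    Returns the final weights and the per-step history of update values.
    All default parameter values are assumed, not taken from the paper.
    """
    w = list(w0)
    delta = [delta0] * len(w)   # one update value per weight/bias
    prev = [0.0] * len(w)       # derivative from the previous iteration
    history = []
    for _ in range(steps):
        grad = grad_fn(w)
        for i, g in enumerate(grad):
            agreement = g * prev[i]
            if agreement > 0:
                # Same sign twice in a row: take a larger step.
                delta[i] = min(delta[i] * inc, delta_max)
            elif agreement < 0:
                # Sign flipped (oscillation): take a smaller step.
                delta[i] = max(delta[i] * dec, delta_min)
            # agreement == 0: update value stays the same.
            w[i] -= sign(g) * delta[i]
            prev[i] = g
        history.append(list(delta))
    return w, history


if __name__ == "__main__":
    # Constructed 1-D performance function f(w) = w^2, derivative 2w.
    # Starting at 0.05 the first step overshoots, the sign flips, and the
    # update value is halved; the third derivative is zero, so it is kept.
    w, hist = rprop_minimize(lambda w: [2 * w[0]], [0.05], 3)
    print(w, hist)
```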

### 2.2 Support Vector Machines (SVMs)

The SVM approach transforms data into a feature space F that usually has a huge dimension. It is interesting to note that SVM generalization depends on the geometrical characteristics of the training data, not on the dimensions of the input space [18,19]. Training a support vector machine (SVM) leads to a quadratic optimization problem with bound constraints and one linear equality constraint. Vapnik shows how training an SVM for the pattern recognition problem leads to the following quadratic optimization problem [20].

$$\text{Minimize: } W(\alpha) = -\sum_{i=1}^{l} \alpha_i + \frac{1}{2} \sum_{i=1}^{l} \sum_{j=1}^{l} y_i y_j \alpha_i \alpha_j \, k(x_i, x_j) \tag{1}$$

$$\text{Subject to: } \sum_{i=1}^{l} y_i \alpha_i = 0, \qquad \forall i: 0 \le \alpha_i \le C \tag{2}$$

Where $l$ is the number of training examples, $\alpha$ is a vector of $l$ variables, and each component $\alpha_i$ corresponds to a training example $(x_i, y_i)$. The solution of (1) is the vector $\alpha^*$ for which (1) is minimized and (2) is fulfilled.

# 3 Intrusion Detection Data

In the 1998 DARPA intrusion detection evaluation program, an environment was set up to acquire raw TCP/IP dump data for a network by simulating a typical U.S. Air Force LAN. The LAN was operated like a real environment, but was blasted with multiple attacks [21,22]. For each TCP/IP connection, 41 various quantitative and qualitative features were extracted [11,23]. From this database, a subset of 494021 data were used, of which 20% represent normal patterns.

Attack types fall into four main categories, namely: (1) Probing: surveillance and other probing; (2) DoS: denial of service; (3) U2Su: unauthorized access to local super user (root) privileges; and (4) R2L: unauthorized access from a remote machine