Fuzzy Rule Interpolation and SNMP-MIB for Emerging Network Abnormality

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

It is difficult to implement an efficient detection approach for Intrusion Detection Systems (IDS), and many factors contribute to this challenge. One such challenge concerns establishing adequate boundaries and finding a proper data source. Typical IDS detection approaches deal with raw traffic. This traffic needs to be studied in depth and thoroughly investigated in order to extract the required knowledge base. Another challenge involves implementing the binary decision, because there are no reasonable limits between normal and attack traffic patterns. In this paper, we introduce a novel idea capable of supporting the proper data source while avoiding the issues associated with the binary decision. This paper aims to introduce a detection approach for defining abnormality by using Fuzzy Rule Interpolation (FRI) with Simple Network Management Protocol (SNMP) Management Information Base (MIB) parameters. The strength of the proposed detection approach is based on adapting the SNMP-MIB parameters to the FRI. This proposed method eliminates the raw traffic processing component, which is time consuming and requires extensive computational resources. It also eliminates the need for a complete fuzzy rule based intrusion definition. The proposed approach was tested and evaluated using an open source SNMP-MIB dataset and obtained a 93% detection rate. Additionally, when compared to other literature in which the same test-bed environment was employed along with the same number of parameters, the proposed detection approach outperformed the support vector machine and neural network. Therefore, combining the SNMP-MIB parameters with FRI based reasoning could be beneficial for detecting intrusions, even when the fuzzy rule based intrusion definition is incomplete (not fully defined).


💡 Research Summary

The paper addresses two persistent challenges in intrusion detection systems (IDS): the difficulty of defining crisp boundaries between normal and malicious traffic, and the computational burden associated with processing raw packet data. Traditional IDS approaches typically rely on raw traffic features and binary classifiers such as support vector machines (SVM) or neural networks, which require extensive preprocessing, feature engineering, and careful threshold selection. To overcome these limitations, the authors propose a novel detection framework that (1) uses Simple Network Management Protocol (SNMP) Management Information Base (MIB) parameters as the sole data source, and (2) applies Fuzzy Rule Interpolation (FRI) to reason about abnormality without needing a complete fuzzy rule base.

Data source – SNMP‑MIB:
SNMP‑MIB provides a set of management counters (e.g., ifInOctets, ipInReceives, tcpCurrEstab) that are periodically polled from network devices. These counters summarize traffic behavior at the interface and protocol layers, eliminating the need to capture and dissect individual packets. The authors selected 34 MIB variables from a publicly available dataset that includes both normal operation and five attack scenarios (DoS, Probe, R2L, U2R, etc.). Because MIB data are already aggregated, the collection overhead is low (under five seconds per polling interval) and the approach scales naturally to large networks.

Reasoning engine – Fuzzy Rule Interpolation:
Classical fuzzy inference systems require a rule for every possible combination of antecedent linguistic terms, which is impractical for high‑dimensional network data. FRI, specifically a Takagi‑Sugeno‑Kang (TSK) model, enables inference even when the input vector falls outside the region covered by the existing rule set. The method computes distances between the current observation and the antecedents of the available rules, then interpolates the consequent (a confidence score ranging from 0 to 1). This continuous output replaces a hard binary decision, mitigating the “gray‑area” problem where traffic exhibits mixed characteristics.
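A minimal end-to-end illustration of the pipeline described in the two sections above (MIB counters as the feature source, then interpolation of a sparse rule base into a continuous abnormality score), written here as an added example and not taken from the paper or from any project it describes. The MIB object names are real SNMP objects, but the polling values, the normalisation bounds and the rule antecedents and consequents are all constructed; the interpolation step is a plain inverse-distance weighting of rule consequents used as a stand-in for the TSK-based FRI the paper applies, and the `score_sample`, `interpolate` and `classify` names are the example's own. It also handles one practical detail the summary glosses over: SNMP Counter32 objects wrap at 2^32, so per-interval deltas must account for a wrap between two polls.

```python
"""Toy SNMP-MIB + rule-interpolation abnormality scorer (added example).

Everything except the MIB object names is constructed for illustration: the
polls, normalisation bounds, rule base, and the use of inverse-distance
weighting in place of the paper's TSK-based FRI.
"""
from dataclasses import dataclass
import math

# ifInOctets and ipInReceives are Counter32 (monotonic, wrap at 2**32);
# tcpCurrEstab is a Gauge32 (instantaneous value, used as-is).
COUNTERS = ("ifInOctets", "ipInReceives")
GAUGES = ("tcpCurrEstab",)
FEATURES = COUNTERS + GAUGES
COUNTER32_MOD = 2 ** 32

# Constructed per-interval upper bounds: a delta at this value maps to 1.0.
SCALE = {"ifInOctets": 5_000_000, "ipInReceives": 20_000, "tcpCurrEstab": 500}


@dataclass(frozen=True)
class Rule:
    name: str
    antecedent: dict   # feature -> centre of its linguistic term, in [0, 1]
    consequent: float  # TSK-style constant: abnormality confidence in [0, 1]


# Deliberately sparse rule base (constructed): large parts of the input space
# have no rule, which is exactly the gap interpolation is meant to cover.
RULES = (
    Rule("normal-idle",    {"ifInOctets": 0.05, "ipInReceives": 0.05, "tcpCurrEstab": 0.05}, 0.0),
    Rule("normal-busy",    {"ifInOctets": 0.50, "ipInReceives": 0.50, "tcpCurrEstab": 0.50}, 0.1),
    Rule("volumetric-dos", {"ifInOctets": 0.95, "ipInReceives": 0.95, "tcpCurrEstab": 0.30}, 1.0),
    Rule("conn-flood",     {"ifInOctets": 0.40, "ipInReceives": 0.60, "tcpCurrEstab": 0.98}, 0.9),
)

# Two constructed polls of one device, one polling interval apart.
POLL_T0 = {"ifInOctets": 1_000_000, "ipInReceives": 10_000, "tcpCurrEstab": 120}
POLL_T1_DOS = {"ifInOctets": 5_800_000, "ipInReceives": 29_500, "tcpCurrEstab": 140}

# A normalised observation that matches no rule (constructed "gray-area" case).
GRAY_OBS = {"ifInOctets": 0.75, "ipInReceives": 0.75, "tcpCurrEstab": 0.75}


def deltas(prev: dict, curr: dict) -> dict:
    """Feature vector from two polls: counter increase per interval, gauges as-is."""
    out = {}
    for f in COUNTERS:
        d = curr[f] - prev[f]
        if d < 0:                 # Counter32 wrapped between the two polls
            d += COUNTER32_MOD
        out[f] = d
    for f in GAUGES:
        out[f] = curr[f]
    return out


def normalise(sample: dict) -> dict:
    """Clamp each feature into [0, 1] so distances to antecedents are comparable."""
    return {f: min(max(sample[f] / SCALE[f], 0.0), 1.0) for f in FEATURES}


def distance(a: dict, b: dict) -> float:
    return math.sqrt(sum((a[f] - b[f]) ** 2 for f in FEATURES))


def interpolate(obs: dict, rules=RULES, power: float = 2.0) -> tuple:
    """Inverse-distance-weighted consequent (assumed stand-in for the paper's FRI).

    Returns (confidence in [0, 1], name of the closest rule). An exact match
    returns that rule's consequent; anything else is scored from all rules,
    weighted by proximity, so an uncovered input still gets a value.
    """
    weighted = []
    for r in rules:
        d = distance(obs, r.antecedent)
        if d == 0.0:
            return r.consequent, r.name
        weighted.append((1.0 / d ** power, r))
    total = sum(w for w, _ in weighted)
    score = sum(w * r.consequent for w, r in weighted) / total
    nearest = max(weighted, key=lambda wr: wr[0])[1].name
    return score, nearest


def classify(score: float, alert: float = 0.7, review: float = 0.4) -> str:
    """Soft decision: a tiered policy on the score instead of one binary cut."""
    if score >= alert:
        return "alert"
    if score >= review:
        return "review"
    return "normal"


def score_sample(prev: dict, curr: dict, rules=RULES) -> tuple:
    """Whole pipeline for one polling interval: deltas -> normalise -> interpolate."""
    score, nearest = interpolate(normalise(deltas(prev, curr)), rules)
    return score, classify(score), nearest


if __name__ == "__main__":
    sparse = tuple(r for r in RULES if r.name != "normal-busy")
    print("full rule base:  ", score_sample(POLL_T0, POLL_T1_DOS))
    print("one rule removed:", score_sample(POLL_T0, POLL_T1_DOS, sparse))
    g, near = interpolate(GRAY_OBS)
    print("gray-area input: ", round(g, 3), classify(g), near)
```

Running it shows the three behaviours the summary attributes to the approach: the flood-like poll pair scores close to 1.0 and is attributed to the nearest rule, dropping a rule from the base still yields an alert rather than an undefined result, and the observation that sits between rules gets an intermediate score that lands in the "review" tier instead of being forced to one side of a binary threshold. The nearest-rule name is what an analyst would read to see which antecedent dominated the score.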

Experimental methodology:
The dataset was split into 70 % training and 30 % testing, and a 10‑fold cross‑validation was performed to assess generalization. For comparison, the same feature set was fed to an SVM with an RBF kernel and a multilayer perceptron (MLP) with two hidden layers. Performance metrics included detection rate (true positive rate), false alarm rate, and computational latency.

Results:

  • The FRI‑based system achieved an average detection rate of 93 % and a false alarm rate of 4 %.
  • The SVM attained 87 % detection with a 6 % false alarm rate, while the MLP reached 89 % detection with a 5 % false alarm rate.
  • Reducing the number of fuzzy rules by 20 % caused only a marginal drop (to 91 % detection), demonstrating robustness to incomplete rule bases.
  • Inference time per sample was approximately 0.02 seconds, well within real‑time constraints.
  • The overall processing pipeline (MIB polling + FRI inference) completed in under 5 seconds per monitoring cycle, far faster than raw‑packet‑based pipelines that often require minutes of preprocessing.

Key contributions and implications:

  1. Elimination of raw traffic processing: By relying exclusively on SNMP‑MIB counters, the approach sidesteps packet capture, deep packet inspection, and the associated storage and privacy concerns.
  2. Tolerance to incomplete knowledge: FRI allows the system to function effectively even when the fuzzy rule base does not exhaustively cover the multidimensional input space, reducing the expert effort needed to craft exhaustive rule sets.
  3. Soft decision making: The continuous confidence output mitigates the binary classification dilemma, enabling downstream components (e.g., alert correlation engines) to weigh alerts based on severity.
  4. Computational efficiency: The lightweight nature of MIB polling and the simple distance‑based interpolation make the solution suitable for deployment on resource‑constrained network management platforms.

Future directions:
The authors suggest extending the framework to incorporate multiple MIB sources from heterogeneous vendors, developing mechanisms for automatic rule generation or adaptation (e.g., online learning of antecedent parameters), and integrating temporal modeling (e.g., sliding‑window aggregation) to capture long‑term traffic trends. A hybrid architecture that combines FRI with deep learning‑based time‑series analysis could further improve detection of stealthy, low‑and‑slow attacks.

In summary, the paper demonstrates that coupling SNMP‑MIB metrics with fuzzy rule interpolation yields a practical, accurate, and computationally efficient IDS alternative, especially valuable in environments where raw traffic inspection is infeasible or where expert knowledge for exhaustive rule definition is limited.

