An Overview of Intrusion Detection Using Soft
Computing
Archana Sapkota
Palden Lama
CS591 Fall 2009
Introduction
Intrusion: any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
Intrusion detection: an additional line of defense. The first line of defense consists of authentication, data encryption, avoiding programming errors, and firewalls.
Classified into two types:
1. Misuse intrusion detection
2. Anomaly intrusion detection
Introduction
Misuse intrusion detection: uses well-defined patterns (signatures) of attacks that exploit weaknesses in system and application software to identify intrusions. These patterns are encoded in advance and matched against observed user behavior to detect an intrusion. It can only detect attacks whose patterns are already known.
Anomaly intrusion detection: uses patterns of normal usage behavior to identify intrusions. The normal usage profile is constructed from statistical measures of the system features. The behavior of the user is observed, and any significant deviation from the constructed normal profile is reported as an intrusion. This can flag previously unseen attacks, at the cost of false positives when legitimate behavior changes.
Soft Computing
The essence of soft computing is that, unlike traditional hard computing, it is aimed at an accommodation with the pervasive imprecision of the real world. Thus, the guiding principle of soft computing is:
'...exploit the tolerance for imprecision, uncertainty and partial truth to achieve tractability, robustness, low solution cost and better rapport with reality'.
The role model for soft computing is the human mind.
Soft Computing Techniques used for IDS
• K-Nearest Neighbor
• Artificial Neural Networks
• Support Vector Machines
• Self-Organizing Map
• Decision Tree
• Bayesian Networks
• Genetic Algorithms
• Fuzzy Logic
Classifier Design
• Single classifiers
• Ensemble classifiers
• Hybrid classifiers
Hybrid Classifier
Ensemble Classifier
Experimental Data (KDD)
Prepared by the 1998 DARPA Intrusion Detection Evaluation program at MIT Lincoln Laboratory.
Nine weeks of raw TCP dump data. The raw data was processed into about 5 million connection records.
The data set has 41 attributes for each connection record plus one class label.
Consists of 4 types of attack:
1. Denial of Service (DoS)
2. Remote to User (R2L)
3. User to Root (U2R)
4. Probing
http://kdd.ics.uci.edu/databases/kddcup99/
Sample Experimental Data (KDD)
Positive training examples (normal):
0,tcp,http,SF,181,5450,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,9,9,1.00,0.00,0.11,0.00,0.00,0.00,0.00,0.00,normal.
0,tcp,http,SF,239,486,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,19,19,1.00,0.00,0.05,0.00,0.00,0.00,0.00,0.00,normal.
0,tcp,http,SF,235,1337,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,29,29,1.00,0.00,0.03,0.00,0.00,0.00,0.00,0.00,normal.
Negative training examples (attack, smurf):
0,icmp,ecr_i,SF,1032,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,511,511,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,smurf.
0,icmp,ecr_i,SF,1032,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,511,511,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,smurf.
0,icmp,ecr_i,SF,1032,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,511,511,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,smurf.
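As an added example (not code from the slides), the following Python parses the KDD connection records shown above and runs both kinds of detector from the Introduction over them: a misuse detector with one pre-encoded signature for smurf (an ICMP echo-reply flood), and an anomaly detector that builds a per-feature mean and standard-deviation profile from the normal records and reports any record whose largest z-score exceeds a threshold. The 41 attribute names are those of the KDD'99 kddcup.names file; the signature's conditions and the z-score threshold are illustrative choices, and the fifth record (an http connection with count and srv_count raised to 300) is constructed here rather than taken from the data set, to show the anomaly check catching something no signature covers.

```python
"""KDD'99 connection records: a misuse (signature) check and a statistical
anomaly check side by side. Added illustration, not code from the slides."""
import math
from typing import Callable, Dict, List, Tuple

# The 41 KDD'99 attributes in column order (kddcup.names); column 42 is the label.
KDD_FEATURES = [
    "duration", "protocol_type", "service", "flag", "src_bytes", "dst_bytes",
    "land", "wrong_fragment", "urgent", "hot", "num_failed_logins", "logged_in",
    "num_compromised", "root_shell", "su_attempted", "num_root",
    "num_file_creations", "num_shells", "num_access_files", "num_outbound_cmds",
    "is_host_login", "is_guest_login", "count", "srv_count", "serror_rate",
    "srv_serror_rate", "rerror_rate", "srv_rerror_rate", "same_srv_rate",
    "diff_srv_rate", "srv_diff_host_rate", "dst_host_count", "dst_host_srv_count",
    "dst_host_same_srv_rate", "dst_host_diff_srv_rate",
    "dst_host_same_src_port_rate", "dst_host_srv_diff_host_rate",
    "dst_host_serror_rate", "dst_host_srv_serror_rate", "dst_host_rerror_rate",
    "dst_host_srv_rerror_rate",
]
SYMBOLIC = {"protocol_type", "service", "flag"}           # nominal columns
NUMERIC = [f for f in KDD_FEATURES if f not in SYMBOLIC]  # the 38 numeric columns

# Three normal http records and one smurf record from the slide, plus a fifth
# record CONSTRUCTED for this example: record 1 with count/srv_count set to 300.
SAMPLE_RECORDS = """\
0,tcp,http,SF,181,5450,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,9,9,1.00,0.00,0.11,0.00,0.00,0.00,0.00,0.00,normal.
0,tcp,http,SF,239,486,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,19,19,1.00,0.00,0.05,0.00,0.00,0.00,0.00,0.00,normal.
0,tcp,http,SF,235,1337,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,29,29,1.00,0.00,0.03,0.00,0.00,0.00,0.00,0.00,normal.
0,icmp,ecr_i,SF,1032,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,511,511,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,smurf.
0,tcp,http,SF,181,5450,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,300,300,0.00,0.00,0.00,0.00,1.00,0.00,0.00,9,9,1.00,0.00,0.11,0.00,0.00,0.00,0.00,0.00,unlabelled.
"""

Record = Dict[str, object]


def parse_record(line: str) -> Record:
    """One CSV connection record -> {attribute: value, 'label': str}.
    Numeric columns become floats; the three nominal columns stay strings."""
    fields = line.strip().split(",")
    if len(fields) != len(KDD_FEATURES) + 1:
        raise ValueError(f"expected {len(KDD_FEATURES) + 1} fields, got {len(fields)}")
    rec: Record = {name: (raw if name in SYMBOLIC else float(raw))
                   for name, raw in zip(KDD_FEATURES, fields)}
    rec["label"] = fields[-1].rstrip(".")   # KDD labels carry a trailing '.'
    return rec


def parse_records(text: str) -> List[Record]:
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


# --- Misuse detection: patterns encoded in advance ---------------------------
# Illustrative smurf signature (thresholds are assumptions, not from the slides):
# many ICMP echo-reply connections to the same host within the 2-second window
# ("count"), with the victim sending nothing back.
MISUSE_RULES: List[Tuple[str, Callable[[Record], bool]]] = [
    ("smurf_icmp_flood", lambda r: r["protocol_type"] == "icmp"
                                 and r["service"] == "ecr_i"
                                 and r["count"] >= 100
                                 and r["dst_bytes"] == 0),
]


def misuse_detect(rec: Record) -> List[str]:
    """Names of every signature the record matches (empty list if none)."""
    return [name for name, pred in MISUSE_RULES if pred(rec)]


# --- Anomaly detection: a statistical profile of normal behaviour -----------
def build_profile(normal: List[Record]) -> Dict[str, Tuple[float, float]]:
    """Per-feature (mean, population std) over records labelled normal."""
    n = len(normal)
    profile = {}
    for f in NUMERIC:
        vals = [r[f] for r in normal]
        mean = sum(vals) / n
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / n)
        profile[f] = (mean, std)
    return profile


def anomaly_score(rec: Record, profile: Dict[str, Tuple[float, float]],
                  std_floor: float = 1e-3) -> Tuple[float, str]:
    """Largest |z-score| across numeric features, and the feature that set it.
    std_floor keeps a feature that was constant in training from dividing by 0."""
    worst, worst_f = 0.0, ""
    for f, (mean, std) in profile.items():
        z = abs(rec[f] - mean) / max(std, std_floor)
        if z > worst:
            worst, worst_f = z, f
    return worst, worst_f


def classify(rec: Record, profile: Dict[str, Tuple[float, float]],
             threshold: float = 3.0) -> str:
    """Signatures first (they name the attack), then the anomaly check."""
    hits = misuse_detect(rec)
    if hits:
        return "misuse:" + hits[0]
    z, f = anomaly_score(rec, profile)
    return f"anomaly:{f}" if z > threshold else "normal"


if __name__ == "__main__":
    records = parse_records(SAMPLE_RECORDS)
    profile = build_profile([r for r in records if r["label"] == "normal"])
    for r in records:
        print(f"{r['label']:<10} -> {classify(r, profile)}")
```

The smurf record is caught by the signature, and the constructed fifth record, which no signature covers, is caught only by the anomaly check because its count is far outside the normal profile. Two caveats a practitioner should keep in mind: a profile built from three records is far too tight for real use (any feature that happens to be constant in training will fire on the smallest change, which is what the std floor is guarding), and the 2-second-window count features that separate floods from normal traffic here are exactly the ones an attacker can keep below threshold by slowing down.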
Case Study: Performance Comparison
Fuzzy rule based techniques:
• Rule generation based on the histogram of attribute values (FR1)
• Rule generation based on partition of overlapping areas (FR2)
• Neural learning of fuzzy rules (neuro-fuzzy inference system, FR3)
Linear Genetic Programming (LGP)
Decision Trees (DT)
Support Vector Machines (SVM)
Evaluation Strategy
Attribute Reduction/Feature Selection
Training
Testing
Data Attributes used for Intrusion Detection
Results : Single Classifiers
IDS with ensemble of intelligent paradigms
Results : Ensemble Classifier
Thank you!!