An Overview of Intrusion Detection Using Soft Computing
Archana Sapkota, Palden Lama
CS591 Fall 2009
Introduction
Intrusion
• Any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
Intrusion Detection:
• An additional line of defense; the first line of defense is authentication, data encryption, avoiding programming errors, and firewalls.
• Classified into two types:
• 1. Misuse Intrusion Detection
• 2. Anomaly Intrusion Detection
Introduction
Misuse intrusion detection:
• Uses well-defined patterns of attacks that exploit weaknesses in system and application software to identify intrusions.
• These patterns are encoded in advance and matched against user behavior to detect intrusions.
Anomaly intrusion detection:
• Uses patterns of normal usage behavior to identify intrusions. The normal usage patterns are constructed from statistical measures of the system features.
• The behavior of the user is observed, and any deviation from the constructed normal behavior is flagged as an intrusion.
Soft Computing
• The essence of soft computing is that, unlike traditional hard computing, it is aimed at an accommodation with the pervasive imprecision of the real world. Thus, the guiding principle of soft computing is:
• '...exploit the tolerance for imprecision, uncertainty and partial truth to achieve tractability, robustness, low solution cost and better rapport with reality'.
• The role model for soft computing is the human mind.
Soft Computing Techniques used for IDS
• K-Nearest Neighbor
• Artificial Neural Networks
• Support Vector Machines
• Self Organizing Map
• Decision Tree
• Bayes' Networks
• Genetic Algorithms
• Fuzzy Logic
Classifier Design
• Single Classifiers
• Ensemble Classifiers
• Hybrid Classifiers
Hybrid Classifier
Ensemble Classifier
Experimental Data (KDD)
• Prepared by the 1998 DARPA Intrusion Detection Evaluation program at MIT Lincoln Laboratory.
• Nine weeks of raw TCP dump data, processed into about 5 million connection records.
• The data set has 41 attributes for each connection record plus one class label.
• Attacks fall into 4 types:
1. Denial of Service (DDoS)
2. Remote to User (R2L)
3. User to Root (U2R)
4. Probing
http://kdd.ics.uci.edu/databases/kddcup99/
Sample Experimental Data (KDD)
Positive Training Examples:
0,tcp,http,SF,181,5450,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,9,9,1.00,0.00,0.11,0.00,0.00,0.00,0.00,0.00,normal.
0,tcp,http,SF,239,486,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,19,19,1.00,0.00,0.05,0.00,0.00,0.00,0.00,0.00,normal.
0,tcp,http,SF,235,1337,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,29,29,1.00,0.00,0.03,0.00,0.00,0.00,0.00,0.00,normal.
Negative Training Examples:
0,icmp,ecr_i,SF,1032,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,511,511,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,smurf
0,icmp,ecr_i,SF,1032,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,511,511,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,smurf.
0,icmp,ecr_i,SF,1032,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,511,511,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,smurf.
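To make the two detection styles from the Introduction concrete on the KDD records above, here is an added example (not part of the slides): it parses the 41-attribute records, builds a statistical profile of the "normal" rows for anomaly detection (z-score deviation on a few numeric attributes), and encodes one pre-defined pattern for misuse detection. The attribute indexes are taken from the kddcup99 task description; the profiled attributes, the threshold and the constructed rule are my choices for illustration.

```python
import statistics

# Connection records in KDD Cup 99 layout (41 attributes + class label), copied
# from the slide above. Indexes follow the kddcup99 task description.
NORMAL_RECORDS = [
    "0,tcp,http,SF,181,5450,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,9,9,1.00,0.00,0.11,0.00,0.00,0.00,0.00,0.00,normal.",
    "0,tcp,http,SF,239,486,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,19,19,1.00,0.00,0.05,0.00,0.00,0.00,0.00,0.00,normal.",
    "0,tcp,http,SF,235,1337,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,29,29,1.00,0.00,0.03,0.00,0.00,0.00,0.00,0.00,normal.",
]
# The slide's first smurf row, which lacks the trailing dot on the label.
SMURF_RECORD = "0,icmp,ecr_i,SF,1032,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,511,511,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,smurf"
# Numeric attributes profiled for anomaly detection: name -> index (my selection).
NUMERIC = {"src_bytes": 4, "dst_bytes": 5, "count": 22, "srv_count": 23,
           "dst_host_count": 31, "dst_host_srv_count": 32}

def parse_record(line):
    """Split a record into its 41 attributes and the label ('normal.' -> 'normal')."""
    fields = line.strip().rstrip(".").split(",")
    if len(fields) != 42:
        raise ValueError(f"expected 42 fields, got {len(fields)}")
    return fields[:41], fields[41]

def build_profile(records):
    """Anomaly detection: mean and spread of each profiled attribute over normal
    traffic. A zero spread is floored to 1.0 so a constant attribute (count is 8
    in every normal row) still registers a deviation instead of dividing by zero."""
    rows = [parse_record(r)[0] for r in records]
    profile = {}
    for name, idx in NUMERIC.items():
        values = [float(row[idx]) for row in rows]
        profile[name] = (statistics.fmean(values), max(statistics.pstdev(values), 1.0))
    return profile

def anomaly_score(profile, record):
    """Largest absolute z-score over the profiled attributes; flag above a threshold."""
    attrs, _ = parse_record(record)
    return max(abs(float(attrs[idx]) - profile[name][0]) / profile[name][1]
               for name, idx in NUMERIC.items())

# Misuse detection: a pattern encoded in advance and matched against each record.
# Constructed from the smurf rows on the slide (ICMP, service 'ecr_i', saturated
# connection count); an illustration, not a production signature.
SMURF_RULE = [(1, "eq", "icmp"), (2, "eq", "ecr_i"), (22, "ge", 500.0)]

def matches_rule(rule, record):
    """True when every (index, operator, value) condition holds for the record."""
    attrs, _ = parse_record(record)
    for idx, op, want in rule:
        ok = attrs[idx] == want if op == "eq" else float(attrs[idx]) >= want
        if not ok:
            return False
    return True
```

With only three normal rows the profile is deliberately crude; the point is that the smurf row deviates by hundreds of standard deviations on `count` while the normal rows stay within about 1.5, and that the same row also matches the encoded pattern.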
Case Study: Performance comparison
• Fuzzy Rule Based Technique
• Rule Generation Based on the Histogram of Attribute Values (FR1)
• Rule Generation Based on Partition of Overlapping Areas (FR2)
• Neural Learning of Fuzzy Rules (Neuro-Fuzzy Inference System, FR3)
• Linear Genetic Programming (LGP)
• Decision Trees (DT)
• Support Vector Machines (SVM)
Evaluation Strategy
• Attribute Reduction/Feature Selection
• Training
• Testing
Data Attributes used for Intrusion Detection
Results: Single Classifiers
IDS with ensemble of intelligent paradigms
Results: Ensemble Classifier
Thank you!!