1 / 38

Feature Ranking and Selection for Intrusion Detection using Support Vector Machines

This study focuses on feature ranking and selection for intrusion detection using support vector machines. The dataset used is raw TCP/IP dump data from a simulated U.S. Air Force LAN, with four main attack classes. The performance-based ranking method is used to determine the importance of features.

vincent-browning
Download Presentation

Feature Ranking and Selection for Intrusion Detection using Support Vector Machines

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Feature Ranking and Selectionfor Intrusion Detectionusing Support Vector Machines Srinivas Mukkamala & Andrew H. Sung Computer Science Department New Mexico Tech

  2. Intrusion Data • Raw TCP/IP dump data collected form a network by simulating a typical U.S. Air Force LAN. • For each TCP/IP connection, 41 various quantitative and qualitative features were extracted.

  3. Attack Classes Attacks fall into four main classes: • Probing: surveillance and other probing. • DOS: denial of service. • U2R: unauthorized access to local super user (root) privileges. • R2L: unauthorized access from a remote machine.

  4. DARPA Data

  5. DARPA Data

  6. Support Vector Machines • Learning systems that use a hypothesis space of linear functions in a high dimensional feature space. • Trained with a learning algorithm from optimisation theory. • Implements a hyperplane to perform a linear (2-class) separation.

  7. Support Vector Classification • Consider a 2 class problem F (x ) = -1: class A +1: class B

  8. The Feature Selection Problem • Modeling an unknown function of a number of variables (features) based on data • Relative significance of variables are unknown, they may be • Important variables • Secondary variables • Dependent variables • Useless variables

  9. The Feature Selection Problem • Which features are truly important? • Difficult to decide due to: • Limited amount of data • Lack of algorithm • Exhaustive analysis requires 2n experiments (n = 41 in DARPA data). • Need an empirical method.

  10. Performance-Based Feature Ranking Method • Delete one feature at a time. • Use same training & testing sets (SVM & NN). • If performance decreases, then feature is important. • If performance increases, then feature is insignificant. • If performance unchanges, then feature is secondary.

  11. Performance-Based Feature Ranking: Procedure • Compose the training and testing set; for each feature do the following • Delete the feature from the training and the testing data; • Use the resultant data set to train the classifier; • Analyze the performance of the classifier using the test set, in terms of the selected performance criteria; • Rank the importance of the feature according to the rules;

  12. IDS Feature Ranking:Performance Factors • Effectiveness. • Training time. • Testing time. • False Positive Rate. • False Negative Rate. • Other relevant measures.

  13. Feature Ranking: Sample Rules Support Vector Machines A (accuracy), LT (learning time), TT (testing time). • If A  and LT  and TT , then feature is insignificant. • If A  and LT  and TT , then feature is important. • If A  and LT  and TT , then feature is important. . . . • Otherwise, feature is secondary.

  14. Feature Ranking: Sample RulesNeural Networks A (accuracy), FP (false positive rate), FN (false negative rate). • If A  and FP  and FN , then feature is insignificant. • If A  and FP  and FN , then feature is important. • If A  and FP  and FN , then feature is important. . . . • Otherwise, feature is secondary.

  15. Rule Set • Ifaccuracydecreasesand training time increasesand testing time decreases, then the feature is important • Ifaccuracy decreasesand training time increasesand testing time increases, then the feature is important • If accuracydecreasesand training time decreasesand testing time increases, then the feature is important • Ifaccuracyunchangesand training time increasesand testing time increases, then the feature is important • Ifaccuracyunchangesand training time decreasesand testing time increases, then the feature is secondary

  16. Rule Set • Ifaccuracyunchangesand training time increasesand testing time decreases, then the feature is secondary • Ifaccuracyunchangesand training time decreases and testing time decreases, then the feature is unimportant • Ifaccuracyincreasesand training time increasesand testing time decreases, then the feature is secondary • Ifaccuracyincreasesand training time decreasesand testing time increases, then the feature is secondary • Ifaccuracyincreasesand training time decreasesand testing time decreases, then the feature is unimportant

  17. Performance-Based Feature Ranking Advantages • General applicability (ANNs, SVMs, etc.) • Linear complexity (requiring only O(n) experiments). • Tuning of rules to improve results. • Multi-level ranking is possible.

  18. Performance-BasedFeature Ranking ResultsImportantSecondary Unimportant

  19. SVM: Using All 41 Features

  20. SVM: Using Important Features

  21. SVM: Using Union of Important Featuresof All Classes, 30 Total

  22. SVM: Using Important Features + Secondary Features

  23. Performance Statistics(using performance-based ranking)

  24. Performance Statistics(using performance-based ranking) 99.59 99.59% 99.59 99.55 99.51 99.70 99.67 99.65 99.38 99.25 99.25 99.22 99.22 99.87 99.87 99.87 99.87 99.80 99.78 99.78 99.78

  25. Feature Ranking using Support Vector Decision Function F(X) = SWiXi + b • F(X) depends on the contribution of WiXi • Absolute value of Wi measures the strength of classification of classification

  26. Feature Ranking using Support Vector Decision Function (SVDF) • if Wi is a large positive value then the ith feature is a key factor for the positive class • if Wi is a large negative value then the ith feature is a key factor for the negative class • if Wi is a value close to zero on either the positive or negative side then the ith feature does not contribute significantly to the classification

  27. SVM Based Feature Ranking Method • Calculate the weights from the support vector decision function. • Rank the importance of the features by the absolute values of the weights. • Delete the insignificant features from the training and the testing data. • Use the resultant data set to train the classifier. • Analyze the performance of the classifier using the test set, in terms of the selected performance criteria (threshold values of the weights for ranking the features).

  28. SVM Based Feature Ranking: Advantages • Uses SVMs decision function. • Linear complexity (requiring only O(n) experiments). • Tuning of the ranking process by adjusting the threshold values. • Multi-level ranking is possible.

  29. SVM-Based Feature Ranking ResultsImportant Secondary

  30. SVM: Using Important Features as ranked by SVDF

  31. SVM: Union of Important Featuresof All Classes : 19 Totaltraining : testing 5092 : 6890

  32. Performance Statistics(using SVM-based ranking)

  33. Performance Statistics(using SVM-based ranking) 99.59 99.56% 99.55 99.55 99.70 99.42 99.35 99.25 99.19 99.14 99.87 99.87 99.85 99.78 99.78 99.78

  34. IDS Feature Ranking:Performance Factors • Effectiveness. • Training time. • Testing time. • False Positive Rate. • False Negative Rate. • Other relevant measures.

  35. Two Feature Ranking Methods: Performance Summary • Important features selected by two methods heavily overlap. • Different levels of SVM IDS performance are achieved by • using all features • using important features • using union of important features • However, the performance difference is small

  36. Internet SVM 1 (Normal) IDS Flag? Network Data Preprocessor Firewall System Administrator A New IDS ArchitectureUsing SVMs Servers SVM 2 (Probe) SVM 3 (DOS) SVM 4 (U2Su) SVM 5 (R2L)

  37. Conclusions • IDS based on SVMs. • SVMs generally outperform NNs (cf. reference 2) • Two methods for feature ranking of 41 inputs, for each of the 5 classes. • Using important features give comparable performance. • New IDS comprising 5 SVMs delivers high accuracy and faster (than NN) running time.

  38. References • S. Mukkamala, G. Janowski, A. H. Sung, Intrusion Detection Using Support Vector Machines, Proceedings of the High Performance Computing Symposium – HPC 2002, April 2002, pp.178-183. • S. Mukkamala, G. Janowski, A. H. Sung, Intrusion Detection Using Neural Networks and Support Vector Machines, Proceedings of IEEE IJCNN, May 2002, pp.1702-1707. • Srinivas Mukkamala, Andrew Sung,Feature Ranking and Selection for Intrusion Detection,Proceedings of the International Conference on Information and Knowledge Engineering – IKE 2002, June 2002, pp.503-509.

More Related