Evolving Fuzzy Classifiers for Intrusion Detection

Evolving Fuzzy Classifiers for Intrusion Detection
Jonatan Gomez
Dipankar Dasgupta
Presented By: Sohraab Soltani
Intrusion Detection
  Misuse Detection
    Uses signatures of known intrusions.
    Low false alarm rate.
    Unable to detect unknown attacks.
  Anomaly Detection
    Builds a profile of the system's normal behavior.
    Labels any behavior that deviates from the normal distribution as an anomaly.
    Able to detect unknown attacks.
    High false alarm rate.
Overview
  Training data: find fuzzy classifier rules for normal and abnormal behaviors.
  Data flow: label each data point as normal or abnormal; trigger an alarm if it is abnormal.
Fuzzy Logic
  Classic: an object is entirely in a set or not.
    x ∈ {r | r ∈ {0,1}}
  Fuzzy: an object can be partially in a set.
    x ∈ {r | r ∈ [0,1]}
Fuzzy Operators
Fuzzy Rule
  Rule: IF condition THEN consequence [weight]
  TV(R) = TV(condition) * weight
  Example: IF x is HIGH and y is LOW THEN pattern is normal [0.4]
    TV(R) = TV((x is HIGH) and (y is LOW)) * 0.4
          = min(0.2, 0.4) * 0.4 = 0.08
    (here x is HIGH has truth value 0.2, y is LOW has truth value 0.4, and the fuzzy AND is the minimum)
A Fuzzy Classifier as an Intrusion Detector
Class Prediction
Steps to generate a fuzzy rule for class k using GA
  Representation of the condition part of the fuzzy rule:
    x is C or z is E and w is not D
Binary Tree Representation
  Free parenthesis expression:
    A or B and C and D or E.
  Represents the logical expression:
    (((A or E) and C) or (B and D))
  Can also be represented by a complete tree.
Genetic operators - Crossover
  Parent 1: A or B and C and D or E
  Parent 2: W and X or Y and Z
  [Figure: the two parents' expression trees with the crossing point at nodes C and Y, and the two offspring trees containing the new nodes H and M]
Because the crossover point was selected inside nodes C and Y, these nodes interchange their code and create the new fuzzy expressions H and M.
Genetic operators - Gene addition, deletion
  Addition: A or B and C and D or E  ->  A or B and C and D or E or X
  Deletion: A or B and C and D or E or X  ->  A or B and C and D or E
  [Figure: the expression trees before and after the gene "or X" is added; the deletion arrow runs the other way]
Genetic operators - Mutation
  Before: W and X or Y and Z
  After:  W and X and Y and Z
  [Figure: the expression trees before and after mutation; the mutation point is the "or" operator node, which becomes "and"]
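An added example (not the paper's or the presenter's code): the crossover, gene addition/deletion and mutation operators of these slides applied to a rule condition kept as a free-parenthesis gene list, with the one-to-six chromosome length limit from the experimental settings. The (variable, fuzzy_set) encoding of an atom, the "fuzzy-set half" that crossover exchanges, and the sample parents P1 and P2 are assumptions; the tree layout of the figures is not reproduced.

```python
# Chromosome = free-parenthesis gene list [atom, op, atom, op, ...], e.g. A or B and C and D or E.
# An atom is assumed to be a (variable, fuzzy_set) pair such as ('x', 'HIGH').
MIN_ATOMS, MAX_ATOMS = 1, 6    # chromosome length from the experimental settings

def atoms(chrom):
    return chrom[0::2]

def checked(chrom):
    """Reject offspring outside the allowed one-to-six-atom length."""
    if not MIN_ATOMS <= len(atoms(chrom)) <= MAX_ATOMS:
        raise ValueError(f"chromosome has {len(atoms(chrom))} atoms")
    return chrom

def render(chrom):
    return ' '.join(f"{g[0]} is {g[1]}" if isinstance(g, tuple) else g for g in chrom)

def crossover(p1, p2, i, j):
    """Crossing point inside atom i of p1 and atom j of p2. The two atoms interchange
    part of their code (assumed: the fuzzy-set half), giving the new atoms H and M,
    and the gene tails after the crossing point are exchanged."""
    a, b = p1[2 * i], p2[2 * j]
    h, m = (a[0], b[1]), (b[0], a[1])
    c1 = p1[:2 * i] + [h] + p2[2 * j + 1:]
    c2 = p2[:2 * j] + [m] + p1[2 * i + 1:]
    return checked(c1), checked(c2)

def add_gene(chrom, op, atom):
    """Gene addition: A or B and C and D or E  ->  A or B and C and D or E or X."""
    return checked(chrom + [op, atom])

def delete_gene(chrom, k):
    """Gene deletion: drop atom k together with the operator joining it to its neighbour."""
    lo = 0 if k == 0 else 2 * k - 1
    return checked(chrom[:lo] + chrom[lo + 2:])

def mutate_operator(chrom, k):
    """Mutation at operator k: and <-> or, e.g. W and X or Y and Z -> W and X and Y and Z."""
    out = list(chrom)
    out[2 * k + 1] = 'and' if out[2 * k + 1] == 'or' else 'or'
    return out

def mutate_atom(chrom, k, atom):
    """Mutation at atom k: replace the atomic condition."""
    out = list(chrom)
    out[2 * k] = atom
    return out

# Constructed parents mirroring the slide's shapes (five and four atoms).
P1 = [('x', 'HIGH'), 'or', ('y', 'LOW'), 'and', ('z', 'MED'), 'and', ('w', 'LOW'), 'or', ('v', 'HIGH')]
P2 = [('a', 'LOW'), 'and', ('b', 'HIGH'), 'or', ('c', 'LOW'), 'and', ('d', 'MED')]
```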
Fitness Function - Confusion Matrix

                        Predicted class
                        Intrusion         Normal
  Actual   Intrusion    True Positive     False Negative
  class    Normal       False Positive    True Negative
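An added example (not the paper's or the presenter's code) tying together the weighted rule evaluation of the Fuzzy Rule slide, the "label each data point, alarm if abnormal" flow of the Overview, and the confusion matrix of this slide. The fuzzy OR and NOT operators, the 0.5 decision threshold, and the constructed KDD-feature memberships and labels are assumptions; the slide itself only states TV(R) = TV(condition) * weight and uses min for AND.

```python
# Condition tree nodes: ('is', var, set) | ('not', node) | ('and', l, r) | ('or', l, r)
# mu maps variable -> fuzzy set -> membership degree in [0, 1].
def truth(cond, mu):
    """Truth value of a condition. Assumed operators: AND = min (as on the slide),
    OR = max, NOT = 1 - x."""
    op = cond[0]
    if op == 'is':
        return mu[cond[1]][cond[2]]
    if op == 'not':
        return 1.0 - truth(cond[1], mu)
    left, right = truth(cond[1], mu), truth(cond[2], mu)
    return min(left, right) if op == 'and' else max(left, right)

def rule_truth(cond, weight, mu):
    """TV(R) = TV(condition) * weight, as stated on the slide."""
    return truth(cond, mu) * weight

# Slide example: IF x is HIGH and y is LOW THEN pattern is normal [0.4]
SLIDE_RULE = ('and', ('is', 'x', 'HIGH'), ('is', 'y', 'LOW'))
SLIDE_MU = {'x': {'HIGH': 0.2}, 'y': {'LOW': 0.4}}
def slide_example():
    return rule_truth(SLIDE_RULE, 0.4, SLIDE_MU)   # min(0.2, 0.4) * 0.4 = 0.08

def confusion_matrix(cond, weight, records, threshold=0.5):
    """Score an intrusion-class rule over (mu, actual_label) records. A record is
    predicted 'intrusion' when TV(R) >= threshold; the threshold is an assumption,
    the slides give no decision rule."""
    counts = {'TP': 0, 'FN': 0, 'FP': 0, 'TN': 0}
    for mu, actual in records:
        hit = rule_truth(cond, weight, mu) >= threshold
        if actual == 'intrusion':
            counts['TP' if hit else 'FN'] += 1
        else:
            counts['FP' if hit else 'TN'] += 1
    return counts

def roc_point(c):   # (true positive rate, false positive rate): one point of the ROC curve
    return c['TP'] / (c['TP'] + c['FN']), c['FP'] / (c['FP'] + c['TN'])

# Constructed records over two KDD features named on the slides; the membership
# degrees and labels are made up for illustration.
INTRUSION_RULE = ('and', ('is', 'src_bytes', 'HIGH'), ('is', 'duration', 'LOW'))
SAMPLE = [
    ({'src_bytes': {'HIGH': 0.9}, 'duration': {'LOW': 0.8}}, 'intrusion'),  # TV 0.8 -> TP
    ({'src_bytes': {'HIGH': 0.7}, 'duration': {'LOW': 0.3}}, 'intrusion'),  # TV 0.3 -> FN
    ({'src_bytes': {'HIGH': 0.1}, 'duration': {'LOW': 0.9}}, 'normal'),     # TV 0.1 -> TN
    ({'src_bytes': {'HIGH': 0.6}, 'duration': {'LOW': 0.7}}, 'normal'),     # TV 0.6 -> FP
    ({'src_bytes': {'HIGH': 0.2}, 'duration': {'LOW': 0.2}}, 'normal'),     # TV 0.2 -> TN
]
def sample_confusion():
    return confusion_matrix(INTRUSION_RULE, 1.0, SAMPLE)  # {'TP': 1, 'FN': 1, 'FP': 1, 'TN': 2}
```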
Fitness Function
KDD CUP Dataset
  duration: continuous.
  protocol_type: symbolic.
  service: symbolic.
  flag: symbolic.
  src_bytes: continuous.
  dst_bytes: continuous.
  land: symbolic.
  wrong_fragment: continuous.
  Overall: 41 features + class attribute.
Experimental Settings
  Normalize each continuous attribute.
  Five-fold cross validation.
  The genetic algorithm was initialized with 200 random chromosomes.
  The length of each chromosome is between one and six.
  The maximum number of iterations is 200.
  The GA runs 5 times, once for each class.
Accuracy
ROC Curve
Conclusion
  Curse of dimensionality
    As the dimension of the data increases, it impacts the performance of the algorithm.
  Multimodality
    It may be possible that more than one normal pattern exists in a data set.
  False alarm rate
posted:6/4/2012
pages:21