# Evolving Fuzzy Classifiers for Intrusion Detection

Jonatan Gomez, Dipankar Dasgupta
Presented by: Sohraab Soltani

## Intrusion Detection

Misuse detection

- Uses signatures of known intrusions.
- Low false alarm rate.
- Unable to detect unknown attacks.

Anomaly detection

- Builds a profile of the system's normal behavior.
- Labels any behavior that deviates from the normal distribution as an anomaly.
- Able to detect unknown attacks.
- High false alarm rate.

## Overview

Data flow: training data (normal and abnormal behaviors) is used to find fuzzy classifier rules; the rules label each data point as normal or abnormal, and an alarm is triggered if a point is abnormal.

## Fuzzy Logic

- Classic: an object $x$ is either entirely in a set or not; its membership value $r$ is in $\{0, 1\}$.
- Fuzzy: an object $x$ can partially be in a set; its membership value $r$ is in $[0, 1]$.

## Fuzzy Operators

Figure-only slide.

## Fuzzy Rule

- Rule: IF condition THEN consequence [weight]
- $TV(R) = TV(\text{condition}) \times \text{weight}$
- Example: IF x is HIGH and y is LOW THEN pattern is normal [0.4]

With the membership of x in HIGH equal to 0.2, the membership of y in LOW equal to 0.4, and "and" evaluated as the minimum:

$$TV(R) = TV((x \text{ is HIGH}) \text{ and } (y \text{ is LOW})) \times 0.4 = \min(0.2, 0.4) \times 0.4 = 0.08$$

## A Fuzzy Classifier as an Intrusion Detector

Figure-only slide.

## Class Prediction

Figure-only slide.

## Steps to Generate a Fuzzy Rule for Class k Using a GA

Representation of the condition part of the fuzzy rule, for example:

    x is C or z is E and w is not D

### Binary tree representation

- Free-parenthesis expression: A or B and C and D or E.
- Represents the logical expression (((A or E) and C) or (B and D)).
- Can also be represented by a complete tree.

### Genetic operators: crossover

Figure: the trees of `A or B and C and D or E` and `W and X or Y and Z` before crossover, and the two offspring trees after it (crossing point at nodes C and Y).

Because the crossover point was selected inside nodes C and Y, these nodes interchange their code and create new fuzzy expressions H and M.

### Genetic operators: deletion

Figure: the trees of `A or B and C and D or E or X` and `A or B and C and D or E`; deletion removes a node from the tree (here the `or X` part).

### Genetic operators: mutation

Figure: the tree of `W and X or Y and Z` and, after mutation at the `or` node, the tree of `W and X and Y and Z`.

## Fitness Function: Confusion Matrix

| Actual class | Predicted: Intrusion | Predicted: Normal |
|---|---|---|
| Intrusion | True Positive | False Negative |
| Normal | False Positive | True Negative |

## Fitness Function

Figure-only slide.

## KDD Cup Dataset

- duration: continuous.
- protocol_type: symbolic.
- service: symbolic.
- flag: symbolic.
- src_bytes: continuous.
- dst_bytes: continuous.
- land: symbolic.
- wrong_fragment: continuous.
- Overall 41 features + class attribute.

## Experimental Settings

- Normalize each continuous attribute.
- Five-fold cross validation.
- The genetic algorithm was initialized with 200 random chromosomes.
- The length of each chromosome is between one and six.
- The maximum number of iterations is 200.
- The GA runs 5 times, once for each class.

## Accuracy

Figure-only slide.

## ROC Curve

Figure-only slide.

## Conclusion

- Curse of dimensionality: as the dimension of the data increases, it impacts the performance of the algorithm.
- Multimodality: more than one normal pattern may exist in a data set.
- False alarm rate.
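The weighted fuzzy rule evaluation from the Fuzzy Rule slide and the class prediction step, as an added Python example that is not code from the original slides or from Gomez and Dasgupta's paper. It assumes min/max/complement for and/or/not (the slides show only min for "and"), linear memberships HIGH(x) = x and LOW(y) = 1 - y on normalized attributes, and that the predicted class is the consequence of the rule with the highest TV(R); the intrusion rule and the sample are constructed.

```python
from dataclasses import dataclass

# Fuzzy connectives on membership degrees in [0, 1]. The slide shows "and"
# as min; max for "or" and 1 - a for "not" are the assumed companions.
def f_and(a, b): return min(a, b)
def f_or(a, b): return max(a, b)
def f_not(a): return 1.0 - a

def trapezoid(x, a, b, c, d):
    """Trapezoidal membership: 0 outside [a, d], 1 on [b, c], linear ramps between."""
    if x < a or x > d:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    if x <= c:
        return 1.0
    return (d - x) / (d - c)

# Linguistic sets per normalized attribute as trapezoid parameters (constructed).
SETS = {
    "x": {"HIGH": (0.0, 1.0, 1.0, 1.0)},   # HIGH(x) = x
    "y": {"LOW": (0.0, 0.0, 0.0, 1.0)},    # LOW(y) = 1 - y
}

# A condition is a nested tuple: ("atom", attr, label), ("not", c), ("and", l, r), ("or", l, r).
def tv_condition(cond, sample, sets=SETS):
    kind = cond[0]
    if kind == "atom":
        _, attr, label = cond
        return trapezoid(sample[attr], *sets[attr][label])
    if kind == "not":
        return f_not(tv_condition(cond[1], sample, sets))
    left, right = (tv_condition(c, sample, sets) for c in cond[1:])
    return f_and(left, right) if kind == "and" else f_or(left, right)

@dataclass
class Rule:
    condition: tuple
    consequence: str   # predicted class
    weight: float      # the [weight] suffix of the rule

    def tv(self, sample, sets=SETS):
        """TV(R) = TV(condition) * weight, as on the slide."""
        return tv_condition(self.condition, sample, sets) * self.weight

def predict(rules, sample, sets=SETS):
    """Assumed decision rule: the consequence of the rule with the highest TV(R)."""
    best = max(rules, key=lambda r: r.tv(sample, sets))
    return best.consequence, best.tv(sample, sets)

# The slide's rule: IF x is HIGH and y is LOW THEN pattern is normal [0.4]
NORMAL_RULE = Rule(("and", ("atom", "x", "HIGH"), ("atom", "y", "LOW")), "normal", 0.4)
# A constructed competing rule for the intrusion class.
INTRUSION_RULE = Rule(("or", ("atom", "x", "HIGH"), ("not", ("atom", "y", "LOW"))), "intrusion", 0.9)
# Constructed normalized sample giving HIGH(x) = 0.2 and LOW(y) = 0.4, as in the slide's example.
SAMPLE = {"x": 0.2, "y": 0.6}

if __name__ == "__main__":
    print(NORMAL_RULE.tv(SAMPLE))                       # min(0.2, 0.4) * 0.4 = 0.08
    print(predict([NORMAL_RULE, INTRUSION_RULE], SAMPLE))
```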