1 Utilizing fuzzy logic and trend analysis for effective intrusion detection Author: Martin Botha and Rossouw von Solms Source: Computers & Security Vol 22, No 5, pp , 2003 Speaker: Su-Ping Chen Date: 2006/1/3

2 Outline Overview of current Intrusion Detection Systems and fuzzy logic The fuzzy methodology HIDS Conclusion Comments

3 Overview of current Intrusion Detection Systems and fuzzy logic Current Intrusion Detection System are based on two major intrusion detection approaches namely, misuse and anomaly intrusion detection. Immunology approach for Intrusion detection Systems. The first shortcoming of current anomaly intrusion detection system is lack of precise data. The simple approach will gather precise data from the firewall and operating system audit logs as well as the various user profiles.

4 Overview of current Intrusion Detection Systems and fuzzy logic A simple Intrusion Detection approach.

5 Overview of current Intrusion Detection Systems and fuzzy logic The second shortcoming of current anomaly intrusion detection system is no precise method. The object of the strategy is to compare the generic intrusion phases to the actions of a user or intruder. These graphs will then be compared using pattern recognition techniques. Template and user action graph.

6 The fuzzy methodology Fuzzy logic provides a comprehensive approach that can be used to construct the user action graph and template. The approach is based on four steps. The four steps are: 1. Fuzzification step 2. Inference step 3. Composition step 4. Defuzzification step

7 The fuzzy methodology Fuzzification step The object of this step is to define input variables as well as input membership functions for each input variable.

8 The fuzzy methodology Fuzzification step The information gained from the input variables represents real-world values and must be converted to truth-values For input variable 2 (Illegal firewall access) one can define the following membership expression for this input: Illegal firewall access (x) = {0,if number of attempts < %,if number of attempts = %,if number of attempts = 4 1,if number of attempts > 4}

9 The fuzzy methodology Fuzzification step Membership function for Illegal Firewall Access Input.

10 The fuzzy methodology Fuzzification step The fuzzy set for the membership expression for illegal firewall access is as follows: A (Illegal firewall access) = 0/2U0.33/3U0.66/4U1/5

11 The fuzzy methodology Inference step The purpose of the inference process is to categorize each input variable according to standard fuzzy values. Such as; low, medium or high. A (Illegal firewall access) = 0/0U0.33/2.75U0.66/5.5U1/8.34U0.66/11.09U0.33/13.84U0/16.67

12 The fuzzy methodology Inference step The fuzzy rules for illegal firewall access input variable are as follows: Rule 1: If the user types his/her password incorrectly zero to two times, then the contribution of this input should be zero. Rule 2: If the user types his/her password incorrectly three times, then the contribution of this input should be low. Rule 3: If the user types his/her password incorrectly four times, then the contribution of this input should be medium. Rule 4: If the user types his/her password incorrectly five or more times, then the contribution of this input should be high.

13 The fuzzy methodology Composition step During the composition step, all 11-input membership functions will be combined.

14 The fuzzy methodology Defuzzification step This step will explain how this geometrical graph can be used to map the user’s/intruder’s actions onto the six generic intrusion phases. The mapping strategy consists of three phases, namely: 1. Construction of template graph 2. Construction of user action graph 3. Mapping the two graphs

15 The fuzzy methodology Defuzzification step (Construction of template graph) The template represents an intruder’s typical actions when progressing through all six phases of the generic intrusion phases. The various output membership functions can mathematically be maximized and combined by employing the following expression: μ ∪ (x) = μ1(x) Λμ2(x) Λ.. Λμj(x) x ∈ X ∴ μ ∪ (Template) = 0/0 ∪ 1/8.34 ∪ 1/16.6 ∪ 1/25.02 ∪ 1/33.33 ∪ 1/41.67 ∪ 1/50.51 ∪ 1/58.35 ∪ 1/66.69 ∪ 1/75.03 ∪ 1/83.37 ∪ 1/91.71 ∪ 0/100

16 The fuzzy methodology Defuzzification step (Construction of the user action graph) The user action graph can be constructed by reading the various audit logs and user profiles.

17 The fuzzy methodology Defuzzification step (Mapping the two graphs) The mapping strategy can be conducted by employing the defuzzification step of the fuzzy logic process. The centre of gravity (COG) represents a numerical categorization of the total area of the graph.

18 The fuzzy methodology Defuzzification step (Mapping the two graphs) The mapping process

19 HIDS A working prototype called Hybrid Intrusion Detection System. HIDS is a software suite written in Visual Basic and Visual C programming languages. The prototype allows for two types of testing and real- time testing.

20 Conclusion A novice fuzzy methodology that will identify the different levels of an intrusion attack has been proposed in this paper. The model will identify the intrusion attack, by reading audit log files and user profiles on the operating system and then by constructing the user graphs according to the information. The methodology will also construct a typical intrusion graph (template graph) and it will then map the user graph onto this template graph.

21 Conclusion If the two graphs match, the methodology will then alert the security officer that someone is carrying out an intrusion attack. If not, the methodology will then compute which phase the intruder reached. Fuzzy logic will be used in both the mapping and phase determining processes.

22 Comments