ICNSC 2007Slide 1 A Novel Soft Computing Model Using Adaptive Neuro-Fuzzy Inference System for Intrusion Detection Authors: A. Nadjaran Toosi;

Presentation transcript:

ICNSC 2007, Slide 1

A Novel Soft Computing Model Using Adaptive Neuro-Fuzzy Inference System for Intrusion Detection

Authors: A. Nadjaran Toosi; M. Kahani
Presentation by: Dr. Mohsen Kahani
IEEE Conference on Networking, Sensing, Control, London, Spring 2007

Slide 2: Objectives

- Network Intrusion Detection System (NIDS)
- Soft computing and intrusion detection
- DARPA dataset, KDD Cup 99
- Proposed system
  - System architecture
  - The data sources
  - The neuro-fuzzy classifiers
  - The fuzzy decision module
  - Genetic algorithm module
- Results and experiments
- Conclusion

Slide 3: Network Intrusion Detection

- Widespread use of computer networks
  - Number of attacks and new hacking tools and intrusive methods
- An Intrusion Detection System (IDS) is one way of dealing with suspicious activities within a network.
- An IDS
  - monitors the activities of a given environment
  - decides whether these activities are malicious (intrusive) or legitimate (normal).

Slide 4: Soft Computing

- Zadeh's definition of soft computing: “Soft computing is an innovative approach to construct a computationally intelligent system which parallels the extraordinary ability of the human mind to reason and learn in an environment of uncertainty and imprecision”.
- Soft computing paradigms
  - Neural networks
  - Fuzzy approximate reasoning
  - Genetic algorithms
  - Simulated annealing, etc.

Slide 5: Soft Computing and IDS

- Many soft computing approaches have been applied to the intrusion detection field.
- Our novel network IDS includes
  - Neuro-fuzzy
  - Fuzzy
  - Genetic algorithms
- Key contributions
  - Utilization of the outputs of the neuro-fuzzy network as linguistic variables which express how reliable the current output is.

Slide 6: KDD Cup 99 Dataset

- Comparing different works in the IDS area requires a standard dataset.
- DARPA dataset
  - Audit data in the form of TCP dump data in a simulated network, 1998 and
- KDD Cup 99 dataset
  - Fifth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining
  - Purpose: demonstrating the learning contest
  - Collected and generated TCP dump data provided by DARPA in the form of train-and-test sets whose features are defined for the connection records
    - A connection is a sequence of TCP packets starting and ending at some well-defined times.

Slide 7: KDD Cup 99 Dataset (cont.)

- 41 features in each connection record
- Totally Records.
- Features are continuous, discrete or symbolic, and fall into four categories:
  - Intrinsic features of a connection
  - The content features
  - The same host features
  - The similar same service features
- Attacks fall into four main categories:
  - DoS (Denial of Service)
  - R2L (Remote to Local)
  - U2R (User to Root)
  - Probing

Slide 8: KDD Cup 99 Dataset (cont.)

- The KDD dataset is divided into the following record sets:
  - Training
  - Testing
- The original training dataset was too large for our purpose; the 10% training dataset was employed here for the training phase.

Slide 9: KDD Cup 99 Sample Distribution

Table: The sample distributions on the subset of 10% data of KDD Cup 99 dataset. Columns: Class, Number of Samples, Samples Percent. Rows: Normal, Probe, DoS, U2R, R2L.

| Class | Number of Samples | Samples Percent |
|-------|-------------------|-----------------|
| U2R   | 52                | 0.01%           |

Table: The sample distributions on the test data with the corrected labels of KDD Cup 99 dataset. Columns: Class, Number of Samples, Samples Percent. Rows: Normal, Probe, DoS, U2R, R2L.

Slide 10: Proposed System (System Architecture)

- System architecture.

Slide 11: Proposed System (Data Sources)

- The distribution of the samples in the two subsets that were used for the training

Table: Sample distributions on the first training and checking data randomly selected of 10% data of KDD Cup 99 dataset. Columns: Normal, Probe, DoS, U2R, R2L. Rows: Training and Checking for each of ANFIS-N, ANFIS-P, ANFIS-D, ANFIS-U, ANFIS-R.

Slide 12: Proposed System (Data Sources) (cont.)

Table: Sample distributions on the second training and checking data randomly selected of 10% data of KDD Cup 99 dataset. Columns: Normal, Probe, DoS, U2R, R2L. Rows: Training and Checking for each of ANFIS-N, ANFIS-P, ANFIS-D, ANFIS-U, ANFIS-R.

Slide 13: Proposed System (ANFIS Classifiers)

- The subtractive clustering method with r_a = 0.5 (neighborhood radius) was used to partition the training sets and generate an FIS structure for each ANFIS.
- For further fine-tuning and adaptation of the membership functions, the training sets were used to train each ANFIS.
- Each ANFIS was trained for 50 epochs, and the final FIS associated with the minimum checking error was chosen.
- All the MFs of the input fuzzy sets were selected in the form of Gaussian functions with two parameters.

Slide 14: Proposed System (The Fuzzy Decision Module)

- A five-input, single-output Mamdani fuzzy inference system
- Centroid of area defuzzification
- Each input and output fuzzy set includes two MFs
- All the MFs are Gaussian functions which are specified by four parameters.
- The output of the fuzzy inference engine, which varies between -1 and 1, specifies how intrusive the current record is: 1 shows completely intrusive and -1 completely normal.

Table: Fuzzy associative memory for the proposed fuzzy inference rules. Columns: PROBE, DoS, U2R, R2L, Output.

    High  -  -  -  -       Normal
    -  ¬High               Normal
    -  High  -  -  -       Attack
    -  -  High  -  -       Attack
    -  -  -  High  -       Attack
    -  -  -  -  High       Attack
    Low  -  -  -  -        Attack
    -  Low                 Normal

Slide 15: Proposed System (Genetic Algorithm Module)

- A chromosome consists of 320 bits of binary data.
- Every 8 bits of a chromosome determine one of the four parameters of an MF.

Slide 16: Proposed System (Some Metrics)

- How does the GA optimize the fuzzy decision engine?
- First, some metrics:
  - Detection rate
    - Ratio between the number of correctly detected attacks and the total number of attacks.
  - False alarm rate (false positive)
    - Ratio between the number of normal connections that are incorrectly classified as attacks and the total number of normal connections.
  - Classification rate
    - For each class of data, the ratio between the number of test instances correctly classified and the total number of test instances of this class.

Slide 17: Proposed System (Some Metrics)

- Cost Per Example
  - CM is a confusion matrix.
    - Each column corresponds to the predicted class, while rows correspond to the actual classes. An entry at row i and column j, CM(i, j), represents the number of misclassified instances that originally belong to class i, although incorrectly identified as a member of class j. The entries of the primary diagonal, CM(i, i), stand for the number of properly detected instances.
  - C is a cost matrix.
    - As with CM, entry C(i, j) represents the cost penalty for misclassifying an instance belonging to class i into class j.
  - N represents the total number of test instances.
  - m is the number of classes in the classification.

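Slide 18: Proposed System (Fitness Function for GA)

- Two different fitness functions
  - Cost Per Example with equal misclassification costs
  - Cost Per Example used for evaluating results of the KDD'99 competition

Cost matrix with equal misclassification costs (rows: actual class, columns: predicted class):

| Actual \ Predicted | Normal | PROBE | DoS | U2R | R2L |
|--------------------|--------|-------|-----|-----|-----|
| Normal             | 0      | 1     | 1   | 1   | 1   |
| PROBE              | 1      | 0     | 1   | 1   | 1   |
| DoS                | 1      | 1     | 0   | 1   | 1   |
| U2R                | 1      | 1     | 1   | 0   | 1   |
| R2L                | 1      | 1     | 1   | 1   | 0   |

Cost matrix used for evaluating results of the KDD'99 competition (rows: actual class, columns: predicted class):

| Actual \ Predicted | Normal | PROBE | DoS | U2R | R2L |
|--------------------|--------|-------|-----|-----|-----|
| PROBE              | 1      | 0     | 2   | 2   | 2   |
| DoS                | 2      | 1     | 0   | 2   | 2   |
| U2R                | 3      | 2     | 2   | 0   | 2   |
| R2L                | 4      | 2     | 2   | 2   | 0   |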
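The metrics from slides 16 to 18, computed over one confusion matrix. This is an added example, not code from the presentation or its authors. It assumes the standard KDD'99 scoring formula CPE = (1/N) · Σ_i Σ_j CM(i, j) · C(i, j), takes the Normal row of the KDD'99 cost matrix from the published competition matrix, counts an attack as detected when it is not labelled Normal, and uses a constructed confusion matrix.

```python
# Added example (not from the slides): IDS metrics over a 5-class confusion matrix.
CLASSES = ["Normal", "Probe", "DoS", "U2R", "R2L"]  # index 0 is the only non-attack class

# Cost matrices C(i, j): row i = actual class, column j = predicted class.
EQUAL_COST = [[0 if i == j else 1 for j in range(5)] for i in range(5)]
KDD_COST = [
    [0, 1, 2, 2, 2],  # Normal: assumption, from the published KDD'99 matrix (not on the slide)
    [1, 0, 2, 2, 2],  # Probe
    [2, 1, 0, 2, 2],  # DoS
    [3, 2, 2, 0, 2],  # U2R
    [4, 2, 2, 2, 0],  # R2L
]

# Constructed confusion matrix CM(i, j), same orientation. Not results from the paper.
SAMPLE_CM = [
    [950, 20, 25, 1, 4],
    [10, 180, 8, 0, 2],
    [30, 5, 1960, 0, 5],
    [6, 1, 0, 12, 1],
    [60, 2, 3, 1, 34],
]

def _check(matrix):
    if len(matrix) != 5 or any(len(row) != 5 for row in matrix):
        raise ValueError("expected a 5x5 matrix ordered as CLASSES")

def classification_rates(cm):
    """Per class: correctly classified instances / instances of that class."""
    _check(cm)
    return {name: (cm[i][i] / sum(cm[i]) if sum(cm[i]) else float("nan"))
            for i, name in enumerate(CLASSES)}

def detection_rate(cm):
    """Attacks not labelled Normal / all attacks (binary reading, an assumption)."""
    _check(cm)
    attacks = sum(sum(row) for row in cm[1:])
    missed = sum(row[0] for row in cm[1:])  # attacks predicted as Normal
    return (attacks - missed) / attacks if attacks else float("nan")

def false_alarm_rate(cm):
    """Normal connections labelled as any attack class / all normal connections."""
    _check(cm)
    normal = sum(cm[0])
    return (normal - cm[0][0]) / normal if normal else float("nan")

def cost_per_example(cm, cost):
    """CPE = (1/N) * sum over i, j of CM(i, j) * C(i, j)."""
    _check(cm)
    _check(cost)
    n = sum(sum(row) for row in cm)
    total = sum(cm[i][j] * cost[i][j] for i in range(5) for j in range(5))
    return total / n if n else float("nan")

if __name__ == "__main__":
    print("DTR", detection_rate(SAMPLE_CM), "FA", false_alarm_rate(SAMPLE_CM))
    print("classification rates", classification_rates(SAMPLE_CM))
    print("CPE equal", cost_per_example(SAMPLE_CM, EQUAL_COST))
    print("CPE KDD", cost_per_example(SAMPLE_CM, KDD_COST))
```

With equal costs, CPE is simply the overall error rate; the KDD'99 matrix raises the score of the same classifier because R2L and U2R records labelled Normal are penalised most heavily.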

Slide 19: Proposed System (Data Sources for GA)

Table: The sample distributions on the selected subset of 10% data of KDD Cup 99 dataset for the optimization process which is used by GA. Columns: Normal, Probe, DoS, U2R, R2L. Row: Number of Samples.

Slide 20: Results

- 10 subsets of training data for both series were used for the classifiers.
- The genetic algorithm was performed three times, each time for one of the five series of selected subsets.
- In total, 150 different structures were used, and the result is the average of the results of these 150 structures.
- Two different training datasets for training the classifiers and two different fitness functions to optimize the fuzzy decision-making module were used.

Table: Abbreviations used for our approaches

| Abbreviation | Approach |
|--------------|----------|
| ESC-KDD-1    | First training set with fitness function of KDD |
| ESC-EQU-1    | First training set with fitness function of equal misclassification cost |
| ESC-KDD-2    | Second training set with fitness function of KDD |
| ESC-EQU-2    | Second training set with fitness function of equal misclassification cost |

Slide 21: Results (cont.)

Table: Classification rate, detection rate (DTR), false alarm rate (FA) and Cost Per Example of KDD (CPE) for the different approaches of ESC-IDS on the test dataset with corrected labels of KDD Cup 99 dataset. Columns: Model, Normal, Probe, DoS, U2R, R2L, DTR, FA, CPE. Rows: ESC-KDD-, ESC-EQU-, ESC-KDD-, ESC-EQU-.

Table: Classification rate, detection rate (DTR), false alarm rate (FA) and Cost Per Example of KDD (CPE) for the different algorithms' performances on the test dataset with corrected labels of KDD Cup 99 dataset (n/r stands for Not Reported). Columns: Model, Normal, Probe, DoS, U2R, R2L, DTR, FA, CPE. Rows: ESC-IDS, RSS-DSS, Parzen-Window, Multi-Classifier, Winner of KDD, Runner Up of KDD, PNrule.

Slide 22: Conclusion

- An evolutionary soft computing approach for intrusion detection was introduced.
- Its usefulness was successfully demonstrated on the training and testing subsets of the KDD Cup 99 dataset.
- The ANFIS network was used as a neuro-fuzzy classifier for intrusion detection.
  - ANFIS is capable of producing fuzzy rules without the aid of human experts.
  - Subtractive clustering was utilized to determine the number of rules and membership functions, with their initial locations, for better classification.
- A fuzzy decision-making engine was developed to make the system more powerful for attack detection, using the fuzzy inference approach.
- A method was proposed to use genetic algorithms to optimize the fuzzy decision-making engine.
- Experimental results showed that the proposed method is effective in detecting various intrusions in computer networks.
- Future work
  - Reducing the features for the classifiers by methods of feature selection.
  - Studying the fitness function of the genetic algorithm to manipulate more parameters of the fuzzy inference module, even concentrating on the fuzzy rules themselves.

Slide 23: Thank you