Amir Hossein Momeni Azandaryani Course : IDS Advisor : Dr. Shajari 26 May 2008.



2 Outline
- Introduction
- Classification in intrusion detection
- Fuzzy sets theory
- Fuzzy classifiers
- Proposed approach
  - Extract fuzzy membership functions
  - Extract fuzzy rules
  - Learning parameters of fuzzy operators

3 Classification in Intrusion Detection
- Intrusion detection can be thought of as a classification problem
- Input: audit records
- Output: a discrete set of possible categories (normal, or a particular kind of intrusion)

4 Fuzzy Sets Theory
- Crisp: distinct facts, distinct boundaries
- Probability: incomplete facts
- Fuzzy: imprecise facts
- Membership to a class:
  - Crisp: yes or no
  - Fuzzy: yes, no, or partially in the set (0 ≤ degree ≤ 1)
- Membership to multiple classes is possible
- Provides smoother transitions between classes

5 Fuzzy Sets Theory (Cont’d)
Fuzzy logic process: crisp input → fuzzification → fuzzy inference → defuzzification → crisp output. Fuzzification is driven by the membership functions; inference is driven by the fuzzy rule base.

6 Fuzzy Sets Theory (Cont’d)
Membership functions and fuzzy rules
- Example rule: if (temp is hot) AND (wind_speed is calm) then (change_in_valve is big_negative)
- More precise output
- Fusing of membership functions (multiple class membership)
- Mixing the output of multiple rules

7 Fuzzy Sets Theory (Cont’d)
Fuzzy operators
- T-norm (intersection); popular choice: min
- S-norm (union); popular choice: max

8 Fuzzy Sets Theory (Cont’d)
Strength of fuzzy operators

9 Fuzzy Sets Theory (Cont’d)
Parametric fuzzy operators, of tunable strength:
- Dombi class
- Yager class
- Dubois class
- Hamacher, Frank, …

10 Proposed Approach
- Most classifiers (fuzzy classifiers included) use a single model for all of the data, regardless of how different the records are from each other
- In our approach, the classification model and its parameters vary based on the content of the audit record
- We use clustering to distinguish groups of audit records that have similarities
- Maximum independence from expert knowledge
- Fast generation of new methods for intrusion

11 Proposed Approach (Cont’d)
Fuzzy membership functions
- Extracted from data (no expert is needed)
- Based on entropy
Fuzzy rules
- Extracted from data (no expert is needed)
- Association rules
- A-Priori algorithm for extracting association rules (data mining)
- We propose a fuzzy modification of the A-Priori algorithm

12 Proposed Approach (Cont’d)
Building fuzzy membership functions from data
- Based on entropy
- In the interval [x1, x2], find the x that minimizes S(x); this x is the threshold
- Sort the thresholds and build the membership functions from them

13 Proposed Approach (Cont’d)
Building fuzzy rules from data
- Association rules, mined from transactions such as:
  - Broccoli, green peppers, corn
  - Asparagus, squash, corn
  - Corn, tomatoes, beans, squash
- A-Priori algorithm

14 Proposed Approach (Cont’d)
Extracting parameter values of fuzzy operators
Training phase:
- Training audit records → clustering (K-Means) → centers of the clusters
- Local search for the optimum parameter value within each cluster (cluster #1, cluster #2, …, cluster #k) → optimum parameter values for the clusters
Execution phase:
- New audit record → find its distance from each cluster center
- Calculate a weighted mean of the clusters’ optimum values → parameter value for the record
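The execution phase of slide 14 carried through in code, as an added example that is not code from the presentation: a new record's operator parameter is taken as a weighted mean of the clusters' optimum values and then sets the strength of a Dombi-class T-norm (slide 9) when a rule antecedent is fired. The cluster centers, the per-cluster optimum values and the use of inverse-distance weights are assumptions; the slides only say "weighted mean".

```python
import math

# Constructed data, not from the presentation: three K-Means cluster
# centers over two normalised audit-record features, and the optimum
# Dombi parameter that local search found for each cluster.
CLUSTER_CENTERS = [(0.1, 0.2), (0.5, 0.5), (0.9, 0.8)]
CLUSTER_LAMBDAS = [0.5, 1.0, 3.0]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def record_parameter(record, centers=CLUSTER_CENTERS, lambdas=CLUSTER_LAMBDAS):
    """Execution phase: distance from the record to every cluster center,
    then a weighted mean of the clusters' optimum parameters.
    Inverse-distance weights are an assumption (the slides only say
    'weighted mean'); a record lying exactly on a center takes that
    cluster's parameter, so there is never a division by zero."""
    dists = [euclid(record, c) for c in centers]
    for d, lam in zip(dists, lambdas):
        if d == 0.0:
            return lam
    weights = [1.0 / d for d in dists]
    return sum(w * lam for w, lam in zip(weights, lambdas)) / sum(weights)


def dombi_tnorm(a, b, lam):
    """Dombi-class T-norm of memberships a, b in [0, 1] with strength
    lam > 0: small lam behaves like the drastic product, large lam
    approaches min (the usual non-parametric choice from slide 7)."""
    if a == 0.0 or b == 0.0:
        return 0.0
    s = (1.0 / a - 1.0) ** lam + (1.0 / b - 1.0) ** lam
    return 1.0 / (1.0 + s ** (1.0 / lam))


def rule_strength(memberships, lam):
    """Fire an antecedent 'A is a AND B is b AND ...' by folding the
    Dombi T-norm over the clause memberships at strength lam."""
    out = memberships[0]
    for m in memberships[1:]:
        out = dombi_tnorm(out, m, lam)
    return out


if __name__ == "__main__":
    rec = (0.3, 0.35)              # constructed new audit record
    lam = record_parameter(rec)    # 15/14 for this record
    print("parameter for record:", lam)
    print("AND strength:", rule_strength([0.8, 0.6], lam))
```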

15 Thanks for your attention!

