Cyber Intrusion Detection Algorithm Based on Bayes’ Theorem


1 Cyber Intrusion Detection Algorithm Based on Bayes’ Theorem
Stephanie Steren-Ruta - West High School ‘12
Syeda Faiza Islam - Farragut High School ‘15
Young Scholars Program
July 17, 2012
Knoxville, Tennessee

2 The problem
Securing the Smart Grid
Effective ways

3 http://www.youtube.com/watch?v=P0xfRhM1J p8

4 Terms
Intrusion Detection
Pattern Recognition
Bayes' Theorem
Maximum a posteriori probability (MAP)

5 Intrusion Detection
Identifying unauthorized use, misuse and abuse of computer systems by both system insiders and external predators.

6 Types of Intrusions
Denial of Service (DOS)
Remote to Local (R2L)
User to Root (U2R)
Probing

7 Pattern Recognition
Identifying the patterns in a set of data, then classifying and categorizing the data.

8 Bayes' Theorem
A mathematical formula used for calculating conditional probabilities.

9 Maximum a posteriori probability (MAP)
Assigning the sample of interest to the class for which it has the highest a posteriori probability.

10 Bayes' Theorem
$$P(X \mid B) = \frac{P(B \mid X)\, P(X)}{P(B)}$$

11 Multivariate Gaussian Distribution
$$P(x) = \frac{1}{(2\pi)^{d/2}\,|\Sigma|^{1/2}} \exp\left(-\frac{1}{2}(x-u)^{t}\,\Sigma^{-1}(x-u)\right)$$

12 Discriminant Function
$$\ln P(X \mid B) = \ln P(B \mid X) + \ln P(X) - \ln P(B)$$
$$= -\frac{1}{2}(x-u)^{t}\,\Sigma^{-1}(x-u) - \frac{1}{2}\ln|\Sigma| + \ln[P(B)]$$

13 Analysis of Data
Start with training data and testing data that both have known results.
Separate the training data into the different categories.
Compute the covariance and mean of each category.
Make a loop that tests all categories with the discriminant function.
Check for accuracy.
Change the prior probabilities until the most accurate result is obtained.

14 Data Set

15 Code
for i = 1:size(test_data,1)   % one pass per test record (row); length() would return the largest dimension
    current_entry = test_data(i,:);
    % Each discriminant is the quadratic term, the log-determinant term and the log of the class prior
    Function_1 = (-.5*((current_entry-mean_1)*inv(cov_1)*(current_entry-mean_1)')) - (.5*(log(det(cov_1)))) + (log(.7));     % class 1 discriminant function
    Function_2 = (-.5*((current_entry-mean_2)*inv(cov_2)*(current_entry-mean_2)')) - (.5*(log(det(cov_2)))) + (log(.0025));  % class 2 discriminant function
    Function_3 = (-.5*((current_entry-mean_3)*inv(cov_3)*(current_entry-mean_3)')) - (.5*(log(det(cov_3)))) + (log(.0025));  % class 3 discriminant function
    Function_4 = (-.5*((current_entry-mean_4)*inv(cov_4)*(current_entry-mean_4)')) - (.5*(log(det(cov_4)))) + (log(.05));    % class 4 discriminant function
    Function_5 = (-.5*((current_entry-mean_5)*inv(cov_5)*(current_entry-mean_5)')) - (.5*(log(det(cov_5)))) + (log(.2));     % class 5 discriminant function
    [C,I] = max([Function_1,Function_2,Function_3,Function_4,Function_5]);   % I is the index of the largest discriminant
    Decision(i,1) = I;   % MAP decision for record i
end
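The full procedure from slides 13 and 15 (train per class, evaluate the discriminant, take the maximum, build the confusion matrix), as an added example in Python rather than the presenters' MATLAB code. Assumptions not in the slides: priors are taken from class frequencies in the training data instead of being hand-tuned, the discriminant is evaluated through a Cholesky factor instead of inv() and det() so that a singular class covariance is reported rather than silently producing log(0), and the function names and the two-feature sample records are constructed for illustration.

```python
import math

def cholesky(S):
    """Lower-triangular L with L L^t = S; raises if S is not positive definite."""
    L = [[0.0] * len(S) for _ in S]
    for i in range(len(S)):
        for j in range(i + 1):
            s = S[i][j] - sum(L[i][k] * L[j][k] for k in range(j))
            if i == j and s <= 0:
                raise ValueError("covariance is not positive definite")
            L[i][j] = math.sqrt(s) if i == j else s / L[j][j]
    return L

def fit(rows, labels):
    """Per class: mean, Cholesky factor of the covariance, prior = class frequency."""
    model = {}
    for c in sorted(set(labels)):
        X = [r for r, y in zip(rows, labels) if y == c]
        n, d = len(X), len(X[0])
        mu = [sum(r[j] for r in X) / n for j in range(d)]
        cov = [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in X) / (n - 1)
                for j in range(d)] for i in range(d)]
        model[c] = (mu, cholesky(cov), n / len(rows))
    return model

def discriminant(x, mu, L, prior):
    """-1/2 (x-u)^t S^-1 (x-u) - 1/2 ln|S| + ln(prior), without inv() or det()."""
    z = []  # z solves L z = x - u, so the quadratic form equals sum(z_i^2)
    for i in range(len(x)):
        z.append((x[i] - mu[i] - sum(L[i][k] * z[k] for k in range(i))) / L[i][i])
    log_det = 2 * sum(math.log(L[i][i]) for i in range(len(x)))
    return -0.5 * sum(v * v for v in z) - 0.5 * log_det + math.log(prior)

def classify(x, model):
    """MAP decision: the class whose discriminant is largest."""
    return max(model, key=lambda c: discriminant(x, *model[c]))

def confusion(rows, labels, model):
    """m[actual][predicted] counts over a labelled set."""
    m = {a: {p: 0 for p in model} for a in model}
    for x, y in zip(rows, labels):
        m[y][classify(x, model)] += 1
    return m

# Constructed two-feature training records (not from the presentation's data set).
SHAPE = [(1, 1), (2, 1), (1, 2), (2, 2), (1.5, 1.5)]
OFFSET = {"normal": (0, 0), "dos": (20, 0), "probing": (0, 20)}
ROWS = [(a + dx, b + dy) for dx, dy in OFFSET.values() for a, b in SHAPE]
LABELS = [c for c in OFFSET for _ in SHAPE]
MODEL = fit(ROWS, LABELS)
```

Measuring accuracy on the same records that were used to adjust the priors overstates it; keeping a separate held-out set for the final confusion matrix avoids that.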

16 Results Accuracy Prior Probability

17 Confusion Matrix
1 - DOS, 2 - R2L, 3 - U2R, 4 - Probing, 5 - Normal Connection
[Table columns: 1 2 3 4 5]

18 1 2 3 4 5

19 Error Future Improvements


