Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementation of Machine Learning and Chaos Combination for Improving Attack Detection Accuracy on Intrusion Detection System (IDS) Bisyron Wahyudi Kalamullah.

Published byAnnabelle Baldwin Modified over 9 years ago

Similar presentations

Presentation on theme: "Implementation of Machine Learning and Chaos Combination for Improving Attack Detection Accuracy on Intrusion Detection System (IDS) Bisyron Wahyudi Kalamullah."— Presentation transcript:

1 Implementation of Machine Learning and Chaos Combination for Improving Attack Detection Accuracy on Intrusion Detection System (IDS) Bisyron Wahyudi Kalamullah Ramli Department of Electrical Engineering Universitas Indonesia

2 Network Security

3  The most important element In the network security: IDS  Intrusion detection principles:  Misuse detection (signature base)  Anomaly detection (statistics)  Classification with Machine Learning (research) Background: IDS

4  Intrusion detection too many false alarm  More often arise new types of attack  Required effective and adaptable detection method  Classification with Machine Learning gives the best result depend on the kernel function and its parameters, and network data attributes/features.  There are no systematic theories concerning how to choose the appropriate kernel/parameters. Background: Problem

5 1.Capturing packets transferred on the network. 2.Extracting an extensive set of attributes/features of the network packets data that can describe a network connection or a host session. 3.Learning a model that can accurately describe the behavior of abnormal and normal activities by applying data mining techniques. 4.Detecting the intrusions by using the learned models. Data Mining Approach for IDS

6 Classification (Supervised) Clustering (Unsupervised) K Nearest Neighbor (K-NN)K-Means Naïve BayesHierarchical Clustering Artificial Neural NetworkDBSCAN Support Vector MachineFuzzy C-Means Fuzzy K-NNSelf Organizing Map Data Mining Approach

7 Machine Learning Input Training Data (x,y) Input Training Data (x,y) Model Development Learning Algorithm Model Implementation Input Test Data (x,?) Input Test Data (x,?) Output Test Data (x,y) Output Test Data (x,y)

8 SVM Classification

9 Kernel NameDefinition of Function Linear K(x,y)= x.y PolynomialK(x,y)= (x.y + c) d Gaussian RBF K(x,y)= exp(- II x-y II 2 /2.σ 2 ) Sigmoid (Tangent Hyperbolic) K(x,y)= tanh(σ(x.y) + c) Inverse Multiquadric K(x,y)= 1 / √ II x-y II 2 + c Kernel Function x and y pair of data from train dataset σ, c, d > 0 constant parameter

10  How to choose the optimal/significant input dataset feature.  How to set the best kernel function and parameters: σ, ε and C. SVM Performance

11  Three important dynamic properties: the intrinsic stochastic property, ergodicity and regularity  Advantage of chaos escape from local minima  More efficient to obtain optimization parameters by means of its powerful global searching ability Chaos

12 System Design

13 Metodologi Data Collection Data Preprocessing Model Development Data Classification Training Dataset Test Dataset KDDCUP ’99 DARPA Dataset Predicted Intrusion Data

14 Data Preprocessing Dataset Transformation Dataset Normalization Range Discretization Format Conversion Dataset Division: Training & Test KDDCUP ’99 DARPA Dataset Test Dataset Training Dataset

15 Model Development Input Training Data (x,y) Input Training Data (x,y) Parameter Selection with Chaos Optimization Learning Algorithm (SVM) Learning Algorithm (SVM) Model Implementation Input Test Data (x,?) Input Test Data (x,?) Output Test Data (x,y) Output Test Data (x,y) Kernel Function Selection

16 Fitur 1-9 : intrinsic feature extracted from header paket Fitur 10-22 : atribut konten yang didapat dari pengetahuan ahli dari paket Fitur 23-31 : atribut konten dari koneksi 2 detik sebelumnya Fitur 32-41 : atribut trafik dari mesin yang didapat dari 100 koneksi sebelumnya Fitur Payload : payload berdasarkan waktu (minggu) Feature in KddCup

17 Intrinsic Attributes These attributes are extracted from the headers' area of the network packets

18 Content Attributes These attributes are extracted from the contents area of the network packets based on expert person knowledge

19 Time Traffics Attributes To calculate these attributes we considered the connections that occurred in the past 2 seconds

20 Machine Traffic Attributes To calculate these attributes we took into account the previous 100 connections

21 21 Network Traffic Classification

22 The features that used in previous works are eight features from Mukkamala are: src_bytes, dst_bytes, Count, srv_count, dst_host_count, dst_host_srv_count, dst_host_same_src_port_rate, dst_host_srv_diff _host_rate. Selected Features

23 The features that used in previous works are 24 features from Natesan are: Duration, protocol_type, Service, Flag, src_bytes, dst_bytes, Hot, num_failed_logins, logged-in, num_compromised, root_shell, num_root, num_file_creations, num_shells, num_access_files, is_host_login, is_guest_login, Count, serror_rate, rerror_rate, diff_srv_rate, dst_host_count, dst_host_diff_srv_rate, dst_host_srv_serror_rate. Selected Features

24 Proposed Features

25

26 Data Pre-processing

27 Simulation Experiment

28 Simulation Process Design

29 Using payload can improve accuracy of IDS in detecting R2L. Using SVM with RBF kernel, accuracy detection rates up to 98.2%. Based on experiment, average detection of all features are best using 28 features using payload : Experiment Result

Download ppt "Implementation of Machine Learning and Chaos Combination for Improving Attack Detection Accuracy on Intrusion Detection System (IDS) Bisyron Wahyudi Kalamullah."

Similar presentations

ECG Signal processing (2)

ECG Signal processing (2)
ONLINE ARABIC HANDWRITING RECOGNITION By George Kour Supervised by Dr. Raid Saabne.

ONLINE ARABIC HANDWRITING RECOGNITION By George Kour Supervised by Dr. Raid Saabne.
Support Vector Machines

Support Vector Machines
Particle swarm optimization for parameter determination and feature selection of support vector machines Shih-Wei Lin, Kuo-Ching Ying, Shih-Chieh Chen,

Particle swarm optimization for parameter determination and feature selection of support vector machines Shih-Wei Lin, Kuo-Ching Ying, Shih-Chieh Chen,
Performance Evaluation of the Fuzzy ARTMAP for Network Intrusion Detection Nelcileno Araújo Ruy de Oliveira Ed’Wilson Tavares Ferreira Valtemir Nascimento.

Performance Evaluation of the Fuzzy ARTMAP for Network Intrusion Detection Nelcileno Araújo Ruy de Oliveira Ed’Wilson Tavares Ferreira Valtemir Nascimento.
An Overview of Machine Learning

An Overview of Machine Learning
CS 590M Fall 2001: Security Issues in Data Mining Lecture 3: Classification.

CS 590M Fall 2001: Security Issues in Data Mining Lecture 3: Classification.
Properties of Machine Learning Applications for Use in Metamorphic Testing Chris Murphy, Gail Kaiser, Lifeng Hu, Leon Wu Columbia University.

Properties of Machine Learning Applications for Use in Metamorphic Testing Chris Murphy, Gail Kaiser, Lifeng Hu, Leon Wu Columbia University.
Learning Classifier Systems to Intrusion Detection Monu Bambroo 12/01/03.

Learning Classifier Systems to Intrusion Detection Monu Bambroo 12/01/03.
Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.

Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.
Copyright 2002, Center for Secure Information Systems 1 Panel: Role of Data Mining in Cyber Threat Analysis Professor Sushil Jajodia Center for Secure.

Copyright 2002, Center for Secure Information Systems 1 Panel: Role of Data Mining in Cyber Threat Analysis Professor Sushil Jajodia Center for Secure.
Neural Networks Chapter 8. 8.1 Feed-Forward Neural Networks.

Neural Networks Chapter Feed-Forward Neural Networks.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Machine Learning as Applied to Intrusion Detection By Christine Fossaceca.

Machine Learning as Applied to Intrusion Detection By Christine Fossaceca.
CS 478 - Instance Based Learning1 Instance Based Learning.

CS Instance Based Learning1 Instance Based Learning.
LLNL-PRES-671957 This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.

LLNL-PRES This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
1. Introduction Generally Intrusion Detection Systems (IDSs), as special-purpose devices to detect network anomalies and attacks, are using two approaches.

1. Introduction Generally Intrusion Detection Systems (IDSs), as special-purpose devices to detect network anomalies and attacks, are using two approaches.
Data Mining for Intrusion Detection: A Critical Review Klaus Julisch From: Applications of data Mining in Computer Security (Eds. D. Barabara and S. Jajodia)

Data Mining for Intrusion Detection: A Critical Review Klaus Julisch From: Applications of data Mining in Computer Security (Eds. D. Barabara and S. Jajodia)
A Geometric Framework for Unsupervised Anomaly Detection: Detecting Intrusions in Unlabeled Data Authors: Eleazar Eskin, Andrew Arnold, Michael Prerau,

A Geometric Framework for Unsupervised Anomaly Detection: Detecting Intrusions in Unlabeled Data Authors: Eleazar Eskin, Andrew Arnold, Michael Prerau,

Similar presentations

Ads by Google