Download fuzzy data mining and genetic algorithms - TKS

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
Document related concepts

Human genetic clustering wikipedia , lookup

Cluster analysis wikipedia , lookup

Nonlinear dimensionality reduction wikipedia , lookup

Transcript 
FUZZY DATA MINING AND GENETIC ALGORITHMS APPLIED
TO
INTRUSION DETECTION
Name:-TAPASI PATI
Roll No-0401101238
5/1/2017
1
Contents
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Introduction
Cyber Attacks - Intrusions
Intrusion Detection
Why We Need Intrusion Detection
System Goals and Preliminary Architecture
Models Of Intrusion Detection
 Anomaly Detection
 Misuse Detection
How Genetic Algorithm is used in IDS
Conclusion
References
5/1/2017
2
Contents
Introduction
Firewall
Contents
Contents
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
The wide spread use of computer networks in today’s
society, especially the sudden surge in importance of
e-commerce to the world economy, has made
computer network security an international priority.
Since it is not technically feasible to build a system with
no vulnerabilities, intrusion detection has become an
important area of research.
Intelligent intrusion detection system (IIDS) has been
developed to demonstrate the effectiveness of data
mining techniques that utilize fuzzy logic and genetic
algorithms.
5/1/2017
3
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Cyber Attack-Intrusion
Cyber attacks (intrusions) are actions that attempt to bypass security
mechanisms of computer systems.
They are caused by:
Attackers accessing the system from Internet
Insider attackers - authorized users attempting to gain and misuse
non-authorized privileges
􀂊 Typical intrusion scenario
5/1/2017
4
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Cyber Attack-Intrusion
5/1/2017
5
Intrusion Detection
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Intrusion Detection: Intrusion detection is the process of monitoring the
events occurring in a computer system or network and analyzing them for
signs of intrusions,defined as attempts to bypass the security mechanisms
of a computer or network (“compromise the confidentiality, integrity,
availability of information resources”)
Intrusion Detection System (IDS)
combination of software and hardware that attempts to perform intrusion
detection
raise the alarm when possible intrusion happens
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Need of Intrusion Detection
Security mechanisms always have inevitable vulnerabilities
Current firewalls are not sufficient to ensure security in
computer networks
“Security holes” caused by allowances made to
users/programmers/administrators
􀂊 Insider attacks
Multiple levels of data confidentiality in commercial and
government organizations needs multi-layer protection in
firewalls
5/1/2017
7
System Goals
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
The long term goal to design and build an intelligent intrusion detection
system that are
Accurate (low false negative and false positive rates),
Flexible
Not easily fooled by small variations in intrusion patterns
Adaptive in new environments,
Modular with both misuse and anomaly detection components
Distributed
Real-time
5/1/2017
5/1/2017
5/1/2017
8 8
8
Architecture
5/1/2017
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
9
Data Mining
for Intrusion Detection
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Misuse detection
Predictive models are built from labeled data sets (instances are
labeled as “normal” or “intrusive”)
These models can be more sophisticated and precise than manually
created signatures
Unable to detect attacks whose instances have not yet been observed
Anomaly detection
Build models of “normal” behavior and detect anomalies as
deviations from it .
Possible high false alarm rate - previously unseen (yet legitimate)
system behaviors may be recognized as anomalies
5/1/2017
10
Anomaly Detection via
Fuzzy Data Mining
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
The integration of fuzzy logic with data mining methods helps to create more
abstract and flexible patterns for intrusion detection.
Fuzzy logic
One to represent concepts that could be considered to be in more than one
category (or from another point of view—it allows representation of
overlapping categories).
Partial membership in sets or categories.
Data Mining
Automatically learn patterns from large quantities of data.
5/1/2017
11
Fuzzy Logic Method
Fuzzy Logic
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
ID using Fuzzy Logic
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Suppose one wants to write a rule such as
If the number different destination addresses during the last 2 seconds was high
Then an unusual situation exists.
Using fuzzy logic, a rule like the one shown above could be written as
If the DP = high
Then an unusual situation exists
DP is a fuzzy variable and high is a fuzzy set.
The degree of membership of the number of destination ports in the fuzzy
set high determines whether or not the rule is activated.
ID using Fuzzy Logic
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
ID using
Using Data
DataMining
ID
Mining
FUZZY
FUZZY DATA
DATA MINING
MINING AND
AND GENETIC
GENETIC ALGORITHMS
ALGORITHMS
APPLIED
TO
INTRUSION
DETECTION
APPLIED TO INTRUSION DETECTION
Two data mining methods, have been used to mine audit data to find
normal patterns for anomaly intrusion detection
Association Rules
Fuzzy Association Rules
Frequency episodes
Fuzzy Frequency episodes
Association Rules
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Association rules are developed
transactions using retail data.
to
find
correlations
in
For example, if a customer who buys a soft drink (A) usually also
buys potato chips (B), then potato chips are associated with soft
drinks using the rule A B. Suppose that 25% of all customers buy
both soft drinks and potato chips and that 50% of the customers
who buy soft drinks also buy potato chips. Then the degree of
support for the rule is s = 0.25 and the degree of confidence in the
rule is c = 0.50.
The Apriori algorithm requires two thresholds of minconfidence
(representing minimum confidence) and minsupport (representing
minimum support).
Fuzzy Association Rules
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
This gives rise to the “sharp boundary problem” in which a very
small change in value causes an abrupt change in category.
Their method allows a value to contribute to the support of more
than one fuzzy set
An example of a fuzzy association rule from one set of audit data is:
{ SN=LOW, FN=LOW } → { RN=LOW },
c = 0.924, s = 0.49
where SN is the number of SYN flags, FN is the number of FIN flags
and RN is the number of RST flags in a 2 second period.
For anomaly detection, we mine a set of rules from a data set with
no intrusions (termed a reference data set) and use this as a
description of normal behavior. When considering a new set of audit
data, a set of association rules is mined from the new data and the
similarity of this new rule set and the reference set is computed.
Fuzzy Association Rules
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Figure shows results from one experiment comparing the similarities
with the reference set of rules mined from data without intrusions and
with intrusions.
Comparison of Similarities Between Training Data Set and Different Test Data Sets for
Fuzzy Association Rules (minconfidence=0.6; minsupport=0.1Training Data Set: reference
(representing normal behavior) Test Data Sets: baseline (representing normal behavior),
network1 (including simulated IP spoofing intrusions), and
network3 (including simulated port scanning intrusions)
Frequency Episodes
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
This algorithm for discovering simple serial frequency episodes
from event sequences based on minimal occurrences.Later it is
used to mine to fuzzy frequency episodes.
An event is characterized by a set of attributes at a point in time.
An episode P(e1,e2, …, ek) is a sequence of events that occurs
within a time window [t,t’]. The episode is minimal if there is no
occurrence of the sequence in a subinterval of the time interval.
Given a threshold of window (representing timestamp bounds),
the frequency of P(e1,e2, …, ek) in an event sequence S is the
total number of its minimal occurrences in any interval smaller than
window.
So, given another threshold minfrequency (representing minimum
frequency), an episode P(e1,e2, …, ek) is called frequent,
if frequency(P)/n ≥minfrequency.
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Fuzzy Frequency Episodes
This is Integration of fuzzy logic with frequency episodes
The fuzzy frequency episodes involves quantitative attributes in
an event.
An example of a fuzzy frequency episode given below:
{ E1: PN=LOW, E2: PN=MEDIUM } →{ E3: PN=MEDIUM },
c = 0.854, s = 0.108, w = 10 seconds
where E1, E2, and E3 are events that occur in that order
PN is the number of distinct destination ports within a 2
second period.
The use of fuzzy logic with frequency episodes results in a
reduction of the false positive error rate.
Misuse Detection
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
The misuse detection components are small rule-based expert
systems that look for known patterns of intrusive behavior. The
FuzzyCLIPS system allows us to implement both fuzzy and nonfuzzy rules.
A simple example of a rule from the misuse detection
component is
IF the number of consecutive logins by a user is greater than 3
THEN the behavior is suspicious
Information from a number of misuse detection components will
be combined by the decision component to determine if an alarm
should be result.
Genetic Algorithms
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Genetic algorithms are search procedures often used for optimization
problems. When using fuzzy logic, it is often difficult for an expert to provide
“good” definitions for the membership functions for the fuzzy variables.
Each fuzzy membership function can be defined using two parameters as
shown in Figure 3. Each chromosome for the GA consists of a sequence of
these parameters (two per membership function). An initial population of
chromosomes is generated randomly where each chromosome represents a
possible solution to the problem (an set of parameters).
The goal is to increase the similarity of rules mined from data without
intrusions and the reference rule set while decreasing the similarity of rules
mined from intrusion data and the reference rule set.
The genetic algorithm works by slowly “evolving” a population of chromosomes
that represent better and better solutions to the problem.
Genetic Algorithms
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
The evolution process of the fitness of the population,including the
fitness of the most fit individual, the fitness of the least fit individual
and the average fitness of the whole population
Genetic Algorithms
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Figure 7: The evolution process for tuning fuzzy membership
functions in terms of similarity of data sets containing intrusions
(mscan1) and not containing intrusions (normal1) with the
reference rule set.
Figure 7 demonstrates the evolution of the population of solutions in terms of
the two components of the fitness function (similarity of mined ruled to the
“normal” rules and similarity of the mined rules to the “abnormal” rules.) This
graph also demonstrates that the quality of the solution increases as the
evolution process proceeds.
Genetic Algorithms
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Conclusion
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
The integrated data mining techniques with fuzzy logic provide
new techniques to support both anomaly detection and misuse
detection components at both the individual workstation level and
at the network level.The genetic algorithms to tune the
membership functions for the fuzzy variables used by our system
to and select the most effective set of features for particular types
of intrusions.
Currently it is used for misuse detection components, the decision
module, additional machine learning components, and a graphical user
interface for the system. Now it is Planning to extend this system to
operate in a high performance cluster computing environment.
Referrences
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
Ilgun, K., and A. Kemmerer.1995. State transition analysis: A rule-based
intrusion detection approach. IEEE Transaction on Software Engineering
21(3): 181-99
Orchard, R. 1995. FuzzyCLIPS version 6.04 user’s guide. Knowledge
System Laboratory, National Research Council Canada.
Kuok, C., A. Fu, and M. Wong. 1998. Mining fuzzy association rules in
databases. SIGMOD Record 17(1): 41-6. (Downloaded from
http://www.acm.org/sigs/sigmod/record/ issues/9803 on 1 March 1999).
Allen, J., Alan Christie, Willima Fithen, John McHugh, Jed Pickel, Ed
Stoner. 2000.State of the Practice of Intrusion Detection Technologies.
CMU/SEI-99-TR-028.Carnegie Mellon Software Engineering Institute.
(http://sei.cmu.edu/publications/documents/99.reports/99tr028abstract.html)
.
Queries???
5/1/2017
5/1/2017
FUZZY DATA MINING AND GENETIC ALGORITHMS
APPLIED TO INTRUSION DETECTION
28
28
Related documents
M.Tech. IN ADVANCED INFORMATION TECHNOLOGY - INTELLIGENT SYSTEMS AND ROBOTICS (MTECHSR) Term-End Examination
M.Tech. IN ADVANCED INFORMATION TECHNOLOGY - INTELLIGENT SYSTEMS AND ROBOTICS (MTECHSR) Term-End Examination
601323 Data Mining
601323 Data Mining
Anomaly Detection Using GAs
Anomaly Detection Using GAs
Intrusion Detection using Genetic Programming
Intrusion Detection using Genetic Programming
DAFTAR PUSTAKA
DAFTAR PUSTAKA
Intrusion Detection Technique by using K
Intrusion Detection Technique by using K
Overview of Part II, CMSC5707 Advanced Topics in Artificial
Overview of Part II, CMSC5707 Advanced Topics in Artificial
Abstract-The paper`s object is to develop a network intrusion
Abstract-The paper`s object is to develop a network intrusion
EE4285 - NTU EEE
EE4285 - NTU EEE
Machine Learning syl..
Machine Learning syl..
Automating the design of data mining algorithms with genetic
Automating the design of data mining algorithms with genetic
Bölüm
Bölüm
Applying Data Mining of Fuzzy Association Rules to Network
Applying Data Mining of Fuzzy Association Rules to Network
- VTUPlanet
- VTUPlanet
Intrusion Prevention Systems
Intrusion Prevention Systems