Anomaly Detection Using GAs
Umer Khan
28-sept-2005
1
Limitations
• GAs provide optimization rather than classification
• Tend to be rule based
• Usually applied to misuse detection rather than anomaly detection
• Learn according to a scenario, i.e. the result is specific to that scenario
• But integration with fuzzy logic combined with data mining may work well
2
Fuzzy Logic
• Appropriate for intrusion detection for two reasons
• First, quantitative features (fuzzy variables) are involved in intrusion detection
• Examples: measurements of CPU usage time, connection detection, number of different TCP/UDP connections initiated by the same source host
3
Fuzzy Logic
• Second motivation: “security includes fuzziness”
• Helps to smooth the abrupt separation of normality and abnormality
• Allows representation of overlapping categories
• Standard set theory vs. fuzzy set theory
4
Anomaly Detection via Fuzzy Data Mining
• Data mining is used to automatically learn patterns from large quantities of data
• Example rule: if the number of different destination addresses during the last 2 seconds was HIGH, then an unusual situation exists
• What number falls in the set HIGH?
• The degree of membership in the fuzzy set HIGH determines whether or not the rule is activated
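The following is an added example (not part of the original slides) showing the "destination addresses in the last 2 seconds" rule above: a crisp set fires abruptly at a fixed threshold, whereas a fuzzy set HIGH gives a membership degree that rises gradually and drives the rule's activation. The window size comes from the slide; the ramp breakpoints (5 and 20 distinct addresses), the event sample and the 0.5 alarm cut-off are assumptions chosen for illustration.

```python
"""Fuzzy vs. crisp evaluation of the rule
'IF number of distinct destinations in the last 2 s is HIGH THEN unusual'.
Added example; thresholds and sample events are constructed, not from the slides."""


def ramp(x, low, high):
    """Membership degree that rises linearly from 0 at `low` to 1 at `high`."""
    if x <= low:
        return 0.0
    if x >= high:
        return 1.0
    return (x - low) / (high - low)


# Assumed breakpoints: up to 5 distinct destinations is clearly not HIGH,
# 20 or more is fully HIGH, anything in between has partial membership.
def high_dest_count(n):
    """Membership of `n` distinct destinations in the fuzzy set HIGH."""
    return ramp(n, 5, 20)


def crisp_high(n, threshold=10):
    """Standard set theory: HIGH is either 0 or 1, with an abrupt boundary."""
    return 1.0 if n >= threshold else 0.0


def count_destinations(events, now, window=2.0):
    """Distinct destination addresses seen in the interval (now - window, now]."""
    return len({dst for (t, dst) in events if now - window < t <= now})


def rule_activation(events, now):
    """Degree to which the rule fires at time `now` (fuzzy antecedent = HIGH)."""
    return high_dest_count(count_destinations(events, now))


def is_alarm(degree, threshold=0.5):
    """Raise an alarm when the rule's activation reaches the (assumed) cut-off."""
    return degree >= threshold


# Constructed sample: a quiet period, then one host contacting 12 distinct
# destinations within about 1.7 seconds (scan-like behaviour).
SAMPLE_EVENTS = [(1.5, "10.0.0.50"), (2.0, "10.0.0.51"), (7.9, "10.0.0.60")]
SAMPLE_EVENTS += [(8.1 + i * 0.15, f"10.0.0.{i + 1}") for i in range(12)]


if __name__ == "__main__":
    for now in (3.0, 10.0):
        n = count_destinations(SAMPLE_EVENTS, now)
        print(f"t={now:4.1f}s distinct={n:2d} crisp={crisp_high(n):.0f} "
              f"fuzzy={high_dest_count(n):.2f} alarm={is_alarm(rule_activation(SAMPLE_EVENTS, now))}")
    # Crisp membership jumps from 0 to 1 between 9 and 10 destinations;
    # the fuzzy degree moves only from 4/15 to 5/15.
    print([(n, crisp_high(n), round(high_dest_count(n), 3)) for n in (9, 10)])
```

The membership degree, not a binary match, is what decides whether the rule is considered activated; combining several fuzzy antecedents is usually done with min (fuzzy AND), as the association-rule example later in the deck does.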
5
Typical Way
6
Fuzzy Logic
7
Data Mining
• Two methods: “association rules and frequency episodes”
• Mine audit data to find normal patterns for anomaly intrusion detection
8
Association Rules
• If a customer who buys a soft drink (A) usually also buys potato chips (B), then potato chips are associated with soft drinks by the rule A → B
• A fuzzy association rule can look like:
{ SN=LOW, FN=LOW } → { RN=LOW }
• We mine a set of rules from a dataset with no intrusions and designate it as normal behavior
9
Association Rules
• Given a new set of audit data, a new set of association rules is mined and its similarity with the reference set is analyzed
• If the similarity is low, the new data will cause an alarm
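As an added example (not code from the slides or from the cited work), the following mines fuzzy association rules of the form shown above, such as { SN=LOW, FN=LOW } → { RN=LOW }, from a clean dataset, then mines a second rule set from new audit data and compares the two. The feature names SN, FN and RN are taken from the slide; treating them as per-window counts on a 0..100 scale, the two-label fuzzification, the fuzzy support (mean of the min membership, i.e. fuzzy AND), the Jaccard similarity between rule sets and the 0.5 alarm threshold are all assumptions, as are the sample records.

```python
"""Fuzzy association-rule mining and rule-set similarity for anomaly detection.
Added example; feature semantics, membership scale, similarity measure and
sample data are constructed, not taken from the slides."""
from itertools import combinations

FEATURES = ("SN", "FN", "RN")   # names from the slide; assumed to be counts per window
LABELS = ("LOW", "HIGH")


def ramp(x, low, high):
    """Membership rising linearly from 0 at `low` to 1 at `high`."""
    if x <= low:
        return 0.0
    if x >= high:
        return 1.0
    return (x - low) / (high - low)


def fuzzify(record, scale=100.0):
    """Map each numeric feature to degrees in the fuzzy sets LOW and HIGH (assumed scale)."""
    degrees = {}
    for f in FEATURES:
        h = ramp(record[f], 0.0, scale)
        degrees[(f, "HIGH")] = h
        degrees[(f, "LOW")] = 1.0 - h
    return degrees


def fuzzy_support(itemset, fuzzified):
    """Fuzzy support: average over records of min membership of the items (fuzzy AND)."""
    return sum(min(r[i] for i in itemset) for r in fuzzified) / len(fuzzified)


def mine_rules(records, min_support=0.5, min_confidence=0.8):
    """Return {(antecedent_items, consequent_item): confidence} for rules with
    one or two antecedent items and one consequent, above both thresholds."""
    fz = [fuzzify(r) for r in records]
    items = [(f, lab) for f in FEATURES for lab in LABELS]
    rules = {}
    for n in (1, 2):
        for ante in combinations(items, n):
            ante_features = {f for f, _ in ante}
            if len(ante_features) < n:      # one label per feature in an antecedent
                continue
            s_ante = fuzzy_support(ante, fz)
            if s_ante == 0.0:
                continue
            for cons in items:
                if cons[0] in ante_features:
                    continue
                s_all = fuzzy_support(ante + (cons,), fz)
                confidence = s_all / s_ante
                if s_all >= min_support and confidence >= min_confidence:
                    rules[(frozenset(ante), cons)] = confidence
    return rules


def similarity(reference, new):
    """Jaccard similarity of two rule sets (assumed measure; 1.0 = identical rules)."""
    a, b = set(reference), set(new)
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def check_audit_data(reference_rules, new_records, threshold=0.5):
    """Mine rules from new audit data; alarm when similarity to the reference is low."""
    sim = similarity(reference_rules, mine_rules(new_records))
    return sim, sim < threshold


# Constructed sample data: normal windows have few SYN/FIN/RST-like counts,
# the "new" windows show high SN and RN with low FN.
NORMAL_RECORDS = [dict(SN=s, FN=f, RN=r) for s, f, r in
                  [(5, 10, 0), (10, 5, 5), (15, 10, 0), (10, 15, 5), (5, 10, 0), (10, 5, 5)]]
NEW_RECORDS = [dict(SN=s, FN=f, RN=r) for s, f, r in
               [(95, 5, 90), (100, 0, 100), (90, 10, 85), (100, 0, 95), (95, 5, 100), (90, 10, 90)]]


if __name__ == "__main__":
    reference = mine_rules(NORMAL_RECORDS)
    for (ante, cons), conf in sorted(reference.items(), key=lambda kv: -kv[1]):
        print("{ " + ", ".join(f"{f}={l}" for f, l in sorted(ante)) + " } -> "
              f"{{ {cons[0]}={cons[1]} }}  conf={conf:.2f}")
    print("new data:", check_audit_data(reference, NEW_RECORDS))
```

With the constructed data every mined reference rule relates LOW values to LOW values, the new data yields only rules over SN=HIGH, FN=LOW and RN=HIGH, so the rule sets share nothing, the similarity is 0.0 and an alarm is raised; re-mining the normal data reproduces the reference set exactly (similarity 1.0).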
10