Anomaly Detection Using GAs
Umer Khan
28-sept-2005

Limitations
• GAs provide optimization rather than classification.
• Tends to be rule based.
• Usually applied to misuse detection rather than anomaly detection.
• Learns according to a scenario, i.e. is specific to that scenario.
• But integration with fuzzy logic, combined with data mining, may work well.

Fuzzy Logic
• Appropriate for intrusion detection for two reasons.
• Quantitative features (fuzzy variables) are involved in intrusion detection.
• Measurements of CPU usage time, connection detection, number of different TCP/UDP connections initiated by the same source host.

Fuzzy Logic
• 2nd motivation: “Security includes fuzziness”.
• Helps to smooth the abrupt separation of normality and abnormality.
• Allows representation of overlapping categories.
• Standard set theory vs. fuzzy set theory.

Anomaly Detection via Fuzzy Data Mining
• Data mining is used to automatically learn patterns from large quantities of data.
• If the number of different destination addresses during the last 2 seconds was high, then an unusual situation exists.
• What number falls in the set High?
• The degree of membership in the fuzzy set High determines whether or not the rule is activated.

Typical Way

Fuzzy Logic

Data Mining
• 2 methods: “Association Rules and Frequency Episodes”.
• Mine audit data to find normal patterns for anomaly intrusion detection.

Association Rules
• If a customer who buys a soft drink (A) usually also buys potato chips (B), then potato chips are associated with soft drinks using the rule A → B.
• A fuzzy association rule can be like: { SN=LOW, FN=LOW } → { RN=LOW }
• We mine a set of rules from a dataset with no intrusions and designate it as normal behavior.

Association Rules
• Considering a new set of audit data, a new set of association rules is mined and its similarity with the reference set is analyzed.
• If the similarity is low, then the new data will cause an alarm.

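The procedure on the two Association Rules slides, as an added Python example that is not part of the original slides: fuzzy rules are mined from intrusion-free data, mined again from a new window, and the two rule sets are compared. The membership breakpoints, the use of min to combine memberships, the similarity formula, the thresholds, the helper names and the sample values are all assumptions made for illustration.

```python
from itertools import product

FEATURES = ("SN", "FN", "RN")          # feature names from the slide's example rule
LABELS = ("LOW", "MEDIUM", "HIGH")

def membership(x, label):
    """Degree in [0, 1] to which normalised x belongs to a fuzzy set (assumed shapes)."""
    if label == "LOW":
        return max(0.0, min(1.0, (0.5 - x) / 0.3))   # 1 below 0.2, 0 above 0.5
    if label == "HIGH":
        return max(0.0, min(1.0, (x - 0.5) / 0.3))   # 0 below 0.5, 1 above 0.8
    return max(0.0, 1.0 - abs(x - 0.5) / 0.3)        # MEDIUM: triangle peaking at 0.5

def support(records, items):
    """Fuzzy support: mean over records of the minimum membership across items."""
    return sum(min(membership(r[f], l) for f, l in items) for r in records) / len(records)

def mine_rules(records, min_sup=0.2, min_conf=0.6):
    """Return {(antecedent, consequent): support} for two-item antecedents."""
    rules = {}
    for target in FEATURES:
        a, b = (f for f in FEATURES if f != target)
        for la, lb, lc in product(LABELS, repeat=3):
            ante, cons = ((a, la), (b, lb)), (target, lc)
            s_ante, s_rule = support(records, ante), support(records, ante + (cons,))
            # s_ante >= s_rule, so the division is safe once s_rule passes min_sup
            if s_rule >= min_sup and s_rule / s_ante >= min_conf:
                rules[(ante, cons)] = s_rule
    return rules

def similarity(reference, new):
    """Share of rules common to both sets, weighted by agreement of their supports."""
    if not reference or not new:
        return 0.0
    shared = sum(1 - abs(reference[r] - new[r]) / max(reference[r], new[r])
                 for r in reference.keys() & new.keys())
    return shared / max(len(reference), len(new))

def raises_alarm(reference_rules, window, threshold=0.5):
    """Low similarity to the intrusion-free reference rule set triggers an alarm."""
    return similarity(reference_rules, mine_rules(window)) < threshold

def rows(*values):
    return [dict(zip(FEATURES, v)) for v in values]

# Constructed sample data, already normalised to [0, 1]; not from the slides.
REFERENCE = rows((0.10, 0.10, 0.05), (0.15, 0.12, 0.10), (0.18, 0.16, 0.10), (0.12, 0.15, 0.08))
NEW_NORMAL = rows((0.10, 0.14, 0.05), (0.26, 0.10, 0.10), (0.12, 0.10, 0.08), (0.15, 0.16, 0.12))
ANOMALOUS = rows((0.90, 0.05, 0.85), (0.95, 0.10, 0.90), (0.85, 0.08, 0.80), (0.92, 0.05, 0.88))
```

On this data the reference set contains the slide's rule { SN=LOW, FN=LOW } → { RN=LOW }; the second normal window mines the same rules with slightly lower support, while the anomalous window mines none of them.
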
Future Task
• Analyzing the working of the “Frequency Episode” method of data mining.
• Use of genetic algorithms in tuning fuzzy membership functions.