Published by: ijcsis on Jun 12, 2010
Copyright: Attribution Non-commercial

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 2, 2010
On Multi-Classifier Systems for Network Anomaly Detection and Features Selection

Munif M. Jazzer
Faculty of ITC, Arab Open University-Kuwait, Kuwait.

Mahmoud Jazzar
Dept. of Computer Science, Birzeit University, Birzeit, Palestine

Aman Jantan
School of Computer Sciences, University of Science Malaysia, Pulau Pinang, Malaysia
Abstract—Due to the irrelevant patterns and noise in network data, most network intrusion detection sensors suffer from the false alerts they produce. This condition gets worse when intrusion detection measures are deployed in a real-time environment. In addition, most existing IDS sensors consider all network packet features. Using all packet features for network intrusion detection results in lengthy and contaminated intrusion detection. In this research we highlight the necessity of using important features in various anomaly detection cases. The paper presents a new multi-classifier system for intrusion detection. The basic idea is to quantify the causal inference relation to attack and attack-free data in order to determine the attack detection and the severity of odd packets. Initially, we refine the data patterns and attributes to classify the training data; then we use the SOM clustering method and fuzzy cognitive maps diagnosis to replicate attacks and normal network connections. Experimental results show that the classifiers give a better representation of normal and attack connections when significant features are used.
 
Keywords: Anomaly Detection; SOM; FCM; Security
I. INTRODUCTION
The basic function of anomaly-based sensors is to detect any deviation from normal system behavior. However, clear boundaries between normal and abnormal patterns are very difficult to realize in practice, especially when new systems are added to or removed from the network [1, 2]. As a solution, we try to tackle this problem by implementing unsupervised learning and knowledge discovery techniques, so that there is no need to train the system on clean data.

A typical network-based IDS processes system activities based on network data and evaluates the probability of action of these data to decide whether the activities are normal or intrusions [1]. In order to evaluate system activity and trace the probability of action of normal vs. intrusive data, basic knowledge of network attacks is necessary. The problem is that network attacks may not happen as a single action: one massive attack may start with seemingly innocuous or small probe actions [3]. Such a situation articulates the need for a defense-in-depth strategy. At this point, we have considered the domain knowledge of network data; thus we need to extract the causal relations in these data and make inferences with them. First, we cleanse the data and then diagnose the clean data patterns.

In this paper, we use fuzzy cognitive maps (FCM) [4, 5] to express the causal relations in the data and to calculate the severity and relevance to attack or normal connections. We also use the SOM method [6] to help us evaluate the related data patterns and attributes. As a result, benign concepts can be dropped or ignored, and others can be flagged as a potential risk of attack or error.

The main objective of this paper is to present a new multi-classifier system based on causal knowledge acquisition and to show its effectiveness for anomaly detection. Feature selection measures are also considered and illustrated in various detection cases. The detailed system process overview is illustrated in Fig. 3. A brief summary of the exploration modules and their processes is available in Table II. The rest of the paper is organized as follows: anomaly detection in network-based IDS and related issues are discussed in Section II, related work in Section VI, the classifiers' detection process in Section III, and the feature selection process in Section IV. Section V describes the performance evaluation, related discussion, concluding remarks and future work.

II. ANOMALY DETECTION
A typical anomaly-based detection system works on the notion that abnormal behaviors and activities differ enough from the profile of normal (legitimate) behavior. In anomaly detection, patterns are analyzed based on some measures (statistical, threshold, rule-based, ...) to determine the events or activities that are malicious or abnormal. The most attractive property is that an IDS employing this kind of detection mechanism can detect symptoms of attacks without prior knowledge of the attack details, which makes it suitable for detecting newly emerging attacks [7]. Furthermore, information produced by anomaly-based detection systems can be used to define signatures for misuse-based detection systems. Conversely, the output produced by anomaly-based detectors can in turn be used as an information source for misuse-based detectors, i.e. to double-check legitimate activities that might be intrusions [8]. As a result, anomaly detectors are attractive and can play a major part in future IDS. A block diagram of a typical anomaly detection system is shown in Figure 1.
http://sites.google.com/site/ijcsis/ ISSN 1947-5500
 
Figure 1. A typical anomaly IDS [7].
The main issue with anomaly-based detectors is that they produce a high number of false alerts [7]. According to [9], anomaly detectors tend to be computationally expensive, because several metrics are maintained and often need to be updated against every system activity; and they might gradually be trained incorrectly to recognize abnormal behavior as normal in the long run, due to insufficient data.

In this study, we assume that the neural network behavior in the SOM will learn patterns of normal system behavior and continually produce profiles to incorporate with the fuzzy logic behavior in the FCM. This also serves to determine the appropriate membership function, which will help in reducing false alerts and increasing the detection accuracy of the detection sensor [10].

III. THE CLASSIFIER INTRUSION DETECTION
The ability to detect/prevent new attacks without prior knowledge of the attack behavior is a tough task, especially determining the input features to monitor for normal versus intrusive behavior. For this challenging task, we decided on unsupervised learning techniques, as they are best suited to such a situation [27].

The focus here is to provide a multi-classifier system which can work as an inference engine supplement to enhance IDS capability. Using the classifier system, we can determine the importance of features in various anomaly detection cases.

In order to build the inference engine classifier system, we use the unsupervised learning method known as Kohonen's maps (SOM) [6] for clustering and recognition of input data, and fuzzy cognitive maps (FCM) [5] to detect feature relevancy. The FCM uses causal reasoning to assess the SOM output and then models the final decision. FCM is an ideal causal knowledge acquisition tool: a fuzzy signed graph which can be presented as an associative single-layer neural network [4]. Using FCM, our methodology attempts to diagnose and direct network traffic data based on its relevance to attack or normal connections.

By quantifying the causal inference process we can determine the attack detection and the severity of odd packets. As such, packets with low causal relations to attacks can be dropped or ignored, and packets with high causal relations to attacks are highlighted. In the following subsections, we elaborate the classifier system modules. Figure 3 shows the overall detection process.
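A worked fuzzy cognitive map in the role the text gives it, added here as an example and not the paper's model: evidence concepts describing an odd pattern are clamped to their observed values, the decision concepts "attack" and "normal" are iterated with the standard Kosko sigmoid-threshold update until the map settles, and the converged "attack" activation is read as the severity used to drop or highlight the pattern. The concept set, the signed weight matrix, the sigmoid slope LAMBDA, the drop threshold and the two evidence vectors are all constructed for illustration.

```python
"""Fuzzy cognitive map (FCM) inference over a small constructed causal graph.

Added example; not the paper's code. Evidence concepts (features of an odd SOM
neuron) drive the decision concepts 'attack' and 'normal' through signed causal
weights; the converged 'attack' activation is read as severity / relevance to
attacks. Concept names, weights, LAMBDA and the clamped-evidence convention are
assumptions of this example; the update rule is Kosko's synchronous sigmoid FCM.
"""
import math
from typing import Dict, List, Sequence, Tuple

CONCEPTS = ["high_count", "s0_flag", "zero_bytes", "http_service", "attack", "normal"]
EVIDENCE = (0, 1, 2, 3)      # clamped to the observed values
DECISION = (4, 5)            # iterated until convergence
LAMBDA = 2.0                 # sigmoid slope (assumed)

# W[i][j] = causal influence of concept i on concept j, in [-1, 1] (constructed).
# Flood/probe-like evidence raises 'attack' and lowers 'normal'; web-service
# evidence does the opposite; attack and normal inhibit each other so the map
# settles on one dominant diagnosis.
W: List[List[float]] = [
    # high  s0    zero  http  attack normal
    [0.0,  0.0,  0.0,  0.0,  0.7,  -0.5],   # high_count
    [0.0,  0.0,  0.0,  0.0,  0.8,  -0.7],   # s0_flag
    [0.0,  0.0,  0.0,  0.0,  0.5,  -0.2],   # zero_bytes
    [0.0,  0.0,  0.0,  0.0, -0.3,   0.8],   # http_service
    [0.0,  0.0,  0.0,  0.0,  0.0,  -0.6],   # attack
    [0.0,  0.0,  0.0,  0.0, -0.6,   0.0],   # normal
]


def sigmoid(x: float) -> float:
    """Threshold function f(x) = 1 / (1 + exp(-LAMBDA x)), squashing into (0, 1)."""
    return 1.0 / (1.0 + math.exp(-LAMBDA * x))


def infer(evidence: Sequence[float], max_iter: int = 100, tol: float = 1e-6) -> Tuple[List[float], bool]:
    """Iterate A_j(t+1) = f(sum_i A_i(t) W[i][j]) for the decision concepts while
    the evidence concepts stay clamped. Returns the final state vector and whether
    the map converged (largest change below tol) within max_iter steps."""
    if len(evidence) != len(EVIDENCE):
        raise ValueError("expected one activation per evidence concept")
    state = list(evidence) + [0.5] * len(DECISION)
    for _ in range(max_iter):
        new_state = state[:]
        for j in DECISION:
            new_state[j] = sigmoid(sum(state[i] * W[i][j] for i in range(len(CONCEPTS))))
        delta = max(abs(a - b) for a, b in zip(state, new_state))
        state = new_state
        if delta < tol:
            return state, True
    return state, False


def diagnose(evidence: Sequence[float], drop_below: float = 0.3) -> Dict[str, object]:
    """Severity is the converged 'attack' activation; patterns below drop_below
    are the low-causal-relation packets that can be dropped or ignored."""
    state, converged = infer(evidence)
    severity, normal = state[4], state[5]
    return {
        "severity": round(severity, 3),
        "normal": round(normal, 3),
        "verdict": "attack" if severity > normal else "benign",
        "dropped": severity < drop_below,
        "converged": converged,
    }


# Constructed evidence vectors (activations in [0, 1]) for two odd neurons.
FLOOD_NEURON = [1.0, 1.0, 1.0, 0.0]   # many half-open (S0) connections, no payload
WEB_NEURON = [0.1, 0.0, 0.0, 1.0]     # ordinary HTTP traffic

if __name__ == "__main__":
    print("flood-like neuron:", diagnose(FLOOD_NEURON))
    print("web-like neuron:  ", diagnose(WEB_NEURON))
```

Because LAMBDA times the strongest mutual-inhibition weight gives a contraction factor of at most 0.3 per step, the decision concepts settle in a dozen iterations; with a steeper sigmoid or stronger feedback an FCM can instead cycle, which is why `infer` reports convergence rather than assuming it.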
A. Preprocessor Module
The data preprocessing module performs the final preparation of the target data records. This includes slicing the large dataset. The selection criteria are based on user-predefined mechanisms or a threshold value, and on the number of the starting row in the given dataset. First, we introduce the input file with all the input vectors; then we set the number of vectors to read, the number of levels and the threshold value. In this module, the user can set the number of neurons and the selected features which will be used in each SOM level. After that, the user can train and save the neuron states accordingly for each training level. The elapsed time is the difference between the first and the last level according to the user-predefined number of levels.
Figure 2. Preprocessing module.
This module involves slicing the dataset into five classes. Each class's symbolic-valued features are mapped into numeric-valued features. Symbolic features such as protocol type symbols (TCP, UDP, and ICMP) are mapped into integer values. More details about the data used and the data classes are available in Section V. Each symbol corresponds to a position in the labels array, and this position is used to fill the input vector. In this module, we focus on the final preparation of the target data to be presented to the subsequent module.

The prime importance of this module stems from the fact that finding or discovering related patterns in a dataset is an exploratory process, with slight or even no prior knowledge about the structure of the dataset to be examined [21]. Hence, dependence on a clean dataset gives more confidence that the assumptions drawn from the pattern exploration output can be treated as precise to the model of the data being examined. Moreover, redundant and unrelated patterns can be dropped earlier to avoid congestion in the subsequent operations. Thus, it gives the system vigilance and the flexibility of feature selection for further exploration of attack details.
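The symbolic-to-integer mapping and the slice/select step of this module, as an added example (not the paper's code): each symbolic feature gets a labels array, a symbol is encoded as its position in that array, and the user supplies the starting row, the number of vectors to read and the selected features. The record layout is a constructed subset of KDD'99-style columns (real records carry 41 features plus a label); the threshold criterion and the grouping into five classes, which the text defers to Section V, are not modelled.

```python
"""Preprocessing in the style of Sec. III.A: slice a comma-separated connection
dataset, encode symbolic fields as their position in a labels array, and keep
only the user-selected features.

Added example, not the paper's code. The column layout below is a constructed
subset of KDD'99-style fields; real KDD'99 records carry 41 features plus a
label. The threshold criterion and the five-class grouping are not modelled.
"""
from typing import Dict, List, Sequence, Tuple

FEATURE_NAMES = ["duration", "protocol_type", "service", "flag",
                 "src_bytes", "dst_bytes", "count", "srv_count"]
SYMBOLIC = ("protocol_type", "service", "flag")   # mapped to integers
LABEL_INDEX = len(FEATURE_NAMES)                   # last column is the class label

# Constructed sample records (feature columns above, then the class label).
SAMPLE_RECORDS = """\
0,tcp,http,SF,181,5450,8,8,normal.
0,udp,domain_u,SF,45,44,2,2,normal.
0,icmp,ecr_i,SF,1032,0,511,511,smurf.
0,tcp,private,S0,0,0,123,6,neptune.
0,tcp,http,SF,239,486,8,8,normal.
2,tcp,ftp,SF,326,1734,1,1,normal.
"""


def build_label_arrays(rows: Sequence[Sequence[str]]) -> Dict[str, List[str]]:
    """One labels array per symbolic feature, in first-seen order. A symbol's
    integer code is its position in the array (first protocol seen -> 0)."""
    arrays: Dict[str, List[str]] = {name: [] for name in SYMBOLIC}
    for row in rows:
        for name in SYMBOLIC:
            value = row[FEATURE_NAMES.index(name)]
            if value not in arrays[name]:
                arrays[name].append(value)
    return arrays


def encode_row(row: Sequence[str], arrays: Dict[str, List[str]]) -> List[float]:
    """Numeric input vector for one record: symbolic fields become their
    labels-array position, numeric fields are parsed as floats."""
    vector: List[float] = []
    for idx, name in enumerate(FEATURE_NAMES):
        if name in SYMBOLIC:
            vector.append(float(arrays[name].index(row[idx])))
        else:
            vector.append(float(row[idx]))
    return vector


def preprocess(text: str, start_row: int, n_vectors: int,
               selected: Sequence[str]) -> Tuple[List[List[float]], List[str], Dict[str, List[str]]]:
    """Read the input file, slice n_vectors records starting at start_row and
    project each encoded vector onto the user-selected features.
    Returns (input vectors, class labels, labels arrays)."""
    rows = [line.split(",") for line in text.strip().splitlines()]
    for row in rows:
        if len(row) != LABEL_INDEX + 1:
            raise ValueError(f"malformed record: {row!r}")
    arrays = build_label_arrays(rows)            # built over the whole file
    keep = [FEATURE_NAMES.index(name) for name in selected]
    vectors: List[List[float]] = []
    labels: List[str] = []
    for row in rows[start_row:start_row + n_vectors]:
        full = encode_row(row, arrays)
        vectors.append([full[i] for i in keep])
        labels.append(row[LABEL_INDEX].rstrip("."))  # KDD'99 labels end in '.'
    return vectors, labels, arrays


if __name__ == "__main__":
    vecs, labs, arrs = preprocess(SAMPLE_RECORDS, 0, 3, ["protocol_type", "src_bytes", "count"])
    for vec, lab in zip(vecs, labs):
        print(vec, lab)
    print("protocol codes:", arrs["protocol_type"])
```

The labels arrays are built over the whole file before slicing, so a symbol keeps the same code whichever slice it lands in; building them per slice would give the SOM inconsistent inputs across training levels.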
B. Data Mining Module
The data mining module is the first important component of the classifier system. The task of this module is to generate cluster information, i.e. logical and homogeneous clusters from the input dataset. To achieve that task, a network classifier (SOM) is used to do an initial recognition of the network traffic flow to detect abnormal behaviors. To achieve the key objective of the data mining module, the data is first passed through the SOM such that the data and its relevant features are represented by the SOM. The learnt SOM is then passed through the fine-tuning module for knowledge discovery using the FCM exploration.

[Figure 1 block diagram: Audit data → System profile → Statistically deviant? → Attack state; the profile is updated and new profiles are generated dynamically.]
[Figure 2 block diagram: KDD'99 dataset → Preprocessing (reading, slicing, selection against a user-defined threshold) → Target data.]

Two stages are required in order to create the SOM: the initialization and the training of the SOM. The initialization process sets up the map with the desired dimensions and initial weights for each unit of the map. The training process allows the map to adapt to the features of the dataset during a number of epochs.

At each epoch one input vector $x$ is compared to all neuron weights $w$ with a distance function (Euclidean or Manhattan) to identify the most similar node, the so-called best matching unit (BMU). Once the BMU has been found, the neighboring neurons and the BMU itself are updated according to the following rule:

$$w_i(t+1) = w_i(t) + h_{ci}(t)\,[x(t) - w_i(t)] \qquad (1)$$

where $t$ is an integer which denotes time, $h_{ci}(t)$ is the neighborhood function around the winner unit $c$, and $x(t)$ is the input vector drawn at time $t$. By updating the BMU and the other units in its neighborhood, the BMU and its neighbors are brought closer together. The neighborhood function consists of two parts: one that defines the form of the neighborhood and the other the learning rate. To increase the correlation among the neurons in the produced map grid, we shrink the neighborhood function and the learning rate by considering the minimum time interval, according to the following rule:

$$h_{ci}(t) = h(c, i)\,\alpha(t) \qquad (2)$$

where $c$ is the location of the winner unit, $i$ is the location of unit $i$ on the grid map, and $\alpha(t)$ is the learning rate factor over the minimum time interval. At this stage the map converges to an inactive state which approximates the probability density function of the high-dimensional input data. The learning rate and the neighborhood shrink with time until convergence. Once the maps are trained, the BMU concept is used to facilitate the labeling of the subsequent levels of fine tuning and refinement, for the sake of tracing the related and diverse patterns.

The objective of the SOM visualization component is to render the SOM text file into a graphical representation. In SOM cluster files, a problem arose with neighboring neurons which lie outside clusters and do not reflect exactly the severity of attack-ness in network connections [9]. This is because a network attack may not happen as a single action: one massive attack may start with seemingly innocuous or small probe actions [3]. In the SOM classification process of, for example, [28], a genetic or clustering algorithm was used at a certain attack zone to classify each attack by class, whereas suspicious neurons near the attack zone or outside the cluster area are not analyzed and remain suspicious, although they might be benign. As one potential solution to this problem, the hierarchical SOM of [2] considers studying the domain knowledge of features to be applied to the whole SOM concepts.

In this study, we suggest an improvement to this process by considering the domain knowledge of particular neurons (odd neurons). Therefore, we use the FCM to calculate the severity/relevance of odd concepts (neurons) to attacks. Thus,
Figure 3. The classifiers anomaly detection system. [Block diagram: Preprocessing Module (Data → Preprocessing → Target Data) → Data Mining Module (SOM Training → SOM Clustering → Inference) → FCM Exploration Module; Causal Knowledge Discovery (Exploration): Pattern definition → Odd patterns → Visual exploration → Hypothesis formulation → Exploration → Selection → Evaluation / Interpretation → Knowledge, yielding reduced odd patterns. (Data Mining and Knowledge Discovery Steps.)]
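The SOM training loop of Eqs. (1) and (2) in Section III.B, as an added example (not the paper's code), run over constructed two-feature connection vectors. The Gaussian neighborhood form h(c, i), the linear decay schedules for its radius and for alpha(t), the lattice initialisation of the weights and the Euclidean distance are choices of this example, since the text fixes none of them. The units that win for no input after training are reported as an analogue of the "odd neurons" the text hands to the FCM.

```python
"""Kohonen SOM training and BMU search as described in Sec. III.B.

Added example; not the paper's code. Implements the update rule of Eq. (1),
    w_i(t+1) = w_i(t) + h_ci(t) [x(t) - w_i(t)],
with the neighborhood of Eq. (2) factored as h_ci(t) = h(c, i) * alpha(t).
Assumptions of this example: Gaussian h(c, i) in grid distance with a radius
that shrinks linearly, alpha(t) decaying linearly from 0.5, weights initialised
on a regular lattice over the feature cube, Euclidean distance, and the
constructed [src_bytes, count] vectors below (already normalised to [0, 1]).
Pure Python, so it runs without numpy.
"""
import math
from typing import List, Sequence, Set

Vector = List[float]


def euclidean(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


class SOM:
    def __init__(self, rows: int, cols: int, dim: int) -> None:
        self.rows, self.cols, self.dim = rows, cols, dim
        # Unit i sits at grid position divmod(i, cols). Initial weights are spread
        # on a lattice over [0, 1]^dim (deterministic init, assumed here).
        self.weights: List[Vector] = []
        for i in range(rows * cols):
            r, c = divmod(i, cols)
            self.weights.append([(c + 0.5) / cols if k % 2 == 0 else (r + 0.5) / rows
                                 for k in range(dim)])

    def bmu(self, x: Sequence[float]) -> int:
        """Index of the best matching unit: the neuron whose weight is nearest to x."""
        return min(range(len(self.weights)), key=lambda i: euclidean(x, self.weights[i]))

    def alpha(self, t: int, epochs: int) -> float:
        """Learning-rate factor alpha(t) of Eq. (2): linear decay from 0.5 to 0."""
        return 0.5 * (1.0 - t / epochs)

    def h(self, c: int, i: int, t: int, epochs: int) -> float:
        """Neighborhood form h(c, i): Gaussian in grid distance between winner c and
        unit i, with a radius that shrinks from half the grid to 0.5 over training."""
        sigma = 0.5 + (max(self.rows, self.cols) / 2.0) * (1.0 - t / epochs)
        (rc, cc), (ri, ci) = divmod(c, self.cols), divmod(i, self.cols)
        d2 = (rc - ri) ** 2 + (cc - ci) ** 2
        return math.exp(-d2 / (2.0 * sigma * sigma))

    def train(self, data: Sequence[Vector], epochs: int) -> None:
        for t in range(epochs):
            x = data[t % len(data)]                    # one input vector per epoch
            c = self.bmu(x)
            for i, w in enumerate(self.weights):
                h_ci = self.h(c, i, t, epochs) * self.alpha(t, epochs)   # Eq. (2)
                for k in range(self.dim):
                    w[k] += h_ci * (x[k] - w[k])                         # Eq. (1)


def quantization_error(som: SOM, data: Sequence[Vector]) -> float:
    """Mean distance from each input to its BMU weight; lower means the map
    represents the data better."""
    return sum(euclidean(x, som.weights[som.bmu(x)]) for x in data) / len(data)


# Constructed, normalised [src_bytes, count] vectors: benign web-like connections
# (few bytes, low count) and flood-like ones (many bytes, high connection count).
NORMAL: List[Vector] = [[0.20, 0.10], [0.25, 0.12], [0.15, 0.08], [0.22, 0.14], [0.18, 0.06]]
FLOOD: List[Vector] = [[0.90, 0.95], [0.95, 0.97], [0.85, 0.93], [0.92, 0.99], [0.88, 0.91]]


def demo(epochs: int = 400) -> dict:
    data = NORMAL + FLOOD
    som = SOM(3, 3, 2)
    qe_before = quantization_error(som, data)
    som.train(data, epochs)
    normal_units: Set[int] = {som.bmu(x) for x in NORMAL}
    flood_units: Set[int] = {som.bmu(x) for x in FLOOD}
    # Units that win for no input are the 'odd neurons' the text passes to the FCM.
    odd_units = set(range(len(som.weights))) - normal_units - flood_units
    return {"qe_before": qe_before, "qe_after": quantization_error(som, data),
            "normal_units": normal_units, "flood_units": flood_units, "odd_units": odd_units}


if __name__ == "__main__":
    print(demo())
```

The two clusters end up on disjoint sets of units, and the quantization error falls well below its initial value; the units left in `odd_units` sit between the clusters in weight space and are exactly the ones whose relevance to attacks a SOM alone cannot rate.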