Published by: ijcsis on Dec 04, 2010
Copyright: Attribution Non-commercial
An Anomaly-Based Network Intrusion Detection System Using Fuzzy Logic

R. Shanmugavadivu
Assistant Professor, Department of Computer Science, PSG College of Arts & Science, Coimbatore-14
shanmugavadivuphd@gmail.com

Dr. N. Nagarajan
Principal, Coimbatore Institute of Engineering and Information Technology, Coimbatore.
swekalnag@gmail.com
Abstract— IDS, which are increasingly a key part of system defense, are used to identify abnormal activities in a computer system. In general, traditional intrusion detection relies on the extensive knowledge of security experts, in particular on their familiarity with the computer system to be protected. To reduce this dependence, various data-mining and machine learning techniques have been used in the literature. In the proposed system, we have designed a fuzzy logic-based system for effectively identifying intrusion activities within a network. The proposed fuzzy logic-based system is able to detect intrusion behavior in networks since the rule base contains a better set of rules. Here, we have used an automated strategy for the generation of fuzzy rules, which are obtained from the definite rules using frequent items. The experiments and evaluations of the proposed intrusion detection system are performed with the KDD Cup 99 intrusion detection dataset. The experimental results clearly show that the proposed system achieved higher precision in identifying whether the records are normal or attack ones.

Keywords- Intrusion Detection System (IDS); Anomaly based intrusion detection; Fuzzy logic; Rule learning; KDD Cup 99 dataset.
 
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 8, November 2010. ISSN 1947-5500. http://sites.google.com/site/ijcsis/

I. INTRODUCTION

Intrusion incidents to computer systems are increasing because of the commercialization of the Internet and local networks [1]. Computer systems are becoming more and more susceptible to attack due to their extended network connectivity. The usual objective of such attacks is to undermine the conventional security processes on the systems and perform actions in excess of the attacker's permissions. These actions could encompass reading secure or confidential data or simply doing malicious damage to the system or user files [2]. A system security operator can detect possibly malicious behaviors as they take place by setting up intricate tools which continuously monitor and report activities [22]. Intrusion detection systems are becoming progressively significant in maintaining adequate network protection [1, 3, 4, 5]. An intrusion detection system (IDS) watches networked devices and searches for anomalous or malicious behaviors in the patterns of activity in the audit stream [6]. A good intrusion detection system should be capable of discriminating between standard and anomalous user behaviors [7]. This would comprise any event, state, content, or behavior that is regarded as abnormal by a pre-defined criterion [8].

Intrusion detection has emerged as a significant field of research, because it is not theoretically possible to set up a system with no vulnerabilities [9]. One main challenge in intrusion detection is that we have to find the concealed attacks among a large quantity of routine communication activities [10]. Several machine learning (ML) algorithms, for instance Neural Networks [11], Support Vector Machines [12], Genetic Algorithms [13], Fuzzy Logic [14], Data Mining [15] and more, have been extensively employed to detect intrusion activities, both known and unknown, in large quantities of complex and dynamic data.

Generating rules is vital for IDSs to differentiate standard behavior from strange behavior by examining the dataset, which is a list of tasks created by the operating system that are registered into a file in chronological order [16]. Various research efforts with data mining as the chief constituent have been carried out to find newly encountered intrusions [17]. The analysis of data to determine relationships and discover concealed patterns of data which otherwise would go unobserved is known as data mining. Many researchers have used data mining to focus on the subject of intrusion detection in databases [18]. According to the detection strategy used, data mining-based intrusion detection systems can be classified into two main categories [23]: misuse detection, which identifies intrusions using patterns of well-known intrusions or weak spots of the system, and anomaly detection, which attempts to find out whether departures from the recognized standard usage patterns can be flagged as attacks [19].

(a) Misuse Detection: On the basis of the impressions of known intrusions and known system weaknesses, misuse detection tries to model abnormal activities.
(b) Anomaly Detection: Both user and system behavior can be predicted using normal behavior patterns. Anomaly detectors identify possible attack attempts by constructing profiles representing normal usage and then comparing them with current behavior data to find a likely mismatch [20].

For specified, well-known intrusions, excellent detection results are achieved by signature-based methods. But they cannot find unfamiliar intrusions, even ones constructed as a slight alteration of previously known attacks. Conversely, the capability of discovering intrusion events which were previously unobserved is the main advantage of anomaly-based detection techniques [21].

In the proposed system, we have designed anomaly-based intrusion detection using fuzzy logic. The input to the proposed system is the KDD Cup 1999 dataset, which is divided into two subsets: a training dataset and a testing dataset. At first, the training dataset is classified into five subsets so that the four types of attacks (DoS (Denial of Service), R2L (Remote to Local), U2R (User to Root), Probe) and normal data are separated. After that, we mine the 1-length frequent items from the attack data as well as the normal data. These mined frequent items are used to find the important attributes of the input dataset, and the identified effective attributes are used to generate a set of definite and indefinite rules using the deviation method. Then, we generate fuzzy rules in accordance with the definite rules by fuzzifying them, so that we obtain a set of fuzzy if-then rules whose consequent parts represent whether the data is normal or abnormal. These rules are given to the fuzzy rule base to effectively train the fuzzy system. In the testing phase, the test data is matched against the fuzzy rules to detect whether it is abnormal or normal.

The rest of the paper is organized as follows: Section II presents a literature review related to the proposed system, and Section III describes the detailed analysis of the KDD Cup 99 dataset. The proposed intrusion detection system using fuzzy logic is given in Section IV. Experimentation and performance analysis of the proposed system is discussed in Section V. Finally, the conclusion is given in Section VI.
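To make the rule-generation steps described above concrete, here is a small added example (not the authors' code or the paper's implementation) that runs the same pipeline on a handful of constructed KDD-style records: mine 1-length frequent items per class, keep the attributes whose frequent value deviates between the normal and attack data, form one definite if-then rule per class, and fuzzify it with ramp and triangular membership functions so that test records are scored by rule firing strength. The four features, their breakpoints, the support threshold, the reading of the "deviation method" as "the frequent term differs between classes", and the records themselves are all assumptions made for the illustration.

```python
"""Toy fuzzy-rule learner following the pipeline outlined in the introduction.
Added example with constructed records and assumed thresholds; it is not the
paper's own code or the authors' implementation."""
from collections import Counter

FEATURES = ("duration", "src_bytes", "count", "serror_rate")

# Constructed KDD-style training records: (duration, src_bytes, count, serror_rate, label).
TRAIN = [
    (0, 181, 2, 0.0, "normal"),
    (2, 239, 3, 0.0, "normal"),
    (1, 235, 2, 0.0, "normal"),
    (0, 219, 4, 0.0, "normal"),
    (0, 0, 120, 1.0, "attack"),  # flood-like profile: many unanswered connections
    (0, 0, 150, 1.0, "attack"),
    (0, 0, 130, 0.9, "attack"),
    (0, 0, 110, 1.0, "attack"),
]

# Assumed breakpoints (lo, hi) dividing each feature into low / medium / high.
BREAKS = {"duration": (1, 10), "src_bytes": (100, 1000),
          "count": (10, 100), "serror_rate": (0.2, 0.8)}


def crisp_term(feature, value):
    """Crisp discretisation used for frequent-item mining."""
    lo, hi = BREAKS[feature]
    return "low" if value <= lo else "medium" if value <= hi else "high"


def membership(feature, term, value):
    """Fuzzy membership: 'low' and 'high' are ramps between the breakpoints,
    'medium' is a triangle peaking halfway between them."""
    lo, hi = BREAKS[feature]
    high = min(1.0, max(0.0, (value - lo) / (hi - lo)))
    low = 1.0 - high
    if term == "high":
        return high
    if term == "low":
        return low
    return 1.0 - abs(high - low)


def frequent_items(records, label, min_support=0.7):
    """1-length frequent items: (feature, term) pairs whose support among the
    records carrying `label` reaches min_support."""
    rows = [r for r in records if r[-1] == label]
    counts = Counter((f, crisp_term(f, v)) for r in rows for f, v in zip(FEATURES, r))
    return {item: n / len(rows) for item, n in counts.items() if n / len(rows) >= min_support}


def learn_definite_rules(records, min_support=0.7):
    """Select the attributes whose frequent term differs between the normal and
    attack data (our reading of the paper's 'deviation method', an assumption)
    and build one crisp if-then rule per class from them."""
    assert min_support > 0.5, "support above 0.5 gives at most one term per feature"
    best = {}
    for label in ("normal", "attack"):
        best[label] = {f: t for (f, t) in frequent_items(records, label, min_support)}
    selected = [f for f in FEATURES
                if f in best["normal"] and f in best["attack"]
                and best["normal"][f] != best["attack"][f]]
    return {label: {f: best[label][f] for f in selected} for label in best}


def firing_strength(rule, record):
    """Fuzzy AND over the antecedent: the minimum membership of its terms."""
    values = dict(zip(FEATURES, record))
    return min(membership(f, t, values[f]) for f, t in rule.items())


def classify(rules, record):
    """Return (label, strength) of the rule that fires most strongly."""
    scored = {label: firing_strength(rule, record) for label, rule in rules.items()}
    label = max(scored, key=scored.get)
    return label, scored[label]


if __name__ == "__main__":
    rules = learn_definite_rules(TRAIN)
    for label, rule in rules.items():
        print(label, "IF", " AND ".join(f"{f} is {t}" for f, t in rule.items()))
    # count=80 sits below the crisp 'high' breakpoint, so a crisp rule would not
    # fire at all; the fuzzified rule still fires at about 0.78 and flags the record.
    print(classify(rules, (0, 0, 80, 0.85)))
```

On the constructed data the learner drops `duration` (its frequent term is "low" for both classes) and keeps the three attributes that separate the classes; the `count=80` test record shows why fuzzification matters, since a crisp "count is high" antecedent would miss it while the fuzzy rule fires with strength 70/90.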
 
II. REVIEW OF RECENT RESEARCH
Several techniques are available in the literature for detecting intrusion behavior. In recent times, intrusion detection has received a lot of interest among researchers since it is widely applied for preserving security within a network. Here, we present some of the techniques used for intrusion detection.

S. F. Owens and R. R. Levary [24] have stated that intruder detection systems have commonly been constructed using expert system technology. But Intrusion Detection System (IDS) researchers have been biased towards constructing systems that are difficult to handle, lack intuitive user interfaces and are inconvenient to use in real-life circumstances. Their proposed adaptive expert system utilizes fuzzy sets to detect attacks. The expert system, comparatively easy to implement when used with computer system networks, has the capability of adjusting to the nature and/or degree of the threat. Experiments with CLIPS 6.10 have been used to prove the adjusting capability of the system.

Alok Sharma et al. [25] have focused on the use of text processing techniques on system call sequences for intrusion detection. Host-based intrusions have been detected by introducing a kernel-based similarity measure. Processes have been classified as either normal or abnormal using the k-nearest neighbor (kNN) classifier. They have assessed the proposed method on the DARPA-1998 database and compared its operation with other existing methods in the literature.

Shi-Jinn Horng et al. [26] have used a combination of a hierarchical clustering algorithm, a simple feature selection method, and the SVM technique in their proposed SVM-based intrusion detection system. Fewer, abstracted, and higher-quality training instances derived from the KDD Cup 1999 training set have been given to the SVM by the hierarchical clustering algorithm. The simple feature selection method employed for the removal of insignificant features from the training set has enabled the proposed SVM model to achieve more precise classification of the network traffic data. The proposed system has been assessed using the renowned KDD Cup 1999 dataset. Compared to other intrusion detection systems that are based on the same dataset, the proposed method has exhibited superior performance in identifying DoS and Probe attacks and an overall best performance in accuracy.

B. Shanmugam and Norbik Bashah Idris [28] have proposed a hybrid model based on advanced fuzzy and data mining methods to detect both misuse and anomaly attacks. Their objective was to decrease the quantity of data kept for processing and also to improve the detection rate of the existing IDS, using an attribute selection process and a data mining technique respectively. A modified version of the APRIORI algorithm, which is an improved Kuok fuzzy data mining algorithm utilized for implementing fuzzy rules, has enabled the generation of if-then rules that show common ways of expressing security attacks. They have achieved faster decision making using the Mamdani inference mechanism with three variable inputs in the fuzzy inference engine they employed. The DARPA 1999 data set has been used to test and benchmark the efficiency of the proposed model. In addition, the test results against the "live" networking environment within the campus have been analyzed.

O. A. Adebayo et al. [29] have presented a method that uses Fuzzy-Bayesian classification to detect real-time network anomaly attacks and discover malicious activity against computer networks. They have established the effectiveness of the method by describing the framework. The overall performance of the Bayes-based intrusion detection system (IDS) has been improved by combining fuzzy logic with the Bayesian classifier. In addition, the practicability of the method has been verified by an experiment carried out on the KDD 1999 IDS data set.

Abadeh, M.S. and Habibi, J. [27] have proposed a method to develop fuzzy classification rules for intrusion detection use in computer networks. The design of the fuzzy rule base system has been based on the iterative rule learning approach (IRL). Using an evolutionary algorithm to optimize one fuzzy classifier rule at a time, the fuzzy rule base has been created in an incremental fashion. The intrusion detection problem has been treated as a high-dimensional classification problem to analyze the functioning of the final fuzzy classification system. Results have demonstrated that the fuzzy rules generated by the proposed algorithm can be utilized to build a reliable intrusion detection system.

Arman Tajbakhsh et al. [30] have presented a data mining-based framework for constructing an IDS. In the framework, Association Based Classification (ABC) has been used by the classification engine, which is in fact the central part of the IDS. Fuzzy association rules have been used by the proposed classification to construct classifiers. Some matching measures have been used to evaluate the consistency of any new sample (which is to be categorized) with the various class rulesets, and the label of the sample has been declared as the class corresponding to the best matched ruleset. A method which decreases the items that may be included in extracted rules has also been proposed to reduce the time taken by the rule induction algorithm. The framework has been assessed using the KDD-99 dataset. The results have shown that the achieved total detection rate and the detection rate of known attacks are large and the false positive rate is small, though the results are not bright for unknown attacks.

Zhenwei Yu et al. [31] have presented an automatically tuning intrusion detection system (ATIDS). According to the feedback supplied by the system operator when false predictions are detected, the proposed system automatically tunes the detection model on-the-fly. The KDD Cup '99 intrusion detection dataset has been used to assess the system. In the experimental results, the system has demonstrated a 35% enhancement with regard to misclassification cost compared to a system that does not use the tuning feature. Even if the model is tuned using only 10% of the false predictions, a 30% improvement is still achieved by the system. Moreover, the model tuned using only 1.3% of the false predictions has been capable of achieving about a 20% improvement, provided the tuning is not delayed too long. Building a practical system based on ATIDS has been proved feasible by the results of the experiments: because predictions ascertained to be false have been used for tuning the detection model, system operators can concentrate on confirmation of predictions with low confidence.

III. KDD CUP 99 DATASET
In 1998, DARPA, in concert with Lincoln Laboratory at MIT, launched the DARPA 1998 dataset for evaluating IDS [36]. The DARPA 1998 dataset contains seven weeks of training data and two weeks of testing data. In total, there are 38 attacks in the training data as well as in the testing data. The refined version of the DARPA dataset which contains only network data (i.e. tcpdump data) is termed the KDD dataset [37]. The Third International Knowledge Discovery and Data Mining Tools Competition was held in conjunction with KDD-99, the Fifth International Conference on Knowledge Discovery and Data Mining, and the KDD dataset is the dataset employed for that competition. The KDD training dataset consists of approximately 4,900,000 single connection vectors, where each connection vector consists of 41 features and is marked as either normal or an attack, with exactly one particular attack type [38]. These features are of all forms, continuous and symbolic, with extensively varying ranges, and fall into four categories:

• The intrinsic features comprise the fundamental features of each individual TCP connection, such as the duration of the connection, the type of the protocol (TCP, UDP, etc.) and the network service (http, telnet, etc.).
• The content features, suggested by domain knowledge, are used to assess the payload of the original TCP packets, for example the number of failed login attempts.
• The same host features observe the connections established in the past two seconds that have the same destination host as the current connection, and estimate statistics related to protocol behavior, service, etc.
• The same service features scrutinize the connections in the past two seconds that have the same service as the current connection.

A variety of attacks incorporated in the dataset fall into the following four major categories:
Denial of Service Attacks: A denial of service attack is an attack in which the attacker makes some computing or memory resource fully occupied or unavailable to handle legitimate requests, or denies legitimate users the right to use a machine.
User to Root Attacks: User to Root exploits are a category of exploits where the attacker starts by accessing a normal user account on the system (possibly achieved by tracking down the passwords, a dictionary attack, or social engineering) and takes advantage of some vulnerability to achieve root access to the system.
Remote to User Attacks: A Remote to User attack takes place when an attacker who has the capability to send packets to a machine over a network, but does not have an account on that machine, makes use of some vulnerability to achieve local access as a user of that machine.
Probes: Probing is a category of attacks where an attacker examines a network to collect information or discover well-known vulnerabilities. These network investigations are reasonably valuable for an attacker who is staging an attack in the future. An attacker who has a record of which machines and services are accessible on a given network can make use of this information to look for weak points.

Table I illustrates a number of attacks falling into the four major categories, and Table II presents a complete listing of the set of features characterizing the connection records.

TABLE I. VARIOUS TYPES OF ATTACKS DESCRIBED IN FOUR MAJOR CATEGORIES

Category                    Attacks
Denial of Service Attacks   back, land, neptune, pod, smurf, teardrop
User to Root Attacks        buffer_overflow, loadmodule, perl, rootkit
Remote to Local Attacks     ftp_write, guess_passwd, imap, multihop, phf, spy, warezclient, warezmaster
Probes                      satan, ipsweep, nmap, portsweep
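The same host and same service feature categories described in this section are the two-second window traffic features that an anomaly detector of this kind consumes. As an added example (not the paper's code, nor the official KDD feature extractor), the following Python derives four such features, `count`, `srv_count`, `serror_rate` and `same_srv_rate`, from constructed connection records over a two-second look-back, and applies a simple threshold check to them. The record format, the inclusion of the current connection in its own window, and the thresholds are assumptions made for the illustration.

```python
"""Two-second time-window ("same host" / "same service") traffic features of
the kind KDD Cup 99 derives from tcpdump data. Added example with a constructed
record format; not the paper's code and not the official KDD feature extractor."""
from dataclasses import dataclass

WINDOW = 2.0  # look-back window in seconds, as in the KDD traffic features

# Constructed connection records: ts, src, dst, service, flag.
# flag follows KDD conventions: SF = normal completion, S0 = SYN seen, no reply.
SAMPLE = """
# ts,    src,      dst,        service, flag
100.0, 10.0.0.5, 10.0.0.20, http,    SF
100.5, 10.0.0.6, 10.0.0.20, http,    SF
101.0, 10.0.0.7, 10.0.0.21, smtp,    SF
105.0, 10.0.0.9, 10.0.0.20, private, S0
105.2, 10.0.0.9, 10.0.0.20, private, S0
105.4, 10.0.0.9, 10.0.0.20, private, S0
105.6, 10.0.0.5, 10.0.0.20, http,    SF
"""


@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    service: str
    flag: str


def parse_records(text):
    """Parse the constructed CSV-like lines above, ignoring blanks and comments."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, service, flag = (p.strip() for p in line.split(","))
        conns.append(Conn(float(ts), src, dst, service, flag))
    return sorted(conns, key=lambda c: c.ts)


def window_features(conns, idx):
    """Features for conns[idx] computed over connections that started within
    the previous WINDOW seconds. Assumption: the current connection is counted
    as part of its own window, so every rate has a non-empty denominator."""
    cur = conns[idx]
    recent = [c for c in conns[: idx + 1] if cur.ts - c.ts <= WINDOW]
    same_host = [c for c in recent if c.dst == cur.dst]
    same_srv = [c for c in recent if c.service == cur.service]
    return {
        "count": len(same_host),          # connections to the same destination host
        "srv_count": len(same_srv),       # connections to the same service
        "serror_rate": sum(c.flag == "S0" for c in same_host) / len(same_host),
        "same_srv_rate": sum(c.service == cur.service for c in same_host) / len(same_host),
    }


def all_features(text):
    """Window features for every record, in timestamp order."""
    conns = parse_records(text)
    return [window_features(conns, i) for i in range(len(conns))]


def flood_suspects(text, min_count=3, min_serror=0.75):
    """Indices of connections whose same-host window looks like a SYN flood:
    several connections to one host, most of them unanswered. Thresholds are
    assumed for the example."""
    return [i for i, f in enumerate(all_features(text))
            if f["count"] >= min_count and f["serror_rate"] >= min_serror]


if __name__ == "__main__":
    for i, f in enumerate(all_features(SAMPLE)):
        print(i, f)
    print("suspects:", flood_suspects(SAMPLE))
```

In the constructed sample the three unanswered `private` connections at 105.0 to 105.4 drive `count` and `serror_rate` up for the same destination host, while the background `http` traffic keeps `serror_rate` at zero; this is the kind of per-feature separation between normal and attack records that the frequent-item mining in Section I relies on.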