Introduction
Systems are now designed with more flexibility and fewer security barriers. Accordingly, security breaches are an area of increasing concern to the Internet community. There are proposed techniques that can identify attacks; however, the very success of these techniques may also lead to their own downfall. Attackers will study the rationales behind these techniques and subsequently change their behaviour to evade them. New ways to identify attacks are now necessary. The goal of using ANN and SVM for attack detection is to develop a generalisation capability from limited training data.
Intrusion detection techniques can be categorised into misuse detection and anomaly detection. Although misuse detection can achieve a low false positive rate (the rate at which normal behaviour is misclassified as an attack), minor variations of a known attack occasionally cannot be detected. Anomaly detection can detect novel attacks, yet it suffers from a higher false positive rate.
I use a training set of 1200 vectors, of which around 900 are normal and 300 are attack vectors. The test set is of size around 4500; all the results are for the testing stage.
Encoding: each process is represented by the frequency with which each system call in the system-call database appears in that process.
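The frequency encoding described above, the tf-idf encoding named in the conclusion, and the two metrics defined in the introduction (attack detection rate and false positive rate), worked through in Python. This is an added example, not the author's code: the system-call traces and their normal/attack labels are constructed, the system-call database is assumed to be the set of distinct calls seen in training, and the profile-based anomaly rule at the end (flag any process that issues a call never seen in normal training) is a hypothetical stand-in for the ANN and SVM classifiers the page evaluates.

```python
"""Frequency and tf-idf encodings of system-call traces, and the detection
rate / false positive rate metrics used to compare intrusion detectors.

Added example, not the author's code. All traces and labels below are
constructed for illustration.
"""
import math
from typing import Dict, List, Sequence

# Constructed sample traces: each process is an ordered list of system calls.
# The first three are labelled normal, the last two attack (hypothetical labels).
TRACES: List[List[str]] = [
    ["open", "read", "read", "close", "mmap", "brk"],
    ["open", "read", "write", "close", "brk"],
    ["stat", "open", "read", "close", "mmap", "munmap"],
    ["execve", "setuid", "chmod", "open", "write", "execve"],
    ["execve", "setuid", "socket", "connect", "write", "execve"],
]
LABELS: List[int] = [0, 0, 0, 1, 1]  # 0 = normal, 1 = attack


def build_database(traces: Sequence[Sequence[str]]) -> List[str]:
    """System-call database: every distinct call seen in the training traces (sorted)."""
    return sorted({call for trace in traces for call in trace})


def frequency_vector(trace: Sequence[str], database: Sequence[str]) -> List[int]:
    """Frequency encoding: count of each database call in the process, in database order."""
    counts: Dict[str, int] = {}
    for call in trace:
        counts[call] = counts.get(call, 0) + 1
    return [counts.get(call, 0) for call in database]


def idf_weights(traces: Sequence[Sequence[str]], database: Sequence[str]) -> List[float]:
    """Inverse document frequency per call: log(N / df), df = traces containing the call."""
    n = len(traces)
    weights: List[float] = []
    for call in database:
        df = sum(1 for trace in traces if call in trace)
        weights.append(math.log(n / df) if df else 0.0)
    return weights


def tfidf_vector(trace: Sequence[str], database: Sequence[str], idf: Sequence[float]) -> List[float]:
    """tf-idf encoding: term frequency normalised by trace length, times idf."""
    counts = frequency_vector(trace, database)
    length = max(len(trace), 1)
    return [(c / length) * w for c, w in zip(counts, idf)]


def detection_metrics(labels: Sequence[int], predictions: Sequence[int]) -> Dict[str, float]:
    """Detection rate = attacks flagged / attacks; FPR = normal processes flagged / normal."""
    attacks = sum(1 for y in labels if y == 1)
    normals = len(labels) - attacks
    detected = sum(1 for y, p in zip(labels, predictions) if y == 1 and p == 1)
    false_pos = sum(1 for y, p in zip(labels, predictions) if y == 0 and p == 1)
    return {
        "detection_rate": detected / attacks if attacks else 0.0,
        "false_positive_rate": false_pos / normals if normals else 0.0,
    }


def profile_anomaly_predictions(normal_traces: Sequence[Sequence[str]],
                                test_traces: Sequence[Sequence[str]]) -> List[int]:
    """Hypothetical anomaly rule: flag a process if it issues any call whose
    frequency in the normal profile is zero. Stands in for a trained classifier."""
    profile = {call for trace in normal_traces for call in trace}
    return [1 if any(call not in profile for call in trace) else 0 for trace in test_traces]


def run_example() -> Dict[str, float]:
    """Encode the constructed traces both ways and score the profile rule."""
    database = build_database(TRACES)
    idf = idf_weights(TRACES, database)
    encoded_freq = [frequency_vector(t, database) for t in TRACES]
    encoded_tfidf = [tfidf_vector(t, database, idf) for t in TRACES]
    assert len(encoded_freq) == len(encoded_tfidf) == len(TRACES)
    normal_only = [t for t, y in zip(TRACES, LABELS) if y == 0]
    predictions = profile_anomaly_predictions(normal_only, TRACES)
    return detection_metrics(LABELS, predictions)


if __name__ == "__main__":
    print(run_example())
```

The two encodings share one vector layout (one column per database call), so the same metric code scores a classifier regardless of which encoding fed it; on the constructed traces the profile rule reaches full detection with no false positives only because every attack trace issues a call absent from the normal profile, which is exactly the "novel attack" case where anomaly detection is strong and misuse signatures are weak.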
AMAL PRASAD 1
ANN
I use a hidden layer of size 50 with sigmoid activation.
SVM
I use a Gaussian kernel.
Comparison
Model | Anomaly detection rate | False positive rate | ROC AUC score
Conclusion:
• All the techniques perform well, with desirable ROC AUC scores, attack detection rates and false positive rates.
• SVM with tf-idf encoding gives the best trade-off and is the best model of the four.