
Intrusion Detection

Using ANN and SVM


SIV895 - Special Module on Intelligent Info. Processing
Amal Prasad - 2017CS1032

Introduction
Systems are now designed with more flexibility and less barrier security. Accordingly,
security breaches are an area of increasing concern to the Internet community. There are
proposed techniques that can identify attacks; however, the very success of these
techniques may also lead to their own downfall: attackers study the rationale behind
them and change their behaviour to evade detection. New ways to identify attacks are
therefore necessary. The goal of using an ANN and an SVM for attack detection is to
develop a generalisation capability from limited training data.

Intrusion detection techniques can be categorised into misuse detection and anomaly
detection. Although misuse detection can achieve a low false positive rate (the rate of
misclassified normal behaviour), minor variations of a known attack occasionally cannot
be detected. Anomaly detection can detect novel attacks, yet it suffers from a higher
false positive rate.

I use a training set of 1200 vectors, of which around 900 are normal and 300 are
attack vectors. The test set has around 4500 vectors; all the results are for the
testing stage.

Frequency Based Encoding

Each process is encoded by how often each system call in the database appears in that
process.

Term frequency - inverse document frequency

The encoding c_i for each system call is defined as:
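Both encodings described above, as an added example that is not code from the original report. The traces are constructed, and because the report's own definition of c_i did not survive extraction, the tf-idf formula used here is the standard one (term frequency in the trace times log(N / df)), which is an assumption.

```python
# Added example (not from the original report): frequency-based and tf-idf
# encoding of system-call traces into fixed-length vectors over a database
# vocabulary. The traces are constructed; the tf * log(N/df) form is assumed.
import math
from collections import Counter

# Constructed sample database: each process is a list of system calls.
TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "close"],
    ["socket", "connect", "execve", "execve", "execve"],
]


def vocabulary(traces):
    """Sorted list of every distinct system call seen in the database."""
    return sorted({call for trace in traces for call in trace})


def frequency_encode(trace, vocab):
    """Frequency-based encoding: how many times each vocabulary call occurs in the process."""
    counts = Counter(trace)
    return [counts.get(call, 0) for call in vocab]


def document_frequency(traces, vocab):
    """Number of processes in the database in which each call appears at least once."""
    return {call: sum(1 for t in traces if call in t) for call in vocab}


def tfidf_encode(trace, traces, vocab):
    """tf-idf encoding (assumed form): tf = share of the trace made up of this call,
    idf = log(N / df). A call that appears in every process gets idf 0 and so
    contributes nothing, which is the usual reason common calls such as read
    stop dominating the vector."""
    n = len(traces)
    df = document_frequency(traces, vocab)
    counts = Counter(trace)
    total = len(trace)
    vec = []
    for call in vocab:
        tf = counts.get(call, 0) / total if total else 0.0   # empty trace -> all zeros
        idf = math.log(n / df[call]) if df[call] else 0.0    # unseen call -> 0
        vec.append(tf * idf)
    return vec


def encode_database(traces, method="frequency"):
    """Encode every process with the chosen method; rows line up with VOCAB."""
    vocab = vocabulary(traces)
    if method == "frequency":
        return [frequency_encode(t, vocab) for t in traces]
    if method == "tfidf":
        return [tfidf_encode(t, traces, vocab) for t in traces]
    raise ValueError("method must be 'frequency' or 'tfidf'")


VOCAB = vocabulary(TRACES)

if __name__ == "__main__":
    print(VOCAB)
    for row in encode_database(TRACES, "frequency"):
        print(row)
    for row in encode_database(TRACES, "tfidf"):
        print([round(v, 3) for v in row])
```

The vocabulary is fixed from the training database, so a call first seen at test time has no column and is silently dropped; a deployment would want to count such unknown calls in a separate feature rather than lose them.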

AMAL PRASAD 1

ANN

I use a hidden layer of size 50 with sigmoid activation.

(a) Frequency Based encoding

Train Accuracy: 99.24%
Test Accuracy: 89.33%

Confusion Matrix
                    Actual Attack   Actual Normal
Predicted Attack          361             608
Predicted Normal           29            3764

Attack Detection Rate = 92.6%
False Positive Rate = 13.9%
roc auc score = 0.93


(b) Term frequency - inverse document frequency

Train Accuracy: 94.8%
Test Accuracy: 86.5%

Confusion Matrix-1
                    Actual Attack   Actual Normal
Predicted Attack          341             595
Predicted Normal           49            3777

Attack Detection Rate = 87.4%
False Positive Rate = 13.6%
roc auc score = 0.91
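The ANN setup above (one hidden layer of 50 sigmoid units) and the metrics it is scored with, as an added example that is not code from the original report. The network is trained from scratch on constructed frequency-encoded traces; the training data, the call set, the 1:3 attack-to-normal ratio and the plain per-sample gradient descent on cross-entropy are all assumptions, since the report only states the layer size and activation. The same evaluation functions reproduce the detection rate and false positive rate from the report's first confusion matrix.

```python
# Added example (not from the original report): a sigmoid MLP with 50 hidden
# units trained on constructed system-call frequency vectors, evaluated with a
# confusion matrix, attack detection rate, false positive rate and ROC AUC.
import math
import random

VOCAB = ["close", "execve", "open", "read", "socket", "write"]   # constructed call set


def make_trace(rng, attack, length=40):
    """Constructed trace: attack processes lean on execve/socket, normal ones on read/write."""
    weights = [1, 6, 1, 1, 6, 1] if attack else [1, 0.2, 2, 6, 0.2, 6]
    return rng.choices(VOCAB, weights=weights, k=length)


def frequency_encode(trace):
    """Frequency-based encoding, divided by trace length so vectors of different lengths compare."""
    return [trace.count(call) / len(trace) for call in VOCAB]


def sigmoid(z):
    z = max(-60.0, min(60.0, z))          # keep math.exp from overflowing
    return 1.0 / (1.0 + math.exp(-z))


class SigmoidMLP:
    """One hidden layer of sigmoid units and a sigmoid output giving P(attack)."""

    def __init__(self, n_in, n_hidden=50, seed=0):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
             for row, b in zip(self.w1, self.b1)]
        p = sigmoid(sum(w * hj for w, hj in zip(self.w2, h)) + self.b2)
        return h, p

    def predict_proba(self, x):
        return self.forward(x)[1]

    def fit(self, X, y, epochs=100, lr=0.5):
        """Per-sample gradient descent on binary cross-entropy; returns self."""
        for _ in range(epochs):
            for x, t in zip(X, y):
                h, p = self.forward(x)
                d_out = p - t                                        # dL/dz at the output
                d_hid = [d_out * w * hj * (1.0 - hj) for w, hj in zip(self.w2, h)]
                for j, hj in enumerate(h):
                    self.w2[j] -= lr * d_out * hj
                self.b2 -= lr * d_out
                for j, dj in enumerate(d_hid):
                    row = self.w1[j]
                    for i, xi in enumerate(x):
                        row[i] -= lr * dj * xi
                    self.b1[j] -= lr * dj
        return self


def confusion(y_true, y_pred):
    """(TP, FP, FN, TN) with attack as the positive class, matching the report's matrices."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(1 for t, p in pairs if t == 1 and p == 1)
    fp = sum(1 for t, p in pairs if t == 0 and p == 1)
    fn = sum(1 for t, p in pairs if t == 1 and p == 0)
    tn = sum(1 for t, p in pairs if t == 0 and p == 0)
    return tp, fp, fn, tn


def detection_and_fpr(tp, fp, fn, tn):
    """Attack detection rate = TP/(TP+FN); false positive rate = FP/(FP+TN)."""
    dr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return dr, fpr


def roc_auc(y_true, scores):
    """Rank-based AUC: probability an attack outscores a normal sample (ties count half)."""
    pos = [s for t, s in zip(y_true, scores) if t == 1]
    neg = [s for t, s in zip(y_true, scores) if t == 0]
    if not pos or not neg:
        return float("nan")
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def run_experiment(n_train=60, n_test=200, seed=1):
    """Train on constructed traces (about 1 attack per 3 normal) and score a held-out set."""
    rng = random.Random(seed)

    def dataset(n):
        labels = [1 if i % 4 == 0 else 0 for i in range(n)]
        return [frequency_encode(make_trace(rng, a)) for a in labels], labels

    X_tr, y_tr = dataset(n_train)
    X_te, y_te = dataset(n_test)
    model = SigmoidMLP(len(VOCAB)).fit(X_tr, y_tr)
    scores = [model.predict_proba(x) for x in X_te]
    y_pred = [1 if s >= 0.5 else 0 for s in scores]
    tp, fp, fn, tn = confusion(y_te, y_pred)
    dr, fpr = detection_and_fpr(tp, fp, fn, tn)
    return {"confusion": (tp, fp, fn, tn), "detection_rate": dr,
            "false_positive_rate": fpr, "roc_auc": roc_auc(y_te, scores)}


if __name__ == "__main__":
    print(run_experiment())
```

The 0.5 decision threshold is the one the confusion matrices above imply; ROC AUC is threshold-free, which is why it is the better number for comparing models whose detection rate and false positive rate move in opposite directions when the threshold shifts.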


SVM

I use a Gaussian kernel.

(a) Frequency Based encoding

Train Accuracy: 99.24%
Test Accuracy: 91.35%

Confusion Matrix-2
                    Actual Attack   Actual Normal
Predicted Attack          343             365
Predicted Normal           47            4007

Attack Detection Rate = 88%
False Positive Rate = 8.34%
roc auc score = 0.92


(b) Term frequency - inverse document frequency

Train Accuracy: 99.66%
Test Accuracy: 90.7%

Confusion Matrix-3
                    Actual Attack   Actual Normal
Predicted Attack          356             407
Predicted Normal           34            3965

Attack Detection Rate = 91.3%
False Positive Rate = 10.26%
roc auc score = 0.95


Comparison

Model                          Anomaly Detection Rate   False Positive Rate   roc auc score
ANN with frequency encoding    92.6%                    13.9%                 0.93
ANN with tf-idf                87.4%                    13.6%                 0.91
SVM with frequency encoding    88%                      8.34%                 0.92
SVM with tf-idf                91.3%                    10.26%                0.95

Conclusion:

• All the techniques perform well, with desirable roc auc scores, attack detection rates and
false positive rates.
• SVM with tf-idf encoding gives the best tradeoff and is the best model of the four.
