Fuzzy Learning Classifier System for Intrusion Detection Monu Bambroo.
Motivation
Total revenue losses in 2002 due to network breaches were about $10 billion.
The computer security problem is inherently a modeling problem.
Fuzzy logic is robust with respect to modeling imprecision and vagueness.
Inductive Learning
Inductive learning is learning by example.
C4.5 program constructs classifiers in the form of a decision tree.
Decision trees are sometimes too complex to understand.
C4.5 re-expresses the classification model as production-rules.
Experimental Data Set
The KDD’99 dataset was used for the experiments.
Each connection in the dataset is labeled as either normal or as an attack, with exactly one specific attack type.
Attacks fall into 4 main categories.
– DOS
– R2L
– U2R
– Probing
The R2L attack warezmaster is our experimental attack type.
Crisp Versus Fuzzy Sets
[Figure: Crisp Set and Fuzzy Set membership (μ) of the labels Close, Medium and Far over Distance [mm]. Crisp set axis marks: 0, 750, 1500. Fuzzy set axis marks: 0, 600, 900, 1350, 1650.]
Fuzzy Inference Steps
– Input Fuzzification
– Implication Method
– Aggregation
– Defuzzification
Fuzzy Logic, How it works?
– Input Fuzzification
– Rule across Antecedents: Volatility index = 0.6, Cyclomatic Complexity = 32; output Quality Risk
– Implication method: Volatility index = 0.6, Cyclomatic Complexity = 32
– Aggregation: Quality Risk
– Defuzzification
Fuzzy rules
7 6 3 : 1
7 6 2 : 2
7 6 2 : 2
0 254 0 normal.
0 7321 0 normal.
282 158 2 warezmaster.
All Rules Match
No | Classifier | Strength | Message | Matched | Bid | Tax
1 | #010:0011 | 200 | | | | 0.1*200 = 20
2 | #101:0001 | 200 | | Env | 0.2*200 = 40 | 0.1*200 = 20
3 | ##01:0010 | 200 | | Env | 0.2*200 = 40 | 0.1*200 = 20
4 | 010#:0010 | 200 | | Env | 0.2*200 = 40 | 0.1*200 = 20
5 | ##1#:1000 | 200 | | | | 0.1*200 = 20
6 | #011:0100 | 200 | | | | 0.1*200 = 20
7 | 1###:0101 | 200 | | | | 0.1*200 = 20
Environment | | 0 | 0101 | | |

No | Classifier | Strength | Message | Matched | Bid | Tax
1 | #010:0011 | 180 | | | | 0.1*180 = 18
2 | #101:0001 | 140 | 0001 | | | 0.1*140 = 14
3 | ##01:0010 | 140 | | 2 | 0.2*140 = 28 | 0.1*140 = 14
4 | 010#:0010 | 140 | | | | 0.1*140 = 14
5 | ##1#:1000 | 180 | | | | 0.1*180 = 18
6 | #011:0100 | 180 | | | | 0.1*180 = 18
7 | 1###:0101 | 180 | | | | 0.1*180 = 18
Environment | | 120 | | | |

No | Classifier | Strength | Message | Matched | Bid | Tax
1 | #010:0011 | 162 | | 3 | 0.2*162 = 32.4 | 0.1*162 = 16.2
2 | #101:0001 | 154 | | | | 0.1*154 = 15.4
3 | ##01:0010 | 98 | 0010 | | | 0.1*98 = 9.8
4 | 010#:0010 | 126 | | | | 0.1*126 = 12.6
5 | ##1#:1000 | 162 | | 3 | 0.2*162 = 32.4 | 0.1*162 = 16.2
6 | #011:0100 | 162 | | | | 0.1*162 = 16.2
7 | 1###:0101 | 162 | | | | 0.1*162 = 16.2
Environment | | 120 | | | |
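The three tables above can be replayed in code. This is an added example, not part of the original slides: it matches each posted message against the classifier conditions, charges the 0.2 bid and 0.1 tax, and credits the bids to whoever supplied the message. Posting one message per round, and the names `step` and `replay`, are assumptions made to follow the tables.

```python
# Added illustration: replays the bucket-brigade trace from the tables above.
BID_RATE, TAX_RATE = 0.2, 0.1   # coefficients shown in the Bid and Tax columns

CLASSIFIERS = ["#010:0011", "#101:0001", "##01:0010", "010#:0010",
               "##1#:1000", "#011:0100", "1###:0101"]


def matches(condition, message):
    """'#' is a wildcard; every other position must equal the message bit."""
    return all(c in ("#", m) for c, m in zip(condition, message))


def step(strengths, env, sender, message):
    """One auction round for a single posted message.

    sender is None for the environment, else the 0-based index of the
    classifier that posted `message`. Returns (strengths, env, matched).
    """
    matched = [i for i, rule in enumerate(CLASSIFIERS)
               if matches(rule.split(":")[0], message)]
    new = list(strengths)
    paid = 0.0
    for i, s in enumerate(strengths):
        new[i] -= TAX_RATE * s          # every classifier pays the tax
        if i in matched:
            new[i] -= BID_RATE * s      # matched classifiers pay their bid
            paid += BID_RATE * s
    if sender is None:
        env += paid                     # bids go to the supplier of the message
    else:
        new[sender] += paid
    return new, env, [i + 1 for i in matched]


def replay():
    """Assumption: one message per round, in the order the tables show them."""
    strengths, env = [200.0] * 7, 0.0
    trace = []
    for sender, message in [(None, "0101"), (1, "0001"), (2, "0010")]:
        strengths, env, matched = step(strengths, env, sender, message)
        trace.append((matched, [round(s, 1) for s in strengths], round(env, 1)))
    return trace


if __name__ == "__main__":
    for matched, strengths, env in replay():
        print(matched, strengths, env)
```

The first two rounds reproduce the Strength columns of the second and third tables; the third round shows classifiers 1 and 5 matching the message posted by classifier 3.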
What is a ‘Learning Fuzzy Classifier System’ (LFCS)
Learn rules where clauses are labels associated with fuzzy sets
Each fuzzy set represents a membership function for a variable
A genetic algorithm operates on fuzzy sets, evolving the best solution
Comparing ‘LCS’ and ‘LFCS’
– Matching
– Rule Activation
– Reinforcement Distribution
– Genetic Algorithm
Rule Base
Representation Type
7 6 3 : 1
If (duration is 7) and (srcbytes is 6) and (hot is 3) then (attack is warezmaster) (1)
Contd.
Rules are represented using the ‘Michigan Approach’
The Pittsburgh approach requires a large amount of computational effort
Genetic activity destroys local optimum
In the Michigan approach, genetic operators operate on single rules
Reinforcement Distribution
Fuzzy Bucket Brigade Algorithm
I. Compute the bid based on the action sets of the active classifiers
II. Reduce the strength of each active classifier by a quantity equal to its contribution to the bid
III. Distribute the bid to the classifiers belonging to the action set which led to the reward
Genetic Algorithm
Name | Description
Representation | Integer
Recombination | One-Point Crossover
Mutation | Uniform Mutation
Mutation Probability | 70%
Crossover Probability | 20%
Parent Selection | Rank Based
Survival Selection | Generational
Initialization | C4.5 heuristic Rules
Input/Output for the System
Input
Name='srcbytes'
Range=[0 5135678]
NumMFs=6
MF1='1':'trimf',[0 149.4455 245.9026]
MF2='2':'trimf',[195.1873 232.6335 305.2674]
MF3='3':'trimf',[288.2449 335.5554 352.726]
MF4='4':'trimf',[335 479.0667 979.6835]
MF5='5':'trimf',[872.45944836 976.71911992 1476407.9375]
MF6='6':'trimf',[1003.3344398 4241231.9102 5135678]
Input
Name='duration'
Range=[0 29296]
NumMFs=8
MF1='1':'trimf',[0 3.9672 7.3611]
MF2='2':'trimf',[2.84113 6.52038 11.4731]
MF3='3':'trimf',[10 10.4385 13.2237]
MF4='4':'trimf',[11.7093 14.9302 46.311]
MF5='5':'trimf',[15.8705 37.2474 70]
MF6='6':'trimf',[74.830436 780.36685 2422.6428]
MF7='7':'trimf',[1225.35095 2561.29491 13717.8565]
MF8='8':'trimf',[2576.6364 18682.0544 29296]
Input
Name='hot'
Range=[0 30]
NumMFs=4
MF1='1':'trimf',[0 1.1054 8.8699]
MF2='2':'trimf',[2.09904 11.0163 20.0822]
MF3='3':'trimf',[16.0978 19.0139 26.1328]
MF4='4':'trimf',[22.1838 26.9372 30]
Output
Name='attack'
Range=[0 1]
NumMFs=3
MF1='normal':'trimf',[0 0.2 0.35]
MF2='warezclient':'trimf',[0.35 0.5 0.65]
MF3='warezmaster':'trimf',[0.65 0.797 1]
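How the rule "If (duration is 7) and (srcbytes is 6) and (hot is 3) then (attack is warezmaster)" evaluates against the membership functions listed above, as an added example that is not part of the original slides. The slides do not name the operators, so min for AND, min for implication and centroid defuzzification are assumptions, as are the function names and the constructed inputs.

```python
# Added illustration using the membership-function parameters listed above.
DURATION_7 = (1225.35095, 2561.29491, 13717.8565)    # MF7 of 'duration'
SRCBYTES_6 = (1003.3344398, 4241231.9102, 5135678)   # MF6 of 'srcbytes'
HOT_3 = (16.0978, 19.0139, 26.1328)                  # MF3 of 'hot'
WAREZMASTER = (0.65, 0.797, 1.0)                     # MF3 of output 'attack'


def trimf(x, abc):
    """Triangular membership: 0 outside [a, c], 1 at the peak b."""
    a, b, c = abc
    if x == b:
        return 1.0
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)


def firing_strength(duration, srcbytes, hot):
    """Rule '7 6 3': AND of the three antecedents, taken as min (assumption)."""
    return min(trimf(duration, DURATION_7),
               trimf(srcbytes, SRCBYTES_6),
               trimf(hot, HOT_3))


def defuzzify(strength, steps=2000):
    """Clip the warezmaster set at `strength` (min implication, assumption) and
    return the centroid of the clipped area, or None if the rule is silent."""
    if strength <= 0.0:
        return None
    num = den = 0.0
    for i in range(steps + 1):
        y = i / steps                    # output universe is Range=[0 1]
        mu = min(strength, trimf(y, WAREZMASTER))
        num += y * mu
        den += mu
    return num / den


def classify(duration, srcbytes, hot):
    """Return (firing strength, crisp 'attack' value or None)."""
    w = firing_strength(duration, srcbytes, hot)
    return w, defuzzify(w)


if __name__ == "__main__":
    # Constructed inputs, not KDD'99 records.
    print(classify(2000, 2_000_000, 18))   # partial match on all three inputs
    print(classify(0, 254, 0))             # outside every antecedent set
```

A crisp output inside [0.65, 1] falls in the warezmaster output set; `None` means this rule did not fire and says nothing about the connection.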
Results
 | Number of Records | Percentage of Records
Negative Detection | 61014 | 98.10
Missed Alarms | 410 | 25.59
Positive Detection | 1180 | 73.66
False Alarms | 2 | 0.0048