
1

Utilizing fuzzy logic and trend analysis for effective intrusion detection

Author: Martin Botha and Rossouw von Solms

Source: Computers & Security Vol 22, No 5, pp 423-434, 2003

Speaker: Su-Ping Chen

Date: 2006/1/3

2

Outline

Overview of current Intrusion Detection Systems and fuzzy logic

The fuzzy methodology

HIDS

Conclusion

Comments

3

Overview of current Intrusion Detection Systems and fuzzy logic

Current Intrusion Detection Systems are based on two major intrusion detection approaches, namely misuse and anomaly intrusion detection.

The immunology approach to Intrusion Detection Systems.

The first shortcoming of current anomaly intrusion detection systems is a lack of precise data. The simple approach gathers precise data from the firewall and operating system audit logs as well as the various user profiles.

4

Overview of current Intrusion Detection Systems and fuzzy logic

A simple Intrusion Detection approach.

5

Overview of current Intrusion Detection Systems and fuzzy logic

The second shortcoming of current anomaly intrusion detection systems is the lack of a precise method. The object of the strategy is to compare the generic intrusion phases to the actions of a user or intruder. Both are represented as graphs, which are then compared using pattern recognition techniques.

Template and user action graph.

6

The fuzzy methodology

Fuzzy logic provides a comprehensive approach that can be used to construct the user action graph and template.

The approach is based on four steps:

1. Fuzzification step

2. Inference step

3. Composition step

4. Defuzzification step

7

The fuzzy methodology

Fuzzification step

The object of this step is to define the input variables as well as an input membership function for each input variable.

8

The fuzzy methodology

Fuzzification step

The information gained from the input variables represents real-world values and must be converted to truth-values.

For input variable 2 (Illegal firewall access) one can define the following membership expression for this input:

Illegal firewall access (x) =
  0      if number of attempts < 3
  0.33   if number of attempts = 3
  0.66   if number of attempts = 4
  1      if number of attempts > 4

9

The fuzzy methodology

Fuzzification step

Membership function for Illegal Firewall Access Input.

10

The fuzzy methodology

Fuzzification step

The fuzzy set for the membership expression for illegal firewall access is as follows:

A (Illegal firewall access) = 0/2 ∪ 0.33/3 ∪ 0.66/4 ∪ 1/5

11

The fuzzy methodology

Inference step

The purpose of the inference process is to categorize each input variable according to standard fuzzy values, such as low, medium or high.

A (Illegal firewall access) = 0/0 ∪ 0.33/2.75 ∪ 0.66/5.5 ∪ 1/8.34 ∪ 0.66/11.09 ∪ 0.33/13.84 ∪ 0/16.67

12

The fuzzy methodology

Inference step

The fuzzy rules for the illegal firewall access input variable are as follows:

Rule 1: If the user types his/her password incorrectly zero to two times, then the contribution of this input should be zero.

Rule 2: If the user types his/her password incorrectly three times, then the contribution of this input should be low.

Rule 3: If the user types his/her password incorrectly four times, then the contribution of this input should be medium.

Rule 4: If the user types his/her password incorrectly five or more times, then the contribution of this input should be high.

13

The fuzzy methodology

Composition step

During the composition step, all 11 input membership functions are combined.

14

The fuzzy methodology

Defuzzification step

This step explains how this geometrical graph can be used to map the user's/intruder's actions onto the six generic intrusion phases.

The mapping strategy consists of three phases, namely:

1. Construction of template graph

2. Construction of user action graph

3. Mapping the two graphs

15

The fuzzy methodology

Defuzzification step (Construction of template graph)

The template represents an intruder's typical actions when progressing through all six phases of the generic intrusion phases.

The various output membership functions can mathematically be maximized and combined by employing the following expression:

μ∪(x) = μ1(x) ∨ μ2(x) ∨ … ∨ μj(x),  x ∈ X   (∨ denotes the pointwise maximum)

∴ μ∪(Template) = 0/0 ∪ 1/8.34 ∪ 1/16.6 ∪ 1/25.02 ∪ 1/33.33 ∪ 1/41.67 ∪ 1/50.51 ∪ 1/58.35 ∪ 1/66.69 ∪ 1/75.03 ∪ 1/83.37 ∪ 1/91.71 ∪ 0/100

16

The fuzzy methodology

Defuzzification step (Construction of the user action graph)

The user action graph can be constructed by reading the various audit logs and user profiles.

17

The fuzzy methodology

Defuzzification step (Mapping the two graphs)

The mapping strategy can be conducted by employing the defuzzification step of the fuzzy logic process. The centre of gravity (COG) represents a numerical categorization of the total area of the graph.
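A worked implementation of the four steps (fuzzification, inference, composition and defuzzification by centre of gravity) followed by the mapping of the COG onto the six generic intrusion phases, as an added example that is not the authors' HIDS code. The membership thresholds, the triangular output set and the template points are the numbers from the slides; the placement of each input's output set on its template peak, the min/max (Mamdani) composition, the template-match rule, the placeholder names for inputs 1 and 3 to 11 and the activity counts fed in are assumptions made here.

```python
"""Fuzzification -> inference -> composition -> COG defuzzification -> phase.
Added example, not the HIDS prototype. Slide numbers are used where the slides
give them; everything else is labelled as an assumption in the comments."""
from typing import Dict, List, Optional, Tuple

# Template graph from the slide: (position on the 0..100 intrusion axis, membership).
TEMPLATE: List[Tuple[float, float]] = [
    (0, 0), (8.34, 1), (16.6, 1), (25.02, 1), (33.33, 1), (41.67, 1), (50.51, 1),
    (58.35, 1), (66.69, 1), (75.03, 1), (83.37, 1), (91.71, 1), (100, 0),
]
PEAKS = [x for x, mu in TEMPLATE if mu == 1]   # eleven peaks, one per input variable
HALF_WIDTH = 8.34        # output triangle from the slide: 0/0, 1/8.34, 0/16.67
PHASE_WIDTH = 100 / 6    # six generic intrusion phases on the 0..100 axis
GRID_STEP = 0.01         # discretisation used for the centre of gravity

# Variable 2 is the slide's "illegal firewall access"; the other ten inputs are
# not named on the slides, so they are placeholders (assumption).
INPUT_NAMES = ["input 1", "illegal firewall access"] + [f"input {i}" for i in range(3, 12)]

def fuzzify(attempts: int) -> float:
    """Step 1, fuzzification: the slide's membership expression for illegal
    firewall access (<3 -> 0, 3 -> 0.33, 4 -> 0.66, >4 -> 1). Assumed to apply
    to the placeholder inputs as well."""
    if attempts < 3:
        return 0.0
    if attempts == 3:
        return 0.33
    if attempts == 4:
        return 0.66
    return 1.0

def infer(truth: float) -> str:
    """Step 2, inference: rules 1-4 from the slide, stated on the truth value."""
    if truth == 0.0:
        return "zero"
    if truth <= 0.33:
        return "low"
    if truth <= 0.66:
        return "medium"
    return "high"

def output_set(x: float, centre: float) -> float:
    """Triangular output membership of one input, centred on its template peak
    (assumption: input k owns the k-th template peak)."""
    return max(0.0, 1.0 - abs(x - centre) / HALF_WIDTH)

def user_graph(counts: Dict[str, int], x: float) -> float:
    """Step 3, composition: clip each input's output set at its truth value
    (min) and take the union over all inputs (max) -> user action graph at x."""
    mu = 0.0
    for idx, name in enumerate(INPUT_NAMES):
        truth = fuzzify(counts.get(name, 0))
        mu = max(mu, min(truth, output_set(x, PEAKS[idx])))
    return mu

def centre_of_gravity(counts: Dict[str, int]) -> Optional[float]:
    """Step 4, defuzzification: COG = sum(x*mu(x)) / sum(mu(x)) over the
    discretised axis; None when no input fired at all."""
    num = den = 0.0
    for i in range(int(100 / GRID_STEP) + 1):
        x = i * GRID_STEP
        mu = user_graph(counts, x)
        num += x * mu
        den += mu
    return None if den == 0.0 else num / den

def phase_reached(cog: float) -> int:
    """Map the COG onto one of the six generic intrusion phases (1..6)."""
    return min(6, int(cog // PHASE_WIDTH) + 1)

def matches_template(counts: Dict[str, int], tol: float = 0.05) -> bool:
    """Pattern match (assumption): the user graph matches the template when it
    reaches full membership at every template peak."""
    return all(user_graph(counts, x) >= 1.0 - tol for x in PEAKS)

def assess(counts: Dict[str, int]) -> Dict[str, object]:
    """Run the whole pipeline for one user's activity counts."""
    cog = centre_of_gravity(counts)
    return {
        "categories": {n: infer(fuzzify(counts[n])) for n in INPUT_NAMES if n in counts},
        "cog": cog,
        "template_match": matches_template(counts),
        "phase": None if cog is None else phase_reached(cog),
    }

if __name__ == "__main__":
    # Constructed counts such as a log reader would extract from the firewall
    # and operating system audit logs (not real data).
    print(assess({"illegal firewall access": 4}))   # medium, no match, phase 1
    print(assess({n: 5 for n in INPUT_NAMES}))      # every input high: template match
```

With only input 2 firing at four attempts the user graph is a single clipped triangle, so the COG sits on that input's peak and the intruder is placed in phase 1; when all eleven inputs fire, the union of the clipped triangles reaches 1 at every template peak and the graphs match, which is the alert condition described in the conclusion.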

18

The fuzzy methodology

Defuzzification step (Mapping the two graphs)

The mapping process.

19

HIDS

A working prototype called the Hybrid Intrusion Detection System (HIDS) was developed.

HIDS is a software suite written in the Visual Basic and Visual C programming languages.

The prototype allows for two types of testing, including real-time testing.

20

Conclusion

A novel fuzzy methodology that identifies the different levels of an intrusion attack has been proposed in this paper.

The model identifies an intrusion attack by reading the audit log files and user profiles on the operating system and then constructing the user action graph from that information.

The methodology also constructs a typical intrusion graph (template graph) and then maps the user graph onto this template graph.

21

Conclusion

If the two graphs match, the methodology alerts the security officer that someone is carrying out an intrusion attack.

If not, the methodology computes which phase the intruder has reached.

Fuzzy logic is used in both the mapping and the phase-determining processes.

22

Comments