Transcript
Page 1: Fuzzy Learning Classifier System for Intrusion Detection

Fuzzy Learning Classifier System for Intrusion Detection

Monu Bambroo

Page 2: Fuzzy Learning Classifier System for Intrusion Detection

Motivation

Total revenue losses in 2002 due to network breaches were about $10 billion.

The computer security problem is inherently a modeling problem.

Fuzzy logic is robust with respect to modeling imprecision and vagueness.

Page 3: Fuzzy Learning Classifier System for Intrusion Detection

Inductive Learning

Inductive learning is learning by example.

C4.5 program constructs classifiers in the form of a decision tree.

Decision trees are sometimes too complex to understand.

C4.5 re-expresses the classification model as production-rules.

Page 4: Fuzzy Learning Classifier System for Intrusion Detection

Experimental Data Set

The KDD’99 dataset was used for the experiments.

Each connection in the dataset is labeled as either normal or an attack, with exactly one specific attack type.

Attacks fall into 4 main categories:
– DOS
– R2L
– U2R
– Probing

The R2L attack warezmaster is our experimental attack type.

Page 5: Fuzzy Learning Classifier System for Intrusion Detection

Crisp Versus Fuzzy Sets

[Figure: membership μ versus Distance [mm] for the sets Close, Medium and Far. Crisp set: axis ticks 0, 750, 1500. Fuzzy set: axis ticks 0, 600, 900, 1350, 1650.]

Page 6: Fuzzy Learning Classifier System for Intrusion Detection

Fuzzy Inference Steps

Input Fuzzification

Implication Method

Aggregation

Defuzzification

Page 7: Fuzzy Learning Classifier System for Intrusion Detection

Fuzzy Logic, How it works?

Input Fuzzification

Page 8: Fuzzy Learning Classifier System for Intrusion Detection

Fuzzy Logic, How it works?

Volatility index = 0.6, Cyclomatic Complexity = 32

Rule across Antecedents

Page 9: Fuzzy Learning Classifier System for Intrusion Detection

Quality Risk

Fuzzy Logic, How it works?

Volatility index = 0.6, Cyclomatic Complexity = 32

Implication method

Page 10: Fuzzy Learning Classifier System for Intrusion Detection

Fuzzy Logic, How it works?

Aggregation: Quality Risk

Page 11: Fuzzy Learning Classifier System for Intrusion Detection

Fuzzy Logic, How it works?

Defuzzification

Page 12: Fuzzy Learning Classifier System for Intrusion Detection

Fuzzy rules

7 6 3 : 1
7 6 2 : 2
7 6 2 : 2

0 254 0 normal.
0 7321 0 normal.
282 158 2 warezmaster.

All Rules Match

Page 13: Fuzzy Learning Classifier System for Intrusion Detection

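| No | Classifier | Strength | Message | Matched | Bid | Tax |
|---|---|---|---|---|---|---|
| 1 | #010:0011 | 200 | | | | 0.1*200 = 20 |
| 2 | #101:0001 | 200 | | Env | 0.2*200 = 40 | 0.1*200 = 20 |
| 3 | ##01:0010 | 200 | | Env | 0.2*200 = 40 | 0.1*200 = 20 |
| 4 | 010#:0010 | 200 | | Env | 0.2*200 = 40 | 0.1*200 = 20 |
| 5 | ##1#:1000 | 200 | | | | 0.1*200 = 20 |
| 6 | #011:0100 | 200 | | | | 0.1*200 = 20 |
| 7 | 1###:0101 | 200 | | | | 0.1*200 = 20 |
| Environment | | 0 | 0101 | | | |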

Page 14: Fuzzy Learning Classifier System for Intrusion Detection

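| No | Classifier | Strength | Message | Matched | Bid | Tax |
|---|---|---|---|---|---|---|
| 1 | #010:0011 | 180 | | | | 0.1*180 = 18 |
| 2 | #101:0001 | 140 | 0001 | | | 0.1*140 = 14 |
| 3 | ##01:0010 | 140 | | 2 | 0.2*140 = 28 | 0.1*140 = 14 |
| 4 | 010#:0010 | 140 | | | | 0.1*140 = 14 |
| 5 | ##1#:1000 | 180 | | | | 0.1*180 = 18 |
| 6 | #011:0100 | 180 | | | | 0.1*180 = 18 |
| 7 | 1###:0101 | 180 | | | | 0.1*180 = 18 |
| Environment | | 120 | | | | |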

Page 15: Fuzzy Learning Classifier System for Intrusion Detection

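| No | Classifier | Strength | Message | Matched | Bid | Tax |
|---|---|---|---|---|---|---|
| 1 | #010:0011 | 162 | | 3 | 0.2*162 = 32.4 | 0.1*162 = 16.2 |
| 2 | #101:0001 | 154 | | | | 0.1*154 = 15.4 |
| 3 | ##01:0010 | 98 | 0010 | | | 0.1*98 = 9.8 |
| 4 | 010#:0010 | 126 | | | | 0.1*126 = 12.6 |
| 5 | ##1#:1000 | 162 | | 3 | 0.2*162 = 32.4 | 0.1*162 = 16.2 |
| 6 | #011:0100 | 162 | | | | 0.1*162 = 16.2 |
| 7 | 1###:0101 | 162 | | | | 0.1*162 = 16.2 |
| Environment | | 120 | | | | |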
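
The strength updates in the three tables above can be replayed in code. This is an added example, not part of the original presentation: the function names are hypothetical, the bid and tax coefficients (0.2 and 0.1) and the classifiers are read from the tables, and the message list for each cycle is supplied from the tables' Message column rather than derived.

```python
BID_RATE, TAX_RATE = 0.2, 0.1      # coefficients used in the slide tables

# The seven classifiers from the tables, written condition:action.
RULES = ["#010:0011", "#101:0001", "##01:0010", "010#:0010",
         "##1#:1000", "#011:0100", "1###:0101"]

def matches(condition, message):
    """True when every non-'#' position of the condition equals the message bit."""
    return all(c in ("#", m) for c, m in zip(condition, message))

def step(strength, messages):
    """Run one cycle.

    strength: {classifier number or "Env": strength} at the start of the cycle.
    messages: [(sender, bits), ...] currently on the message list.
    Returns (strength after the cycle, messages the matched classifiers post).
    """
    new, posted = dict(strength), []
    for no, rule in enumerate(RULES, start=1):
        condition, action = rule.split(":")
        new[no] -= TAX_RATE * strength[no]        # every classifier pays tax
        for sender, bits in messages:
            if matches(condition, bits):
                bid = BID_RATE * strength[no]
                new[no] -= bid                    # the bidder pays its bid ...
                new[sender] += bid                # ... to the sender it matched
                posted.append((no, action))
                break
    return new, posted

def replay():
    """Replay the two cycles that lead from the first table to the third."""
    start = {no: 200.0 for no in range(1, len(RULES) + 1)}
    start["Env"] = 0.0
    after_1, posted_1 = step(start, [("Env", "0101")])   # environment message
    after_2, posted_2 = step(after_1, [(2, "0001")])     # Message column, 2nd table
    return after_1, posted_1, after_2, posted_2

if __name__ == "__main__":
    for result in replay():
        print(result)
```
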

Page 16: Fuzzy Learning Classifier System for Intrusion Detection

What is a ‘Learning Fuzzy Classifier System’ (LFCS)

Learn rules where clauses are labels associated with fuzzy sets

Each fuzzy set represents a membership function for a variable

A Genetic algorithm operates on fuzzy sets evolving best solution

Page 17: Fuzzy Learning Classifier System for Intrusion Detection

Comparing ‘LCS’ and ‘LFCS’

Matching

Rule Activation

Reinforcement Distribution

Genetic Algorithm

Page 18: Fuzzy Learning Classifier System for Intrusion Detection

Rule Base

Representation Type

7 6 3 : 1

If (duration is 7) and (srcbytes is 6) and (hot is 3) then (attack is warezmaster) (1)

Page 19: Fuzzy Learning Classifier System for Intrusion Detection

Contd.

Rules are represented using the ‘Michigan Approach’

The Pittsburgh approach requires a large amount of computational effort

Genetic activity destroys local optimum

In the Michigan approach, genetic operators operate on single rules

Page 20: Fuzzy Learning Classifier System for Intrusion Detection

Reinforcement Distribution

Fuzzy Bucket Brigade Algorithm

I. Compute the bid based on the action sets of the active classifiers

II. Reduce the strength of each active classifier by a quantity equal to its contribution to the bid

III. Distribute the bid to the classifiers belonging to the action set which led to the reward.

Page 21: Fuzzy Learning Classifier System for Intrusion Detection

Genetic Algorithm

| Name | Description |
|---|---|
| Representation | Integer |
| Recombination | One-Point Crossover |
| Mutation | Uniform Mutation |
| Mutation Probability | 70% |
| Crossover Probability | 20% |
| Parent Selection | Rank Based |
| Survival Selection | Generational |
| Initialization | C4.5 heuristic Rules |

Page 22: Fuzzy Learning Classifier System for Intrusion Detection

Name='srcbytes'
Range=[0 5135678]
NumMFs=6
MF1='1':'trimf',[0 149.4455 245.9026]
MF2='2':'trimf',[195.1873 232.6335 305.2674]
MF3='3':'trimf',[288.2449 335.5554 352.726]
MF4='4':'trimf',[335 479.0667 979.6835]
MF5='5':'trimf',[872.45944836 976.71911992 1476407.9375]
MF6='6':'trimf',[1003.3344398 4241231.9102 5135678]

Input

Input/Output for the System

Page 23: Fuzzy Learning Classifier System for Intrusion Detection

Input/Output for the System

Name='duration'
Range=[0 29296]
NumMFs=8
MF1='1':'trimf',[0 3.9672 7.3611]
MF2='2':'trimf',[2.84113 6.52038 11.4731]
MF3='3':'trimf',[10 10.4385 13.2237]
MF4='4':'trimf',[11.7093 14.9302 46.311]
MF5='5':'trimf',[15.8705 37.2474 70]
MF6='6':'trimf',[74.830436 780.36685 2422.6428]
MF7='7':'trimf',[1225.35095 2561.29491 13717.8565]
MF8='8':'trimf',[2576.6364 18682.0544 29296]

Input

Page 24: Fuzzy Learning Classifier System for Intrusion Detection

Name='hot'
Range=[0 30]
NumMFs=4
MF1='1':'trimf',[0 1.1054 8.8699]
MF2='2':'trimf',[2.09904 11.0163 20.0822]
MF3='3':'trimf',[16.0978 19.0139 26.1328]
MF4='4':'trimf',[22.1838 26.9372 30]

Input

Input/Output for the System

Page 25: Fuzzy Learning Classifier System for Intrusion Detection

Name='attack'
Range=[0 1]
NumMFs=3
MF1='normal':'trimf',[0 0.2 0.35]
MF2='warezclient':'trimf',[0.35 0.5 0.65]
MF3='warezmaster':'trimf',[0.65 0.797 1]

Output

Input/Output for the System
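
How a connection record is fuzzified with the three input variables listed on these slides, and how strongly a rule written as "7 6 3 : 1" then fires, is shown in the following added example, which is not part of the original presentation. The membership parameters are copied from the slides; the function names are hypothetical, `trimf` is the standard triangular membership function, and combining the clauses with min is an assumption because the slides do not name the AND operator.

```python
# Triangular membership parameters (a, b, c) copied from the slides.
MFS = {
    "duration": {"1": (0, 3.9672, 7.3611), "2": (2.84113, 6.52038, 11.4731),
                 "3": (10, 10.4385, 13.2237), "4": (11.7093, 14.9302, 46.311),
                 "5": (15.8705, 37.2474, 70),
                 "6": (74.830436, 780.36685, 2422.6428),
                 "7": (1225.35095, 2561.29491, 13717.8565),
                 "8": (2576.6364, 18682.0544, 29296)},
    "srcbytes": {"1": (0, 149.4455, 245.9026), "2": (195.1873, 232.6335, 305.2674),
                 "3": (288.2449, 335.5554, 352.726), "4": (335, 479.0667, 979.6835),
                 "5": (872.45944836, 976.71911992, 1476407.9375),
                 "6": (1003.3344398, 4241231.9102, 5135678)},
    "hot": {"1": (0, 1.1054, 8.8699), "2": (2.09904, 11.0163, 20.0822),
            "3": (16.0978, 19.0139, 26.1328), "4": (22.1838, 26.9372, 30)},
}
ORDER = ("duration", "srcbytes", "hot")   # clause order in a rule like "7 6 3 : 1"

def trimf(x, abc):
    """Triangular membership: 0 at the feet a and c, 1 at the peak b."""
    a, b, c = abc
    if x == b:
        return 1.0
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)

def fuzzify(var, x):
    """Labels of `var` that have non-zero membership for the crisp value x."""
    degrees = {label: trimf(x, abc) for label, abc in MFS[var].items()}
    return {label: mu for label, mu in degrees.items() if mu > 0}

def firing_strength(rule, record):
    """Antecedent strength of a rule such as "7 6 3 : 1" for one record
    (duration, srcbytes, hot). Clauses are combined with min (assumed)."""
    labels = rule.split(":")[0].split()
    return min(trimf(x, MFS[var][label])
               for var, label, x in zip(ORDER, labels, record))

if __name__ == "__main__":
    record = (282, 158, 2)                # the warezmaster sample from the slides
    for var, x in zip(ORDER, record):
        print(var, x, fuzzify(var, x))
    print(firing_strength("7 6 3 : 1", record))
```

With these parameters the sample record 282 158 2 maps to duration set 6, srcbytes set 1 and hot set 1, so the rule 7 6 3 : 1 has firing strength 0 for it. A value of exactly 0 sits on the foot of set 1 and has membership 0 in every set.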

Page 26: Fuzzy Learning Classifier System for Intrusion Detection

Results

| | Number of Records | Percentage of Records |
|---|---|---|
| Negative Detection | 61014 | 98.10 |
| Missed Alarms | 410 | 25.59 |
| Positive Detection | 1180 | 73.66 |
| False Alarms | 2 | 0.0048 |

