Fuzzy Learning Classifier System for Intrusion Detection


Post on 12-Jan-2016








<ul>
<li><p>Fuzzy Learning Classifier System for Intrusion Detection</p><p>Monu Bambroo</p></li>
<li><p>Motivation</p><p>Total revenue losses in 2002 due to network breaches were about $10 billion.</p><p>The computer security problem is inherently a modeling problem.</p><p>Fuzzy logic is robust with respect to modeling imprecision and vagueness.</p></li>
<li><p>Inductive Learning</p><p>Inductive learning is learning by example.</p><p>The C4.5 program constructs classifiers in the form of a decision tree.</p><p>Decision trees are sometimes too complex to understand.</p><p>C4.5 re-expresses the classification model as production rules.</p></li>
<li><p>Experimental Data Set</p><p>The KDD99 dataset was used for the experiments.</p><p>Each connection in the dataset is labeled either as normal or as an attack, with exactly one specific attack type.</p><p>Attacks fall into 4 main categories: DOS, R2L, U2R, Probing.</p><p>The R2L attack warez-master is our experimental attack type.</p></li>
<li><p>Crisp Versus Fuzzy Sets</p></li>
<li><p>Fuzzy Inference Steps</p><p>Input Fuzzification</p><p>Implication Method</p><p>Aggregation</p><p>Defuzzification</p></li>
<li><p>Fuzzy Logic, How it works?</p><p>Input Fuzzification</p></li>
<li><p>Fuzzy Logic, How it works?</p><p>Volatility index = 0.6</p><p>Cyclomatic Complexity = 32</p><p>Rule across Antecedents</p></li>
<li><p>Fuzzy Logic, How it works?</p><p>Quality Risk</p><p>Volatility index = 0.6</p><p>Cyclomatic Complexity = 32</p><p>Implication method</p></li>
<li><p>Fuzzy Logic, How it works?</p><p>Aggregation</p><p>Quality Risk</p></li>
<li><p>Fuzzy Logic, How it works?</p><p>Defuzzification</p></li>
<li><p>Fuzzy rules</p><p>7 6 3 : 1</p><p>7 6 2 : 2</p><p>7 6 2 : 2</p><p>02540 normal.</p><p>073210 normal.</p><p>2821582 warezmaster.</p><p>All Rules Match</p></li>
<li><p>What is a Learning Fuzzy Classifier System (LFCS)</p></li>
<li><p>Comparing LCS and LFCS</p><p>Matching</p><p>Rule Activation</p><p>Reinforcement Distribution</p><p>Genetic Algorithm</p></li>
<li><p>Rule Base</p><p>7 6 3 : 1</p><p>If (duration is 7) and (srcbytes is 6) and (hot is 3) then (attack is warezmaster) (1)</p></li>
<li><p>Contd.</p><p>Rules are represented using the Michigan approach.</p><p>The Pittsburgh approach requires a large amount of computational effort.</p><p>Genetic activity destroys local optimum.</p><p>In the Michigan approach, genetic operators operate on single rules.</p></li>
<li><p>Reinforcement Distribution</p><p>Fuzzy Bucket Brigade Algorithm</p><p>Compute the bid based on the action sets of the active classifiers.</p><p>Reduce the strength of each active classifier by a quantity equal to its contribution to the bid.</p><p>Distribute the bid to the classifiers belonging to the action set which led to the reward.</p></li>
<li><p>Genetic Algorithm</p></li>
<li><p>Input/Output for the System</p>
<pre>
Name='srcbytes'
Range=[0 5135678]
NumMFs=6
MF1='1':'trimf',[0 149.4455 245.9026]
MF2='2':'trimf',[195.1873 232.6335 305.2674]
MF3='3':'trimf',[288.2449 335.5554 352.726]
MF4='4':'trimf',[335 479.0667 979.6835]
MF5='5':'trimf',[872.45944836 976.71911992 1476407.9375]
MF6='6':'trimf',[1003.3344398 4241231.9102 5135678]
</pre>
<p>Input</p></li>
<li><p>Input/Output for the System</p>
<pre>
Name='duration'
Range=[0 29296]
NumMFs=8
MF1='1':'trimf',[0 3.9672 7.3611]
MF2='2':'trimf',[2.84113 6.52038 11.4731]
MF3='3':'trimf',[10 10.4385 13.2237]
MF4='4':'trimf',[11.7093 14.9302 46.311]
MF5='5':'trimf',[15.8705 37.2474 70]
MF6='6':'trimf',[74.830436 780.36685 2422.6428]
MF7='7':'trimf',[1225.35095 2561.29491 13717.8565]
MF8='8':'trimf',[2576.6364 18682.0544 29296]
</pre>
<p>Input</p></li>
<li><p>Input/Output for the System</p>
<pre>
Name='hot'
Range=[0 30]
NumMFs=4
MF1='1':'trimf',[0 1.1054 8.8699]
MF2='2':'trimf',[2.09904 11.0163 20.0822]
MF3='3':'trimf',[16.0978 19.0139 26.1328]
MF4='4':'trimf',[22.1838 26.9372 30]
</pre>
<p>Input</p></li>
<li><p>Input/Output for the System</p>
<pre>
Name='attack'
Range=[0 1]
NumMFs=3
MF1='normal':'trimf',[0 0.2 0.35]
MF2='warezclient':'trimf',[0.35 0.5 0.65]
MF3='warezmaster':'trimf',[0.65 0.797 1]
</pre>
<p>Output</p></li>
<li><p>Results</p><p>Number of Records</p><p>Percentage of Records</p><p>Negative Detection</p><p>Missed Alarms</p><p>41098.1025.5961014</p><p>Positive Detection</p><p>False Alarms</p><p>1180273.660.0048</p></li>
</ul>
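<p>The four inference steps from the slides (fuzzification, implication, aggregation, defuzzification), applied to the one rule the slides spell out, "7 6 3" with consequent warezmaster, using the membership parameters from the listing. This is an added example, not code from the presentation. The operators (min for AND and for implication, max for aggregation, centroid for defuzzification) are assumed Mamdani defaults that the slides do not state, and the three records are constructed.</p>

```python
# Added example, not from the slides. Operators (min AND, min implication,
# max aggregation, centroid defuzzification) are assumed Mamdani defaults.

def trimf(x, a, b, c):
    """Triangular membership with feet a, c and peak b."""
    if x <= a or x >= c:
        return 1.0 if x == b else 0.0  # nonzero only on a shoulder (a == b or b == c)
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)

# Membership parameters copied from the slides (only the sets the rule uses).
INPUT_MFS = {
    "duration": {7: (1225.35095, 2561.29491, 13717.8565)},
    "srcbytes": {6: (1003.3344398, 4241231.9102, 5135678)},
    "hot": {3: (16.0978, 19.0139, 26.1328)},
}
OUTPUT_MFS = {
    "normal": (0, 0.2, 0.35),
    "warezclient": (0.35, 0.5, 0.65),
    "warezmaster": (0.65, 0.797, 1),
}
# Rule "7 6 3": duration is 7 AND srcbytes is 6 AND hot is 3 -> warezmaster
RULES = [({"duration": 7, "srcbytes": 6, "hot": 3}, "warezmaster")]

def firing_strength(record, antecedents):
    """Fuzzify each input, then AND the antecedents with min."""
    return min(trimf(record[n], *INPUT_MFS[n][mf]) for n, mf in antecedents.items())

def infer(record, steps=10000):
    """Return (crisp output, label), or (None, None) if no rule fires."""
    fired = [(firing_strength(record, ante), out) for ante, out in RULES]
    if all(w == 0.0 for w, _ in fired):
        return None, None  # centroid is undefined over an empty output set
    xs = [i / steps for i in range(steps + 1)]
    # Implication clips each consequent at its rule strength; aggregation takes the max.
    agg = [max(min(w, trimf(x, *OUTPUT_MFS[out])) for w, out in fired) for x in xs]
    crisp = sum(x * m for x, m in zip(xs, agg)) / sum(agg)  # centroid of the aggregate
    label = max(OUTPUT_MFS, key=lambda k: trimf(crisp, *OUTPUT_MFS[k]))
    return crisp, label

# Constructed records (not taken from KDD99).
AT_PEAK = {"duration": 2561.29491, "srcbytes": 4241231.9102, "hot": 19.0139}
HALF = {"duration": 1893.32293, "srcbytes": 4241231.9102, "hot": 19.0139}
SHORT = {"duration": 0, "srcbytes": 254, "hot": 0}

if __name__ == "__main__":
    for name, rec in [("AT_PEAK", AT_PEAK), ("HALF", HALF), ("SHORT", SHORT)]:
        print(name, firing_strength(rec, RULES[0][0]), infer(rec))
```

<p>A record that fires no rule yields no crisp output at all, so a deployment built on a rule base like this needs an explicit default for unmatched connections rather than treating "no output" as normal.</p>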