
Apply Prefix-based Matching and Fuzzy ART to IDS


Presentation Transcript


  1. Apply Prefix-based Matching and Fuzzy ART to IDS

  2. Outline • Introduction (The Proposed Two-Stage PC Algorithm) • Our Method • ANN – ART (Adaptive Resonance Theory)

  3. Introduction --The Proposed Two-Stage PC Algorithm (2003, IEEE 17th International Conference Advanced Information Networking and Applications) network1 (0**, 0**, TCP, 7,6) network2 Router network3 Routing Table (Policy)

  4. The Proposed Two-Stage PC Algorithm (2003, IEEE 17th International Conference Advanced Information Networking and Applications) Stage 1 10 00 01 00 TCP UDP TCP, UDP The Prefix-matching-tree (PMT)

  5. The Proposed Two-Stage PC Algorithm (2003, IEEE 17th International Conference Advanced Information Networking and Applications) Stage 2 (figure: cells labelled with range pairs and the matching rule sets R7; R7, R8; R7, R8, R9)

  6. Our method Two-Stage PC Algorithm Log Packet Routing table(policy) Our method Prefix-based matching Log Assemble Policy Compare Routing table(policy)

  7. Our method Transfer 1. 38 records 2. 233 records FireWall Log Prefix-based FireWall Log 1. 10,000 records 2. 10,000 records Clustering (Neural Network: ART) Correct FireWall Policy Reduce FireWall Rules 7 categories

  8. Our method • Step 1: Prefix-based matching (build the prefix-matching tree) • Step 2: Fuzzy ART clustering • Step 3: Compare to the routing table (policy)

  9. Our method FireWall Log Prefix-based FireWall Log R2 R0tcp, 192.168.*202.12.27.33 R3 Key= Rule + Protocol + SA + DA R5

  10. Our method Prefix-based FireWall Log Fuzzy ART (Clustering) Attribute transfer to 0~1. Because Fuzzy ART can only handle values between 0 and 1, the data must be normalized; the formula is as follows: Semantic conversion

  11. Our method Routing Table Policy FireWall Log(Prefix-based matching and Fuzzy Art Clustering) Compare

  12. Introduction: ANN – ART (Adaptive Resonance Theory)

  13. ANN – ART (Adaptive Resonance Theory) • Proposed by Grossberg in 1976 • ART has many models, e.g. ART1 (input: 0, 1), ART2 (input: real numbers), and Fuzzy ART. • The network features • It uses bottom-up competitive learning and top-down outstar pattern learning. • It is an unsupervised learning network. • Messages are fed forward and back between the layers until the network resonates. • When an unfamiliar input is fed in, a new output node is generated to learn that input. (Figure: competitive learning.)

  14. ANN – ART (Adaptive Resonance Theory) • The network structure Y1 Output layer Input layer X1 X2 … Xn Input layer: each input must have the value 0 or 1. Output layer: it is a cluster layer. The network starts from only one node and grows until all the input patterns are learned. Connections: every input node has one bottom-up link to each output node and one top-down link from the output node back to the input node.

  15. ANN – ART (Adaptive Resonance Theory) • The network structure Y1 Output layer 1/4 1 1 1/4 1 1/4 Input layer X1 = 1, X2 = 0, X3 = 1 1. Initial: = {1, 1, 1} = = {1/4, 1/4, 1/4 } 2. Calculate: = 1 * 1/4 + 0 * 1/4 + 1 * 1/4 = 0.5

  16. ANN – ART (Adaptive Resonance Theory) • The network structure Y1 Net1 = 0.5 Net2 = 0.2 Y2 1 1 1 X1 = 1, X2 = 0, X3 = 1 3. Find the winning node: Net1 = 0.5 4. Calculate “Similar value”: = (1*1 + 0*1 + 1*1) / (1+1+1) = 0.7

  17. 5. Vigilance Test for winning node : Case 2. Vj >ρ Case 1. Vj <ρ Y1 ρ= 0.6 ρ= 0.9 V1 = 0.7 V1 = 0.7 0 Y1 Y3 1 1 1 0 1 X1 =1 X2 =0 X3 =1 X1 =1 X2 1. = {1*1, 1*0, 0*1} = {1, 0, 0} =0 X3 =1 1. set new node Y3 2. = {1, 0, 1} • = {1/1.5, 0/1.5, 0/1.5} 3. = {1/2.5, 0/2.5, 1/2.5}

  18. ANN – ART (Adaptive Resonance Theory) Y1 Ym … • Method • Set up network • Let = 1 and = • Input the pattern x • Calculate “matching value” for every output • Find the winning node j* , • Calculate “Similar value” , • Vigilance Test for winning node Case 1: if Vj < ρ (Vigilance Value) => Input pattern is not similar. Set up output node: If j = j*, then Yj = 1 X1 X2 Xn …

  19. ANN – ART (Adaptive Resonance Theory) • Method Case 2: if Vj ≥ ρ (Vigilance Value) => Input pattern matches output node j*. Update weights: 8. Repeat 3~8 until all the input patterns are learned and there are no more output nodes generated.

  20. ANN – ART(Example) Let ρ = 0.5 1 0 1 0 1 0 Set Weights: 3 4 Update weights 5 1 2 {1,1,1,1,1,1}

  21. ANN – ART(Example) Weights: 4 5 Set new node Y2 and set new weights for Y2 1 2 Y2 3 Y1 0 1 0 1 0 1

  22. ANN – Y2 Y1 1 1 1 0 0 0 Weights: 2 3 4 > 3 5 Update weights (Y1) 1
