Fuzzy Learning Classifier System for Intrusion Detection

Fuzzy Learning Classifier System for Intrusion Detection. Monu Bambroo. Motivation. Total revenue losses in 2002 due to network breaches were about $10 billion. The computer security problem is inherently a modeling problem. Fuzzy logic is robust with respect to modeling imprecision and vagueness.


Presentation Transcript


  1. Fuzzy Learning Classifier System for Intrusion Detection. Monu Bambroo

  2. Motivation. Total revenue losses in 2002 due to network breaches were about $10 billion. The computer security problem is inherently a modeling problem. Fuzzy logic is robust with respect to modeling imprecision and vagueness.

  3. Inductive Learning. Inductive learning is learning by example. The C4.5 program constructs classifiers in the form of a decision tree. Decision trees are sometimes too complex to understand. C4.5 re-expresses the classification model as production rules.

  4. Experimental Data Set. The KDD’99 dataset was used for the experiments. Each connection in the dataset is labeled as either normal or an attack, with exactly one specific attack type. Attacks fall into 4 main categories: • DOS • R2L • U2R • Probing. The R2L attack warezmaster is our experimental attack type.

  5. Crisp Versus Fuzzy Sets. [Figure: membership μ plotted against Distance [mm] for the sets Close, Medium and Far. Crisp Set panel: axis marks 0, 750, 1500. Fuzzy Set panel: axis marks 0, 600, 900, 1350, 1650.]

  6. Fuzzy Inference Steps • Input Fuzzification • Implication Method • Aggregation • Defuzzification

  7. Fuzzy Logic, How it works? Input Fuzzification.

  8. Fuzzy Logic, How it works? Rule across Antecedents (Volatility index = 0.6, Cyclomatic Complexity = 32).

  9. Fuzzy Logic, How it works? Implication method (Quality Risk; Volatility index = 0.6, Cyclomatic Complexity = 32).

  10. Fuzzy Logic, How it works? Aggregation (Quality Risk).

  11. Fuzzy Logic, How it works? Defuzzification.

  12. Fuzzy rules. [Diagram labels: records "0 254 0 normal.", "0 7321 0 normal.", "282 158 2 warezmaster."; "All Rules Match"; rules "7 6 3 : 1", "7 6 2 : 2", "7 6 2 : 2".]

  13. What is a ‘Learning Fuzzy Classifier System’ (LFCS)? Learn rules where clauses are labels associated with fuzzy sets. Each fuzzy set represents a membership function for a variable. A genetic algorithm operates on the fuzzy sets, evolving the best solution.

  14. Comparing ‘LCS’ and ‘LFCS’: Matching, Rule Activation, Reinforcement Distribution, Genetic Algorithm.

  15. Representation Type Rule Base. 7 6 3 : 1 reads: If (duration is 7) and (srcbytes is 6) and (hot is 3) then (attack is warezmaster) (1)

  16. Contd. Rules are represented using the ‘Michigan Approach’. The Pittsburgh approach requires a large amount of computational effort. Genetic activity destroys local optimum. In the Michigan approach, genetic operators operate on single rules.

  17. Reinforcement Distribution: Fuzzy Bucket Brigade Algorithm • Compute the bid based on the action sets of the active classifiers • Reduce the strength of each active classifier by a quantity equal to its contribution to the bid • Distribute the bid to the classifiers belonging to the action set which led to the reward.

  18. Genetic Algorithm

  19. Input/Output for the System
      Input
      Name='srcbytes'
      Range=[0 5135678]
      NumMFs=6
      MF1='1':'trimf',[0 149.4455 245.9026]
      MF2='2':'trimf',[195.1873 232.6335 305.2674]
      MF3='3':'trimf',[288.2449 335.5554 352.726]
      MF4='4':'trimf',[335 479.0667 979.6835]
      MF5='5':'trimf',[872.45944836 976.71911992 1476407.9375]
      MF6='6':'trimf',[1003.3344398 4241231.9102 5135678]

  20. Input/Output for the System
      Input
      Name='duration'
      Range=[0 29296]
      NumMFs=8
      MF1='1':'trimf',[0 3.9672 7.3611]
      MF2='2':'trimf',[2.84113 6.52038 11.4731]
      MF3='3':'trimf',[10 10.4385 13.2237]
      MF4='4':'trimf',[11.7093 14.9302 46.311]
      MF5='5':'trimf',[15.8705 37.2474 70]
      MF6='6':'trimf',[74.830436 780.36685 2422.6428]
      MF7='7':'trimf',[1225.35095 2561.29491 13717.8565]
      MF8='8':'trimf',[2576.6364 18682.0544 29296]

  21. Input/Output for the System
      Input
      Name='hot'
      Range=[0 30]
      NumMFs=4
      MF1='1':'trimf',[0 1.1054 8.8699]
      MF2='2':'trimf',[2.09904 11.0163 20.0822]
      MF3='3':'trimf',[16.0978 19.0139 26.1328]
      MF4='4':'trimf',[22.1838 26.9372 30]

  22. Input/Output for the System
      Output
      Name='attack'
      Range=[0 1]
      NumMFs=3
      MF1='normal':'trimf',[0 0.2 0.35]
      MF2='warezclient':'trimf',[0.35 0.5 0.65]
      MF3='warezmaster':'trimf',[0.65 0.797 1]

  23. Results

                             Number of Records   Percentage of Records
      Positive Detection     1180                73.66
      Negative Detection     61014               98.10
      False Alarms           2                   0.0048
      Missed Alarms          410                 25.59
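
The inference steps of slides 6-11 applied to the rule encoding of slide 15 and the membership functions of slides 19-22, as an added example that is not code from the original presentation. The operators (min for AND and implication, max for aggregation, sampled centroid for defuzzification) and the function names are assumptions, and the sample record is constructed.

```python
# Added example; membership parameters are copied from slides 19-22.
# Assumed: AND = min, implication = clip, aggregation = max, centroid output.
MFS = {
    "duration": [(0, 3.9672, 7.3611), (2.84113, 6.52038, 11.4731),
                 (10, 10.4385, 13.2237), (11.7093, 14.9302, 46.311),
                 (15.8705, 37.2474, 70), (74.830436, 780.36685, 2422.6428),
                 (1225.35095, 2561.29491, 13717.8565),
                 (2576.6364, 18682.0544, 29296)],
    "srcbytes": [(0, 149.4455, 245.9026), (195.1873, 232.6335, 305.2674),
                 (288.2449, 335.5554, 352.726), (335, 479.0667, 979.6835),
                 (872.45944836, 976.71911992, 1476407.9375),
                 (1003.3344398, 4241231.9102, 5135678)],
    "hot": [(0, 1.1054, 8.8699), (2.09904, 11.0163, 20.0822),
            (16.0978, 19.0139, 26.1328), (22.1838, 26.9372, 30)],
}
ATTACK = [(0, 0.2, 0.35), (0.35, 0.5, 0.65), (0.65, 0.797, 1)]  # output sets

def trimf(x, a, b, c):
    """Triangular membership: feet at a and c, peak at b."""
    if x <= a or x >= c:
        return 1.0 if x == b else 0.0  # shoulder case a == b or b == c
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)

def parse_rule(text):
    """'7 6 3 : 1' -> ((7, 6, 3), 1); labels for duration, srcbytes, hot."""
    antecedent, consequent = text.split(":")
    return tuple(int(t) for t in antecedent.split()), int(consequent)

def firing_strength(rule, record):
    """Rule across antecedents: min of the three input memberships."""
    names = ("duration", "srcbytes", "hot")
    return min(trimf(record[n], *MFS[n][k - 1]) for n, k in zip(names, rule[0]))

def infer(rules, record, steps=1000):
    """Clip each consequent set, aggregate by max, return the centroid."""
    fired = [(firing_strength(r, record), r[1]) for r in rules]
    num = den = 0.0
    for i in range(steps + 1):
        y = i / steps
        mu = max(min(w, trimf(y, *ATTACK[c - 1])) for w, c in fired)
        num, den = num + y * mu, den + mu
    return num / den if den else None  # None: no rule fired on this record

RULES = [parse_rule(r) for r in ("7 6 3 : 1", "7 6 2 : 2")]  # from slide 12
# Constructed record placed at the peaks of duration 7, srcbytes 6 and hot 3.
RECORD = {"duration": 2561.29491, "srcbytes": 4241231.9102, "hot": 19.0139}
CRISP = infer(RULES, RECORD)
```

A record whose values fall outside every antecedent set of every rule yields a firing strength of 0 for all rules, so `infer` returns `None` rather than a crisp output.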
