1 / 14

Improvement of NID According to Selection of Continuous Measures in Tree Induction Algorithm

Improvement of NID According to Selection of Continuous Measures in Tree Induction Algorithm. 2004. 8. 24. Il-Ahn Cheong Linux Security Research Center Chonnam National University, Korea. Contents. Introduction Related Works Automatic Generation of Rules using TIA The Experiments

shanae
Download Presentation

Improvement of NID According to Selection of Continuous Measures in Tree Induction Algorithm

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Improvement of NID According to Selection of Continuous Measures in Tree Induction Algorithm 2004. 8. 24. Il-Ahn Cheong Linux Security Research Center Chonnam National University, Korea

  2. Contents • Introduction • Related Works • Automatic Generation of Rules using TIA • The Experiments • Conclusions LSRC, Chonnam National University

  3. I. Introduction • Signature-based Network Intrusion Detection • Require more time generating rules because of dependence on knowledge of experts • Varies according to selection of network measures in the detection • Our approaches • Automatically generates the detection rules by using tree induction algorithms • Improve the detection by automatic selection of network measures • Our expectations • Detection rules generated independent of knowledge of experts • The performance of detection could be improved LSRC, Chonnam National University

  4. II. Related Works • The previous researches • Florida Univ. • LERAD (Learning Rules for Anomaly Detection) • Generating conditional rules • New Mexico Univ. • SVM (Support Vector Machine) • SVM based Ranking method • Applied Research Lab. of Teas Univ. • NEDAA (Exploitation Detection Analyst Assistant) • Genetic algorithm & Decision Tree • Problems • Used limited measures (src/dst. IP/Port, Protocol, etc.) • Not treats of the continuous measures LSRC, Chonnam National University

  5. III. Automatic Generation of Rules (1/5) • Tree Induction Algorithms • A classification method using data mining • The constructed trees provide • a superior measure selection • an easy explanation for constructed tree models • The C4.5 algorithm • Automatically generates trees by calculating the IG (Information Gain) according to the Entropy Reduction • Could be classified in case of existing along with variables having continuous and discrete attributes LSRC, Chonnam National University

  6. Automatic Generation of Rules (2/5) • Automatic Generation Model of Rules LSRC, Chonnam National University

  7. Automatic Generation of Rules (3/5) • Modified C4.5 algorithm LSRC, Chonnam National University

  8. Automatic Generation of Rules (4/5) • Treatment of Continuous Distributions f(x) Continuous  Discrete LSRC, Chonnam National University

  9. Automatic Generation of Rules (5/5) • Change of Selection for Network Measures • GRR (Good Rule Rate) • To select measures having high priority • Threshold value is 0.5 as binary (G | B) • RG (Good Rule) • affected positively generating of detection rules • Reflected next learning • RB (Bad Rule) • affected negatively generating of detection rules • Excluded next learning LSRC, Chonnam National University

  10. IV. The Experiments (1/3) • Experiment Dataset • The 1999 DARPA IDS Evaluation dataset (DARPA99) • 191,077 TCP sessions in Week 4 dataset • After treats of continuous measures • The detection rate increased 20% • The false rate decreased 15% LSRC, Chonnam National University

  11. The Experiments (2/3) • The Result of GRR Calculation • Network measure selected from Ostermann’s TCPtrace (80 measures) • G(Good), B(Bad), I(Ignore), RST(Result;G|B|I), SLT(Select; O|X) • Step#: The # of repeat experiment Threshold value = 0.5 LSRC, Chonnam National University

  12. Step0 Step1 Step2 Step3 Step0 Step1 Step2 Step3 The Experiments (3/3) • The ROC Evaluation • According to selection of priority measures • Detection rate increased • False rate decreased LSRC, Chonnam National University

  13. V. Conclusions • Automatically generates detection rules • using Tree Induction algorithm • without support of experts • Solve the problems according to measure selection • continuous type converting into categorical type • selection of priority measures by calculating GRR • detection rate was increased and false rate was decreased LSRC, Chonnam National University

  14. Q & A • Contact Us E-mail: mir@lsrc.jnu.ac.kr • Thank You! LSRC, Chonnam National University

More Related