
Bayesian Classifiers and Software Sensors for Intrusion Detection Systems.



  1. Bayesian Classifiers and Software Sensors for Intrusion Detection Systems.
  By: Kaushal Mittal. Guide: Prof. Sunita Sarawagi

  2. Bayesian Classifiers
  • Classification
    • Supervised learning
    • Classes known
    • Number of classes known
  • Statistical classifiers
    • Based on Bayes' theorem
    • Calculate the probability of a sample belonging to each class

  3. Naive Bayesian classifier
  • Assumes attribute values are conditionally independent given the target class.
  • Each training sample X is a vector of n attributes {a_n}.
  • Set of classes C = {c_m}.
  • Every new sample S is labelled with the class of maximum posterior probability.
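A worked naive Bayes classifier for the setting these slides describe (discrete attribute vectors, a known set of classes, label = class of maximum posterior). This is an added example, not code from the presentation or from the Shavlik work it cites; the attribute names and the training rows are constructed host-metric bins, and the Laplace smoothing (`alpha`) is an assumption added so that an attribute value never seen under a class does not zero out the whole posterior.

```python
"""Naive Bayes over discrete attribute vectors, with Laplace smoothing.

Constructed example (not from the slides): each sample is a tuple of
already-discretized host metrics (cpu_bin, conn_bin, thread_bin) and the
classes are "normal" and "intrusion".
"""
import math
from collections import Counter, defaultdict


class NaiveBayes:
    def __init__(self, alpha=1.0):
        self.alpha = alpha                      # Laplace smoothing (assumption)
        self.class_counts = Counter()           # class -> number of training samples
        self.attr_counts = defaultdict(Counter) # (attr index, class) -> Counter of values
        self.attr_values = defaultdict(set)     # attr index -> distinct values seen

    def fit(self, samples, labels):
        for x, c in zip(samples, labels):
            self.class_counts[c] += 1
            for i, v in enumerate(x):
                self.attr_counts[(i, c)][v] += 1
                self.attr_values[i].add(v)
        return self

    def log_posteriors(self, x):
        # log P(c) + sum_i log P(a_i = v_i | c), the conditional-independence assumption
        n = sum(self.class_counts.values())
        out = {}
        for c, nc in self.class_counts.items():
            lp = math.log(nc / n)
            for i, v in enumerate(x):
                cnt = self.attr_counts[(i, c)][v]
                k = len(self.attr_values[i])
                lp += math.log((cnt + self.alpha) / (nc + self.alpha * k))
            out[c] = lp
        return out

    def posteriors(self, x):
        # normalise in log space so the probabilities sum to 1
        lp = self.log_posteriors(x)
        m = max(lp.values())
        w = {c: math.exp(v - m) for c, v in lp.items()}
        z = sum(w.values())
        return {c: v / z for c, v in w.items()}

    def predict(self, x):
        lp = self.log_posteriors(x)
        return max(lp, key=lp.get)


# Constructed training data: (cpu_bin, conn_bin, thread_bin) -> class
TRAIN = [
    (("low", "low", "low"), "normal"),
    (("low", "mid", "low"), "normal"),
    (("mid", "low", "low"), "normal"),
    (("low", "low", "mid"), "normal"),
    (("mid", "mid", "low"), "normal"),
    (("high", "high", "high"), "intrusion"),
    (("high", "high", "mid"), "intrusion"),
    (("mid", "high", "high"), "intrusion"),
]


def build_model():
    samples = [x for x, _ in TRAIN]
    labels = [c for _, c in TRAIN]
    return NaiveBayes().fit(samples, labels)


if __name__ == "__main__":
    model = build_model()
    for probe in [("high", "high", "high"), ("low", "low", "low"), ("mid", "high", "low")]:
        print(probe, model.predict(probe), model.posteriors(probe))
```

The classifier stores only counts, so training is one pass and prediction is a handful of multiplications per class; that is the cost profile the later "fewer CPU cycles" goal asks for. Note that with unsmoothed counts a single unseen attribute value would force a posterior of zero, which is exactly why the smoothing term is there.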

  4. Application
  • Text classification
    • All words as attributes
    • Assume attributes to be independent
    • Use a naive Bayes classifier
  • M. Shavlik and J. Shavlik have used naive Bayesian classifiers for an intrusion detection system.
    • Low detection rate of 59.2%.
    • Proposed a Winnow-based algorithm.

  5. Intrusion Detection System
  • Intrusion detection system
    • Anomaly detection
    • Misuse detection
  • Goals
    • High detection rates
    • Low false negative alarm rate
    • Low false positive alarm rate
    • Fewer CPU cycles
    • Quick detection

  6. IDS Cont.
  • Problem
    • Detect intrusions quickly, with a low false alarm rate and a high intrusion detection rate.
  • Approaches
    • Naive Bayes classifiers
    • Winnow-based algorithm
  • Alternative approaches
    • Density-based local outlier approach
    • Elman network

  7. IDS - Phases
  Data Collection → Discretization → Training → Tuning → Operational

  8. Data Collection
  • The training data
    • System properties like CPU, memory, network connections, number of threads.
    • Collected with Perfmon on Windows, strace on Linux.
  • Features like
    • Actual value measured
    • Average of last 10 values
    • Average of last 100 values
    • Difference between current and previous value
    • Difference between current and average of last 10
    • Difference between current and average of last 100
    • Difference between average of previous 10 and previous 100

  9. IDS - Phases
  Data Collection → Discretization → Training → Tuning → Operational

  10. Discretization
  • Data is continuous
  • Discretized into 10 bins
    • Divide the samples into 10 bins
    • Select the best-fitting distribution function
      • Uniform
      • Gaussian
      • Exponential
      • Erlang

  11. IDS - Phases
  Data Collection → Discretization → Training → Tuning → Operational

  12. Training
  • Initialize weights for each feature
  • For each training sample
    • Calculate votes for each feature
    • Relative probability for the value of the feature
    • Adjust weights
  • In the naive Bayes approach
    • Use the exact probability of the feature.

  13. IDS - Phases
  Data Collection → Discretization → Training → Tuning → Operational

  14. Tuning
  • Goal: to calculate W, threshmin, threshfull
    • W – window to avoid overlapping alarms
    • threshmin – threshold for a mini alarm
    • threshfull – threshold for intrusion detection
  • Test set used.
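The four phases of slides 8 to 14 (feature derivation from a raw sensor stream, discretization into 10 bins, Winnow-style weighted voting, and alarm thresholds with a window W) carried through end to end, as an added example that is not the presenter's or the Shavlik authors' code. Several points are my own reading of the slides rather than something they state: bins are equal-width (the "uniform" option only; fitting Gaussian, exponential or Erlang distributions is not shown), a feature votes for "intrusion" when its current bin was seen more often under intrusion than under normal training data, the Winnow threshold and multiplier are the usual defaults, threshmin is tuned as the highest score seen on the normal part of the test set, and a full alarm fires when threshfull mini alarms fall inside the last W samples. The measurement stream is constructed, not real Perfmon or strace output.

```python
"""End-to-end pipeline: features -> 10 bins -> Winnow-style votes -> windowed alarms.

Everything here is an illustration; thresholds, vote rule and the sensor
stream are constructed assumptions, not the presentation's own values.
"""
from collections import defaultdict

N_BINS = 10


def derive_features(history):
    """The seven slide-8 features for the newest measurement in `history`.
    Windows shorter than 10 / 100 samples use what is available (assumption)."""
    cur = history[-1]
    prev = history[-2] if len(history) > 1 else cur
    last10, last100 = history[-10:], history[-100:]
    avg10 = sum(last10) / len(last10)
    avg100 = sum(last100) / len(last100)
    return (cur, avg10, avg100, cur - prev, cur - avg10, cur - avg100, avg10 - avg100)


def fit_bins(rows):
    """Per-feature (min, max) edges for equal-width bins (uniform assumption)."""
    return [(min(col), max(col)) for col in zip(*rows)]


def discretize(row, edges):
    """Map each continuous feature to a bin index 0..N_BINS-1."""
    out = []
    for v, (lo, hi) in zip(row, edges):
        if hi == lo:
            out.append(0)
            continue
        b = int((v - lo) / (hi - lo) * N_BINS)
        out.append(min(max(b, 0), N_BINS - 1))
    return tuple(out)


class WinnowVoter:
    """Winnow-style weighted vote over discretized features (simplified reading of slide 12)."""

    def __init__(self, n_features, alpha=2.0):
        self.w = [1.0] * n_features          # one weight per feature
        self.theta = n_features / 2          # vote threshold (assumption)
        self.alpha = alpha                   # promotion / demotion factor
        self.counts = defaultdict(lambda: [0, 0])  # (feature, bin) -> [normal, intrusion]

    def votes(self, bins):
        # A feature votes 1 when its current bin has been seen more often under
        # intrusion than under normal operation; unseen bins vote 0.
        return [1 if self.counts[(i, b)][1] > self.counts[(i, b)][0] else 0
                for i, b in enumerate(bins)]

    def score(self, bins):
        return sum(w * v for w, v in zip(self.w, self.votes(bins)))

    def fit(self, samples, labels, epochs=3):
        for bins, y in zip(samples, labels):          # relative frequencies first
            for i, b in enumerate(bins):
                self.counts[(i, b)][y] += 1
        for _ in range(epochs):                        # then Winnow weight updates
            for bins, y in zip(samples, labels):
                pred = 1 if self.score(bins) >= self.theta else 0
                if pred == y:
                    continue
                for i, v in enumerate(self.votes(bins)):
                    if v:   # only features that voted are promoted or demoted
                        self.w[i] *= self.alpha if y == 1 else 1 / self.alpha
        return self


def tune_thresh_min(normal_scores):
    """threshmin = highest score on the normal part of the test set (assumption)."""
    return max(normal_scores)


def detect(scores, thresh_min, thresh_full, window):
    """Mini alarm when score > thresh_min; full alarm when >= thresh_full mini
    alarms fall within the last `window` samples; the window is then cleared so
    consecutive alarms do not overlap (our reading of W)."""
    alarms, recent = [], []
    for t, s in enumerate(scores):
        recent = [u for u in recent if t - u < window]
        if s > thresh_min:
            recent.append(t)
        if len(recent) >= thresh_full:
            alarms.append(t)
            recent = []
    return alarms


def build_stream():
    """Constructed CPU-like sensor stream: 150 quiet samples, then 30 loaded ones."""
    normal = [30 + (i % 5) for i in range(150)]
    intrusion = [80 + (i % 7) for i in range(30)]
    return normal + intrusion, [0] * 150 + [1] * 30


def run_pipeline():
    stream, labels = build_stream()
    rows = [derive_features(stream[: t + 1]) for t in range(len(stream))]
    edges = fit_bins(rows)
    binned = [discretize(r, edges) for r in rows]
    voter = WinnowVoter(len(edges)).fit(binned, labels)
    scores = [voter.score(b) for b in binned]
    thresh_min = tune_thresh_min(scores[:150])
    return scores, detect(scores, thresh_min, thresh_full=3, window=5)


if __name__ == "__main__":
    scores, alarms = run_pipeline()
    print("first alarm at sample", alarms[0] if alarms else None)
```

Run as a script it reports the first sample at which a full alarm fires; on the constructed stream that is shortly after sample 150, where the loaded segment begins. The three knobs in `detect` are the ones slide 14 tunes: raising `thresh_min` trades missed mini alarms for fewer false ones, while `thresh_full` and `window` decide how many of them must cluster before the operator is paged.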

  15. Analysis
  • False negative alarms
    • The system learning the intruder's behaviour.
  • False positive alarms
  • Comparison to the naive Bayes classifier approach.

  16. Alternatives
  • All suffer from false learning and false alarms.
  • Other approaches can be
    • Elman networks
    • Density-based
