Detecting Intrusion Using Neural Fuzzy


02 Nov 2017


Abstract

As the number of attackers on global networks grows day by day, providing a secure network has become essential. Attackers on a network can be detected with the help of an Intrusion Detection System (IDS). Genetic Network Programming (GNP) is employed for the detection process, and combining fuzzy set theory with GNP makes the detection process more accurate. GNP maintains two pools, a normal pool and an attack pool: the normal pool holds the normal record set and the attack pool holds the intruder record set. Information System Technologies simulated real traffic with real attacks and normal connections over 7 weeks and released the KDD 99 dataset. The experimental process uses the KDD 99 record set, which contains both discrete and continuous values across 41 fields; fuzzy set theory is applied to the continuous fields, and the triangular fuzzy concept is used to obtain low, middle and high values for each such field. The training dataset contains 42 fields, the last of which specifies the attack and helps generate the rules that detect intruders in the network more accurately. Both signature-based IDS and anomaly-based IDS can be carried out successfully. Since the rules are generated from the training record set, a high Detection Rate can be obtained.

I. Introduction

An Intrusion Detection System (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station. IDSs are split into two categories: misuse detection systems and anomaly detection systems. Misuse detection is used to identify intrusions that match known attack scenarios.

* II Year M.E CSE
** Professor
Department of Computer Science & Engineering, Ponjesly College of Engineering, Nagercoil-629003.

However, anomaly detection is an attempt to search for malicious behaviour that deviates from established normal patterns. In this paper, our interest is in anomaly detection. In order to detect intrusions, various approaches have been developed and proposed over the last decade. In the early stage, rule-based expert systems and statistical approaches were the two typical ways to detect intrusion. A rule-based expert IDS can detect some well-known intrusions with a high detection rate, but it is difficult for it to detect new intrusions, and its signature database needs to be updated manually and frequently.

Four different types of attacks have been identified, which makes the need for an IDS critical:

Denial of service

Network-based denial-of-service attacks are one of the easiest types of attacks. It often requires little effort to fully consume resources on the target computer, to starve the target computer of resources, or to cause critical services to fail or malfunction.

Threat to Confidentiality

Some viruses attach themselves to existing files on the system they infect and they send the infected files to others. This can result in confidential information being distributed without the author’s permission.

Modification of contents

Intruders might be able to modify news sites, produce bogus press releases, and conduct other activities, all of which could have economic impact.

Masquerade

A masquerade takes place when one entity pretends to be a different entity. Authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.

II. Overview of GNP

A class-association-rule mining algorithm based on GNP has been proposed. In this section, the outline of GNP and its class-association-rule mining is briefly reviewed.

Structure of GNP

GNP is one of the evolutionary optimization techniques, which uses directed graph structures instead of strings and trees. GNP is composed of three types of nodes: start node, judgment node, and processing node. Judgment nodes, J1, J2 , . . . , Jm (m is the total number of judgment functions), serve as decision functions that return judgment results so as to determine the next node. Processing nodes, P1, P2, . . . , Pn (n is the total number of processing functions), serve as action/processing functions. Once GNP is booted up, the execution starts from the start node, then the next node to be executed is determined according to the connection between nodes and a judgment result of the current activated node.

NTi represents the node type such as 0 for start node, 1 for judgment node and 2 for processing node. IDi serves as an identification number of a judgment or processing node, for example, NTi = 1 and IDi = 2 represents node function J2. Ci1, Ci2, . . . , denote the node numbers connected from node i. The total number of nodes in an individual remains the same during every generation. Three kinds of genetic operators, i.e., selection, mutation, and crossover, are implemented in GNP.

Selection: Individuals are selected according to their fitness.

Crossover: Two new offspring are generated from two parents by exchanging genetic information. The selected nodes and their connections are swapped with each other with crossover rate Pc.

Mutation: One new individual is generated from one original individual by the following operators. Each node branch is selected with the probability Pm1 and reconnected to another node. Each node function is selected with the probability Pm2 and changed to another one.

Fig 1.Basic Structure of GNP

GNP Based Rule Mining

A judgment node in GNP has the role of checking an attribute value in a tuple. Candidate class-association rules are represented by the connections of judgment nodes. An example of the representation is shown in Fig. 2. Processing node P1 serves as the beginning of class-association rules. A1 = 1, A2 = 1, and A3 = 1 denote the judgment functions. If a tuple satisfies the condition of the judgment function, the Yes-side branch is selected and the condition of the next judgment function is examined in order to find longer rules. The No-side is connected to processing node P2 to start examining other rules. Therefore, the branch from the judgment node represents the antecedent part of a class-association rule, while the fixed consequent part can be predefined.

Fig 2 Node transition to find class-association rules.

For example, the class-association rules such as

(A1 = 1) ⇒ (C = 1)

(A1 = 1) ^ (A2 = 1) ⇒ (C = 1)

(A1 = 1) ^ (A2 = 1) ^ (A3 = 1) ⇒ (C = 1)

(A1 = 1) ⇒ (C = 0)

(A1 = 1) ^ (A2 = 1) ⇒ (C = 0)

(A1 = 1) ^ (A2 = 1) ^ (A3 = 1) ⇒ (C = 0)

are examined by the node transition in Fig. 2.

The procedure for examining tuples is as follows. The first tuple in the database is read and the node transition starts from processing node P1. Then, if the Yes-side branch is selected, the current node is transferred to the next judgment node. If the No-side branch is selected, the current node is transferred to processing node P2 to find other rules. The same procedure is repeated until the node transition started from the last processing node Pn is finished. After examining the first tuple in the database, the second tuple is read and the node transition starts from processing node P1 again. Finally, all the tuples are examined by repeating the above node transitions. Note that the number of judgment functions (J1, J2, . . .) equals the number of attributes (A1, A2, . . .) in the database.
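The node transition just described, written out as an added example (this is not code from the paper or its authors). A processing node starts a chain of judgment nodes, each checking one attribute of the current tuple; the Yes-side branch extends the antecedent, the No-side branch ends the walk for that tuple. For every antecedent prefix it keeps the counts a, b, c of tuples reaching the Yes-side, overall and per class, in the form Section III-D consumes. The database, the attribute names and the classes 1 = normal, 2 = intrusion are constructed for the example.

```python
# Added example, not code from the paper: a small simulation of the GNP node
# transition. A processing node starts a chain of judgment nodes; each judgment
# checks one attribute of the current tuple. The Yes-side branch goes deeper
# (a longer antecedent), the No-side branch hands control to the next
# processing node. For every antecedent prefix the counts a, b, c (tuples
# reaching the Yes-side of the 1st, 2nd, 3rd judgment) are kept overall and per
# class, which is what the rule criteria in Section III-D consume.

from dataclasses import dataclass


@dataclass(frozen=True)
class Judgment:
    """Judgment function 'attribute == value' (e.g. A1 = 1)."""
    attribute: str
    value: int


@dataclass
class ProcessingNode:
    """Processing node Pk with the judgment nodes reached by Yes-side branches."""
    name: str
    chain: list


# Constructed toy database (not KDD data): binary attributes A1..A3 and the
# class label C, where 1 = normal and 2 = intrusion, as in the paper.
DATABASE = [
    {"A1": 1, "A2": 1, "A3": 1, "C": 2},
    {"A1": 1, "A2": 1, "A3": 0, "C": 2},
    {"A1": 1, "A2": 0, "A3": 1, "C": 1},
    {"A1": 1, "A2": 1, "A3": 1, "C": 1},
    {"A1": 0, "A2": 1, "A3": 1, "C": 1},
    {"A1": 1, "A2": 1, "A3": 1, "C": 2},
]

# The chain J1 -> J2 -> J3 of Fig. 2: A1 = 1, A2 = 1, A3 = 1.
P1 = ProcessingNode("P1", [Judgment("A1", 1), Judgment("A2", 1), Judgment("A3", 1)])


def transit(node, row):
    """Follow one processing node's chain for a single tuple and return the
    antecedent reached before the first No-side branch."""
    antecedent = []
    for j in node.chain:
        if row[j.attribute] == j.value:      # Yes-side: extend the rule
            antecedent.append((j.attribute, j.value))
        else:                                # No-side: stop, next processing node
            break
    return antecedent


def count_rules(nodes, database):
    """Count, for every antecedent prefix, the tuples reaching its Yes-side:
    'all' is a/b/c, keys 1 and 2 are a(1)/b(1)/c(1) and a(2)/b(2)/c(2)."""
    counts = {}
    for row in database:
        for node in nodes:
            antecedent = transit(node, row)
            for depth in range(1, len(antecedent) + 1):
                key = tuple(antecedent[:depth])
                entry = counts.setdefault(key, {"all": 0, 1: 0, 2: 0})
                entry["all"] += 1
                entry[row["C"]] += 1
    return counts


def describe(key):
    """Render an antecedent key as the paper writes it, e.g. (A1 = 1) ^ (A2 = 1)."""
    return " ^ ".join(f"({attr} = {val})" for attr, val in key)


if __name__ == "__main__":
    for key, entry in count_rules([P1], DATABASE).items():
        print(f"{describe(key):35s} total={entry['all']} "
              f"normal={entry[1]} intrusion={entry[2]}")
```

With the constructed database, a = 5, b = 4 and c = 3 tuples reach the Yes-side of the three judgments, split into a(1) = 2, b(1) = 1, c(1) = 1 normal and a(2) = 3, b(2) = 3, c(2) = 2 intrusion tuples; adding further processing nodes to the list passed to count_rules examines more chains per tuple exactly as the text describes.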

III. GNP-Based Fuzzy Concept

A. Data Preprocessing

In 1998 DARPA Intrusion Detection Evaluation Program was prepared and managed by MIT Lincoln Labs. The objective was to survey and evaluate research in intrusion detection.  A standard set of data to be audited, which includes a wide variety of intrusions simulated in a military network environment, was provided.  The 1999 KDD intrusion detection contest uses a version of this dataset. Each connection is labelled as either normal, or as an attack, with exactly one specific attack type.  Each connection record consists of about 100 bytes.

B. Subattribute Utilization

Network connection data have their own characteristics, such as discrete and continuous attributes, and these attribute values are important information that cannot be lost. We introduce a subattribute-utilization mechanism concerning binary, symbolic, and continuous attributes to keep the completeness of data information. Binary attributes are divided into two subattributes corresponding to judgment functions. For example, binary attribute A1 (=land) was divided into A_11 (representing land= 1) and A_12 (representing land= 0). The symbolic attribute was divided into several subattributes, while the continuous attribute was also divided into three subattributes concerning the values represented by linguistic terms (low, middle, and high) of fuzzy membership functions predefined for each continuous attribute. Fig. 3 shows a division example of the three attributes.

Fig. 3 Subattribute utilization.

C. Fuzzy Membership Function

In fuzzy logic, intersection, union and complement are defined in terms of membership functions. The membership function fully defines the fuzzy set and provides a measure of the degree of similarity of an element to that fuzzy set.

Membership functions can either be chosen by the user arbitrarily, based on the user's experience (MFs chosen by two users could be different depending upon their experiences, perspectives, etc.), or be designed using machine learning methods (e.g., artificial neural networks, genetic algorithms, etc.). There are different shapes of membership functions: triangular, trapezoidal, piecewise-linear, Gaussian, bell-shaped, etc. In a triangular membership function, a, b and c represent the x coordinates of the three vertices of µA(x) in a fuzzy set A (a: lower boundary and c: upper boundary, where the membership degree is zero; b: the centre, where the membership degree is 1).

Fig: 4 Triangular membership functions

A predefined membership function is assigned to each continuous attribute, and the linguistic terms can be expressed by the membership function shown in Fig. 5.

Fig. 5 Definition of the fuzzy membership function.

The parameters α, β, and γ in a fuzzy membership function for attribute Ai are set as follows:

β = average value of attribute Ai in the database;

γ = the largest value of attribute Ai in the database;

α + γ = 2β (so α = 2β − γ, placing α the same distance below β as γ is above it).
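An added example (not code from the paper) of the triangular membership function of Fig. 4 together with the α, β, γ setting above, turning one continuous attribute into the three subattributes low, middle and high of Section III-B. The shapes assumed for low and high (a shoulder that stays at 1 below α and above γ) and the sample values are assumptions for the example; Fig. 5 itself is not reproduced on this page.

```python
# Added example, not code from the paper: the triangular membership function
# of Fig. 4 and the alpha/beta/gamma parameter setting, used to turn one
# continuous attribute value into the linguistic terms low, middle and high.
# The exact shape of the low and high terms is an assumption (shoulders that
# stay at 1 beyond alpha and gamma); the paper's Fig. 5 is not reproduced here.


def triangular(x, a, b, c):
    """Membership of x in a triangle with vertices a (left foot, 0),
    b (peak, 1) and c (right foot, 0). Degenerate a == b or b == c is safe
    because the boundary checks run before any division."""
    if x <= a or x >= c:
        return 0.0
    if x <= b:
        return (x - a) / (b - a)
    return (c - x) / (c - b)


def fuzzy_parameters(values):
    """beta = mean, gamma = maximum, alpha fixed by alpha + gamma = 2 * beta.
    For a skewed attribute alpha can fall below the smallest observed value."""
    beta = sum(values) / len(values)
    gamma = max(values)
    alpha = 2 * beta - gamma
    return alpha, beta, gamma


def linguistic_terms(x, alpha, beta, gamma):
    """Degree of membership of x in low, middle and high (assumed shapes)."""
    if gamma == beta:                      # constant attribute: no spread at all
        return {"low": 0.0, "middle": 1.0, "high": 0.0}
    low = 1.0 if x <= alpha else max(0.0, (beta - x) / (beta - alpha))
    middle = triangular(x, alpha, beta, gamma)
    high = 1.0 if x >= gamma else max(0.0, (x - beta) / (gamma - beta))
    return {"low": low, "middle": middle, "high": high}


def fuzzify_column(values):
    """Fuzzify every value of one continuous attribute into its three subattributes."""
    alpha, beta, gamma = fuzzy_parameters(values)
    return [linguistic_terms(v, alpha, beta, gamma) for v in values]


if __name__ == "__main__":
    # Constructed sample: a skewed attribute (like 'duration'), where the mean is
    # pulled far below the maximum so that alpha falls below the smallest value.
    durations = [1, 1, 1, 1, 16]
    print("alpha, beta, gamma =", fuzzy_parameters(durations))
    for v, terms in zip(durations, fuzzify_column(durations)):
        print(v, terms)
```

Because β is a mean and γ a maximum, a heavy-tailed attribute gives a negative α (for the constructed sample, α = −8), so every real value sits on the upper half of the "low" slope; the example handles that case rather than clipping α, since the α + γ = 2β rule above does not clip it either.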

D. Rule Extraction by GNP

A class-association-rule mining approach based on Genetic Network Programming (GNP) is used for detecting network intrusion, combining misuse detection and anomaly detection. By using GNP it can detect and distinguish normal, known intrusion and unknown intrusion connections. The detection rate is improved compared with traditional intrusion detection approaches, and normal, known intrusion and unknown intrusion are distinguished with high accuracy.

In an application of misuse detection, the training database contains both normal connections and several kinds of intrusion connections. Thus, GNP examines all the tuples of the connections in the database and counts the numbers a, b, c, a(1), b(1), c(1), a(2), b(2), and c(2), where a, b, and c are the numbers of tuples moving to the Yes-side at the judgment nodes, a(1), b(1), and c(1) are those with class C = 1 (normal) and a(2), b(2), and c(2) are those with class C = 2 (intrusion). Then, the criteria sup > 0.25, conf > 0.6, and χ2 > 6.64 are used to pick up the rules to be stored in two independent rule pools: the normal rule pool and the intrusion rule pool.
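An added example (not the paper's code) of the rule selection step above: it computes support, confidence and χ2 for a candidate rule from the counts a and a(k), places rules that pass all three thresholds into the normal or intrusion pool, and then scores a new connection against both pools as in the misuse-detection use of the pools described in the conclusion. Assumptions are labelled in the code: support and confidence are taken as a(k)/N and a(k)/a, χ2 is Pearson's statistic on the 2×2 table of (antecedent satisfied or not) against (class k or not) with 6.64 as the 1% critical value at one degree of freedom, the matching score is a simple fraction of pool rules satisfied rather than the paper's formula, and the counts are constructed rather than drawn from KDD data.

```python
# Added example, not code from the paper: selecting rules into the normal and
# intrusion pools with the criteria sup > 0.25, conf > 0.6 and chi2 > 6.64,
# and a simple matching of a new connection against both pools.
# Assumptions: support and confidence are taken as a(k)/N and a(k)/a for a rule
# with consequent C = k; chi2 is Pearson's statistic for the 2x2 table
# (antecedent satisfied or not) x (class k or not); 6.64 is the 1% critical value
# with one degree of freedom. The matching score (fraction of pool rules the
# connection satisfies) is a constructed simplification, not the paper's formula.

SUP_MIN, CONF_MIN, CHI2_MIN = 0.25, 0.6, 6.64
CLASS_NAMES = {1: "normal", 2: "intrusion"}


def rule_statistics(a, a_k, n, n_k):
    """sup, conf and chi2 of 'antecedent => C = k', given a (tuples satisfying
    the antecedent), a_k (those with class k), n (all tuples), n_k (class k tuples)."""
    sup = a_k / n
    conf = a_k / a if a else 0.0
    x11, x12 = a_k, a - a_k                    # antecedent satisfied: class k / other
    x21, x22 = n_k - a_k, n - a - n_k + a_k    # antecedent not satisfied
    denom = a * (n - a) * n_k * (n - n_k)
    chi2 = n * (x11 * x22 - x12 * x21) ** 2 / denom if denom else 0.0
    return sup, conf, chi2


def build_pools(rules, n, class_sizes):
    """Store each candidate rule in the pool of every class whose consequent
    passes all three criteria; a rule may qualify for neither pool."""
    pools = {name: [] for name in CLASS_NAMES.values()}
    for rule in rules:
        for k, name in CLASS_NAMES.items():
            sup, conf, chi2 = rule_statistics(rule["a"], rule["a_k"][k], n, class_sizes[k])
            if sup > SUP_MIN and conf > CONF_MIN and chi2 > CHI2_MIN:
                pools[name].append(rule["antecedent"])
    return pools


def matches(antecedent, connection):
    """True when the connection satisfies every (attribute = value) of the antecedent."""
    return all(connection.get(attr) == val for attr, val in antecedent.items())


def classify(connection, pools):
    """Misuse detection: score the connection against each pool; 'unknown' when
    no rule of either pool matches (the candidate for anomaly handling)."""
    scores = {name: (sum(matches(r, connection) for r in rules) / len(rules) if rules else 0.0)
              for name, rules in pools.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "unknown"


# Constructed counts for three candidate rules over a constructed database of
# N = 100 tuples, 70 normal (C = 1) and 30 intrusion (C = 2); not KDD figures.
N, CLASS_SIZES = 100, {1: 70, 2: 30}
CANDIDATES = [
    {"antecedent": {"A1": 1, "A2": 1}, "a": 40, "a_k": {1: 36, 2: 4}},
    {"antecedent": {"A1": 1},          "a": 80, "a_k": {1: 56, 2: 24}},  # class-independent
    {"antecedent": {"A3": 1, "A5": 0}, "a": 30, "a_k": {1: 3, 2: 27}},
]

if __name__ == "__main__":
    pools = build_pools(CANDIDATES, N, CLASS_SIZES)
    print(pools)
    print(classify({"A1": 0, "A2": 1, "A3": 1, "A5": 0}, pools))
```

The second candidate shows why the χ2 threshold is needed in addition to support and confidence: its antecedent is satisfied by 70% of normal and 80% of intrusion tuples, so for C = 1 it has sup = 0.56 and conf = 0.7 yet χ2 = 0, and it is correctly kept out of the normal pool.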

IV. Neuro-Fuzzy with GNP

Artificial Neural Networks

Many studies have argued that Artificial Neural Networks (ANNs) can improve the performance of intrusion detection systems (IDS) when compared with traditional methods. A new approach, called FC-ANN, based on ANN and fuzzy clustering, has been proposed to solve this problem and help IDS achieve a higher detection rate, a lower false positive rate and stronger stability. The general procedure of FC-ANN is as follows: first, a fuzzy clustering technique is used to generate different training subsets. Subsequently, based on the different training subsets, different ANN models are trained to formulate different base models. Finally, a meta-learner, the fuzzy aggregation module, is employed to aggregate these results. Preventing security breaches completely using the existing security technologies is unrealistic.

As a result, intrusion detection is an important component of network security. IDS offers the potential advantages of reducing the manpower needed for monitoring, increasing detection efficiency, providing data that would otherwise not be available, helping the information security community learn about new vulnerabilities and providing legal evidence. The FC-ANN approach can achieve higher detection precision, especially for low-frequency attacks, and stronger detection stability. Moreover, if the ANNi in the ANN module can operate in parallel, less training time can also be achieved. Such improvement may be largely attributed to the fuzzy clustering module, which divides a heterogeneous training set into several homogeneous subsets.

For high-frequency attacks, i.e., normal, DoS, and PRB attacks, the precision, recall and F-value are relatively stable. For low-frequency attacks, i.e., R2L and U2R attacks, the precision, recall and F-value generally increase as k increases. This is the reason why FC-ANN can achieve more detection precision and stability. Subsequently, we can see that for normal, DoS and PRB attacks, the precision, recall and F-value decrease as k increases further.

V. Performance Analysis

Intrusion detection is carried out with KDD99Cup database in order to compare with other machine-learning methods. The training dataset contains 3342 connections randomly selected from KDD99Cup database, among which 1705 connections are normal and the other 1637 connections are intrusion.

The rules are written based on the training record set from KDD data cup 99. The detection rates are calculated with the help of test database from KDD data cup 99.

The testing database contains 750 unlabeled normal connections and 240 unlabeled intrusion connections (the same types as the training database). The detection results are obtained by the proposed misuse detection classifier, where T represents the label of the testing result given by the classifier and C represents the correct label. Three criteria are used to evaluate our testing results, i.e., DR, PFR, and NFR. DR means the total detection rate, PFR means the rate at which normal data are labeled as intrusion, and NFR means the rate at which intrusion data are labeled as normal.

After generating rules by considering 3 types of attack, the Detection Rate is DR = (746+231)/990 = 98.7%, but after generating rules by considering 22 types of attacks the Detection Rate is DR = (751+231)/990 = 99.1%.

Since the rules are written manually, the Detection Rate can be lower; this is improved with the help of the Neuro-Fuzzy concept.

Fig.6 Detection Rate graph

VI. Conclusion

A GNP-based fuzzy class-association-rule mining with subattribute utilization and the classifiers based on the extracted rules have been proposed, which can consistently use and combine discrete and continuous attributes in a rule and efficiently extract many good rules for classification. As an application, intrusion-detection classifiers for both misuse detection and anomaly detection have been developed and their effectiveness is confirmed using KDD99Cup and DARPA98 data.

In this paper, GNP extracts many rules of normal connections and known intrusion connections from the training database. When we use them for misuse detection, the matching of a new connection with the normal rules and with the intrusion rules is calculated, respectively, and the connection is classified into the normal class or the intrusion class. When we use the rules for anomaly detection, only the rules of the normal connections are used to calculate the deviation of a new connection from the normal area. Therefore, the many rules extracted by GNP cover the spaces of the classes widely. In another application of GNP data mining, even if the information of some attributes in some tuples is missing, GNP can extract rules by complementing such parts with other attributes. Many statistically significant rules contribute to solving such a problem, which is useful in the network security field when some information is missing because of privacy concerns. Combining the Neuro-Fuzzy concept with GNP can provide a high Detection Rate and more accurate Intrusion Detection.

