Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Evolutionary Neural Networks. 2 Why NN+EC? “Evolving brains”: Biological neural networks compete and evolve –The way that intelligence was created Global.

Similar presentations

Presentation on theme: "1 Evolutionary Neural Networks. 2 Why NN+EC? “Evolving brains”: Biological neural networks compete and evolve –The way that intelligence was created Global."— Presentation transcript:

1 1 Evolutionary Neural Networks

2 2 Why NN+EC? “Evolving brains”: Biological neural networks compete and evolve –The way that intelligence was created Global search Adaptation to dynamic environments without human intervention –Architecture evolution Initial weights Optimal solution Local Max Population Samples Backgrounds

3 3 General Framework of EANN [X. Yao] Backgrounds

4 4 Evolution of Connection Weights 1.Encode each individual neural network’s connection weights into chromosomes 2.Calculate the error function and determine individual’s fitness 3.Reproduce children based on selection criterion 4.Apply genetic operators Backgrounds

5 5 Representation Binary representation –Weights are represented by binary digits e.g. 8 bits can represent connection weights between -127 and +127 –Limitation on representation precision too few bits → some numbers cannot be approximated too many bits → training might be prolonged To overcome binary representation, some proposed using real number –i.e., one real number per connection weight Standard genetic operators such as crossover not applicable to this representation –However, some argue that it is possible to perform evolutionary computation with only mutation –Fogel, Fogel and Porto (1990): adopted one genetic operator – Gaussian random mutation Backgrounds

6 6 Evolution of Architectures 1.Encode each individual neural network’s architecture into chromosomes 2.Train each neural network with predetermined learning rule 3.Calculate the error function and determine individual’s fitness 4.Reproduce children based on selection criterion 5.Apply genetic operators Backgrounds

7 7 Direct Encoding All information is represented by binary strings, i.e. each connection and node is specified by some binary bits An N by N matrix can represent the connectivity with N nodes, where Does not scale well since large NN needs a big matrix to represent Backgrounds

8 8 Indirect Encoding Only the most important parameters or features of an architecture are represented. Other details are left to the learning process to decide –e.g. specify the number of hidden nodes and let the learning process decide how they are connected (e.g. fully connected) More biologically plausible as it is impossible for genetic information encoded in humans to specify the whole nervous system directly according to the discoveries of neuroscience Backgrounds

9 9 Evolution of Learning Rules 1.Decode each individual into a learning rule 2.Construct a neural network (either pre-determined or randomly) and train it with decoded learning rule refers to adapting the learning function, in this case, the connection weights are updated with an adaptive rule 3.Calculate the error function and determine individual’s fitness 4.Reproduce children based on selection criterion 5.Apply genetic operators Backgrounds

10 10 Two Case Studies Evolving intrusion detector Evolving classifier for DNA microarray data

11 11 Evolutionary Learning Program ’ s Behavior In Neural Networks for Anomaly Detection

12 12 Motivation (1) Attacker ’ s strategy: Leading to malfunctions by using program ’ s bug –Showing different behavior compared to normal one Anomaly detection –Learning normal program ’ s behavior from audit data –Classifying programs which show different behavior with normal one as intrusion –Adopted in many host-based intrusion detection system System audit data and machine learning techniques –Basic security module (BSM) –Rule-based learning, neural network and HMM

13 13 Motivation (2) Machine learning methods such as Neural network (NN) and HMM –Effective for intrusion detection based on program ’ s behavior Architecture of classifier –The most important thing in classification –Searching for appropriate architecture for the problems is crucial NN: the number of hidden neurons and connection information HMM: the number of states and connection information Traditional methods –Trial-and-error Train 90 neural networks [Ghosh99]  It took too much time because the size of audit data is too large Optimizing architectures as well as connection weights

14 14 Related Works S. Forrest (1998, 1999) –First intrusion detection by learning program ’ s behavior –HMM performed better than other methods J. Stolfo (1997) : Rule-based learning (RIPPER) N. Ye (2001) –Probabilistic methods: Decision tree, chi-square multivariate test and one order Markov chain model (1998 IDEVAL data) Ghosh (1999, 2000) –Multi-layer perceptrons and Elman neural network –Elman neural network performed the best (1999 IDEVAL data) Vemuri (2003) –kNN and SVM (1998 IDEVAL data)

15 15 The Proposed Method Architecture –System call audit data and evolutionary neural networks

16 16 Normal Behavior Modeling Evolutionary neural networks –Simultaneously learning weights and architectures using genetic algorithm –Partial training: back-propagation algorithm –Representation: matrix Rank-based selection, crossover, mutation operators Fitness evaluation : Recognition rate on training data (mixing real normal sequences and artificial intrusive sequences) Generating neural networks with optimal architectures for learning program’s behavior

17 17 ENN (Evolutionary Neural Network) Algorithm

18 18 Representation I1 H1 H3 H2O1 0.4 0.5 0.1 0.7 0.1 0.2 0.7 Generation of Neural Network Weight Connectivity Hidden Node Input Node Output Node

19 19 Crossover (1) I1 H1 H3 H2O1 0.4 0.5 0.1 0.7 0.1 0.2 0.7 I1 H1 H3 H2O1 0.1 0.5 0.2 0.1 0.5 Crossover 0.4 I1 H1 0.40.7 O1 I1 H1 O1 0.10.2 H3 H2 0.5 0.1 0.2 0.7 0.1 0.4 H3 H2 0.5 0.1

20 20 Crossover (2) Crossover

21 21 Mutation I1 H1 H3 H2O1 0.4 0.5 0.1 0.7 0.1 0.2 0.7 Add Connection I1 H1 H3 H2O1 0.4 0.5 0.1 0.7 0.1 0.2 0.7 0.3 I1 H1 H3 H2O1 0.4 0.5 0.1 0.7 0.1 0.2 0.7 Delete Connection I1 H1 H3 H2O1 0.4 0.5 0.1 0.7 0.1 0.2

22 22 Anomaly Detection (1) 280 system calls in BSM audit data –45 frequently occurred calls (indexing as 0~44) –Indexing remaining calls as 45 10 input nodes, 15 hidden nodes (Maximum number of hidden nodes), 2 output nodes –Normalizing input values between 0 and 1 –Output nodes: Normal and anomaly exitfcntlioctlmunmap forkrenamepipeseteuid creatmkdirsetuidputmsg unlinkfchdirutimegetmsg chownopen -readsetgidauditon accessopen - write mmapmemcntl statopen - write,creatauditsysinfo lstatopen - write,truncsetgroupsclose readlinkopen - write,creat,truncsetpgrpgetaudit execveopen - read,writechdirpathconf vforkopen - read,write,crea

23 23 Anomaly Detection (2) Evaluation value will rise up shortly when intrusion occurs –Detection of locally continuous anomaly sequence is important –Considering previous values Normalizing output values for applying the same threshold to all neural networks –m: Average output value for training data, d: std

24 24 Experimental Design 1999 DARPA IDEVAL data provided by MIT Lincoln Lab –Denial of Service, probe, Remove-to-local (R2L), User-to-root (U2R) –Main focus: Detection of U2R attack Bearing marks of traces in audit data Monitoring program ’ s behavior which has SETUID privilege –Main target for U2R attack atrshsendmaildeallocate atqsuutmp_updatelist_devices atmuptimeacctonffbconfig chkeywxlockptree crontabyppasswdff.corepwait ejectvolcheckkcms_configuressh fdformatctkcms_calibratesulogin loginnispasswdmkcookieadmintool newgrptopallocatesulogin passwdquotamkdevallocwhodo psufsdumpmkdevmapspt_chmod rcpufsrestorepingrlogin rdistexrecoversacadm

25 25 Experimental Design (2) 1999 IDEVAL : audit data for 5 weeks –1, 3 weeks (attack free)  training data –4-5 weeks  test data Test data includes totally 11 attacks with 4 types of U2R Setting of genetic algorithm –Population size: 20, crossover rate: 0.3 mutation rate: 0.08, Maximum generation:100 –The best individual in the last generation NameDescriptionTimes ejectexploiting buffer overflow in the 'eject' program2 ffbconfigexploiting buffer overflow in the 'ffbconifg' program2 fdformatexploiting buffer overflow in the 'fdformat' program3 psrace condition attack in 'ps' program4

26 26 Evolution Results Convergence to fitness 0.8 near 100 generations

27 27 Learning Time Environments –Intel Pentium Zeon 2.4GHz Dual processor, 1GB RAM –Solaris 9 operating system Data –Login program –Totally 1905 sequences Parameters –Learning for 5000epoch –Average of 10 runs Types Hidden Nodes Running Time (sec) MLP 10235.5 15263.4 20454.2 25482 30603.6 35700 40853.6 501216 601615 ENN154460

28 28 Detection Rates 100% detection rate with 0.7 false alarm per day Elman NN which shows the best performance for the 1999 IDEVAL data : 100% detection rate with 3 false alarms per day  Effectiveness of Evolutionary NN for IDS

29 29 Results Analysis – Architecture of NN The best individual for learning behavior of ps program –Effective for system call sequence and more complex than general MLP

30 30 Comparison of Architectures Comparison of the number of connections between ENN learned for 100 generations using ps program data and MLP They have the similar number of connections However, ENN has different types of connections and sophisticated architectures FROM ╲ T O InputHiddenOutput Input08615 Hidden06719 Output000 FROM ╲ T O InputHiddenOutput Input01500 Hidden0030 Output000 MLP ENN

31 31 Evolving Artificial Neural Networks for DNA Microarray Analysis

32 32 Motivation Colon cancer : The second only to lung cancer as a cause of cancer-related mortality in Western countries The development of microarray technology has supplied a large volume of data to many fields It has been applied to prediction and diagnosis of cancer, so that it expectedly helps us to exactly predict and diagnose cancer Proposed method –Feature selection + evolutionary neural network (ENN) –ENN : no restriction on architecture (design without human’s prior knowledge)

33 33 What is Microarray? Microarray technology –Enables the simultaneous analysis of thousands of sequences of DNA for genetic and genomic research and for diagnostics Two Major Techniques –Hybridization method cDNA microarray/ Oligonucleotide microarray –Sequencing method SAGE

34 34 Acquiring Gene Expression Data

35 35 Machine Learning for DNA Microarray

36 36 Related Works 91.9Quadratic discriminant 93.5Logistic discriminant Partial least square 87.1Quadratic discriminant 87.1Logistic discriminant Principal component analysis Nguyen et al. 72.6AdaBoost 74.2SVM with quadratic kernel 80.6Nearest neighbor All genes, TNoM scoreBen-Dor et al. 94.1KNNGenetic algorithmLi et al. 90.3SVMSignal to noise ratioFurey et al. ClassifierFeature Accuracy (%) Method Authors

37 37 Overview

38 38 Colon Cancer Dataset Alon’s data Colon dataset consists of 62 samples of colon epithelial cells taken from colon-cancer patients –40 of 62 samples are colon cancer samples and the remaining are normal samples Each sample contains 2000 gene expression levels Each sample was taken from tumors and normal healthy parts of the colons of the same patients and measured using high density oligonucleotide arrays Training data: 31 of 62, Test data: 31 of 62

39 39 Experimental Setup Feature size : 30 Parameters of genetic algorithm –Population size : 20 –Maximum generation number : 200 –Crossover rate : 0.3 –Mutation rate : 0.1 Fitness function : recognition rate for validation data Learning rate of BP : 0.1

40 40 Performance Comparison

41 41 Sensitivity/Specificity Sensitivity = 100% Specificity = 81.8% Cost comparison –Classifying cancer person as normal person > classifying normal person as cancer person 2001 (Cancer) 290 (Normal) Actual 1 (Cancer)0 (Normal) Predicted EANN

42 42 Architecture Analysis Whole architecture From input to hidden neuron

43 43 Architecture Analysis (2) Input to output Hidden neuron to hidden neuron Hidden neuron to output neuron Input to output relationship is useful to analyze

Download ppt "1 Evolutionary Neural Networks. 2 Why NN+EC? “Evolving brains”: Biological neural networks compete and evolve –The way that intelligence was created Global."

Similar presentations

Ads by Google