Detecting Network Violation Based on Fuzzy Class-Association-Rule Mining Using Genetic Network Programming.


Abstract: This work presents a novel fuzzy class-association-rule mining method based on genetic network programming (GNP) for detecting network intrusions. GNP is an evolutionary optimization technique that uses directed graph structures instead of the strings of genetic algorithms or the trees of genetic programming; reusing nodes in the graph structure gives compact programs with enhanced representation ability. By combining fuzzy set theory with GNP, the proposed method can deal with mixed databases that contain both discrete and continuous attributes, and can extract many important class-association rules that contribute to enhancing detection ability.

Introduction: Systems over the Internet, such as online shopping, Internet banking and foreign exchange, have been developed. Because the Internet is an open society, the security of our computer systems and data is always at risk. Network intrusion detection can be defined as identifying a set of malicious actions that threaten the integrity, confidentiality and availability of a network resource.

Existing System: An Intrusion Detection System (IDS) is a system that can be placed in a network to stop and detect network intrusions and anomalies. An IDS is designed to identify malicious behaviors that threaten the integrity, confidentiality and availability of network resources. Existing systems have difficulty identifying new attacks that have no previously described patterns. Existing systems also have a high false alarm rate, because it is difficult to generate practical normal behavior profiles for protected systems.

Proposed System: Genetic Network Programming (GNP) is a newly developed evolutionary algorithm with directed graph gene structures. It has been applied to data mining for intrusion detection systems, where it provides good performance. An integrated rule mining algorithm based on fuzzy GNP and probabilistic classification is proposed. The integrated rule mining uses a fuzzy class-association-rule mining algorithm to extract rules with different classes.

Methodology Used: There are two major conventional intrusion detection techniques:
◦ Misuse Detection
◦ Anomaly Detection

Misuse Detection: Misuse detection uses known attacks and attempts to match the current behavior against those attack patterns. The main advantage of misuse detection is that it focuses on the analysis of the audit data and typically produces few false results. However, an inherent drawback of this method is that it cannot detect novel attacks. Neptune, Smurf and Portsweep are the kinds of misuse attacks in our dataset.

Anomaly Detection: Anomaly detection, which uses the normal behaviors of network traffic, can detect unknown attacks by detecting significant deviations from the established normal patterns. However, the ability to detect previously unknown attacks is paid for with a high False Positive Rate (FPR). Back, ipsweep, land, pod, satan and teardrop are the kinds of anomaly attacks in our dataset.

Need of GNP: GNP for class-association-rule mining was introduced into network intrusion detection in the former research, and it has important advantages over other methods with pre-experienced knowledge. In the former research, the sub-attribute utilization method was also proposed to deal with both discrete and continuous attributes. Furthermore, fuzzy class-association-rule mining using GNP and probabilistic classification for intrusion detection were studied independently. The proposed hybrid method integrates the extended fuzzy association rule mining and probabilistic classification to improve the performance of the GNP-based intrusion detection system.

Need of GNP: (Contd..) GNP is an evolutionary optimization algorithm that evolves directed graph structures as solutions, instead of the strings used in genetic algorithms or the trees used in genetic programming. GNP is composed of three kinds of nodes: the Start Node, Judgment Nodes and Processing Nodes. The Start Node is used to determine the first node to be executed. Judgment Nodes are the set J1, J2, ..., Jm, which work as decision-making functions, whereas Processing Nodes are the set P1, P2, ..., Pn, which work as functions of actions or processes. The node transition begins from the Start Node; the next node to be executed is then determined by the node transition.
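A minimal sketch of the node transition described above, added here as an illustration and not taken from the presentation: judgment nodes choose a branch from a connection record, processing nodes start a new candidate rule, and one judgment node is reused on two paths. The judgment functions, the wiring, the crisp count threshold and the sample records are assumptions.

```python
# Added illustration: node functions, wiring and records are constructed.

# Judgment functions return the branch index to follow (0 = yes, 1 = no).
JUDGE = {
    "J1": lambda r: 0 if r["protocol_type"] == "tcp" else 1,
    "J2": lambda r: 0 if r["count"] > 100 else 1,   # assumed crisp cut-off
    "J3": lambda r: 0 if r["land"] == 0 else 1,
}

# One GNP individual as a directed graph: node -> (kind, successor nodes).
# J2 is reachable from both J1 and P2, so the same node serves two paths.
# Every "no" branch leads to a processing node in this wiring.
GRAPH = {
    "S":  ("start",   ["P1"]),
    "P1": ("process", ["J1"]),
    "J1": ("judge",   ["J2", "P2"]),
    "J2": ("judge",   ["J3", "P1"]),
    "J3": ("judge",   ["P2", "P2"]),
    "P2": ("process", ["J2"]),
}

def run(graph, record, max_steps=8):
    """Follow node transitions from the Start Node; return the visited trace."""
    node = graph["S"][1][0]          # the Start Node only selects the first node
    trace = []
    for _ in range(max_steps):
        kind, successors = graph[node]
        if kind == "judge":
            branch = JUDGE[node](record)
            trace.append((node, "yes" if branch == 0 else "no"))
            node = successors[branch]
        else:                        # processing node: act, then follow its single edge
            trace.append((node, "run"))
            node = successors[0]
    return trace

def candidate_rules(trace):
    """Collect the 'yes' judgments that follow each processing node as one antecedent."""
    rules, current = [], []
    for node, outcome in trace:
        if outcome == "run":         # a processing node starts a new candidate rule
            if current:
                rules.append(tuple(current))
            current = []
        elif outcome == "yes":
            current.append(node)
    if current:
        rules.append(tuple(current))
    return rules
```

For a constructed TCP record with count 250 and land 0, eight transitions yield the antecedents (J1, J2, J3) and (J2, J3); a UDP record with count 5 yields none.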

Fuzzy Class Association Rule Mining: Consider a case where user A is an authenticated user and works on a certain process. At times user A may behave contrary to the rules. After obtaining the target information, the user goes back to following the rules and conditions. So this user can't be identified as an intruder by association rule mining.

Continuation… To overcome this problem, we combine fuzzy logic with association rule mining and propose a "Novel Fuzzy Class Association Rule Mining and GNP". This novel method goes through every session of the user's behavior, and if any abnormal behavior is found, the user is identified as an intruder.

Modules:
◦ Data Conversion
◦ Association Rule Mining
◦ GNP Based Sub-Attribute Utilization
◦ Fitness Calculation
◦ Misuse and Anomaly Analysis

Module Description:
Data Conversion:
◦ Data conversion is the process of converting the KDD99Cup dataset into our database using a specialized splitting process.
◦ The dataset is converted entirely into fields in our database, so that the information from KDD99Cup and DARPA can be accessed freely.
◦ The database contains information on the required parameters, such as:
    - Duration
    - Protocol Type
    - Service
    - Flag
    - Source Bytes
    - Destination Bytes
    - Land
    - Logged in
    - etc.

Module Description: (Contd..)
Association Ruling:
◦ The fields required for our comparison, those that satisfy our association rule, are taken into account.
◦ The fields describe their functionality through specific functionalities such as:
    - Duration
    - Protocol
    - Count
    - Source Byte
    - Destination Byte
    - Land value
◦ The rule contains specific constraints depending on values, in order to enhance the detection ability.

Module Description: (Contd..)
GNP Based Sub-Attribute Utilization:
◦ The operations to be carried out are:
    - Data preprocessing
    - Sub-attribute utilization
◦ Identify a particular record using its "count" value, which is specified as "High", "Medium" or "Low".
◦ Identify a particular record using its Protocol Type, such as TCP, UDP or ICMP.
◦ Identify a particular set using its Land value, which is a Boolean value of 0 or 1.

Module Description: (Contd..)
Fitness Calculation:
◦ The scale of the fitness value is [–1, 1]. Higher fitness of a rule results in a high detection rate (DR) and a low positive false rate (PFR), which means the rate of incorrectly assigning normal connections to an intrusion class.
◦ On the other hand, lower fitness results in low DR and high PFR.
Misuse and Anomaly Analysis:
◦ The misuse and anomaly analysis is calculated by the following rules.
◦ The testing database contains 750 unlabeled normal connections and 240 unlabeled intrusion connections.
◦ The detection results obtained by the proposed misuse detection classifier are shown in Table V, where T represents the label of the testing results given by the classifier and C represents the correct label.
◦ Three criteria are used to evaluate our testing results, i.e., DR, PFR, and NFR. DR means the total DR, PFR means the rate at which the normal data are labeled as intrusion, and NFR means the rate at which the intrusion data are labeled as normal.

Works Carried Out:
◦ Data extraction and data processing are carried out first.
◦ Testing the converted data by supplying association rules, i.e. judgments.
◦ Creation of a fuzzy rule pool from KDD99Cup by extracting attack behaviors.
◦ Calculating the Detection Rate, Positive False Rate and Negative False Rate for misuse and anomaly detection.
◦ Analysis of misuse and anomaly violations.

Implementation by Simulation Results: Here, we construct a simulated environment for network violation detection. First, rules are gained from the discrete database KDD99Cup and stored in a rule pool. Using the rule pool, we extract the network violations from the continuous database DARPA.

Hardware Requirements:
◦ System: Pentium IV 2.4 GHz
◦ Hard Disk: 40 GB
◦ Monitor: 15” Color
◦ Mouse: Logitech
◦ RAM: 512 MB

Software Requirements:
◦ Operating System: Windows XP
◦ Language: C#.NET
◦ Front End: Visual Studio 2008
◦ Back End: MS SQL SERVER 2005

Conclusion: GNP can extract many rules for normal connections and for known intrusion connections. Using rules for misuse detection, the matching of a new connection with the normal rules and with the intrusion rules is calculated, and the connection is classified into the normal class or the intrusion class. Using rules for anomaly detection, only the rules for the normal connections are used to calculate the deviation of a new connection from the normal area. In the future, the focus will be on building distributions (probability density functions, PDFs) of normal and intrusion accesses based on fuzzy GNP. Using the PDFs, the data can be classified into the normal class, the known intrusion class and the unknown intrusion class.
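The pipeline outlined in the module descriptions and in the conclusion, as an added Python example (not the presentation's C#.NET code): it fuzzifies continuous attributes, matches a connection against a normal and an intrusion rule pool, classifies it in misuse and in anomaly mode, and computes DR, PFR and NFR. The value ranges, rules, threshold and records are constructed; taking the minimum as fuzzy AND, scoring a pool by its best rule, and reading DR as the share of correctly labeled connections are assumptions.

```python
# Added illustration: ranges, rules, threshold and records are constructed.
RANGES = {"count": (0, 200), "src_bytes": (0, 1000)}  # assumed continuous ranges

def fuzzify(x, lo, hi):
    """Low/Medium/High memberships of x; the three degrees sum to 1."""
    mid = (lo + hi) / 2
    low = min(1.0, max(0.0, (mid - x) / (mid - lo)))
    high = min(1.0, max(0.0, (x - mid) / (hi - mid)))
    return {"low": low, "medium": 1.0 - low - high, "high": high}

def match(rule, rec):
    """Degree to which a record satisfies a rule (fuzzy AND as minimum: assumed)."""
    return min(fuzzify(rec[a], *RANGES[a])[v] if a in RANGES else float(rec[a] == v)
               for a, v in rule)

def pool_match(pool, rec):
    return max(match(rule, rec) for rule in pool)   # best-matching rule in the pool

NORMAL = [(("protocol_type", "tcp"), ("count", "low"), ("land", 0)),
          (("protocol_type", "udp"), ("src_bytes", "low"))]
INTRUSION = [(("protocol_type", "icmp"), ("count", "high")),
             (("protocol_type", "tcp"), ("count", "high"), ("src_bytes", "low"))]

def misuse(rec):
    """Misuse mode: compare matching with the normal and the intrusion rules."""
    return "intrusion" if pool_match(INTRUSION, rec) > pool_match(NORMAL, rec) else "normal"

def anomaly(rec, threshold=0.5):
    """Anomaly mode: normal rules only; low matching is a deviation from normal."""
    return "normal" if pool_match(NORMAL, rec) >= threshold else "intrusion"

def rates(T, C):
    """(DR, PFR, NFR) from classifier labels T and correct labels C."""
    n = [t for t, c in zip(T, C) if c == "normal"]
    i = [t for t, c in zip(T, C) if c == "intrusion"]
    dr = (n.count("normal") + i.count("intrusion")) / len(C)
    return dr, n.count("intrusion") / len(n), i.count("normal") / len(i)

def conn(proto, count, src, land):
    return {"protocol_type": proto, "count": count, "src_bytes": src, "land": land}

# Constructed test connections with their correct labels C.
TEST = [(conn("tcp", 10, 300, 0), "normal"), (conn("udp", 5, 100, 0), "normal"),
        (conn("icmp", 190, 50, 0), "intrusion"), (conn("tcp", 180, 0, 0), "intrusion"),
        (conn("tcp", 120, 900, 0), "normal"),    # legitimate, but no normal rule covers it
        (conn("tcp", 2, 0, 1), "intrusion")]     # land = 1: no intrusion rule covers it

def evaluate(classifier):
    return rates([classifier(r) for r, _ in TEST], [c for _, c in TEST])

print("misuse:", evaluate(misuse), "anomaly:", evaluate(anomaly))
```

On these six records the misuse classifier misses the land = 1 connection (NFR 1/3, PFR 0), while the anomaly classifier catches it but flags the uncovered legitimate connection (PFR 1/3, NFR 0).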