Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modeling IDS using hybrid intelligent systems

Published byCaren Susanna Bruce Modified over 4 years ago

Similar presentations

Presentation on theme: "Modeling IDS using hybrid intelligent systems"— Presentation transcript:

1 Modeling IDS using hybrid intelligent systems
Peddabachigari et al. (2007) Presenter: Andy Tang

2 Background Intrusion defense system (IDS): 2nd line of defense, after authentication / encryption Two main types: Misuse intrusion – well-defined patterns of attack, encoded in advance Anomaly intrusion – deviation from baseline behaviors, approximated by differences Machine learning (ML) paradigm of IDS: model intrusion detection as a binary classification task with input features from various sensors Neural nets (NN) Genetic programming (GP) Fuzzy logic (FL) Decision trees (DT) Support vector machines (SVM)

3 General IDS model

4 General IDS model Sequence of events E(1) – E(2) – … – E(n)
⇒ E(n) General IDS model

5 Updated rules (statistical or rule-based) dependent on recent behaviors
General IDS model

6 Updates baseline behaviors
General IDS model

7 General IDS model Some Limitations:
A misuse detector paradigm, requires complimentary anomaly detection. Rule-based (ES), limited representation power w.r.t. transition patterns. Does not scale with complex (i.e., non-linear) sequences of behaviors. Depends on quality and quantity of pre-defined rules. General IDS model

8 Goal: represent characteristics of intrusion behavior by adaptive behavioral “models”.
ML style of IDS

9 Goal: represent characteristics of intrusion behavior by adaptive behavioral “models”.
End-to-end pipeline from input data streams to classification rules. Direct feedback from empirical performance to adjust extracted patterns and model parameters. ML style of IDS

10 ML style of IDS Neural Nets
Inputs: a sliding window of w previous records. Output: classification rule Learning Mechanism: backpropagation by vector-jacobian products. “Hidden layers” are intermediary transformed feature spaces ≈ behavioral patterns. ML style of IDS

11 ML style of IDS Fuzzy logic (FL)
Inputs: set of rules, operators and knowledge base(i.e., user-specified graph dependencies). Output: classification rule Learning Mechanism: linear combinations of pre-defined rules on transformed features. ML style of IDS

12 ML style of IDS Support Vector Machines (SVM) Inputs: feature space
Output: classification rule Learning Mechanism: linear combinations of support vectors based Deals w/ nonlinearity in decision space by transforming the feature dimensions (Kernel Trick) More on this later. ML style of IDS

13 SVM Background

14 SVM Background

15 SVM Background e = vector of 1’s
Q is SPD, also called the “kernel” matrix. SVM Background

16 Kernel Trick

17 SVM Cost Sample complexity:
Runtime of QP-solver for support vector selection: w/ sparse feature space w/ dense feature space Key assumption in paper: Kernel selection (and support vector computation separate from “runtime” of SVM during training / testing)! SVM Cost

18 ML style of IDS Decision Trees (DT)
Inputs: joint feature and output space Output: a set of decision rules in the joint space Learning Mechanism: weighted combination of decision rules User redefines the max number of leaves, leading to fixed complexity Already an ensemble system! ML style of IDS

19 Decision tree example

20 Others: Evolutionary computation (EC) and genetic programs (GP) Hybrid system: DT-SVM ML style of IDS

21 Hybrid DT-SVM mode.

22 Experiments KDD cup 1999 data: 5 million connection records, 24 attack types categorized into 4 classes of intrusions: Denial of service (DOS): sequence of behaviors leading to overload of resources for service. Remote to user (R2L): static attack sending packages over network to gain access in vulnerable nodes. User to Root (U2R): static attack with access to normal user account, gains root access by system vulnerabilities. Probing: sends sequential information over network to identify new vulnerabilities.

23 SVM vs. DT vs. DT-SVM Experiment Design:
Input features: 41 attributes for each connection (e.g., content features, no. of failed logins) Labels: multilabel (1 for each class of attack) for decision trees, multiclass (5 classes for SVM and DT-SVM) “Ensemble” = DT-SVM + SVM + DT. Train-test split over 11,982 records (5092 Tr, 6890 Te) Kernel selection for SVM on training sets (Polynomial p=2) selected. SVM vs. DT vs. DT-SVM

24 DT vs. SVM performance

25 Comparison w/ DT-SVM and ensemble
Key observations: Performance gain almost exclusively from DT No insight into statistical significance was investigated 1 train-test split for each task, failure to provide variance of performance Remark: DT is already an ensemble approach. Lack of systematic approach for picking ensemble combinations. Comparison w/ DT-SVM and ensemble

26 Moving Forward: Addition of Transfer Learning?

27 Discussion 1) It is interesting to consider how this ensemble combination (DT-SVM) would fair against other ensemble combinations: decision tree with neural nets (DT-NN), SVM-NN, RBF-SVM with Linear-SVM, ... etc. Do you think there is a general rule for choosing ensemble pairs (or feature / kernel spaces and loss functions) that best compliment each other? 2) What feasibility issues (e.g., cost, runtime issues) may occur when trying to implement this ensemble IDS in CAVs? 3) Why do you think the U2R attack predictions had the lowest performance across all the learning models? Can you think of other classes of attacks similar to U2R that may be difficult for the proposed method to identify correctly?

28 Q & A

Download ppt "Modeling IDS using hybrid intelligent systems"

Similar presentations

Introduction to Support Vector Machines (SVM)

Introduction to Support Vector Machines (SVM)
1 Machine Learning: Lecture 4 Artificial Neural Networks (Based on Chapter 4 of Mitchell T.., Machine Learning, 1997)

1 Machine Learning: Lecture 4 Artificial Neural Networks (Based on Chapter 4 of Mitchell T.., Machine Learning, 1997)
Image classification Given the bag-of-features representations of images from different classes, how do we learn a model for distinguishing them?

Image classification Given the bag-of-features representations of images from different classes, how do we learn a model for distinguishing them?
Support Vector Machines

Support Vector Machines
Machine learning continued Image source: https://www.coursera.org/course/mlhttps://www.coursera.org/course/ml.

Machine learning continued Image source:
Lecture 14 – Neural Networks

Lecture 14 – Neural Networks
Image classification Given the bag-of-features representations of images from different classes, how do we learn a model for distinguishing them?

Image classification Given the bag-of-features representations of images from different classes, how do we learn a model for distinguishing them?
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Machine Learning as Applied to Intrusion Detection By Christine Fossaceca.

Machine Learning as Applied to Intrusion Detection By Christine Fossaceca.
Statistical Learning: Pattern Classification, Prediction, and Control Peter Bartlett August 2002, UC Berkeley CIS.

Statistical Learning: Pattern Classification, Prediction, and Control Peter Bartlett August 2002, UC Berkeley CIS.
Aula 4 Radial Basis Function Networks

Aula 4 Radial Basis Function Networks
Review Rong Jin. Comparison of Different Classification Models  The goal of all classifiers Predicating class label y for an input x Estimate p(y|x)

Review Rong Jin. Comparison of Different Classification Models  The goal of all classifiers Predicating class label y for an input x Estimate p(y|x)
An Introduction to Support Vector Machines Martin Law.

An Introduction to Support Vector Machines Martin Law.
Combining Supervised and Unsupervised Learning for Zero-Day Malware Detection © 2013 Narus, Inc. Prakash Comar 1 Lei Liu 1 Sabyasachi (Saby) Saha 2 Pang-Ning.

Combining Supervised and Unsupervised Learning for Zero-Day Malware Detection © 2013 Narus, Inc. Prakash Comar 1 Lei Liu 1 Sabyasachi (Saby) Saha 2 Pang-Ning.
Intrusion Detection Using Neural Networks and Support Vector Machine

Intrusion Detection Using Neural Networks and Support Vector Machine
This week: overview on pattern recognition (related to machine learning)

This week: overview on pattern recognition (related to machine learning)
Copyright R. Weber Machine Learning, Data Mining ISYS370 Dr. R. Weber.

Copyright R. Weber Machine Learning, Data Mining ISYS370 Dr. R. Weber.
1 Selecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99 Benchmark H. Güneş Kayacık Nur Zincir-Heywood Malcolm I. Heywood.

1 Selecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99 Benchmark H. Güneş Kayacık Nur Zincir-Heywood Malcolm I. Heywood.
CS 8751 ML & KDDSupport Vector Machines1 Support Vector Machines (SVMs) Learning mechanism based on linear programming Chooses a separating plane based.

CS 8751 ML & KDDSupport Vector Machines1 Support Vector Machines (SVMs) Learning mechanism based on linear programming Chooses a separating plane based.
Intrusion Detection Using Hybrid Neural Networks Vishal Sevani (07405010)

Intrusion Detection Using Hybrid Neural Networks Vishal Sevani ( )

Similar presentations

Ads by Google