Machine Learning Techniques for Intrusion Detection Systems

Slide Note
Embed
Share

An Intrusion Detection System (IDS) is crucial for defending computer systems against attacks, with machine learning playing a key role in anomaly and misuse detection approaches. The 1998/1999 DARPA Intrusion Set and Anomaly Detection Systems are explored, alongside popular machine learning classifiers like K-Nearest Neighbors.

shoshana
shoshana Follow

Uploaded on Jul 24, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Intrusion Detection Techniques using Machine Learning

  2. What is an IDS? An Intrusion Detection System is a wall of defense to confront the attacks of computer systems on the internet. The main assumption of the IDS is that the behavior of intruders is different from legal users.

  3. Types of IDS Anomaly approaches: Determine whether deviations from normal usage patterns can be flagged as intrusions Misuse or Signature detection approaches: This kind of approach uses patterns of well- known attacks to identify intrusions. Clearly Machine Learning is well suited for the first kind of approach.

  4. The 1998/1999 DARPA Intrusion set The data set contains 24 attack types that could be classified into four main categories: Denial of Service(DOS), Remote to User (R2L), User to Root (U2R), and Probing The original data contain 744 MB data with 4,940,000 records. The data set has 41 attributes for each connection record plus one class label. Variable No Variable Name x1 duration x2 protocol_type x3 service x4 flag x5 src_bytes x6 dst_bytes x7 land x8 wrong_fragment x9 urgent x10 hot x11 num_failed_logins x12 logged_in x13 num_compromised x14 root_shell x15 su_attempted x16 num_root x17 num_file_creations x18 num_shells x19 num_access_files x20 num_outbound_cmds x21 is_host_login Variable type continuous discrete discrete discrete continuous continuous discrete continuous continuous continuous continuous discrete continuous continuous continuous continuous continuous continuous continuous continuous discrete Variable No Variable Name x22 is_guest_login x23 count x24 srv_count x25 serror_rate x26 srv_serror_rate x27 rerror_rate x28 srv_rerror_rate x29 same_srv_rate x30 diff_srv_rate x31 srv_diff_host_rate x32 dst_host_count x33 dst_host_srv_count x34 dst_host_same_srv_rate x35 dst_host_diff_srv_rate x36 dst_host_same_src_port_rate x37 dst_host_srv_diff_host_rate x38 dst_host_serror_rate x39 dst_host_srv_serror_rate x40 dst_host_rerror_rate x41 dst_host_srv_rerror_rate Variable type discrete continuous continuous continuous continuous continuous continuous continuous continuous continuous continuous continuous continuous continuous continuous continuous continuous continuous continuous continuous

  5. Anomaly Detection Systems Three main parts in anomaly detection system are: 1. Feature selection 2. Model of normal behavior 3. Comparison

  6. Machine Learning Techniques: 1. Single Classifiers 2. Hybrid Classifiers 3. Ensemble Classifiers

  7. Single Classifiers K-Nearest Neighbors (k-NN) Computes the approximate distance between different points on the input vectors and assigns the unlabeled point to the class of its K-nearest neighbors. The k parameter affects performance and accuracy. k-NN is instance based learning. It contains no model training stage; only searches for examples of input vectors and classifies new distances.

  8. Liao, Y., & Vemuri, V. R. (2002). Use of K- nearest neighbor classifier for intrusion detection. Computer and Security, 21(5), 439 448. Li, Y., & Guo, L. (2007). An active learning based TCM-KNN algorithm for supervised network intrusion detection. Computer and Security, 26, 459 467.

  9. Single Classifiers Support Vector Machines (SVM) SVM maps the input vector into a higher dimensional feature space and obtains an optimal separating hyper-plane in the higher dimensional hyper plane. The decision boundary is determined by support vectors and extremely robust to outliers.

  10. Chen, W.-H., Hsu, S.-H., & Shen, H.-P. (2005). Application of SVM and ANN for intrusion detection. Computer and Operations Research, 32, 2617 2634. Heller, K. A., Svore, K. M., Keromytis, A. D., & Stolfo, S. J. (2003). One class support vector machines for detecting anomalous window registry accesses. In Paper presented at the 3rd IEEE conference data mining workshop on data mining for computer security. Florida. Khan, L., Awad, M., & Thuraisingham, B. (2007). A new intrusion detection system using support vector machines and hierarchical clustering. The VLDB Journal, 16, 507 521. Tian, M., Chen, S. -C., Zhuang, Y., & Liu, J. (2004). Using statistical analysis and support vector machine classification to detect complicated attacks. In Paper presented at the proceedings of the third international conference on machine learning and cybernetics. Shanghai.

  11. Single Classifiers Artificial Neural Networks Information is processed in units that mimic neurons. Multi-Layer Perceptron: Consists of an input layer including a set of sensory nodes as input nodes, one or more hidden layers of computation nodes and an output layer. Each interconnection has a scalar weight associated with it that is calculated during the training phase.

  12. Artificial Neural Networks Chen, Y., Abraham, A., & Yang, B. (2007). Hybrid flexible neural-tree-based intrusion detection systems.International Journal of Intelligent Systems, 22, 337 352.

  13. Chen, Y., Abraham, A., & Yang, B. (2007). Hybrid flexible neural-tree-based intrusion detection systems. International Journal of Intelligent Systems, 22, 337 352. Joo, D., Hong, T., & Han, I. (2003). The neural network models for IDS based on the asymmetric costs of false negative errors and false positive errors. Expert System with Applications, 25, 69 75. Liu, G., Yi, Z., & Yang, S. (2007). A hierarchical intrusion detection model based on the PCA neural networks. Neurocomputing, 70, 1561 1568. Moradi, M., & Zulkernine, M. (2004). A neural network based system for intrusion detection and classification of attacks. In Paper presented at the proceeding of the 2004 IEEE international conference on advances in intelligent systems Theory and applications. Luxembourg. Zhang, C., Jiang, J., & Kamel, M. (2005). Intrusion detection using hierarchical neural network. Pattern Recognition Letters, 26, 779 791.

  14. Single Classifiers Self-Organizing Maps (SOM) Used to reduce the dimension of data for visualization. SOM projects and clusters high dimensional input vectors into a low dimensional (usually 2) visualization map. Consists of an Input layer and a Kohonen layer. The Kohonen layer is a two dimensional arrangement of neurons that maps the n-dimensional input to two dimensions. SOM maps similar input vectors onto the same or similar output units on the two dimensional map. Outputs self-organize to an ordered map and output units with similar weights are placed nearby after training.

  15. Hierarchical SOM architecture (a) Architecture (b) Data partitioning Kayacik, H. G., Nur, Z.-H., & Heywood, M. I. (2007). A hierarchical SOM-based intrusion detection system. Engineering Applications of Artificial Intelligence, 20, 439 451.

  16. Single Classifiers Decision Trees A sample is classified through a sequence of decisions, in which the current decision helps to make the subsequent decision. Tree structure where each node is a decision and each leaf a classification category.

  17. Final Decision Tree Classifier Randomly Generated Population Decision Tree Constructor Decision Tree Evaluator Feature Selection Fitness Computation Training Data Validation Data Testing Data Generate Next Generation GA/Decision Tree Hybrid Stein, G., Chen, B., Wu, A. S., & Hua, K. A. (2005). Decision tree classifier for network intrusion detection with GA-based feature selection. In Paper presented at the proceedings of the 43rd annual Southeast regional conference. Kennesaw, Georgia.

  18. Single Classifiers Na ve Bayes Networks (NBN) Provides an answer to questions like What is the probability that it is a certain type of attack, given some observed system events , by using a conditional probability formula. Usually represented by a directed acyclic graph (DAG), where each node represents one of the system variables and each link encodes the influence of one node upon another. Scott, S. L. (2004). A Bayesian paradigm for designing intrusion detection systems. Computational Statistics and Data Analysis, 45, 69 83.

  19. Single Classifiers Genetic Algorithms (GA) Uses the computer to implement the natural selection and evolution. GA usually starts by randomly generating a large population of candidate programs. Some type of fitness measure is used to evaluate the performance of each individual in a population. A large number of iterations is then performed where low performing programs are replaced by genetic recombinations of high-performing programs. Abadeh, M. S., Habibi, J., Barzegar, Z., & Sergi, M. (2007). A parallel genetic local search algorithm for intrusion detection in computer networks. Engineering Applications of Artificial Intelligence, 20, 1058 1069. Liu, Y., Chen, K., Liao, X., & Zhang, W. (2004). A genetic clustering method for intrusion detection. Pattern Recognition, 37, 927 942.

  20. Single Classifiers Fuzzy Logic Fuzzy set theory the degree of truth of a statement is not 0 or 1 but it can range between the two truth values (true/false). Chavan, S., Shah, K. D. N., & Mukherjee, S. (2004). Adaptive neuro-fuzzy intrusion detection systems. In Paper presented at the in proceedings of the international conference on information technology: Coding and computing (ITCC 04). Florez, G., Bridges, S. M., & Vaughn, R. B. (2002). An improved algorithm for fuzzy data mining for intrusion detection. In Paper presented at the proceedings of the North American fuzzy information processing society conference (NAFIPS 2002). New Orleans, LA.

  21. Incorrect (Training Needed) Correct (No Training) Teacher Winner (Decision) Y(1) Y(2) Y(3) Y(n) 1 2 3 n w1 w2 w3 wn X(1) X(2) X(3) X(4) Chavan, Sampada, et al. "Adaptive neuro-fuzzy intrusion detection systems. "Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004. International Conference on. Vol. 1. IEEE, 2004.

  22. Hybrid Classifiers Typically consists of two functional components. The first one takes raw data a input and generates intermediate results. The second one takes the intermediate result as an input and produces the final result.

  23. Examples of Hybrid Classifiers a. Cascading classifiers: For example neuro- fuzzy techniques b. Clustering based approach to process the input and eliminate outliers, then results are used as training examples for a classifier. c. Integrating techniques where the first aims to optimize the learning performance (parameter tuning) of the second model for prediction

  24. Peddabachigari, S., Abraham, A., Grosan, C., & Thomas, J. (2007). Modeling intrusion detection system using hybrid intelligent systems. Journal of Network and Computer Applications, 30, 114 132. Shon, T., & Moon, J. (2007). A hybrid machine learning approach to network anomaly detection. Information Sciences, 177, 3799 3821.

  25. Hybrid Decision Tree SVM Approach Support Vector Machine Intrusion Detection Data Decision Trees Peddabachigari, Sandhya, et al. "Modeling intrusion detection system using hybrid intelligent systems." Journal of network and computer applications 30.1 (2007): 114-132.

  26. Shon, T., & Moon, J. (2007). A hybrid machine learning approach to network anomaly detection. Information Sciences, 177, 3799 3821.

  27. Ensemble Classifiers Combination of multiple weak learners. The learners are trained on different samples to improve the overall performance. To combine the outputs of the weak learners the most common techniques are: a. Majority Rule b. Boosting c. Bagging

  28. Intrusion Detection as a Pattern Recognition Problem Multiple Classifier System for Intrusion Detection Giacinto, Giorgio, Fabio Roli, and Luca Didaci. "Fusion of multiple classifiers for intrusion detection in computer networks." Pattern recognition letters 24.12 (2003): 1795-1803.

  29. Neural Networks (Backpropagation) Neural Networks (Scale Conjugate Gradient) Data Neural Network (One Step Secant) Ensemble preprocessor Support Vector Machine Multivariate Regression Splines Mukkamala, Srinivas, Andrew H. Sung, and Ajith Abraham. "Intrusion detection using an ensemble of intelligent paradigms." Journal of network and computer applications 28.2 (2005): 167-182.

  30. Classification Problems Inputs are divided into two or more classes, and the learner must produce a model that assigns unseen inputs to one or more of these classes. This is typically tackled in a supervised way. Anomaly detection can be described as a classification problem: Activities are divided into normal and not normal .

  31. Outlier detection: Closed world assumption The idea that specifying only positive examples and adopting the standing assumption that the rest are negative is not of much practical use in real-life problems because they rarely involve closed worlds in which you can be certain that all cases have been covered.

  32. High cost of errors A very small rate of false positives can render a NIDS unusable: operators wasting too much time looking at incident reports of benign activity. Even one false negative might compromise the entire IT infrastructure.

  33. Diversity of network traffic Network characteristics Bandwidth Duration of connections Application mix Can vary a lot, rendering them unpredictable over short intervals of time

  34. Semantic gap It is very challenging to translate the results from a classifier into a report that can be read by a human. Systems are not designed to identify malicious behavior, but rather, behavior that has not been seen before.

  35. Only two publicly available datasets: DARPA Network traces dataset KDD Cup dataset. Best way to train is real network data, but it is difficult to anonymize. KDD Lack of training Data

  36. Recommendations for using machine learning Understand what the system is doing Understand the Threat Model Target environment Attack cost Who are the attackers Robustness requirements Keep the scope narrow Reduce the costs

Related


Understanding Snort: An Open-Source Network Intrusion Detection System

Understanding Snort: An Open-Source Network Intrusion Detection System

farah
Semantics-Aware Intrusion Detection for Industrial Control Systems by Mer Yksel

Semantics-Aware Intrusion Detection for Industrial Control Systems by Mer Yksel

madilyn
Automated Melanoma Detection Using Convolutional Neural Network

Automated Melanoma Detection Using Convolutional Neural Network

shiloh
Counterfeit Detection Techniques in Currency to Combat Financial Fraud

Counterfeit Detection Techniques in Currency to Combat Financial Fraud

tova
Deception Game on Decoy Systems and Honeypots

Deception Game on Decoy Systems and Honeypots

danger
Seminar on Machine Learning with IoT Explained

Seminar on Machine Learning with IoT Explained

lark
CSEP 546 Machine Learning Course Overview

CSEP 546 Machine Learning Course Overview

makaveli
Yale Intrusion Alarm System Overview

Yale Intrusion Alarm System Overview

misha
Automated Anomaly Detection Tool for Network Performance Optimization

Automated Anomaly Detection Tool for Network Performance Optimization

sana
Colorimetric Detection of Hydrogen Peroxide Using Magnetic Rod-Based Metal-Organic Framework Composites

Colorimetric Detection of Hydrogen Peroxide Using Magnetic Rod-Based Metal-Organic Framework Composites

gaspard
Overview of Unsupervised Learning in Machine Learning

Overview of Unsupervised Learning in Machine Learning

neave
DoS Detection for IoT Networks Using Machine Learning: Study Overview

DoS Detection for IoT Networks Using Machine Learning: Study Overview

aqua
Drone Detection Using mmWave Radar for Effective Surveillance

Drone Detection Using mmWave Radar for Effective Surveillance

tallulah
Introduction to Machine Learning Concepts

Introduction to Machine Learning Concepts

raif
Role of AI in Threat Detection and Zero-day Attacks

Role of AI in Threat Detection and Zero-day Attacks

kacey
Advanced Machine Learning: Data Preparation and Exploration Part 1

Advanced Machine Learning: Data Preparation and Exploration Part 1

karina
Exploration of Learning and Privacy Concepts in Machine Learning

Exploration of Learning and Privacy Concepts in Machine Learning

marmaduke
Understanding Machine Learning for Stock Price Prediction

Understanding Machine Learning for Stock Price Prediction

kamilah
Hands-on Machine Learning with Python: Implement Neural Network Solutions

Hands-on Machine Learning with Python: Implement Neural Network Solutions

affan
NC22Plex STR Detection Kit: Advanced 5-Color Fluorescence Detection System

NC22Plex STR Detection Kit: Advanced 5-Color Fluorescence Detection System

iqra
VIIRS Boat Detection (VBD) Research Overview

VIIRS Boat Detection (VBD) Research Overview

jamareon
Comprehensive Guide to Hacking Techniques & Intrusion Detection

Comprehensive Guide to Hacking Techniques & Intrusion Detection

anton
Virtual Labs and Cybersecurity Overview at 2021 Winter ICT Educators Conference

Virtual Labs and Cybersecurity Overview at 2021 Winter ICT Educators Conference

ellierose
Understanding Data Flow in Machine Learning Systems

Understanding Data Flow in Machine Learning Systems

zakai

More Related Content

Machine Learning Framework for Algo Trading in Limit Order Book Prediction
Machine Learning Framework for Algo Trading in Limit Order Book Prediction
Understanding Adversarial Threats in Machine Learning
Understanding Adversarial Threats in Machine Learning
Model evaluation strategy impacts the interpretation and performance of machine learning models
Model evaluation strategy impacts the interpretation and performance of machine learning models
Introduction to Econometrics and Machine Learning
Introduction to Econometrics and Machine Learning
Generalization Bounds and Algorithms in Machine Learning
Generalization Bounds and Algorithms in Machine Learning
Understanding Adversarial Machine Learning Attacks
Understanding Adversarial Machine Learning Attacks
Hands-On Training with P4 and Hardware Switches at University of South Carolina
Hands-On Training with P4 and Hardware Switches at University of South Carolina
Overview of UTSA's IS-6353 Incident Response Course
Overview of UTSA's IS-6353 Incident Response Course
Cryptographic Hash Functions in Data Security: Mustansiriyah University Course Overview
Cryptographic Hash Functions in Data Security: Mustansiriyah University Course Overview
Search for Dark Photons Utilizing Advanced Germanium Detectors at University of South Dakota
Search for Dark Photons Utilizing Advanced Germanium Detectors at University of South Dakota
Understanding Error Detection and Checksum Methods
Understanding Error Detection and Checksum Methods
Understanding Information Systems in Organizational Management
Understanding Information Systems in Organizational Management
Introduction to Machine Learning: Opportunities and Applications
Introduction to Machine Learning: Opportunities and Applications
Understanding Active Learning in Machine Learning
Understanding Active Learning in Machine Learning
Understanding Gravitational Waves: Basics and Detection Challenges
Understanding Gravitational Waves: Basics and Detection Challenges
Machine Transcription for Call Center Efficiency
Machine Transcription for Call Center Efficiency
Machine Shop Safety Guidelines
Machine Shop Safety Guidelines
Understanding Programming Languages: Levels and Basics
Understanding Programming Languages: Levels and Basics
Graph Machine Learning Overview: Traditional ML to Graph Neural Networks
Graph Machine Learning Overview: Traditional ML to Graph Neural Networks
Understanding Neural Networks: Models and Approaches in AI
Understanding Neural Networks: Models and Approaches in AI
Machine Learning-Ready Data Sets in Heliophysics
Machine Learning-Ready Data Sets in Heliophysics
Understanding Data Pipelines and MLOps in Machine Learning
Understanding Data Pipelines and MLOps in Machine Learning
Exploring Adversarial Machine Learning in Cybersecurity
Exploring Adversarial Machine Learning in Cybersecurity
Understanding Machine Learning and Algorithms in Digital Citizenship
Understanding Machine Learning and Algorithms in Digital Citizenship