Cyber Intrusion Detection Algorithm Based on Bayes' Theorem

Stephanie Steren-Ruta, West High School ‘12
Syeda Faiza Islam, Farragut High School ‘15

Young Scholars Program, July 17, 2012
Knoxville, Tennessee



The problem

•Securing the Smart Grid

▫Effective ways


•http://www.youtube.com/watch?v=P0xfRhM1Jp8

Terms

• Intrusion Detection

• Pattern recognition

• Bayes' Theorem

• Maximum a posteriori probability (MAP)

Intrusion Detection

• identify unauthorized use, misuse and abuse of computer systems by both system insiders and external penetrators [1]

Types of Intrusions

The four attack categories of the DARPA intrusion detection evaluation data [5]:

• Denial of Service (DOS): making a machine or service unavailable to its legitimate users (e.g. a SYN flood)

• Remote to Local (R2L): an attacker without an account gains local access to a machine over the network (e.g. password guessing)

• User to Root (U2R): a user with ordinary access obtains root privileges (e.g. through a buffer overflow)

• Probing: surveillance of a network to find hosts and services to attack (e.g. port scanning)

Pattern Recognition

• finding the patterns in a set of data and using them to classify (categorize) each item [2]

Bayes' Theorem

• a mathematical formula for calculating conditional probabilities: the probability of a hypothesis given the observed evidence, from the probability of the evidence given the hypothesis and the prior probability of the hypothesis [6]

Maximum a posteriori probability (MAP)

• assigning the sample of interest to the class for which it has the highest a posteriori (posterior) probability

Bayes' Theorem

Multivariate Gaussian Distribution

$$P(\vec{x}) = \frac{1}{(2\pi)^{d/2}\,|\Sigma|^{1/2}}\exp\!\left(-\frac{1}{2}(\vec{x}-\vec{\mu})^{t}\,\Sigma^{-1}\,(\vec{x}-\vec{\mu})\right)$$

where d is the number of features, \vec{\mu} the mean vector and \Sigma the covariance matrix of the class.

Discriminant Function

$$g_B(\vec{x}) = \ln[P(\vec{x} \mid B)] + \ln[P(B)]$$

(the logarithm of the class-conditional density times the prior of class B; the sample is assigned to the class whose discriminant is largest)
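Added derivation (not on the original slides) linking Bayes' theorem, the MAP rule and the Gaussian density above to the discriminant functions evaluated in the code later in the deck. Here \omega_i stands for class i (the B of the slide), \vec{x} for the feature vector, and \vec{\mu}_i, \Sigma_i for that class's mean and covariance:

$$P(\omega_i \mid \vec{x}) = \frac{P(\vec{x} \mid \omega_i)\,P(\omega_i)}{P(\vec{x})}$$

MAP selects the class with the largest posterior. P(\vec{x}) is the same for every class, so it can be dropped, and taking the logarithm (which preserves the maximum) gives

$$g_i(\vec{x}) = \ln P(\vec{x} \mid \omega_i) + \ln P(\omega_i).$$

With the multivariate Gaussian as the class-conditional density this becomes

$$g_i(\vec{x}) = -\tfrac{1}{2}(\vec{x}-\vec{\mu}_i)^{t}\,\Sigma_i^{-1}\,(\vec{x}-\vec{\mu}_i) - \tfrac{1}{2}\ln|\Sigma_i| - \tfrac{d}{2}\ln(2\pi) + \ln P(\omega_i).$$

The term -\tfrac{d}{2}\ln(2\pi) is common to all classes and is dropped; what remains is exactly what Function_1 to Function_5 compute, with P(\omega_i) = 0.7, 0.0025, 0.0025, 0.05, 0.2. Those five priors sum to 0.955 rather than 1; the argmax is unaffected, because scaling every prior by the same constant adds the same amount to every g_i.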

Analysis of Data

• Start with labelled training and testing data (each record carries its true class).

• Separate the training records into the five classes.

• Compute the mean vector and covariance matrix of each class.

• Loop over the test records; for each one evaluate every class's discriminant function and assign the class with the largest value.

• Compare the assignments with the test labels to measure accuracy.

• Adjust the prior probabilities and repeat until the accuracy is highest.

Data Set


Code

Decision = zeros(size(test_data,1),1);   % one predicted class per test row
for i = 1:size(test_data,1)              % size(..,1): length() returns the larger dimension
    current_entry = test_data(i,:);
    % Discriminant per class: -1/2 (x-mu) Sigma^-1 (x-mu)' - 1/2 ln|Sigma| + ln P(class).
    % cov_k must be non-singular; a class with few training rows (U2R) may need regularising.
    Function_1 = -.5*((current_entry-mean_1)*inv(cov_1)*(current_entry-mean_1)') - .5*log(det(cov_1)) + log(.7);    % class 1: DOS,     prior 0.7
    Function_2 = -.5*((current_entry-mean_2)*inv(cov_2)*(current_entry-mean_2)') - .5*log(det(cov_2)) + log(.0025); % class 2: R2L,     prior 0.0025
    Function_3 = -.5*((current_entry-mean_3)*inv(cov_3)*(current_entry-mean_3)') - .5*log(det(cov_3)) + log(.0025); % class 3: U2R,     prior 0.0025
    Function_4 = -.5*((current_entry-mean_4)*inv(cov_4)*(current_entry-mean_4)') - .5*log(det(cov_4)) + log(.05);   % class 4: Probing, prior 0.05
    Function_5 = -.5*((current_entry-mean_5)*inv(cov_5)*(current_entry-mean_5)') - .5*log(det(cov_5)) + log(.2);    % class 5: Normal,  prior 0.2
    [C,I] = max([Function_1,Function_2,Function_3,Function_4,Function_5]);   % MAP: the largest discriminant wins
    Decision(i,1) = I;
end
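The procedure of the Analysis of Data slide and the MATLAB loop above, carried through end to end in Python as an added example; this is not the authors' code. The training and test rows are constructed for the example (two features per record, five rows per class) rather than taken from the DARPA/KDD data the project used, the class numbering follows the confusion-matrix legend, and the 2x2 inverse and determinant are written out by hand so that no numerical library is needed.

```python
import math

# Class labels as on the confusion-matrix slide.
LABELS = {1: "DOS", 2: "R2L", 3: "U2R", 4: "Probing", 5: "Normal"}

# Constructed training data, NOT the DARPA/KDD records the slides used: each
# class is five two-feature rows placed around a class centre, so the class
# mean (the centre) and covariance (diag(1, 0.25)) can be checked by hand.
_OFFSETS = [(-1.0, -0.5), (-1.0, 0.5), (1.0, -0.5), (1.0, 0.5), (0.0, 0.0)]
_CENTRES = {1: (8.0, 8.0), 2: (2.0, 8.0), 3: (8.0, 2.0), 4: (2.0, 2.0), 5: (5.0, 5.0)}
TRAIN = {c: [[cx + dx, cy + dy] for dx, dy in _OFFSETS]
         for c, (cx, cy) in _CENTRES.items()}

# Constructed test rows with their true class.  The last Normal row lies
# between the Normal and DOS centres, so the priors alone decide its label.
TEST = [
    ((8.3, 7.8), 1), ((7.6, 8.2), 1),
    ((2.2, 7.9), 2), ((1.7, 8.3), 2),
    ((8.4, 2.2), 3), ((7.7, 1.8), 3),
    ((2.3, 2.3), 4), ((1.6, 2.1), 4),
    ((5.2, 4.7), 5), ((4.4, 5.3), 5), ((6.6, 6.6), 5),
]

# The priors hard-coded as log(.7), log(.0025), ... in the slides' MATLAB loop.
# They sum to 0.955, not 1; harmless for the argmax, but worth knowing.
SLIDE_PRIORS = {1: 0.7, 2: 0.0025, 3: 0.0025, 4: 0.05, 5: 0.2}
EQUAL_PRIORS = {c: 0.2 for c in LABELS}


def mean_vec(rows):
    n = len(rows)
    return [sum(r[0] for r in rows) / n, sum(r[1] for r in rows) / n]


def cov_mat(rows, mu, ridge=1e-6):
    """Sample covariance (n-1 denominator, like MATLAB's cov) plus a small ridge
    on the diagonal, so a class with very few training rows (U2R in the real
    data) cannot hand inv()/det() a singular matrix."""
    n = max(len(rows) - 1, 1)
    s00 = sum((r[0] - mu[0]) ** 2 for r in rows) / n
    s11 = sum((r[1] - mu[1]) ** 2 for r in rows) / n
    s01 = sum((r[0] - mu[0]) * (r[1] - mu[1]) for r in rows) / n
    return [[s00 + ridge, s01], [s01, s11 + ridge]]


def det2(m):
    return m[0][0] * m[1][1] - m[0][1] * m[1][0]


def inv2(m):
    d = det2(m)
    return [[m[1][1] / d, -m[0][1] / d], [-m[1][0] / d, m[0][0] / d]]


def discriminant(x, mu, cov, prior):
    """g(x) = -1/2 (x-mu)^T Sigma^-1 (x-mu) - 1/2 ln|Sigma| + ln P(class):
    log of (Gaussian class density x prior) with the shared constant dropped."""
    d0, d1 = x[0] - mu[0], x[1] - mu[1]
    s = inv2(cov)
    maha = d0 * (s[0][0] * d0 + s[0][1] * d1) + d1 * (s[1][0] * d0 + s[1][1] * d1)
    return -0.5 * maha - 0.5 * math.log(det2(cov)) + math.log(prior)


def fit(train):
    """Slide steps 2-3: per class, estimate the mean vector and covariance."""
    model = {}
    for c, rows in train.items():
        mu = mean_vec(rows)
        model[c] = (mu, cov_mat(rows, mu))
    return model


def classify(x, model, priors):
    """MAP decision: the class with the largest discriminant (the max() call)."""
    return max(model, key=lambda c: discriminant(x, model[c][0], model[c][1], priors[c]))


def confusion(model, priors, rows):
    """conf[true][predicted] counts, in the 5x5 layout of the results slide."""
    conf = {t: {p: 0 for p in model} for t in model}
    for x, true in rows:
        conf[true][classify(x, model, priors)] += 1
    return conf


def accuracy(conf):
    total = sum(sum(row.values()) for row in conf.values())
    return sum(conf[c][c] for c in conf) / total


def tune_normal_prior(model, rows, grid=(0.2, 0.4, 0.6, 0.8)):
    """Slide step 6: sweep the Normal prior over a grid, split the remainder
    equally over the four attack classes, keep the first value with the best
    accuracy on `rows`."""
    best_priors, best_acc = None, -1.0
    for p_normal in grid:
        priors = {c: (1.0 - p_normal) / 4 for c in (1, 2, 3, 4)}
        priors[5] = p_normal
        acc = accuracy(confusion(model, priors, rows))
        if acc > best_acc:
            best_priors, best_acc = priors, acc
    return best_priors, best_acc


if __name__ == "__main__":
    model = fit(TRAIN)
    for name, priors in (("equal", EQUAL_PRIORS), ("slide", SLIDE_PRIORS)):
        conf = confusion(model, priors, TEST)
        print(name, "priors: accuracy", round(accuracy(conf), 3))
        for t in conf:
            print("  ", LABELS[t].ljust(8), [conf[t][p] for p in conf])
    print("tuned Normal prior:", tune_normal_prior(model, TEST))
```

Running it prints the confusion matrix under equal priors and under the priors hard-coded in the MATLAB loop; the borderline Normal row at (6.6, 6.6) is labelled DOS under both and flips to Normal once the Normal prior is raised to 0.6, which is the effect the slide's last step relies on. Two points a practitioner would add: the priors should be chosen on a held-out validation split, not on the test data used to report accuracy, otherwise the reported accuracy is optimistic; and with many features a class with very few records (U2R) yields a singular or ill-conditioned covariance, which is why cov_mat adds a ridge, whereas MATLAB's inv() warns and returns Inf entries and log(det()) becomes -Inf in that case.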

Results

•Accuracy

•Prior Probability

Confusion Matrix

[Two 5x5 confusion matrices, rows and columns indexed 1 to 5, were shown as images; the cell values were not recovered.]

1 - DOS, 2 - R2L, 3 - U2R, 4 - Probing, 5 - Normal Connection

•Error

•Future Improvements

References

[1] B. Mukherjee, L. T. Heberlein, and K. N. Levitt, "Network intrusion detection," IEEE Network, vol. 8, no. 3, pp. 26-41, May-June 1994. doi: 10.1109/65.283931

[2] A. K. Jain, R. P. W. Duin, and J. Mao, "Statistical pattern recognition: a review," IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 22, no. 1, pp. 4-37, Jan. 2000. doi: 10.1109/34.824819

[3] Anonymous, Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network, ch. 15, pp. 359-362. Sams.net, Indianapolis, IN, 1997.

[4] S. Garfinkel and G. Spafford, Practical Unix & Internet Security, 2nd ed. O'Reilly & Associates, Sebastopol, CA, April 1996.

[5] MIT Lincoln Laboratory, DARPA Intrusion Detection Evaluation: attack database. Web, accessed 10 Jul 2012. http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/docs/attackDB.html

[6] J. Joyce, "Bayes' Theorem," The Stanford Encyclopedia of Philosophy (Fall 2008 Edition), E. N. Zalta (ed.). http://plato.stanford.edu/archives/fall2008/entries/bayes-theorem/