![Page 1: Fuzzy Learning Classifier System for Intrusion Detection Monu Bambroo](https://reader035.vdocuments.us/reader035/viewer/2022062511/551c10da550346ad4f8b53de/html5/thumbnails/1.jpg)
Fuzzy Learning Classifier System for Intrusion Detection
Monu Bambroo

Motivation
Total revenue losses in 2002 due to network breaches were about $10 billion.
The computer security problem is inherently a modeling problem.
Fuzzy logic is robust with respect to modeling imprecision and vagueness.

Inductive Learning
Inductive learning is learning by example.
The C4.5 program constructs classifiers in the form of a decision tree.
Decision trees are sometimes too complex to understand.
C4.5 re-expresses the classification model as production rules.

Experimental Data Set
The KDD’99 dataset was used for the experiments.
Each connection in the dataset is labeled either as normal or as an attack, with exactly one specific attack type.
Attacks fall into 4 main categories.
– DOS
– R2L
– U2R
– Probing
The R2L attack warezmaster is our experimental attack type.

Crisp Versus Fuzzy Sets
(Figure: two plots of membership μ against Distance [mm] for the sets Close, Medium and Far. Crisp set: axis ticks 0, 750, 1500. Fuzzy set: axis ticks 0, 600, 900, 1350, 1650.)

Fuzzy Inference Steps
Input Fuzzification
Implication Method
Aggregation
Defuzzification

Fuzzy Logic, How it works?
Input Fuzzification

Fuzzy Logic, How it works?
Volatility index = 0.6; Cyclomatic Complexity = 32
Rule across Antecedents

Fuzzy Logic, How it works?
Volatility index = 0.6; Cyclomatic Complexity = 32
Implication method
Quality Risk

Fuzzy Logic, How it works?
Aggregation
Quality Risk

Fuzzy Logic, How it works?
Defuzzification

Fuzzy rules
7 6 3 : 1
7 6 2 : 2
7 6 2 : 2

0 254 0 normal.
0 7321 0 normal.
282 158 2 warezmaster.

All Rules Match

| No | Classifier | Strength | Message | Matched | Bid | Tax |
|---|---|---|---|---|---|---|
| 1 | #010:0011 | 200 | | | | 0.1*200 = 20 |
| 2 | #101:0001 | 200 | | Env | 0.2*200 = 40 | 0.1*200 = 20 |
| 3 | ##01:0010 | 200 | | Env | 0.2*200 = 40 | 0.1*200 = 20 |
| 4 | 010#:0010 | 200 | | Env | 0.2*200 = 40 | 0.1*200 = 20 |
| 5 | ##1#:1000 | 200 | | | | 0.1*200 = 20 |
| 6 | #011:0100 | 200 | | | | 0.1*200 = 20 |
| 7 | 1###:0101 | 200 | | | | 0.1*200 = 20 |
| | Environment | 0 | 0101 | | | |

| No | Classifier | Strength | Message | Matched | Bid | Tax |
|---|---|---|---|---|---|---|
| 1 | #010:0011 | 180 | | | | 0.1*180 = 18 |
| 2 | #101:0001 | 140 | 0001 | | | 0.1*140 = 14 |
| 3 | ##01:0010 | 140 | | 2 | 0.2*140 = 28 | 0.1*140 = 14 |
| 4 | 010#:0010 | 140 | | | | 0.1*140 = 14 |
| 5 | ##1#:1000 | 180 | | | | 0.1*180 = 18 |
| 6 | #011:0100 | 180 | | | | 0.1*180 = 18 |
| 7 | 1###:0101 | 180 | | | | 0.1*180 = 18 |
| | Environment | 120 | | | | |

| No | Classifier | Strength | Message | Matched | Bid | Tax |
|---|---|---|---|---|---|---|
| 1 | #010:0011 | 162 | | 3 | 0.2*162 = 32.4 | 0.1*162 = 16.2 |
| 2 | #101:0001 | 154 | | | | 0.1*154 = 15.4 |
| 3 | ##01:0010 | 98 | 0010 | | | 0.1*98 = 9.8 |
| 4 | 010#:0010 | 126 | | | | 0.1*126 = 12.6 |
| 5 | ##1#:1000 | 162 | | 3 | 0.2*162 = 32.4 | 0.1*162 = 16.2 |
| 6 | #011:0100 | 162 | | | | 0.1*162 = 16.2 |
| 7 | 1###:0101 | 162 | | | | 0.1*162 = 16.2 |
| | Environment | 120 | | | | |
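
The three tables above replayed in code, as an added example that is not from the original slides: each round, every classifier whose condition matches the posted message pays a bid of 0.2 × strength to the message's sender, and every classifier pays a tax of 0.1 × strength. Which message is posted in each round is taken from the tables' Message column rather than decided by an auction, and the names `run_round` and `replay` are assumptions.

```python
# Added example: replays the three bucket-brigade tables shown above.
BID, TAX = 0.2, 0.1  # coefficients from the Bid and Tax columns

# Classifiers from the tables, written as "condition:message"
RULES = {1: "#010:0011", 2: "#101:0001", 3: "##01:0010", 4: "010#:0010",
         5: "##1#:1000", 6: "#011:0100", 7: "1###:0101"}

def matches(condition, message):
    """Ternary match: '#' is a wildcard, any other position must be equal."""
    return all(c in ("#", m) for c, m in zip(condition, message))

def run_round(strength, sender, message):
    """Matching classifiers pay a bid to the sender; all classifiers pay tax."""
    start = dict(strength)  # bids and taxes use start-of-round strengths
    for no, rule in RULES.items():
        condition = rule.split(":")[0]
        strength[no] -= TAX * start[no]
        if matches(condition, message):
            bid = BID * start[no]
            strength[no] -= bid
            strength[sender] += bid
    return {k: round(v, 1) for k, v in strength.items()}

def replay():
    """Return the strengths after each round, starting from the first table."""
    strength = {no: 200.0 for no in RULES}
    strength["Env"] = 0.0
    # (sender, message) per round, as listed in the tables (assumption: one
    # posted message per round, exactly as the Message column shows)
    posted = [("Env", "0101"), (2, "0001"), (3, "0010")]
    return [run_round(strength, s, m) for s, m in posted]

if __name__ == "__main__":
    for snapshot in replay():
        print(snapshot)
```

The first two snapshots reproduce the Strength columns of the second and third tables; the third snapshot carries the same rules one round further.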

What is a ‘Learning Fuzzy Classifier System’ (LFCS)?
Learn rules whose clauses are labels associated with fuzzy sets.
Each fuzzy set represents a membership function for a variable.
A genetic algorithm operates on the fuzzy sets, evolving the best solution.

Comparing ‘LCS’ and ‘LFCS’
Matching
Rule Activation
Reinforcement Distribution
Genetic Algorithm

Rule Base
Representation Type
7 6 3 : 1
If (duration is 7) and (srcbytes is 6) and (hot is 3) then (attack is warezmaster) (1)

Contd.
Rules are represented using the ‘Michigan Approach’.
The Pittsburgh approach requires a large amount of computational effort.
Genetic activity destroys the local optimum.
In the Michigan approach, genetic operators operate on single rules.

Reinforcement Distribution
Fuzzy Bucket Brigade Algorithm
I. Compute the bid based on the action sets of the active classifiers.
II. Reduce the strength of each active classifier by a quantity equal to its contribution to the bid.
III. Distribute the bid to the classifiers belonging to the action set which led to the reward.

Genetic Algorithm

| Name | Description |
|---|---|
| Representation | Integer |
| Recombination | One-Point Crossover |
| Mutation | Uniform Mutation |
| Mutation Probability | 70% |
| Crossover Probability | 20% |
| Parent Selection | Rank Based |
| Survival Selection | Generational |
| Initialization | C4.5 heuristic Rules |

Input/Output for the System

Input
```
Name='srcbytes'
Range=[0 5135678]
NumMFs=6
MF1='1':'trimf',[0 149.4455 245.9026]
MF2='2':'trimf',[195.1873 232.6335 305.2674]
MF3='3':'trimf',[288.2449 335.5554 352.726]
MF4='4':'trimf',[335 479.0667 979.6835]
MF5='5':'trimf',[872.45944836 976.71911992 1476407.9375]
MF6='6':'trimf',[1003.3344398 4241231.9102 5135678]
```

Input
```
Name='duration'
Range=[0 29296]
NumMFs=8
MF1='1':'trimf',[0 3.9672 7.3611]
MF2='2':'trimf',[2.84113 6.52038 11.4731]
MF3='3':'trimf',[10 10.4385 13.2237]
MF4='4':'trimf',[11.7093 14.9302 46.311]
MF5='5':'trimf',[15.8705 37.2474 70]
MF6='6':'trimf',[74.830436 780.36685 2422.6428]
MF7='7':'trimf',[1225.35095 2561.29491 13717.8565]
MF8='8':'trimf',[2576.6364 18682.0544 29296]
```

Input
```
Name='hot'
Range=[0 30]
NumMFs=4
MF1='1':'trimf',[0 1.1054 8.8699]
MF2='2':'trimf',[2.09904 11.0163 20.0822]
MF3='3':'trimf',[16.0978 19.0139 26.1328]
MF4='4':'trimf',[22.1838 26.9372 30]
```

Output
```
Name='attack'
Range=[0 1]
NumMFs=3
MF1='normal':'trimf',[0 0.2 0.35]
MF2='warezclient':'trimf',[0.35 0.5 0.65]
MF3='warezmaster':'trimf',[0.65 0.797 1]
```
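
The inference steps from the ‘Fuzzy Inference Steps’ slide, run over a subset of the membership functions listed above, as an added example that is not from the original slides. Assumptions: min for combining antecedents and for implication, max for aggregation and centroid defuzzification (the slides do not name the operators); the input record and the second rule are constructed for illustration.

```python
# Added example: Mamdani-style inference over the page's trimf parameters.
def trimf(x, abc):
    """Triangular membership: feet at a and c, peak at b."""
    a, b, c = abc
    if x <= a or x >= c:
        return 1.0 if x == b else 0.0  # shoulder case when a == b or b == c
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)

# Subset of the membership functions listed above, keyed by label
DURATION = {6: (74.830436, 780.36685, 2422.6428),
            7: (1225.35095, 2561.29491, 13717.8565)}
SRCBYTES = {6: (1003.3344398, 4241231.9102, 5135678)}
HOT = {2: (2.09904, 11.0163, 20.0822), 3: (16.0978, 19.0139, 26.1328)}
ATTACK = {"warezclient": (0.35, 0.5, 0.65), "warezmaster": (0.65, 0.797, 1)}

RULES = [((7, 6, 3), "warezmaster"),  # the slide's rule "7 6 3"
         ((6, 6, 2), "warezclient")]  # constructed rule, for aggregation

def firing(record, antecedent):
    """Fuzzify each input, then combine the antecedents with min."""
    (d, s, h), (i, j, k) = record, antecedent
    return min(trimf(d, DURATION[i]), trimf(s, SRCBYTES[j]), trimf(h, HOT[k]))

def infer(record, steps=1000):
    """Clip each output set (implication), aggregate with max, take centroid."""
    fired = [(firing(record, ant), out) for ant, out in RULES]
    num = den = 0.0
    for n in range(steps + 1):
        y = n / steps  # sample the output range [0, 1]
        mu = max(min(w, trimf(y, ATTACK[out])) for w, out in fired)
        num, den = num + y * mu, den + mu
    return fired, (num / den if den else None)

RECORD = (2000, 2_000_000, 18)  # constructed (duration, srcbytes, hot)

if __name__ == "__main__":
    fired, score = infer(RECORD)
    print(fired, round(score, 3))
```

Because neighbouring triangles overlap, the constructed record activates both rules at once, and the defuzzified score lands inside the `warezmaster` output range.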

Results

| | Number of Records | Percentage of Records |
|---|---|---|
| Negative Detection | 61014 | 98.10 |
| Missed Alarms | 410 | 25.59 |
| Positive Detection | 1180 | 73.66 |
| False Alarms | 2 | 0.0048 |