Intrusion Detection Using Artificial Neural Network

Published on December 2016

INTRUSION DETECTION USING ARTIFICIAL NEURAL NETWORK

Presented by: RAMI REDDY.K, CHANDRA SEKHAR REDDY (09691A0571, 10695A0502)

Contact: Ph: 7893798979

Madanapalli Institute Of Technology And Sciences, Madanapalli, Chittoor District.

ABSTRACT:

Intrusion Detection is the task of detecting, preventing and possibly reacting to the attacks and intrusions in network based computer systems. In the literature several machine-learning paradigms have been proposed for developing an intrusion detection system. This paper proposes an artificial neural network approach for intrusion detection. A feed forward neural network trained by back propagation algorithm is developed to classify the intrusions using a profile data set (ten percent of the KDD cup 99 data) with the information related to the computer network during normal behavior and during intrusive (abnormal) behavior. Test results show that the proposed approach works well in detecting different attacks accurately with less false positive and negative rate and it is comparable to those reported in the literature.

KEYWORDS: Intrusion detection, Feed forward neural network, Back propagation algorithm, KDD cup’99 data.

I. INTRODUCTION:

Confidentiality, integrity and availability of the system resources are the major concerns in the development and exploitation of network based computer systems. Enlargement of computer infrastructure has raised the vulnerability of these systems to security threats, attacks and intrusions. Some specific examples of intrusions that concern system administrators include attempted break-in, masquerading or successful break-in, penetration by legitimate user, leakage by legitimate user, inference by legitimate user, Trojan-horse virus and denial-of-service. Generally these intrusions would cause loss/damage to our system resources in terms of unauthorized modifications of system files, user files or information and any other system information in network components. Hence a system is needed that detects any unauthorized modification forced by an attacker and is able to run continually with minimal human supervision. It inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.

According to the detection principles there are two types of intrusion detection system: misuse and anomaly detection. In misuse detection, attack patterns or the behavior of the intruder is modeled (attack signature is modeled). Here the system will signal the intrusion once a match is detected. In an anomaly detection system, the normal behavior of the system is modeled and the system will raise an alarm once the behavior of the network doesn’t match with its normal behavior. According to the sources of data there are two types of intrusion detection: Network based IDS (NIDS) and Host-based IDS (HIDS). A network based IDS captures all network traffic and analyses the content of individual packets for malicious traffic, whereas a host based IDS identifies intrusions by analyzing system calls, application logs, file system modifications (binaries, password files, capability/acl databases) and other host activities and state.

In the literature several machine learning paradigms have been proposed for developing an intrusion detection system. Statistical techniques like Hidden Markov Model [1], Multivariate Adaptive Regression Splines [2], Bayesian Classifier and Classification and Regression Trees (CART) [3] have been applied to intrusion detection. These statistical approaches usually result in an inflexible detection system that is unable to detect an attack if the sequence of events is slightly different from the predefined profile. Most current approaches to the process of detecting intrusions utilize some form of rule-based analysis as proposed by Denning [4]. Expert systems are the most common form of rule-based intrusion detection approaches. They permit the incorporation of an extensive amount of human experience into a computer application that then utilizes that knowledge to identify activities that match the defined characteristics of misuse and attack. The constantly changing nature of network attacks requires a flexible defensive system that is capable of analyzing the enormous amount of network traffic in a manner which is less structured than rule based systems. In [5] a fuzzy logic approach has been combined with data mining techniques for mining association rules which can be applied for detecting intrusions.

Recently, artificial neural networks have been successfully applied for developing the IDS. ANN has the advantage of easier representation of nonlinear relationship between input and output and its inherent computational speed. Even if the data were incomplete or distorted a neural network would be capable of analyzing the data from a network. A multilayer perceptron (MLP) was used in [6] for misuse detection with a single hidden layer. Self-organizing map was applied to perform the clustering of network traffic and to detect attacks in [8,9]. The self-organizing map was combined with the resilient propagation neural network (RPROP) for visualizing and classifying intrusion and normal patterns. In this paper, a feed-forward neural network trained by back propagation algorithm is used to classify the intrusion using a profile data set (ten percent of the KDD cup 99 data) with the information related to the computer network during normal behavior. Artificial neural networks [12] provide the potential to identify and classify network activity based on limited, incomplete and nonlinear data sources. With the ability to generalize from learned data they seem to be an appropriate approach to intrusion detection.

PROPOSED MODEL FOR INTRUSION DETECTION:

The proposed methodology for intrusion detection in computer networks is based on using artificial neural networks (ANN) for detecting the normal and abnormal conditions of the given parameters, which leads to various attacks. The neural network approach for this purpose has two phases: training and testing. During the training phase, the neural network is trained to capture the underlying relationship between the chosen inputs and outputs. After training, the networks are tested with a test data set, which was not used for training. Once the networks are trained and tested, they are ready for detecting the intrusions at different operating conditions. The following issues are to be addressed while developing an ANN for intrusion detection [13]:




• Data collection
• Data preprocessing and representation
• Data normalization
• Selection of network structure
• Network training and testing

Fig. 1 shows the schematic representation of the issues to be addressed while developing an ANN model for intrusion detection.

Fig. 1 Proposed ANN Model for IDS

DATA COLLECTION:

There are two ways to build an IDS: one is to create our own simulation network and collect relevant data, and the other is to use previously collected datasets. Issues like privacy, security and completeness greatly restrict people from generating data. The beauty of using previously collected datasets is that the results can be compared with others in the literature. Not many datasets have been collected that could be used to build IDS systems. Some of the popularly used IDS datasets are the DARPA 1998 dataset and the KDD cup 1999 dataset, which are available in the MIT Lincoln labs [14].

DATA PREPROCESSING:

Before training the neural network, the dataset should be processed to remove the redundancy present in the data and the non-numerical attributes should be represented in numerical form suitably.
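The preprocessing step described above, combined with the integer coding, output coding and normalization expression the paper gives in its later sections, as an added Python example (not the authors' MATLAB code). The six-feature record layout, the sample records, the [-1, 1] target range and every discrete code other than TCP=1 and UDP=2 are assumptions made for illustration.

```python
# Output coding given in the paper's simulation section.
LABEL_BITS = {
    "normal": [0, 0, 0, 0], "dos": [0, 0, 0, 1], "probe": [0, 0, 1, 0],
    "r2l": [0, 1, 0, 0], "u2r": [1, 0, 0, 0],
}

def encode_discrete(rows, col, preset=None):
    """Replace the strings in column `col` with integers, in place; return the map."""
    codes = dict(preset or {})
    for row in rows:
        value = row[col]
        if value not in codes:
            # Assumption: unseen values get the next free integer, in order seen.
            codes[value] = max(codes.values(), default=0) + 1
        row[col] = codes[value]
    return codes

def normalize_columns(rows, span=2.0, start=-1.0):
    """Apply x_n = (x - x_min) * range / (x_max - x_min) + starting value per column."""
    out = [list(r) for r in rows]
    for c in range(len(rows[0])):
        col = [r[c] for r in rows]
        lo, hi = min(col), max(col)
        for r in out:
            # A constant column (x_max == x_min) would divide by zero and carries
            # no information; pin it to the starting value instead.
            r[c] = start if hi == lo else (r[c] - lo) * span / (hi - lo) + start
    return out

def preprocess(records):
    """records: (duration, protocol, service, flag, src_bytes, dst_bytes, label)."""
    unique = list(dict.fromkeys(records))        # drop exact duplicates, keep order
    rows = [list(r[:-1]) for r in unique]
    encode_discrete(rows, 1, {"tcp": 1, "udp": 2})   # codes stated in the paper
    encode_discrete(rows, 2)
    encode_discrete(rows, 3)
    return normalize_columns(rows), [LABEL_BITS[r[-1]] for r in unique]

# Constructed sample records (six of the 41 features plus the class label).
SAMPLE = [
    (0, "tcp", "http", "SF", 215, 45076, "normal"),
    (0, "tcp", "http", "SF", 215, 45076, "normal"),   # duplicate, removed
    (0, "icmp", "ecr_i", "SF", 1032, 0, "dos"),
    (0, "tcp", "private", "REJ", 0, 0, "probe"),
    (26, "tcp", "ftp", "SF", 116, 451, "r2l"),
    (98, "tcp", "telnet", "SF", 621, 8356, "u2r"),
]

if __name__ == "__main__":
    inputs, targets = preprocess(SAMPLE)
    for x, d in zip(inputs, targets):
        print([round(v, 3) for v in x], d)
```

Compute the minimum and maximum on the training set only and reuse them for test records, otherwise the test data leaks into the scaling.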

Fig. 1 boxes, in order: Data collection (KDD cup 99 data); Data preprocessing and representation; Data normalization; Selection of network structure (feed forward neural network); Network training and testing (back propagation algorithm); Attack classes (normal, DOS, probe, U2R, R2L)

DATA NORMALIZATION:

During training of the neural network, higher valued input variables may tend to suppress the influence of smaller ones. Also, if the raw data is directly applied to the network, there is a risk of the simulated neurons reaching the saturated conditions. If the neurons get saturated, then the changes in the input value will produce a very small change or no change in the output value. This affects the network training to a great extent. To minimize the effects of magnitude among inputs as well as to prevent saturation of the neuron activation function, the input data is normalized before being presented to the neural network. The expression for normalizing data is given by:

$$x_n = \frac{(x - x_{min}) \times \text{range}}{x_{max} - x_{min}} + \text{starting value}$$

where $x_n$ is the normalized value and $x_{min}$ and $x_{max}$ are the minimum and maximum values of the data.

2.4 Selection of Network Structure:

To make a neural network perform some specific task, one must choose the number of input neurons, output neurons, hidden neurons and how the neurons are connected to one another. For the best network performance, an optimal number of hidden units must be properly determined using the trial and error procedure. The hidden layer neurons have tangent hyperbolic function as the activation function and the output neurons have linear activation function.

2.5 Network Training and Testing:

Once the appropriate structure of the network is selected, the ANN model is trained to capture the underlying relationship between the input and output using the training data. In this work, back propagation algorithm is used to train the network, which propagates the error from the output layer to the hidden layer to update the weight matrix. After training, the networks are tested with the test data set to assess the generalization capability of the developed network.

3. Review of Artificial Neural Network:

Artificial neural networks [13] can be viewed as parallel and distributed processing systems which consist of a huge number of simple and massively connected processors. The MLP architecture is the most popular paradigm of artificial neural networks in use today. Fig. 2 shows a standard multilayered feed forward network with three layers. The neural network architecture in this class shares a common feature that all neurons in a layer are connected to all neurons in adjacent layers through unidirectional branches. That is, the branches and links can only broadcast information in one direction, that is, the “forward direction”. The branches have associated weights that can be adjusted according to a defined learning rule.

Fig2: Architecture of FFNN

Feed forward neural network training is usually carried out using the back propagation algorithm. Training the network with back propagation algorithm results in a non linear mapping between input and output variables. Thus given the input/output pairs, the network can have its weights adjusted by the back propagation algorithm to capture the nonlinear relationship. After training, the networks with fixed weights can provide the output for the given input. The standard back propagation algorithm for training the network is based on the minimization of an energy function representing the instantaneous error. In other words, we desire to minimize a function defined as:

$$E(m) = \frac{1}{2} \sum_{q=1}^{q} [d_q - y_q]^2$$

where $d_q$ represents the desired network output for the $q$th input pattern and $y_q$ is the actual output of the neural network. Each weight is changed according to the rule:

$$\Delta w_{ij} = -k \frac{\partial E}{\partial w_{ij}}$$

where $k$ is a constant of proportionality, $E$ is the error function and $w_{ij}$ represents the weight of the connection between neuron $j$ and neuron $i$. The weight adjustment process is repeated until the difference between the node output and actual output is within some acceptable tolerance.

4. Simulation Result:

This section presents the details of the simulation study carried out on KDD cup 1999 dataset [15] using the proposed method. This dataset was collected by simulating a typical U.S. Air Force local area network (LAN), operated like a real environment and being blasted with multiple attacks. Each KDD record contains 41 input features, which are given in Table 1, and one output that is labeled as either normal or as an attack, with exactly one specific attack type (DOS, Probe, U2R, R2L).

Table 1: Names of input features in KDD cup’99 data

Feature Number | Feature Name
F1 | Duration
F2 | Protocol type
F3 | Service
F4 | Flag
F5 | Src-bytes
F6 | Dst-bytes
F7 | Land
F8 | Wrong-fragment
F9 | Urgent
F10 | Hot
F11 | Num-failed-logins
F12 | Logged-in
F13 | Num-compromised
F14 | Root-shell
F15 | Su-attempted
F16 | Num-root
F17 | Num-file-creations
F18 | Num-shells
F19 | Num-access-files
F20 | Num-outbound-cmds
F21 | Is-host-login
F22 | Is-guest-login
F23 | Count
F24 | Srv-count
F25 | Serror-rate
F26 | Srv-serror-rate
F27 | Rerror-rate
F28 | Srv-rerror-rate
F29 | Same-srv-rate
F30 | Diff-srv-rate
F31 | Srv-diff-host-rate
F32 | Dst-host-count
F33 | Dst-host-srv-count
F34 | Dst-host-same-srv-rate
F35 | Dst-host-diff-srv-rate
F36 | Dst-host-same-src-port-rate
F37 | Dst-host-srv-diff-host-rate
F38 | Dst-host-serror-rate
F39 | Dst-host-srv-serror-rate
F40 | Dst-host-rerror-rate
F41 | Dst-host-srv-rerror-rate

The 41 input features are divided into four feature subsets. They are basic or intrinsic features, content features, time-based features and host-based features. Basic features are features common to every network connection, like duration of connection, service requested, bytes transferred between source and destination machine etc. Content features are collected by using domain knowledge of U2R and R2L attacks, since these attack categories did not contain any frequently occurring patterns, e.g. logged in flag, number of compromised conditions, hot indicators, etc. Time-based features are collected by observing various connections in a “two-second” time window with respect to the current connection, e.g. SYN error rates, rejection rates, number of different services requested etc. Host based features are collected based on the past 100 connections similar to the one under consideration.

The original data contain 744MB data with 4,940,000 records. A ten percent subset of this data contains 75MB data with 4,94,021 records, of which approximately 20% represent normal patterns and the rest 80% of patterns are attacks belonging to four categories (DOS, probe, U2R, R2L). Among the 41 input features, 32 features are continuous variables and 9 features are discrete variables. Suitable integer numbers are assigned to these discrete variables. For example, for the discrete variable protocol type, which describes the type of protocol, we assigned 1 for TCP, 2 for UDP, 3 for HTTP and so on. Accordingly suitable integer numbers are assigned to other discrete variables. The output attack label is represented as [0000] for normal, [0001] for DOS, [0010] for probe, [0100] for R2L and [1000] for U2R. There are about forty one neurons in the input layer that correspond to the number of input features and four neurons in the output layer, in which all neurons set to zero corresponds to normal and one in each neuron corresponds to any one of the four attacks (DOS, probe, R2L and U2R). The number of output neurons is kept constant while the number of input neurons is varied depending on the features selected by mutual information.

The neural network model is developed using MATLAB 6.5 neural network toolbox in Pentium 4 with 2.40 GHz processor with 256 MB of RAM. The network is trained with least mean square algorithm until it reaches the mean square error of 0.001. Trial and error procedure was followed to identify the optimal number of hidden nodes. The mean square error achieved during training is 9.9975e-004. With ten hidden nodes, the network took 257.7030 seconds to reach the error goal. The performance of the network during training is shown in Fig. 3.
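An added Python example (not the authors' MATLAB toolbox code) of the training loop this paper describes: a tanh hidden layer, linear outputs, the weight rule Δw = -k ∂E/∂w, ten hidden nodes and training until the mean square error goal of 0.001. The four-feature patterns, k = 0.05, the epoch limit and the 0.5 output threshold are assumptions.

```python
import math
import random

# Output coding from the paper: [0000] normal, [0001] DOS, [0010] probe,
# [0100] R2L, [1000] U2R.
CLASSES = {(0, 0, 0, 0): "normal", (0, 0, 0, 1): "dos", (0, 0, 1, 0): "probe",
           (0, 1, 0, 0): "r2l", (1, 0, 0, 0): "u2r"}

# Constructed training patterns: four already-normalized features per record
# (an assumed subset, not the 41 KDD features) and the 4-bit target.
PATTERNS = [
    ([-0.8, -0.8, -1.0, -1.0], [0, 0, 0, 0]),
    ([1.0, -1.0, -1.0, -1.0], [0, 0, 0, 1]),
    ([-0.8, 1.0, -1.0, -1.0], [0, 0, 1, 0]),
    ([-1.0, -0.8, 1.0, -1.0], [0, 1, 0, 0]),
    ([-1.0, -1.0, -0.6, 1.0], [1, 0, 0, 0]),
]

def forward(weights, x):
    """Return (hidden activations, outputs): tanh hidden layer, linear outputs."""
    w1, w2 = weights
    xb = list(x) + [1.0]                                  # trailing 1.0 feeds the bias
    h = [math.tanh(sum(w * v for w, v in zip(row, xb))) for row in w1]
    return h, [sum(w * v for w, v in zip(row, h + [1.0])) for row in w2]

def train_ffnn(patterns, n_hidden=10, k=0.05, goal=0.001, max_epochs=10000, seed=1):
    """Gradient descent on E = 1/2 * sum((d_q - y_q)^2); returns (weights, mse, epochs)."""
    rng = random.Random(seed)
    n_in, n_out = len(patterns[0][0]), len(patterns[0][1])
    w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]
    w2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)] for _ in range(n_out)]
    for epoch in range(1, max_epochs + 1):
        sq_err = 0.0
        for x, d in patterns:
            h, y = forward((w1, w2), x)
            err = [di - yi for di, yi in zip(d, y)]
            sq_err += sum(e * e for e in err)
            # dE/dy_i = -(d_i - y_i); propagate it to the hidden layer through
            # w2 and the tanh derivative 1 - h^2 before any weight changes.
            grad_h = [(1.0 - h[j] ** 2) * sum(-err[i] * w2[i][j] for i in range(n_out))
                      for j in range(n_hidden)]
            for i in range(n_out):                        # delta w = -k * dE/dw
                for j, hj in enumerate(h + [1.0]):
                    w2[i][j] += k * err[i] * hj
            for j in range(n_hidden):
                for m, xm in enumerate(list(x) + [1.0]):
                    w1[j][m] -= k * grad_h[j] * xm
        mse = sq_err / (len(patterns) * n_out)
        if mse <= goal:                                   # error goal reached
            break
    return (w1, w2), mse, epoch

def classify(weights, x):
    """Threshold each linear output at 0.5 and look up the attack class."""
    bits = tuple(1 if y >= 0.5 else 0 for y in forward(weights, x)[1])
    return CLASSES.get(bits, "unknown")

if __name__ == "__main__":
    net, mse, epochs = train_ffnn(PATTERNS)
    print(f"stopped after {epochs} epochs, mse={mse:.5f}")
    print(classify(net, [0.9, -0.9, -1.0, -1.0]))         # constructed DOS-like record
```

An output pattern with more than one bit above the threshold maps to "unknown"; a deployed detector should surface such records for review rather than default them to normal.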

Fig 3: Training Performance of the Neural Network (performance is 0.0009997870, goal is 0.001; training curve in blue, goal in black; 1137 epochs)

After training, the generalization performance of the network is evaluated with the 6360 test data. The proposed neural network classifies 6038 data correctly, which shows an overall detection rate of 94.93%. During testing the mean square error achieved by the network is 0.0097. The performance of the network during testing is presented in Table III.

Table III: Performance of the proposed ANN model (testing performance)

Class | No. of correctly classified | Percentage of classifier accuracy
Normal | 2494 | 99.76%
DOS | 1500 | 100%
Probe | 1500 | 97.8%
R2L | 570 | 67.7%
U2R | 7 | 36.84%

Conclusion and Future Work:

In this paper, a simple feed forward neural network trained by the back propagation algorithm was developed to classify the intrusions into one of the attacks (Normal, DOS, probe, R2L, U2R). The performance of the network was tested using ten percent of the KDD cup 1999 dataset, which is available in the UCI KDD Archive, and is compared with other approaches. Test results show that the proposed approach works well in detecting Normal, DOS and probe attacks but is weak in detecting R2L and U2R cases. The weakness of neural network based approaches is that if the dimensions of the input data are very large then it is difficult for the network to interpret the relationship between inputs and outputs. The input data used in this work contains 41 input features, which may possibly have redundant data and false correlations which hinder the process of detecting intrusions. To make the neural network applicable to very large data sets, some dimensionality reduction is mandatory. Hence as an enhancement to this proposed work, future research will be directed towards the dimensionality reduction techniques which remove the unwanted input features and keep only the optimal features for training the neural network, thereby increasing the detection rate especially for the R2L and U2R type of attacks.

REFERENCE:

1) Denning DE, “An Intrusion-Detection Model”, IEEE Transactions on Software Engineering, Feb 1987, vol. SE-13, no. 2, 222-232.
2) R.P. Lippmann and R.K. Cunningham, “Improving Intrusion Detection Performance Using Keyword Selection and Neural Networks”, Computer Networks (Amsterdam, Netherlands: 1999).
3) James Cannady and Jim Mahaffey, “The application of Artificial Intelligence to Misuse Detection”, in proceedings of the first Recent Advances in Intrusion Detection (RAID) conference, 1998.
4) P. Ganesh Kumar, D. Devaraj, V. Vasudevan, “Artificial neural network for Misuse Detection In Computer Network”, proceedings of the International conference on Resource Utilization and Intelligent Systems (INCRUIS-2006), Kongu Engineering College, Perundurai, Erode, 4-6 Jan 2006, pp. 889-893.
5) DARPA Intrusion Detection Evaluation, MIT Lincoln Laboratory.
6) KDD-cup dataset, http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.htm
