Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor

Transcription

1 INL/CON PREPRINT Fuzzy Logc Bsed Anomly Detecton for Embedded Network Securty Cyber Sensor 2011 IEEE Symposum on Computtonl Intellgence n Cyber Securty Ondre Lnd Mlos Mnc Todd Vollmer Json Wrght Aprl 2011 Ths s preprnt of pper ntended for publcton n ournl or proceedngs. Snce chnges my be mde before publcton, ths preprnt should not be cted or reproduced wthout permsson of the uthor. Ths document ws prepred s n ccount of work sponsored by n gency of the Unted Sttes Government. Nether the Unted Sttes Government nor ny gency thereof, or ny of ther employees, mkes ny wrrnty, expressed or mpled, or ssumes ny legl lblty or responsblty for ny thrd prty s use, or the results of such use, of ny nformton, pprtus, product or process dsclosed n ths report, or represents tht ts use by such thrd prty would not nfrnge prvtely owned rghts. The vews expressed n ths pper re not necessrly those of the Unted Sttes Government or the sponsorng gency.

2 Fuzzy Logc Bsed Anomly Detecton for Embedded Network Securty Cyber Sensor Ondre Lnd, Mlos Mnc Unversty of Idho Idho Flls, ID, USA Todd Vollmer, Json Wrght Idho Ntonl Lbortory Idho Flls, ID, USA Abstrct Reslency nd securty n crtcl nfrstructure control systems n the modern world of cyber terrorsm consttute relevnt concern. Developng network securty system specfclly tlored to the requrements of such crtcl ssets s of prmry mportnce. Ths pper proposes novel lernng lgorthm for nomly bsed network securty cyber sensor together wth ts hrdwre mplementton. The presented lernng lgorthm constructs fuzzy logc rule bse modelng the norml network behvor. Indvdul fuzzy rules re extrcted drectly from the strem of ncomng pckets usng n onlne clusterng lgorthm. Ths lernng lgorthm ws specfclly developed to comply wth the constrned computtonl requrements of low-cost embedded network securty cyber sensors. The performnce of the system ws evluted on set of network dt recorded from n expermentl test-bed mmckng the envronment of crtcl nfrstructure control system. Keywords- Anomly Detecton; Cyber Sensor; Embedded Systems; Fuzzy Logc System; Onlne Clusterng; I. INTRODUCTION Crtcl nfrstructure control systems, typclly composed of nterconnected computer-bsed sttons, exchnge crucl nformton v the computer network. These crtcl components, whch cn be found n systems such s SCADA or nucler power plnts, consttute focus of n ncresed cyber securty [1], [2]. Brekng nto such systems wth network ntruson ttcks cn hve severe effects on multple levels, such s securty, publc sfety, ndustrl or economcl. The dnger s even hgher consderng tht crtcl nfrstructures re not mmune to these threts nd tht they possbly my be more vulnerble thn common nformton technology systems [3]. Therefore, network trffc nomly detecton for crtcl nfrstructures s n obvous need [4]. Network ntruson detecton systems orgnted n 1980 s nd n the semnl work of Dennng [5], [6]. Generlly spekng, two knds of IDS cn be found; nomly detecton nd sgnture bsed detecton systems. Sgnture bsed detecton system ttempt to mtch the observed behvor gnst dtbse of known ttck sgntures. On the other hnd, n nomly bsed detecton system seeks devtons from the lerned model of norml behvor [7], [8]. The system bulds representtve model exclusvely bsed on the prevously collected norml behvor. The system s cpble Fg. 1 Schemtc dgrm of the network securty cyber sensor [20]. of detectng novel nd dynmclly chngng ntruson nstnces, ssumng tht these re substntlly dfferent from the model of norml behvor. Unfortuntely, ny norml cceptble behvor not ncluded n the trnng set wll lkely not mtch the model nd generte flse lrm. Hence, cqurng descrptve trnng dtset s of crucl mportnce. The nomly detecton pproch s dopted n the presented pper. Computtonl ntellgence technques hve been extensvely ppled to the problem of network ntruson detecton [7], [9]. Technques such s rtfcl neurl networks [10] [13], support vector mchnes [14], genetc lgorthms [15], fuzzy logc [16], [17] or unsupervsed clusterng [18]-[20], proved to be powerful lernng tools for modelng the network behvor. The ttrctveness of computtonl ntellgence comes from the blty to lern from mult-dmensonl non-lner dt [9]. The presented pper proposes lernng lgorthm for fuzzy logc bsed nomly detecton system specfclly developed for the constrned resources of embedded network securty cyber sensors [21]. A schemtc vew of the presented system s depcted n Fg. 1. Here the mplemented cyber sensor cretes secure zone round the control system. The lernng lgorthm bulds fuzzy rule bse, whch descrbes the prevously seen norml network communcton behvorl ptterns. Ths fuzzy rule bse s constructed drectly from the strem of ncomng pckets usng the onlne verson of the nerest neghbor clusterng lgorthm. Subsequently, the set of extrcted clusters s trnsformed nto ndvdul fuzzy rules. Moreover, the lgorthm cn be retrned on newly vlble norml behvor dt, whle

3 mntnng the prevously cqured knowledge. The performnce of the lgorthm ws tested on n expermentl test-bed mmckng the crtcl nfrstructure control system. The rest of the pper s structured s follows. Secton II provdes bref overvew of fuzzy logc systems nd the nerest neghbor clusterng lgorthm. The consdered hrdwre pltform for the embedded network securty devce s descrbed n Secton III. Secton IV nd V expln the network behvor feture extrcton technque nd the proposed nomly detecton lgorthm, respectvely. The system s expermentlly evluted n Secton VI nd Secton VII concludes the pper. II. BACKGROUND OVERVIEW Ths secton provdes bref bckground overvew of fuzzy logc systems nd the nerest neghbor clusterng lgorthm. A. Fuzzy Logc Systems Fuzzy logc hs been orgnlly proposed by Zdeh s tool for delng wth lngustc uncertnty nd vgueness ubqutous n the mprecse menng of words [23]. A Fuzzy Logc System (FLS) s composed of four prmry prts nput fuzzfcton, fuzzy nference engne, fuzzy rule bse nd output defuzzfcton, s depcted n Fg. 2. The Mmdn FLS consdered n ths work mntns fuzzy rule bse populted wth fuzzy lngustc rules n n mplctve form. Consder rule R k tht s descrbed s follows [24], [25]: Rule R k : IF x 1 s k k A n A 1 AND AND x n s THEN y k s B k (1) Here, symbol A k nd B k denote the th nput fuzzy set nd the output fuzzy set of the k th rule, respectvely, n s the dmensonlty of the nput vector x nd y k s the ssocted output vrble. Ech element of the nput vector x s frst fuzzfed usng the respectve fuzzy membershp functon (e.g. Gussn, trngulr, trpezodl, etc.). The fuzzfcton of nput vlue x nto fuzzy set A yelds fuzzy membershp grde k ( x ). Usng the mnmum t-norm the degree of A frng of rule R k cn be clculted s: ( x) mn{ k ( x )}, 1... n R k Fg. 2 Fuzzy logc system. A After pplyng the rule frng strength v the t-norm opertor to ech rule consequent, the output fuzzy sets re ggregted usng the t-conorm opertor (e.g. the mxmum (2) opertor) resultng n output fuzzy set B. For detled descrpton of the fuzzy nference process refer to [24], [25]. In order to obtn the crsp output vlue, one of the vlble defuzzfcton technques s ppled. Upon dscretzng the output domn nto N smples, for exmple the centrod defuzzfer cn be ppled: y N 1 N 1 y ( y ) B B ( y ) B. Nerest Neghbor Clusterng The Nerest Neghbor Clusterng (NNC) lgorthm s n unsupervsed clusterng technque [9]. The clusterng process s controlled by n estblshed mxmum cluster rdus prmeter. The smller the rdus the more clusters wll be generted nd vce vers. Assume n nput dtset X composed of N nput ptterns denoted s: n X x 1,..., x N, x (4) Here, n denotes the dmensonlty of the nput domn. Vector x cn be expressed s x { 1,..., n x x }. Ech cluster consttutes prototype of smlr nstnces, subect to specfc smlrty mesure. The Euclden dstnce smlrty mesure s consdered n ths work. Ech cluster P s descrbed by ts Center Of Grvty (COG) c nd ts ssocted weght w. The weght w stores the number of ptterns prevously ssgned to cluster P. Followng ths notton, cluster P cn be expressed s: P, n c, w, c w The lernng process of the NNC lgorthm begns by cretng n ntl cluster P 1 t the locton of the frst nput pttern x 1. Next, nput ptterns from dtset X re selected n sequentl mnner. The nerest prototype from the set of vlble clusters s determned for ech nstnce. For n nput pttern x, the nerest cluster P s determned usng the Euclden dstnce norm: dst n n 2 c, x mn c x... c x, 1 C Here, C denotes the number of currently cqured clusters. Usng the mxmum cluster rdus prmeter - rd, the nput pttern x s ssgned to cluster P f the followng condton holds: dstc, x rd. In ths cse, the prmeters of cluster P re updted s: (3) (5) (6)

4 Fg. 3 Photo of the TOFINO network securty cyber sensor plugged-n nto the test system. c w c x w 1, w w 1 If dstc, x rd, new cluster s creted t the locton of nput pttern x, nd ts weght s set to 1. III. EMBEDDED NETWORK SECURITY CYBER SENSOR The Tofno embedded network securty devce, depcted n Fg. 3, s mnufctured by Byres Securty Inc. [22]. Orgnlly, the devce ws developed for pre-emptve thret detecton, termnton nd reportng, specfclly tlored for the needs of SCADA nd ndustrl control systems. Its mor dvntges re prmrly ts low-cost nd ese of deployment n rel world systems. In the presented work, the Tofno cyber sensor ws used s n embedded development pltform for mplementton of the proposed nomly bsed detecton lernng lgorthm. The Tofno pltform conssts of n Arcom Vulcn sngle bord computer. The mn processor s n Intel IXP425 XScle processor runnng t 533MHz wth 64MB of DRAM nd 32MB of flsh memory. The Intel IXP425 XScle s bsed on n ARM V5TE nstructon set [26]. Two Ethernet ports re provded long wth two USB ports. The Ethernet ports re used n processng pcket dt nd the USB ports re used for storge of sttstcs. The opertng system s bsed on the OpenWRT dstrbuton of Lnux. One of the specfcs of ths embedded pltform s tht the Intel IXP425 XScle processor used n the Tofno pltform does not hve flotng pont unt (FPU). Insted, the flotng pont rthmetc used n the presented lgorthm s emulted. Future work wll nclude modfcton of the current mplementton to use fxed pont (nteger) rthmetc. Dependng on the mplementton, lrge performnce gn my be cheved by usng the SIMD Multply-Accumulte unt coprocessor unt vlble on the IXP425. Ths coprocessor llows 16x32 multply-ccumulte opertons to complete n sngle cycle. Whle not of utmost concern n n cdemc settng, the mplementton of the proposed lgorthm on hrdwre pltform s relevnt. Sommer nd Pxson [7] rgue tht t n (7) terms of cpbltes nd lmttons t s mportnt to obtn nsght nto the performnce of n nomly detecton system from n opertonl pont of vew. The focused mplementton s here t very low level wth n envsoned deployment ust before some crtcl equpment, such s Progrmmble Logc Controller (PLC). Wth the ncresngly common usge of network bsed control systems nd the current deployment of smrt grd systems hundreds, thousnds nd possbly mllons of devces wll be nterconnected. Ths mkes the cost nd relblty of n mplemented hrdwre soluton relevnt concern. In ddton, the proposed hrdwre mplementton of the embedded network securty cyber sensor provdes performnce bselne tht mght prove useful for comprson n future work. IV. DATA ACQUISITION AND FEATURE EXTRACTION Ths secton descrbes the network dt cquston process nd revews the prevously publshed wndow bsed feture extrcton technque. A. Control System Expermentl Test-Bed The hrdwre expermentl test-bed system tht ws used for network dt cquston represents severl spects of n opertonl control system, such s opertonl control structure, control system network nd hrdwre control of ctul physcl processes. RSVew32, Rockwell Softwre HMI product, provdes n ntegrted component bsed nterfce for montorng of the system behvor. The nterfce runs on Wndows XP lptop connected v n IPv4 network. A Mox EDS-505A operted Ethernet swtch provdes network connectvty for the controller. Ths swtch s mounted on DIN-Rl nd powered by the control system source. All network trffc to nd from the controller s trnsported v the swtch. Port mrrorng hs been enbled on the control trffc port connected to the HMI mchne. A Lnux lptop wth the tcpdump softwre pplcton ws Fg. 4 Network dt cquston setup. A PLC s connected through hub to the control PC stton usng n Ethernet network.

5 Fg. 5 Wndow bsed feture extrcton process [13]. TABLE I SELECTED WINDOW-BASED FEATURES Num. of IP ddresses Num. pckets wth 0 wn. sze Avg. ntervl between pckets Num. pckets wth 0 dt length Num. of protocols Averge wndow sze Num. of flg codes Averge dt length ttched to the mrror port llowng for network trffc cpturng nd montorng. Fnlly, second Lnux-bsed lptop representng the ttcker-compromsed mchne ws ttched to thrd port. All nomlous trffc ws nstntted from ths mchne. The control system tself conssts of n Allen-Brdley McroLogx 1100 PLC [27]. Attched to the PLC re 6 lghted buttons, 7 lghts, 2 potento-meters, 2 temperture sensors nd smll electrc fn consttutng both dgtl nd nlog nput/output ponts. All of the tems re cpble of beng controlled ndvdully from the PLC or drectly by pressng button. The expermentl s depcted n Fg. 4. B. Feture Extrcton from Pcket Strem In prevous work of the uthors, n Artfcl Neurl Network (ANN) bsed ntruson detecton system ws developed [13]. The ANN ws trned on sub-set of vlble network trffc fetures extrcted by wndow-bsed feture extrcton technque ppled drectly to the strem of pckets. Ths feture extrcton technque s lso utlzed n the presented work. Here, the nherent tme seres nture of the pcket strem dt s descrbed by vector cpturng the sttstcl behvor of the network trffc. The ppled wndow segments the pcket strem nd montors only lmted set of consecutve pckets. As descrbed n [13], wndow of specfed length s beng shfted over the strem of network pckets. At ech poston of the wndow feture vector r s computed from ll the pckets v currently presented n the wndow. The next rrvng pcket s pushed nto the wndow, whle the lst pcket s removed from the end. The process of wndow bsed feture extrcton s llustrted n Fg. 5. Tble I summrzes the lst of extrcted wndow-bsed sttstcl fetures. Ths set of fetures ws emprclly selected bsed on the nlyss of the recorded network trffc nd the motvton to most ccurtely cpture the tme seres nture of the pcket strem. For further detls nd evluton of the wndow bsed feture extrcton refer to [13]. V. ONLINE LEARNING FOR ANOMALY IDS Ths secton presents the lernng lgorthm for the fuzzy logc bsed nomly detecton for n embedded network securty cyber sensor. Frst, rule extrcton v dpted onlne NNC lgorthm s presented. Next, the fuzzy rule bsed norml behvor modelng s explned. A. Rule Extrcton v Onlne Clusterng The proposed rule extrcton lgorthm tkes nto ccount the constrned computtonl resources of the vlble embedded network securty cyber sensor. Other lernng pproches, such s the prevously publshed IDS-NNM lgorthm [13], pursue offlne lernng pproch once ll trnng dt hve been cqured. However, such lernng process s typclly computtonlly unfesble for the consdered embedded devces, gven the typclly encountered network trffc densty [21]. Ths pper proposes new low-cost onlne rule extrcton technque. The presented lgorthm lerns drectly from the strem of ncomng pckets. In ths mnner, the need for storng ll pcket nformton nto memory s elmnted. The fnl norml network behvor model s composed of set of fuzzy rules. Ech rule s extrcted usng n onlne verson of the dpted NNC lgorthm. The lgorthm mntns ddtonl nformton bout the spred of dt ponts ssocted wth ech cluster throughout the clusterng process. Ech cluster P of encountered norml network behvor s descrbed by ts center of grvty c, weght w nd mtrx of boundry prmeters M. Hence: 1 n c c P { c, w, M}, c { c,..., c }, M (8) c c Here, s the ndex of prtculr cluster, c s the ttrbute vlue n the th dmenson, c nd c re the upper nd lower bounds on the encountered vlues of the th ttrbute for dt ponts ssgned to cluster P nd n denotes the dmensonlty of the nput. The lgorthm mntns set of clusters. Intlly, the lgorthm strts wth sngle cluster P 1 postoned t the frst suppled trnng dt pont x 1. Ths ntl dt pont becomes vlble once the shftng wndow frst flls wth the ncomng pckets. Upon cqurng new dt pont x from the shftng wndow buffer, the set of clusters s updted ccordng to the NNC lgorthm. Frst, the Euclden dstnce to ll 1 1 n n Fg. 6 Illustrton of the non-symmetrc nput Gussn fuzzy set A.

6 vlble clusters wth respect to the new nput feture vector x s clculted. The nerest cluster P s dentfed. If the computed nerest dstnce s greter thn the estblshed mxmum cluster rdus prmeter, new cluster s creted. Otherwse the nerest cluster P s updte smlrly s n (7): w c x c, w w 1 w 1 (9) c mx( x, c ), c mn( x, c ) 1... n (10) Hence, the modfed NNC lgorthm lso keeps trck of the lower nd upper bounds of the encountered nput vlues n ech dmenson for every cluster. If the nerest cluster s further wy thn the estblshed mxmum cluster rdus, new cluster s creted ccordng to the stndrd NNC lgorthm. B. Fuzzy Rule Bsed Behvor Modelng Once the rule extrcton phse of the lernng process s fnlzed (e.g. user decson, tme lmt, lmt on the number of pckets, etc.), the lernng lgorthm mntns fnl set of clusters tht descrbe the norml network communcton behvorl ptterns observed n the provded trnng dt. In the next phse of the lgorthm, ech cluster s converted nto fuzzy logc rule. Ech fuzzy rule descrbes the belongng of prtculr sub-regon of the mult-dmensonl nput spce to the clss of norml behvor. An n-dmensonl cluster P s trnsformed nto ts ssocted fuzzy rule R s follows. Rule R s composed of n ntecedent fuzzy sets A, 1... n. Ech fuzzy set A, locted n the th dmenson of the nput spce, s modeled usng nonsymmetrcl Gussn fuzzy membershp functon wth dstnct left nd rght stndrd devtons. There re three prmeters of the membershp functon, nmely men m nd the left nd the rght stndrd devtons,, s shown n Fg. 6. The prmeter vlues re extrcted bsed on the computed cluster P n the followng mnner: m c (11) ( c c ) (12) ( c c ) (13) Here, symbol denotes the fuzzness prmeter, whch s used to dust the spred of the membershp functons. Usng the mnmum t-norm, the frng strength of fuzzy rule R s then computed s: ( x) mn{ ( x )} (14) R 1... n In ths specfc pplcton, the output of the fuzzy rule s sngleton fuzzy set ssgnng the nput pttern to the norml behvor clss. Hence, n ths specl cse the fred output of prtculr fuzzy rule s ctully ts own frng strength R (x). The fnl output decson y of the nomly detecton system s obtned by pplyng to mxmum t-conorm to the output of ll vlble rules: y( x) mx ( x) (15) 1... C Here, C denotes the number of extrcted fuzzy rules. The vlue of the output y denotes the degree of belongng of nput pttern x to the clss of norml behvor. By pplyng crsp decson threshold the nput pttern cn be lbeled s ether nomlous or norml network behvor. R A () (b) (c) (d) (e) (f) Fg. 7 Prmeter control nlyss of the proposed nomly detecton lgorthm. Fgures show the number of generted clusters (), correct clssfcton rte (b), zoomed-n vew of the clssfcton rte (c), flse postve rte (d), flse negtve rte (e), nd zoomed-n vew of the flse negtve rte (f) for dfferent vlues of wndow sze nd mxmum cluster rdus prmeters.

7 () (b) (c) Fg. 8 Prmeter control nlyss of the proposed nomly detecton lgorthm. Fgures show the correct clssfcton rte (), the flse negtve rte (b), nd the flse postve rte (c) for dfferent vlues of wndow sze nd the senstvty threshold. VI. EXPERIMENTAL RESULTS Ths secton frst descrbes the cqured expermentl dtsets. Next, the sutble vlues of control prmeters re found by nlyzng ther mpct on the performnce of the lgorthm. Fnlly, the clssfcton performnce s evluted on the cqured testng dtsets. A. Expermentl Dtsets The Nmp [28] nd Nessus [29] softwre utltes were used to crete nomlous network trffc behvor n n ttempt to emulte the probes of cyber ttcker. Nmp s network scnnng tool commonly used to dentfy hosts, scn ports, opertng systems nd to determne pplctons tht re lstenng on open ports. It hs mny optons nd provdes useful reconnssnce nformton for determnng further courses of cton. Nessus s network scnnng tool tht provdes udtng cpbltes, vulnerblty ssessments nd proflng nformton. In ddton to generl computer relted ssessments, control system specfc vulnerbltes re vlble nd were used on the prevously descrbed expermentl test-bed. The smulted ntruson ttempts nclude: ARP pngs, SYN stelth scns, port scnnng, open port dentfcton nd others. Cyber ttcks rnged from long ttcks composed of mny pckets to very short ntruson sequences. Two sets of expermentl dt hve been recorded. The recorded trnng set s composed of 6 dtset wth only norml network behvor. Overll, 60,661 pckets of norml network trffc were cqured ncludng speclzed norml behvor such s system ntlzton nd system component reconnecton. The second set s testng set composed of 11 dtsets, whch nclude smulted bnorml behvor. Overll 213,924 pckets hve been recorded. B. Prmeter Tunng The performnce of the presented nomly detecton lgorthm depends on the vlues of severl control prmeters: ) wndow sze of the wndow feture extrcton, ) mxmum cluster rdus for the onlne NNC lgorthm, ) the fuzzness prmeter of the fuzzy membershp functons, nd v) the vlue of the crsp threshold for norml/nomly trffc lbelng. The correct clssfcton, the flse negtve nd the flse postve rtes were used s performnce mesures. The correct clssfcton rte s the percentge of the overll correctly clssfed dt nstnces. The flse negtve rte s the rto of ncorrectly lbeled norml behvor nputs nd the overll number of norml behvor nstnces. The flse postve rte s the rto of ncorrectly lbel nomlous nputs nd the overll number of nomles. Fg. 7 nd Fg. 8 depct the performnce for dfferent vlues of wndow sze, mxmum cluster rdus nd the crsp decson threshold. Fg. 7() shows the number of generted clusters. Ths number monotonclly ncreses wth the decresng mxmum cluster rdus nd reches ts mxmum for wndow sze round 6. The more clusters generted, the more detled the model. However, more detled model ncreses the chnce of overfttng nd requres ddtonl computtonl tme. From Fg. 7(b)-(f) t cn be seen tht the clssfcton performnce prmrly depends on the wndow sze. Smll vlues of wndow sze (e.g. 2, 4 or 6) generte ncresed number of flse negtves wth non-zero flse postve rte (~4%). From the detled vew n Fg. 7(c) nd Fg. 7(f) t s pprent tht there s slght grdent towrds smller vlues of wndow sze. Hence, vlues of wndow sze round 10 seem to yeld optml results for the gven dtsets. () (b) (c) Fg. 9 Anomly detecton performnce on dtset 1 for vlues of prmeter = 0.5 (), 1 (b), nd 2.0 (c).

8 () (b) (c) Fg. 10 Anomly detecton performnce of the proposed lgorthm on segments of pckets from dtsets 2 (), 3 (b), nd 4 (c). Thn lne represents system decson, thck lne denotes the known nomlous behvor. Fg. 8 nvestgtes the nfluence of the crsp decson threshold nd the wndow sze. Hgh rtes of both flse postves nd negtves cn be gn seen for smller vlues of wndow sze nd for smller vlues of decson threshold. The fgures demonstrte tht wth wndow sze of pproxmtely 20 pckets, the lgorthm s lest senstve to the vlue of the crsp decson threshold. Ths s lkely to be where the best seprton between norml nd nomly behvor s obtned. The nfluence of the fuzzness prmeter of the membershp functon s brefly demonstrted n Fg. 9. Here, the response of the lgorthm ppled to dtset 1 (thn lne s lgorthm output, thck lne mrks known ntrusons) s plotted. It cn be observed tht smller vlues of the fuzzness prmeter produce nrrower membershp functons, whch tend to reect more nstnces of more unusul norml behvor. However, lrger vlues of the fuzzness prmeters would eventully led to ncresed flse postve rte s nomly nstnces would become less dstnct from the norml behvor. In summry, the followng prmeters hve been selected s the optml vlues for the cqured expermentl dt: wndow sze = 20, mxmum cluster rdus = 0.01, the fuzzness prmeter = 2.0, nd crsp threshold = 0.9. TABLE II CLASSIFICATION PERFORMANCE OF THE FUZZY LOGIC BASED ANOMALY DETECTION ALGORITHM ON DIFFERENT DATASETS Dtsets Number of Pckets Clssfcton Rte Flse Negtves Flse Postves Processng Tme per Pcket Dt 1 35, % 1.485% % ms Dt 2 29, % % % ms Dt 3 34, % % % ms Dt 4 13, % % % ms Dt 5 10, % % % ms Dt 6 5, % % % ms Dt 7 7, % % % ms Dt 8 23, % % % ms Dt 9 24, % % % ms Dt 10 15, % % % ms Dt 11 15, % % % ms Sum / Averge 213, % % % ms

9 C. Clssfcton Performnce Evluton The fuzzy logc bsed nomly detecton lgorthms ws ppled to the 11 cqured testng dtsets. The lgorthm ws trned on the 6 trnng dtsets composed of 60,661 norml behvor pckets. The trnng took s resultng n potentlly mxmum processng speed of over 5,000 pckets per second. Altogether 71 fuzzy rules were extrcted. The clssfcton performnce s summrzed n Tble II. Here, the clssfcton rte, the flse negtve nd the flse postve rtes re depcted for ech dtset nd the verge vlues re clculted. It cn be observed tht the lgorthm mntned 0% flse postve rte nd 0.9% verge flse negtve rte. Hence, no ntruson ttempts were mssed, whle mntnng low flse negtve rte. Fg. 10 vsully demonstrtes the clssfcton of dtsets 2, 3 nd 4. The thn lne denotes the predcton of the nomly detecton system nd the thck lne bove the system response mrks the known occurrence of the nomlous behvor. It cn be seen tht the proposed nomly detecton system responded well to both long nd short ntruson ttempts. VII. CONCLUSION Ths pper presented novel fuzzy logc bsed nomly detecton lgorthm for embedded network securty cyber sensors. The nomly detecton lgorthm ws specfclly desgned to llow for both fst lernng nd fst clssfcton on the constrned computtonl resources of the embedded devce. The lgorthm extrcts fuzzy rules usng n dpted verson of the onlne nerest neghbor clusterng lgorthm drectly to the strem of pckets. The proposed lgorthm ws tested on n expermentl testbed mmckng the envronment of crtcl nfrstructure control system wth emulted probes of cyber ttcker. The control prmeters of the presented lgorthm were tuned v performnce nlyss. The fnl performnce evluton ws performed on set of 11 test dtsets wth over 200,000 pckets wth wde rnge of nomlous network behvor. The expermentl nlyss yelded 99.36% correct clssfcton rte wth 0.0% flse postve rte nd 0.9% flse negtve rtes. The prmry drecton for future work ncludes ncorportng type-2 fuzzy logc nto the lgorthm desgn, fusng the nomly-detecton bsed system wth ntruson sgntures to mprove the clssfcton performnce nd deployng the lgorthm n rel opertonl settngs. REFERENCES [1] D. Yng, A. Usynn, J. W. Hnes, Anomly-Bsed Intruson Detecton for SCADA Systems, n Proc. of 5 th Intl. Topcl Meetng on Nucler Plnt Instrumentton, Control nd Humn Mchne Interfce Technologes (NPIC&HMIT 05), Albuquerque, NM, Nov 12-16, [2] H. S. Km, J. M. Lee, T. Prk, W. H. Kwon, Desgn of networks for dstrbuted dgtl control systems n nucler power plnts, Intl. Topcl Meetng on Nucler Plnt Instrumentton, Controls, nd Humn- Mchne Interfce Technologes (NPIC&HMIT 2000), Wshngton, DC, November [3] Dn A. She, Crtcl Infrstructure: Control Systems nd the Terrorst Thret, Report for Congress RL31534, Februry, [4] C. G. Reger, D. I. Gertmn, M. A. McQueen, Reslent Control Systems: Next Generton Desgn Reserch, n Proc. 2 nd IEEE Conf. on Humn System Interctons, Ctn, Itly, pp , My [5] J. P. Anderson, Computer securty thret montorng nd survellnce, Techncl report, Jmes P. Anderson Co, [6] D. E. Dennng, An Intruson Detecton Model, n IEEE Trns. on Softwre Engneerng,vol. SE-13, pp , Februry [7] R. Sommer, V. Pxson, Outsde the Closed World: On Usng Mchne Lernng For Network Intruson Detecton, n Proc. of IEEE Symp. on Securty nd Prvcy, Oklnd, Clforn, pp , [8] V. Chndol, A. Bneree, V. Kumr, Anomly Detecton: A Survey, Techncl Report, Unversty of Mnnesot, [9] I. H. Wtten, E. Frnk, Dt Mnng: Prctcl Mchne Lernng Tools nd Technques, Morgn Kufmnn Publshers, [10] Z. Zhng, J. L, C. Mnkopulos, J. Jorgenson, J. Ucles, HIDE: Herrchcl Network Intruson Detecton System Usng Sttstcl Preprocessng nd Neurl Network Clssfcton, n Proc. IEEE Workshop on Informton Assurnce nd Securty, [11] J. Ryn, M. Lln, R. Mkkulnen, Intruson Detecton wth Neurl Networks, n Advnces n Neurl Informton Processng Systems 10, Cmbrdge, MA, MIT Press, [12] H. Debr, B Dorzz, An Applcton of Recurrent Network to n Intruson Detecton System, n Proc. of the Interntonl Jont Conference on Neurl Networks, pp [13] O. Lnd, T. Vollmer, M. Mnc, Neurl Network Bsed Intruson Detecton System for Crtcl Infrstructures, n Proc. Int. Jont INNS- IEEE Conf. on Neurl Networks, Atlnt, Georg, June 14-19, [14] W. Hu, Y. Lo, V. R. Vemur, Robust Anomly Detecton Usng Support Vector Mchnes, n Proc. Interntonl Conference on Mchne Lernng, [15] G. Sten, B. Chen, A. S. Wu, K. A. Hu, Decson Tree Clssfer For Network Intruson Detecton Wth GA-bsed Feture Selecton, n Proc. of the 43 rd ACM Southest Conference, Kennesw, GA, Mrch [16] F. Gonzlez, D. Dsgupt, J. Gomez, M. Kngnt, An Evolutonry Approch to Generte Fuzzy Anomly Sgntures, n Proc. the IEEE Informton Assurnce Workshop, June [17] J. Gomez, D. Dsgupt, F. Gonzlez, Detectng Cyber Attcks wth Fuzzy Dt Mnng Technques, n Proc. of the Workshop on Dt Mnng for Counter Terrorsm nd Securty, 3 rd SIAM Conference on Dt Mnng, Sn Frncsco, CA, My, [18] S. Zhong, T. Khoshgoftr, N. Sely, Clusterng-bsed network ntruson detecton, n Intl. Journl of Relblty, Qulty nd Sfety, Vol. 14, No. 2, 2007, pp [19] Q. Wng, V. Mehlookonomou, A Clusterng Agorthm for Intruson Detecton, n SPIE Conference on Dt Mnng, Intruson Detecton, Informton Assurnce, nd Dt Networks Securty, Orlndo, Flord, USA, [20] L. Portnoy, E. Eskn, S. Solfo, Intruson detecton wth unlbeled dt usng clusterng, n Proc. Of ACM CSS Workshop on Dt Mnng Appled Securty, Phldelph, PA, November 5-8, [21] R. Sommer, V. Pxson, N. Wever, An rchtecture for explotng mult-core processor to prllelze network ntruson preventon, Concurrency Computton: Prctce nd Experence, 21: , [22] Tofno webpge [URL], Avlble: from October [23] L. A. Zdeh, Fuzzy Sets, n Informton nd Control, vol. 8, pp , [24] J. M. Mendel, Uncertn Rule-Bsed Fuzzy Logc Systems: Introducton nd New Drectons, Upper Sddle Rver, NJ: Prentce Hll PTR, [25] G. J. Klr, B. Yun, Fuzzy Sets nd Fuzzy Logc Theory nd Applctons, Prentce Hll, New York, [26] Intel Corporton, Dtsheet Intel IXP42X Product Lne of Network Processors nd IXC1100 Control Plne Processor, June [27] Alln Brdley PLC 5 Controller webpge, Avlble: from October [28] Nmp webpge [URL], Avlble: from October [29] Nessus webpge [URL], Avlble: from October 2010.