Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor


INL/CON PREPRINT

Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor
2011 IEEE Symposium on Computational Intelligence in Cyber Security
Ondrej Linda, Milos Manic, Todd Vollmer, Jason Wright
April 2011

This is a preprint of a paper intended for publication in a journal or proceedings. Since changes may be made before publication, this preprint should not be cited or reproduced without permission of the author. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights. The views expressed in this paper are not necessarily those of the United States Government or the sponsoring agency.
Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor

Ondrej Linda, Milos Manic, University of Idaho, Idaho Falls, ID, USA
Todd Vollmer, Jason Wright, Idaho National Laboratory, Idaho Falls, ID, USA

Abstract: Resiliency and security in critical infrastructure control systems in the modern world of cyber terrorism constitute a relevant concern. Developing a network security system specifically tailored to the requirements of such critical assets is of primary importance. This paper proposes a novel learning algorithm for an anomaly based network security cyber sensor together with its hardware implementation. The presented learning algorithm constructs a fuzzy logic rule base modeling the normal network behavior. Individual fuzzy rules are extracted directly from the stream of incoming packets using an online clustering algorithm. This learning algorithm was specifically developed to comply with the constrained computational requirements of low-cost embedded network security cyber sensors. The performance of the system was evaluated on a set of network data recorded from an experimental test-bed mimicking the environment of a critical infrastructure control system.

Keywords: Anomaly Detection; Cyber Sensor; Embedded Systems; Fuzzy Logic System; Online Clustering

I. INTRODUCTION

Critical infrastructure control systems, typically composed of interconnected computer-based stations, exchange crucial information via the computer network. These critical components, which can be found in systems such as SCADA or nuclear power plants, constitute a focus of increased cyber security [1], [2]. Breaking into such systems with network intrusion attacks can have severe effects on multiple levels, such as security, public safety, industrial or economical. The danger is even higher considering that critical infrastructures are not immune to these threats and that they possibly may be more vulnerable than common information technology systems [3]. Therefore, network traffic anomaly detection for critical infrastructures is an obvious need [4]. Network intrusion detection systems originated in the 1980s and in the seminal work of Denning [5], [6].
Generally speaking, two kinds of IDS can be found: anomaly detection and signature based detection systems. Signature based detection systems attempt to match the observed behavior against a database of known attack signatures. On the other hand, an anomaly based detection system seeks deviations from the learned model of normal behavior [7], [8]. The system builds a representative model exclusively based on the previously collected normal behavior. The system is capable of detecting novel and dynamically changing intrusion instances, assuming that these are substantially different from the model of normal behavior. Unfortunately, any normal acceptable behavior not included in the training set will likely not match the model and will generate a false alarm. Hence, acquiring a descriptive training dataset is of crucial importance. The anomaly detection approach is adopted in the presented paper.

[Fig. 1 Schematic diagram of the network security cyber sensor [20].]

Computational intelligence techniques have been extensively applied to the problem of network intrusion detection [7], [9]. Techniques such as artificial neural networks [10]-[13], support vector machines [14], genetic algorithms [15], fuzzy logic [16], [17] or unsupervised clustering [18]-[20] proved to be powerful learning tools for modeling the network behavior. The attractiveness of computational intelligence comes from the ability to learn from multi-dimensional non-linear data [9]. The presented paper proposes a learning algorithm for a fuzzy logic based anomaly detection system specifically developed for the constrained resources of embedded network security cyber sensors [21]. A schematic view of the presented system is depicted in Fig. 1. Here the implemented cyber sensor creates a secure zone around the control system. The learning algorithm builds a fuzzy rule base, which describes the previously seen normal network communication behavioral patterns. This fuzzy rule base is constructed directly from the stream of incoming packets using the online version of the nearest neighbor clustering algorithm. Subsequently, the set of extracted clusters is transformed into individual fuzzy rules. Moreover, the algorithm can be retrained on newly available normal behavior data, while
maintaining the previously acquired knowledge. The performance of the algorithm was tested on an experimental test-bed mimicking a critical infrastructure control system. The rest of the paper is structured as follows. Section II provides a brief overview of fuzzy logic systems and the nearest neighbor clustering algorithm. The considered hardware platform for the embedded network security device is described in Section III. Sections IV and V explain the network behavior feature extraction technique and the proposed anomaly detection algorithm, respectively. The system is experimentally evaluated in Section VI and Section VII concludes the paper.

II. BACKGROUND OVERVIEW

This section provides a brief background overview of fuzzy logic systems and the nearest neighbor clustering algorithm.

A. Fuzzy Logic Systems

Fuzzy logic was originally proposed by Zadeh as a tool for dealing with the linguistic uncertainty and vagueness ubiquitous in the imprecise meaning of words [23]. A Fuzzy Logic System (FLS) is composed of four primary parts: input fuzzification, fuzzy inference engine, fuzzy rule base and output defuzzification, as depicted in Fig. 2. The Mamdani FLS considered in this work maintains a fuzzy rule base populated with fuzzy linguistic rules in an implicative form. Consider rule $R^k$ that is described as follows [24], [25]:

Rule $R^k$: IF $x_1$ is $A_1^k$ AND ... AND $x_n$ is $A_n^k$ THEN $y^k$ is $B^k$   (1)

Here, symbols $A_i^k$ and $B^k$ denote the $i$-th input fuzzy set and the output fuzzy set of the $k$-th rule, respectively, $n$ is the dimensionality of the input vector $\mathbf{x}$ and $y^k$ is the associated output variable. Each element of the input vector $\mathbf{x}$ is first fuzzified using the respective fuzzy membership function (e.g. Gaussian, triangular, trapezoidal, etc.). The fuzzification of input value $x_i$ into fuzzy set $A_i^k$ yields a fuzzy membership grade $\mu_{A_i^k}(x_i)$. Using the minimum t-norm the degree of firing of rule $R^k$ can be calculated as:

$\mu_{R^k}(\mathbf{x}) = \min_{i=1,\dots,n}\{\mu_{A_i^k}(x_i)\}$   (2)

[Fig. 2 Fuzzy logic system.]

After applying the rule firing strength via the t-norm operator to each rule consequent, the output fuzzy sets are aggregated using the t-conorm operator (e.g. the maximum operator), resulting in the output fuzzy set $B$.
For a detailed description of the fuzzy inference process refer to [24], [25]. In order to obtain the crisp output value, one of the available defuzzification techniques is applied. Upon discretizing the output domain into $N$ samples, for example the centroid defuzzifier can be applied:

$y = \dfrac{\sum_{i=1}^{N} y_i\,\mu_B(y_i)}{\sum_{i=1}^{N} \mu_B(y_i)}$   (3)

B. Nearest Neighbor Clustering

The Nearest Neighbor Clustering (NNC) algorithm is an unsupervised clustering technique [9]. The clustering process is controlled by an established maximum cluster radius parameter. The smaller the radius, the more clusters will be generated, and vice versa. Assume an input dataset $X$ composed of $N$ input patterns denoted as:

$X = \{\mathbf{x}_1,\dots,\mathbf{x}_N\},\ \mathbf{x}_i \in \mathbb{R}^n$   (4)

Here, $n$ denotes the dimensionality of the input domain. Vector $\mathbf{x}_i$ can be expressed as $\mathbf{x}_i = \{x_i^1,\dots,x_i^n\}$. Each cluster constitutes a prototype of similar instances, subject to a specific similarity measure. The Euclidean distance similarity measure is considered in this work. Each cluster $P_j$ is described by its Center Of Gravity (COG) $\mathbf{c}_j$ and its associated weight $w_j$. The weight $w_j$ stores the number of patterns previously assigned to cluster $P_j$. Following this notation, cluster $P_j$ can be expressed as:

$P_j = \{\mathbf{c}_j, w_j\},\ \mathbf{c}_j \in \mathbb{R}^n,\ w_j \in \mathbb{N}$   (5)

The learning process of the NNC algorithm begins by creating an initial cluster $P_1$ at the location of the first input pattern $\mathbf{x}_1$. Next, input patterns from dataset $X$ are selected in a sequential manner. The nearest prototype from the set of available clusters is determined for each instance. For an input pattern $\mathbf{x}_i$, the nearest cluster $P_j$ is determined using the Euclidean distance norm:

$\mathrm{dist}(\mathbf{c}_j,\mathbf{x}_i) = \min_{j=1,\dots,C}\sqrt{(c_j^1 - x_i^1)^2 + \dots + (c_j^n - x_i^n)^2}$   (6)

Here, $C$ denotes the number of currently acquired clusters. Using the maximum cluster radius parameter $rad$, the input pattern $\mathbf{x}_i$ is assigned to cluster $P_j$ if the following condition holds: $\mathrm{dist}(\mathbf{c}_j,\mathbf{x}_i) \le rad$. In this case, the parameters of cluster $P_j$ are updated as:
$\mathbf{c}_j = \dfrac{\mathbf{c}_j w_j + \mathbf{x}_i}{w_j + 1},\quad w_j = w_j + 1$   (7)

If $\mathrm{dist}(\mathbf{c}_j,\mathbf{x}_i) > rad$, a new cluster is created at the location of input pattern $\mathbf{x}_i$, and its weight is set to 1.

[Fig. 3 Photo of the TOFINO network security cyber sensor plugged into the test system.]

III. EMBEDDED NETWORK SECURITY CYBER SENSOR

The Tofino embedded network security device, depicted in Fig. 3, is manufactured by Byres Security Inc. [22]. Originally, the device was developed for pre-emptive threat detection, termination and reporting, specifically tailored for the needs of SCADA and industrial control systems. Its major advantages are primarily its low cost and ease of deployment in real world systems. In the presented work, the Tofino cyber sensor was used as an embedded development platform for implementation of the proposed anomaly based detection learning algorithm. The Tofino platform consists of an Arcom Vulcan single board computer. The main processor is an Intel IXP425 XScale processor running at 533MHz with 64MB of DRAM and 32MB of flash memory. The Intel IXP425 XScale is based on the ARM V5TE instruction set [26]. Two Ethernet ports are provided along with two USB ports. The Ethernet ports are used in processing packet data and the USB ports are used for storage of statistics. The operating system is based on the OpenWRT distribution of Linux. One of the specifics of this embedded platform is that the Intel IXP425 XScale processor used in the Tofino platform does not have a floating point unit (FPU). Instead, the floating point arithmetic used in the presented algorithm is emulated. Future work will include modification of the current implementation to use fixed point (integer) arithmetic. Depending on the implementation, a large performance gain may be achieved by using the SIMD Multiply-Accumulate coprocessor unit available on the IXP425. This coprocessor allows 16x32 multiply-accumulate operations to complete in a single cycle. While not of utmost concern in an academic setting, the implementation of the proposed algorithm on a hardware platform is relevant. Sommer and Paxson [7] argue that, in terms of capabilities and limitations, it is important to obtain insight into the performance of an anomaly detection system from an operational point of view.
The focused implementation here is at a very low level, with an envisioned deployment just before some critical equipment, such as a Programmable Logic Controller (PLC). With the increasingly common usage of network based control systems and the current deployment of smart grid systems, hundreds, thousands and possibly millions of devices will be interconnected. This makes the cost and reliability of an implemented hardware solution a relevant concern. In addition, the proposed hardware implementation of the embedded network security cyber sensor provides a performance baseline that might prove useful for comparison in future work.

IV. DATA ACQUISITION AND FEATURE EXTRACTION

This section describes the network data acquisition process and reviews the previously published window based feature extraction technique.

[Fig. 4 Network data acquisition setup. A PLC is connected through a hub to the control PC station using an Ethernet network.]

A. Control System Experimental Test-Bed

The hardware experimental test-bed system that was used for network data acquisition represents several aspects of an operational control system, such as operational control structure, control system network and hardware control of actual physical processes. RSView32, a Rockwell Software HMI product, provides an integrated component based interface for monitoring of the system behavior. The interface runs on a Windows XP laptop connected via an IPv4 network. A Moxa EDS-505A operated Ethernet switch provides network connectivity for the controller. This switch is mounted on a DIN-Rail and powered by the control system source. All network traffic to and from the controller is transported via the switch. Port mirroring has been enabled on the control traffic port connected to the HMI machine. A Linux laptop with the tcpdump software application was
attached to the mirror port, allowing for network traffic capturing and monitoring. Finally, a second Linux-based laptop representing the attacker-compromised machine was attached to a third port. All anomalous traffic was instantiated from this machine. The control system itself consists of an Allen-Bradley MicroLogix 1100 PLC [27]. Attached to the PLC are 6 lighted buttons, 7 lights, 2 potentiometers, 2 temperature sensors and a small electric fan, constituting both digital and analog input/output points. All of the items are capable of being controlled individually from the PLC or directly by pressing a button. The experimental test-bed is depicted in Fig. 4.

B. Feature Extraction from Packet Stream

In previous work of the authors, an Artificial Neural Network (ANN) based intrusion detection system was developed [13]. The ANN was trained on a subset of available network traffic features extracted by a window-based feature extraction technique applied directly to the stream of packets. This feature extraction technique is also utilized in the presented work. Here, the inherent time series nature of the packet stream data is described by a vector capturing the statistical behavior of the network traffic. The applied window segments the packet stream and monitors only a limited set of consecutive packets. As described in [13], a window of specified length is shifted over the stream of network packets. At each position of the window a feature vector is computed from all the packets currently present in the window. The next arriving packet is pushed into the window, while the last packet is removed from the end. The process of window based feature extraction is illustrated in Fig. 5. Table I summarizes the list of extracted window-based statistical features.

[Fig. 5 Window based feature extraction process [13].]

TABLE I SELECTED WINDOW-BASED FEATURES
- Num. of IP addresses
- Num. packets with 0 win. size
- Avg. interval between packets
- Num. packets with 0 data length
- Num. of protocols
- Average window size
- Num. of flag codes
- Average data length

This set of features was empirically selected based on the analysis of the recorded network traffic and the motivation to most accurately capture the time series nature of the packet stream.
For further details and evaluation of the window based feature extraction refer to [13].

V. ONLINE LEARNING FOR ANOMALY IDS

This section presents the learning algorithm for the fuzzy logic based anomaly detection for an embedded network security cyber sensor. First, rule extraction via the adapted online NNC algorithm is presented. Next, the fuzzy rule based normal behavior modeling is explained.

A. Rule Extraction via Online Clustering

The proposed rule extraction algorithm takes into account the constrained computational resources of the available embedded network security cyber sensor. Other learning approaches, such as the previously published IDS-NNM algorithm [13], pursue an offline learning approach once all training data have been acquired. However, such a learning process is typically computationally unfeasible for the considered embedded devices, given the typically encountered network traffic density [21]. This paper proposes a new low-cost online rule extraction technique. The presented algorithm learns directly from the stream of incoming packets. In this manner, the need for storing all packet information in memory is eliminated. The final normal network behavior model is composed of a set of fuzzy rules. Each rule is extracted using an online version of the adapted NNC algorithm. The algorithm maintains additional information about the spread of data points associated with each cluster throughout the clustering process. Each cluster $P_j$ of encountered normal network behavior is described by its center of gravity $\mathbf{c}_j$, weight $w_j$ and a matrix of boundary parameters $M_j$. Hence:

$P_j = \{\mathbf{c}_j, w_j, M_j\},\quad \mathbf{c}_j = \{c_j^1,\dots,c_j^n\},\quad M_j = \begin{bmatrix} \underline{c}_j^1 & \dots & \underline{c}_j^n \\ \overline{c}_j^1 & \dots & \overline{c}_j^n \end{bmatrix}$   (8)

Here, $j$ is the index of a particular cluster, $c_j^i$ is the attribute value in the $i$-th dimension, $\overline{c}_j^i$ and $\underline{c}_j^i$ are the upper and lower bounds on the encountered values of the $i$-th attribute for data points assigned to cluster $P_j$, and $n$ denotes the dimensionality of the input. The algorithm maintains a set of clusters. Initially, the algorithm starts with a single cluster $P_1$ positioned at the first supplied training data point $\mathbf{x}_1$. This initial data point becomes available once the shifting window first fills with the incoming packets.
Upon acquiring a new data point $\mathbf{x}_i$ from the shifting window buffer, the set of clusters is updated according to the NNC algorithm. First, the Euclidean distance from the new input feature vector $\mathbf{x}_i$ to all available clusters is calculated. The nearest cluster $P_j$ is identified. If the computed nearest distance is greater than the established maximum cluster radius parameter, a new cluster is created. Otherwise the nearest cluster $P_j$ is updated similarly as in (7):

$\mathbf{c}_j = \dfrac{\mathbf{c}_j w_j + \mathbf{x}_i}{w_j + 1},\quad w_j = w_j + 1$   (9)

$\overline{c}_j^i = \max(x^i, \overline{c}_j^i),\quad \underline{c}_j^i = \min(x^i, \underline{c}_j^i),\quad i = 1,\dots,n$   (10)

Hence, the modified NNC algorithm also keeps track of the lower and upper bounds of the encountered input values in each dimension for every cluster. If the nearest cluster is further away than the established maximum cluster radius, a new cluster is created according to the standard NNC algorithm.

B. Fuzzy Rule Based Behavior Modeling

Once the rule extraction phase of the learning process is finalized (e.g. by user decision, time limit, limit on the number of packets, etc.), the learning algorithm maintains a final set of clusters that describe the normal network communication behavioral patterns observed in the provided training data. In the next phase of the algorithm, each cluster is converted into a fuzzy logic rule. Each fuzzy rule describes the belonging of a particular sub-region of the multi-dimensional input space to the class of normal behavior. An $n$-dimensional cluster $P_j$ is transformed into its associated fuzzy rule $R_j$ as follows. Rule $R_j$ is composed of $n$ antecedent fuzzy sets $A_i^j$, $i = 1,\dots,n$. Each fuzzy set $A_i^j$, located in the $i$-th dimension of the input space, is modeled using a non-symmetrical Gaussian fuzzy membership function with distinct left and right standard deviations. There are three parameters of the membership function, namely the mean $m$ and the left and right standard deviations $\sigma^l$, $\sigma^r$, as shown in Fig. 6. The parameter values are extracted from the computed cluster $P_j$ in the following manner:

$m_i = c_j^i$   (11)

$\sigma_i^l = \alpha\,(c_j^i - \underline{c}_j^i)$   (12)

$\sigma_i^r = \alpha\,(\overline{c}_j^i - c_j^i)$   (13)

Here, symbol $\alpha$ denotes the fuzziness parameter, which is used to adjust the spread of the membership functions.

[Fig. 6 Illustration of the non-symmetric input Gaussian fuzzy set $A_i^j$.]

Using the minimum t-norm, the firing strength of fuzzy rule $R_j$ is then computed as:

$\mu_{R_j}(\mathbf{x}) = \min_{i=1,\dots,n}\{\mu_{A_i^j}(x_i)\}$   (14)

In this specific application, the output of the fuzzy rule is a singleton fuzzy set assigning the input pattern to the normal behavior class. Hence, in this special case the fired output of a particular fuzzy rule is actually its own firing strength $\mu_{R_j}(\mathbf{x})$. The final output decision $y$ of the anomaly detection system is obtained by applying the maximum t-conorm to the outputs of all available rules:

$y(\mathbf{x}) = \max_{j=1,\dots,C}\mu_{R_j}(\mathbf{x})$   (15)

Here, $C$ denotes the number of extracted fuzzy rules. The value of the output $y$ denotes the degree of belonging of input pattern $\mathbf{x}$ to the class of normal behavior. By applying a crisp decision threshold the input pattern can be labeled as either anomalous or normal network behavior.

[Fig. 7 Parameter control analysis of the proposed anomaly detection algorithm. Figures show the number of generated clusters (a), correct classification rate (b), zoomed-in view of the classification rate (c), false positive rate (d), false negative rate (e), and zoomed-in view of the false negative rate (f) for different values of the window size and maximum cluster radius parameters.]
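As an added example (not code from the paper or its authors), the following Python script implements the Table I window-based feature extraction of Section IV.B and the Section V learning algorithm end to end: the adapted online NNC with per-cluster bounds (eq. 8-10), the conversion of each cluster into a rule with non-symmetric Gaussian antecedents (eq. 11-13), and the min/max inference with a crisp threshold (eq. 14-15). The packet stream, the per-feature scale vector, the sigma floor for single-point clusters and the demo parameters are constructed assumptions for this illustration, not the paper's tuned values.

```python
"""Added example (not the paper's code): Table I window features (Section IV.B)
feeding the adapted online NNC and fuzzy-rule classifier of Section V, run on a
constructed HMI/PLC packet stream followed by a constructed scan-like burst.
Constructed packet record: (time_s, src_ip, dst_ip, proto, tcp_flags, win_size, data_len)."""
import math
from collections import deque


def window_features(win):
    """The eight window-based features of Table I for one window position."""
    pk = list(win)
    gaps = [b[0] - a[0] for a, b in zip(pk, pk[1:])]
    return (
        len({p[1] for p in pk} | {p[2] for p in pk}),   # num. of IP addresses
        sum(1 for p in pk if p[5] == 0),                 # num. packets with 0 win. size
        sum(gaps) / len(gaps) if gaps else 0.0,          # avg. interval between packets
        sum(1 for p in pk if p[6] == 0),                 # num. packets with 0 data length
        len({p[3] for p in pk}),                         # num. of protocols
        sum(p[5] for p in pk) / len(pk),                 # average window size
        len({p[4] for p in pk}),                         # num. of flag codes
        sum(p[6] for p in pk) / len(pk),                 # average data length
    )


# Assumed per-feature scale so features lie roughly in [0, 1]; a radius as small
# as the paper's rad = 0.01 presumes scaled inputs.
SCALE = (10.0, 20.0, 1.0, 20.0, 5.0, 65535.0, 10.0, 1500.0)


def feature_stream(packets, size):
    """Shift a window of `size` packets over the stream (Fig. 5); yield one
    scaled feature vector per position once the window has filled."""
    win = deque(maxlen=size)
    for p in packets:
        win.append(p)
        if len(win) == size:
            yield tuple(v / s for v, s in zip(window_features(win), SCALE))


class FuzzyAnomalyDetector:
    def __init__(self, rad, alpha, threshold, sigma_min=1e-3):
        self.rad, self.alpha, self.threshold = rad, alpha, threshold
        self.sigma_min = sigma_min  # assumption: floor so a one-point cluster keeps a width
        self.clusters = []          # eq. (8): c, w, and the bounds matrix M as lo/hi
        self.rules = []

    def learn(self, x):
        """Adapted online NNC: nearest cluster by eq. (6), then eq. (9)-(10) or a new cluster."""
        x = tuple(x)
        if self.clusters:
            j, d = min(((k, math.dist(cl["c"], x)) for k, cl in enumerate(self.clusters)),
                       key=lambda t: t[1])
            if d <= self.rad:
                cl, w = self.clusters[j], self.clusters[j]["w"]
                cl["c"] = [(c * w + xi) / (w + 1) for c, xi in zip(cl["c"], x)]  # eq. (9)
                cl["w"] = w + 1
                cl["lo"] = [min(a, b) for a, b in zip(cl["lo"], x)]             # eq. (10)
                cl["hi"] = [max(a, b) for a, b in zip(cl["hi"], x)]
                return
        self.clusters.append({"c": list(x), "w": 1, "lo": list(x), "hi": list(x)})

    def build_rules(self):
        """Eq. (11)-(13): per cluster, antecedent (mean, sigma_left, sigma_right) per dimension."""
        self.rules = [[(c, max(self.alpha * (c - lo), self.sigma_min),
                        max(self.alpha * (hi - c), self.sigma_min))
                       for c, lo, hi in zip(cl["c"], cl["lo"], cl["hi"])]
                      for cl in self.clusters]

    @staticmethod
    def _mu(x, m, s_left, s_right):
        """Non-symmetric Gaussian membership of Fig. 6."""
        s = s_left if x < m else s_right
        return math.exp(-0.5 * ((x - m) / s) ** 2)

    def normality(self, x):
        """Eq. (14)-(15): min t-norm inside each rule, max t-conorm across rules."""
        return max((min(self._mu(xi, *a) for xi, a in zip(x, rule))
                    for rule in self.rules), default=0.0)

    def is_anomaly(self, x):
        """Crisp decision: normality below the threshold labels the window anomalous."""
        return self.normality(x) < self.threshold


def constructed_stream(n_normal, n_scan):
    """Constructed traffic: steady HMI<->PLC request/response polling, then a burst
    shaped like a port sweep (mixed flag codes, zero window, empty payloads)."""
    pkts, t = [], 0.0
    for i in range(n_normal):
        t += 0.05 if i % 2 == 0 else 0.002
        src, dst = ("10.0.0.5", "10.0.0.10") if i % 2 == 0 else ("10.0.0.10", "10.0.0.5")
        pkts.append((t, src, dst, "tcp", "PA", 8192, 60 if i % 2 == 0 else 24))
    for i in range(n_scan):
        t += 0.0005
        pkts.append((t, "10.0.0.99", "10.0.0.10", "tcp", ("S", "FPU", "A")[i % 3], 0, 0))
    return pkts


def run_demo(window=20, rad=0.05, alpha=2.0, threshold=0.8):
    """Learn from the normal prefix only, then label every window of the full stream;
    returns (number of clusters, per-window anomaly flags)."""
    det = FuzzyAnomalyDetector(rad, alpha, threshold)
    for x in feature_stream(constructed_stream(200, 0), window):
        det.learn(x)
    det.build_rules()
    flags = [det.is_anomaly(x) for x in feature_stream(constructed_stream(200, 60), window)]
    return len(det.clusters), flags
```

A dimension that never varies in training collapses to the sigma_min width, so the floor directly sets how strict the detector is on such features; choose it with the scaled feature ranges in mind.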
[Fig. 8 Parameter control analysis of the proposed anomaly detection algorithm. Figures show the correct classification rate (a), the false negative rate (b), and the false positive rate (c) for different values of the window size and the sensitivity threshold.]

VI. EXPERIMENTAL RESULTS

This section first describes the acquired experimental datasets. Next, suitable values of the control parameters are found by analyzing their impact on the performance of the algorithm. Finally, the classification performance is evaluated on the acquired testing datasets.

A. Experimental Datasets

The Nmap [28] and Nessus [29] software utilities were used to create anomalous network traffic behavior in an attempt to emulate the probes of a cyber attacker. Nmap is a network scanning tool commonly used to identify hosts, scan ports, operating systems and to determine applications that are listening on open ports. It has many options and provides useful reconnaissance information for determining further courses of action. Nessus is a network scanning tool that provides auditing capabilities, vulnerability assessments and profiling information. In addition to general computer related assessments, control system specific vulnerabilities are available and were used on the previously described experimental test-bed. The simulated intrusion attempts include: ARP pings, SYN stealth scans, port scanning, open port identification and others. Cyber attacks ranged from long attacks composed of many packets to very short intrusion sequences. Two sets of experimental data have been recorded. The recorded training set is composed of 6 datasets with only normal network behavior. Overall, 60,661 packets of normal network traffic were acquired, including specialized normal behavior such as system initialization and system component reconnection. The second set is a testing set composed of 11 datasets, which include simulated abnormal behavior. Overall 213,924 packets have been recorded.

B. Parameter Tuning

The performance of the presented anomaly detection algorithm depends on the values of several control parameters: i) the window size of the window feature extraction, ii) the maximum cluster radius for the online NNC algorithm, iii) the fuzziness parameter $\alpha$ of the fuzzy membership functions, and iv) the value of the crisp threshold for normal/anomaly traffic labeling. The correct classification, the false negative and the false positive rates were used as performance measures. The correct classification rate is the percentage of the overall correctly classified data instances. The false negative rate is the ratio of incorrectly labeled normal behavior inputs to the overall number of normal behavior instances. The false positive rate is the ratio of incorrectly labeled anomalous inputs to the overall number of anomalies. Fig. 7 and Fig. 8 depict the performance for different values of the window size, maximum cluster radius and the crisp decision threshold. Fig. 7(a) shows the number of generated clusters. This number monotonically increases with decreasing maximum cluster radius and reaches its maximum for a window size around 6. The more clusters generated, the more detailed the model. However, a more detailed model increases the chance of overfitting and requires additional computational time. From Fig. 7(b)-(f) it can be seen that the classification performance primarily depends on the window size. Small values of window size (e.g. 2, 4 or 6) generate an increased number of false negatives with a non-zero false positive rate (~4%). From the detailed view in Fig. 7(c) and Fig. 7(f) it is apparent that there is a slight gradient towards smaller values of window size. Hence, values of window size around 10 seem to yield optimal results for the given datasets.

[Fig. 9 Anomaly detection performance on dataset 1 for values of parameter $\alpha$ = 0.5 (a), 1 (b), and 2.0 (c).]
[Fig. 10 Anomaly detection performance of the proposed algorithm on segments of packets from datasets 2 (a), 3 (b), and 4 (c). The thin line represents the system decision, the thick line denotes the known anomalous behavior.]

Fig. 8 investigates the influence of the crisp decision threshold and the window size. High rates of both false positives and negatives can again be seen for smaller values of window size and for smaller values of the decision threshold. The figures demonstrate that with a window size of approximately 20 packets, the algorithm is least sensitive to the value of the crisp decision threshold. This is likely to be where the best separation between normal and anomalous behavior is obtained. The influence of the fuzziness parameter $\alpha$ of the membership function is briefly demonstrated in Fig. 9. Here, the response of the algorithm applied to dataset 1 (thin line is the algorithm output, thick line marks known intrusions) is plotted. It can be observed that smaller values of the fuzziness parameter produce narrower membership functions, which tend to reject more instances of more unusual normal behavior. However, larger values of the fuzziness parameter would eventually lead to an increased false positive rate, as anomaly instances would become less distinct from the normal behavior. In summary, the following parameters have been selected as the optimal values for the acquired experimental data: window size = 20, maximum cluster radius = 0.01, fuzziness parameter $\alpha$ = 2.0, and crisp threshold = 0.9.

TABLE II CLASSIFICATION PERFORMANCE OF THE FUZZY LOGIC BASED ANOMALY DETECTION ALGORITHM ON DIFFERENT DATASETS
(per-dataset values other than those listed were lost in extraction)

Dataset | Number of Packets | Classification Rate | False Negatives | False Positives | Processing Time per Packet
Data 1 | 35,… | …% | 1.485% | …% | … ms
Data 2 | 29,… | …% | …% | …% | … ms
Data 3 | 34,… | …% | …% | …% | … ms
Data 4 | 13,… | …% | …% | …% | … ms
Data 5 | 10,… | …% | …% | …% | … ms
Data 6 | 5,… | …% | …% | …% | … ms
Data 7 | 7,… | …% | …% | …% | … ms
Data 8 | 23,… | …% | …% | …% | … ms
Data 9 | 24,… | …% | …% | …% | … ms
Data 10 | 15,… | …% | …% | …% | … ms
Data 11 | 15,… | …% | …% | …% | … ms
Sum / Average | 213,924 | 99.36% | 0.9% | 0.0% | … ms
C. Classification Performance Evaluation

The fuzzy logic based anomaly detection algorithm was applied to the 11 acquired testing datasets. The algorithm was trained on the 6 training datasets composed of 60,661 normal behavior packets. The training took s, resulting in a potential maximum processing speed of over 5,000 packets per second. Altogether 71 fuzzy rules were extracted. The classification performance is summarized in Table II. Here, the classification rate, the false negative and the false positive rates are depicted for each dataset and the average values are calculated. It can be observed that the algorithm maintained a 0% false positive rate and a 0.9% average false negative rate. Hence, no intrusion attempts were missed, while maintaining a low false negative rate. Fig. 10 visually demonstrates the classification of datasets 2, 3 and 4. The thin line denotes the prediction of the anomaly detection system and the thick line above the system response marks the known occurrence of the anomalous behavior. It can be seen that the proposed anomaly detection system responded well to both long and short intrusion attempts.

VII. CONCLUSION

This paper presented a novel fuzzy logic based anomaly detection algorithm for embedded network security cyber sensors. The anomaly detection algorithm was specifically designed to allow for both fast learning and fast classification on the constrained computational resources of the embedded device. The algorithm extracts fuzzy rules by applying an adapted version of the online nearest neighbor clustering algorithm directly to the stream of packets. The proposed algorithm was tested on an experimental test-bed mimicking the environment of a critical infrastructure control system with emulated probes of a cyber attacker. The control parameters of the presented algorithm were tuned via performance analysis. The final performance evaluation was performed on a set of 11 test datasets with over 200,000 packets covering a wide range of anomalous network behavior. The experimental analysis yielded a 99.36% correct classification rate with a 0.0% false positive rate and a 0.9% false negative rate.
The primary directions for future work include incorporating type-2 fuzzy logic into the algorithm design, fusing the anomaly-detection based system with intrusion signatures to improve the classification performance, and deploying the algorithm in real operational settings.

REFERENCES

[1] D. Yang, A. Usynin, J. W. Hines, "Anomaly-Based Intrusion Detection for SCADA Systems," in Proc. of 5th Intl. Topical Meeting on Nuclear Plant Instrumentation, Control and Human Machine Interface Technologies (NPIC&HMIT 05), Albuquerque, NM, Nov 12-16.
[2] H. S. Kim, J. M. Lee, T. Park, W. H. Kwon, "Design of networks for distributed digital control systems in nuclear power plants," Intl. Topical Meeting on Nuclear Plant Instrumentation, Controls, and Human Machine Interface Technologies (NPIC&HMIT 2000), Washington, DC, November.
[3] Dana A. Shea, "Critical Infrastructure: Control Systems and the Terrorist Threat," Report for Congress RL31534, February.
[4] C. G. Rieger, D. I. Gertman, M. A. McQueen, "Resilient Control Systems: Next Generation Design Research," in Proc. 2nd IEEE Conf. on Human System Interactions, Catania, Italy, May.
[5] J. P. Anderson, "Computer security threat monitoring and surveillance," Technical report, James P. Anderson Co.
[6] D. E. Denning, "An Intrusion Detection Model," in IEEE Trans. on Software Engineering, vol. SE-13, February.
[7] R. Sommer, V. Paxson, "Outside the Closed World: On Using Machine Learning For Network Intrusion Detection," in Proc. of IEEE Symp. on Security and Privacy, Oakland, California.
[8] V. Chandola, A. Banerjee, V. Kumar, "Anomaly Detection: A Survey," Technical Report, University of Minnesota.
[9] I. H. Witten, E. Frank, Data Mining: Practical Machine Learning Tools and Techniques, Morgan Kaufmann Publishers.
[10] Z. Zhang, J. Li, C. Manikopoulos, J. Jorgenson, J. Ucles, "HIDE: a Hierarchical Network Intrusion Detection System Using Statistical Preprocessing and Neural Network Classification," in Proc. IEEE Workshop on Information Assurance and Security.
[11] J. Ryan, M. Lin, R. Miikkulainen, "Intrusion Detection with Neural Networks," in Advances in Neural Information Processing Systems 10, Cambridge, MA, MIT Press.
[12] H. Debar, B. Dorizzi, "An Application of a Recurrent Network to an Intrusion Detection System," in Proc. of the International Joint Conference on Neural Networks.
[13] O. Linda, T. Vollmer, M. Manic, "Neural Network Based Intrusion Detection System for Critical Infrastructures," in Proc. Int. Joint INNS-IEEE Conf. on Neural Networks, Atlanta, Georgia, June 14-19.
[14] W. Hu, Y. Liao, V. R. Vemuri, "Robust Anomaly Detection Using Support Vector Machines," in Proc. International Conference on Machine Learning.
[15] G. Stein, B. Chen, A. S. Wu, K. A. Hua, "Decision Tree Classifier For Network Intrusion Detection With GA-based Feature Selection," in Proc. of the 43rd ACM Southeast Conference, Kennesaw, GA, March.
[16] F. Gonzalez, D. Dasgupta, J. Gomez, M. Kaniganti, "An Evolutionary Approach to Generate Fuzzy Anomaly Signatures," in Proc. of the IEEE Information Assurance Workshop, June.
[17] J. Gomez, D. Dasgupta, F. Gonzalez, "Detecting Cyber Attacks with Fuzzy Data Mining Techniques," in Proc. of the Workshop on Data Mining for Counter Terrorism and Security, 3rd SIAM Conference on Data Mining, San Francisco, CA, May.
[18] S. Zhong, T. Khoshgoftaar, N. Seliya, "Clustering-based network intrusion detection," in Intl. Journal of Reliability, Quality and Safety, Vol. 14, No. 2, 2007.
[19] Q. Wang, V. Megalooikonomou, "A Clustering Algorithm for Intrusion Detection," in SPIE Conference on Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security, Orlando, Florida, USA.
[20] L. Portnoy, E. Eskin, S. Stolfo, "Intrusion detection with unlabeled data using clustering," in Proc. of ACM CSS Workshop on Data Mining Applied to Security, Philadelphia, PA, November 5-8.
[21] R. Sommer, V. Paxson, N. Weaver, "An architecture for exploiting multi-core processors to parallelize network intrusion prevention," Concurrency and Computation: Practice and Experience, vol. 21.
[22] Tofino webpage [URL], available from October.
[23] L. A. Zadeh, "Fuzzy Sets," in Information and Control, vol. 8.
[24] J. M. Mendel, Uncertain Rule-Based Fuzzy Logic Systems: Introduction and New Directions, Upper Saddle River, NJ: Prentice Hall PTR.
[25] G. J. Klir, B. Yuan, Fuzzy Sets and Fuzzy Logic: Theory and Applications, Prentice Hall, New York.
[26] Intel Corporation, Datasheet: Intel IXP42X Product Line of Network Processors and IXC1100 Control Plane Processor, June.
[27] Allen Bradley PLC 5 Controller webpage, available from October.
[28] Nmap webpage [URL], available from October.
[29] Nessus webpage [URL], available from October 2010.
More informationA fractional adaptation law for sliding mode control
INTERNATIONAL JOURNAL OF ADAPTIVE CONTROL AND SIGNAL PROCESSING Int. J. Adapt. Control Sgnal Process. 28; 22:968 986 Publshed onlne 7 October 28 n Wley InterScence (www.nterscence.wley.com). DOI:.2/acs.62
More informationDropout: A Simple Way to Prevent Neural Networks from Overfitting
Journal of Machne Learnng Research 15 (2014) 19291958 Submtted 11/13; Publshed 6/14 Dropout: A Smple Way to Prevent Neural Networks from Overfttng Ntsh Srvastava Geoffrey Hnton Alex Krzhevsky Ilya Sutskever
More informationAlgebraic Point Set Surfaces
Algebrac Pont Set Surfaces Gae l Guennebaud Markus Gross ETH Zurch Fgure : Illustraton of the central features of our algebrac MLS framework From left to rght: effcent handlng of very complex pont sets,
More informationA Study of the Cosine DistanceBased Mean Shift for Telephone Speech Diarization
TASL046013 1 A Study of the Cosne DstanceBased Mean Shft for Telephone Speech Darzaton Mohammed Senoussaou, Patrck Kenny, Themos Stafylaks and Perre Dumouchel Abstract Speaker clusterng s a crucal
More informationMaxMargin Early Event Detectors
MaxMargn Early Event Detectors Mnh Hoa Fernando De la Torre Robotcs Insttute, Carnege Mellon Unversty Abstract The need for early detecton of temporal events from sequental data arses n a wde spectrum
More informationHuman Tracking by Fast Mean Shift Mode Seeking
JOURAL OF MULTIMEDIA, VOL. 1, O. 1, APRIL 2006 1 Human Trackng by Fast Mean Shft Mode Seekng [10 font sze blank 1] [10 font sze blank 2] C. Belezna Advanced Computer Vson GmbH  ACV, Venna, Austra Emal:
More informationA Methodology for Information Quality Assessment in Data Warehousing
Ths full text paper was peer revewed at the drecton of IEEE ommuncatons Socety subect matter experts for publcaton n the I 008 proceedngs. A ethodology for Informaton Qualty Assessment n Data Warehousng
More informationThis article appeared in a journal published by Elsevier. The attached copy is furnished to the author for internal noncommercial research and
Ths artcle appeared n a ournal publshed by Elsever. The attached copy s furnshed to the author for nternal noncommercal research educaton use, ncludng for nstructon at the authors nsttuton sharng wth
More informationCORRELATION OF DIFFUSION COEFFICIENTS IN DILUTE SOLUTIONS
Applctons of holup t to expln the effect of ffusvty on the vporzton of lqus n pckngs n to estmte effectve nterfcl res for mss trnsfer hve been outlne. ACKNOWLEDGMENT The uthors wsh to cknowlege support
More informationNew Approaches to Support Vector Ordinal Regression
New Approaches to Support Vector Ordnal Regresson We Chu chuwe@gatsby.ucl.ac.uk Gatsby Computatonal Neuroscence Unt, Unversty College London, London, WCN 3AR, UK S. Sathya Keerth selvarak@yahoonc.com
More informationVerification by Equipment or EndUse Metering Protocol
Verfcaton by Equpment or EndUse Meterng Protocol May 2012 Verfcaton by Equpment or EndUse Meterng Protocol Verson 1.0 May 2012 Prepared for Bonnevlle Power Admnstraton Prepared by Research Into Acton,
More informationAn agent architecture for network support of distributed simulation systems
An agent archtecture for network support of dstrbuted smulaton systems Robert Smon, Mark Pullen and Woan Sun Chang Department of Computer Scence George Mason Unversty Farfax, VA, 22032 U.S.A. smon, mpullen,
More informationWEB DELAY ANALYSIS AND REDUCTION BY USING LOAD BALANCING OF A DNSBASED WEB SERVER CLUSTER
Interntionl Journl of Computers nd Applictions, Vol. 9, No., 007 WEB DELAY ANALYSIS AND REDUCTION BY USING LOAD BALANCING OF A DNSBASED WEB SERVER CLUSTER Y.W. Bi nd Y.C. Wu Abstrct Bsed on our survey
More informationSequential DOE via dynamic programming
IIE Transactons (00) 34, 1087 1100 Sequental DOE va dynamc programmng IRAD BENGAL 1 and MICHAEL CARAMANIS 1 Department of Industral Engneerng, Tel Avv Unversty, Ramat Avv, Tel Avv 69978, Israel Emal:
More informationComplete Fairness in Secure TwoParty Computation
Complete Farness n Secure TwoParty Computaton S. Dov Gordon Carmt Hazay Jonathan Katz Yehuda Lndell Abstract In the settng of secure twoparty computaton, two mutually dstrustng partes wsh to compute
More informationInvoicing and Financial Forecasting of Time and Amount of Corresponding Cash Inflow
Dragan Smć Svetlana Smć Vasa Svrčevć Invocng and Fnancal Forecastng of Tme and Amount of Correspondng Cash Inflow Artcle Info:, Vol. 6 (2011), No. 3, pp. 014021 Receved 13 Janyary 2011 Accepted 20 Aprl
More informationHow Bad are Selfish Investments in Network Security?
1 How Bad are Selfsh Investments n Networ Securty? Lbn Jang, Venat Anantharam and Jean Walrand EECS Department, Unversty of Calforna, Bereley {ljang,ananth,wlr}@eecs.bereley.edu Abstract Internet securty
More information