Index Terms: Intrusion Detection System (IDS), Training, Neural Network, anomaly detection, misuse detection.

Transcription

1 Survey: Learning Techniques for Intrusion Detection System (IDS) Roshani Gaidhane, Student*, Prof. C. Vaidya, Dr. M. Raghuwanshi RGCER, Computer Science and Engineering Department, RTMNU University Nagpur, Maharashtra, India Id: A B S T R A C T An intrusion detection system (IDS) is a software application that monitors network or system activities for malicious activities. The research on neural network methods and machine learning techniques to improve the network security by examining the behavior of the network as well as that of threats is done in the rapid force. There are several techniques for intrusion detection which exist at present to provide more security to the network, however many of those are static. Many researchers used machine-learning techniques for intrusion detection, but some shows poor detection, some techniques takes large amount of training time. In this paper, learning approaches i.e. neural network approaches used for intrusion detection in the recent research papers has been surveyed and proposed an extreme learning approach to solve the training time issue. Index Terms: Intrusion Detection System (IDS), Training, Neural Network, anomaly detection, misuse detection. I. INTRODUCTION Intrusion detection is a major focus of research in the security of computer systems and networking. an intrusion detection system (ids) [1] is used to detect unauthorized intrusions i.e. attacks into computer systems and networks. These systems are known to generate alarms (alerts).the following general terms used for detection and identification of attack and non-attack behavior. True Positive (tp): the amount of attack detected when it is actually attack; True Negative (tn): the amount of normal detected when it is actually normal; False Positive (fp):the amount of attack detected when it is actually normal called as false alarm; False Negative (fn): the amount of normal detected when it is actually attack, namely the attacks which can be detected by intrusion detection system. a) Classification of IDS Intrusion Detection Systems are primarily classified into two types i.e. Host-based IDS (HIDS) and Network-based IDS (NIDS) [2]. HIDS looks for particular host activity while NIDS watches network traffic. b) IDS Techniques The two basic techniques used by Intrusion Detection Systems for detecting intruders are Misuse Detection (also called signature based detection) and Anomaly Detection [2,3,4]. i) Signature or Misuse based IDS: , IJAFRC All Rights Reserved

2 Misuse Detection system tries to match data with known attack pattern. In this system every signature requires entry in a database which is one of the big challenges. It may hundreds or even thousands of entries and each packet is compared with all the entries in the database. Disadvantages Any new form of misuse is not detected Resource consuming and slows down the throughput Advantages It raises fewer false alarms because they can be very specific about what it is they are looking for. ii) Anomaly based IDS Anomaly Detection System watches for unknown intrusion for abnormalities in traffic. Disadvantages It raises high false alarm Limited by training data Advantage New form of attack can be detected. There are various approaches [4] used for intrusion detection in the research. In this paper learning approaches (Neural Network) used for IDS has surveyed. Neural Network (NN) approach has the scope for both the misuse detection system and the anomaly detection system due to its self-adaptive, selforganizing and self-learning (training) abilities [5]. c) Neural Network approach Increasing amount of research is going on Artificial Neural Network (ANN) [6], [7]. ANN consists of base units called neurons, which are grouped, in several levels. Neurons are connected to neighbor neurons and those connections are weighed. An ANN has input level, one or several hidden layers, and output level. Neural Networks architecture can be distinguished as follow: Supervised training algorithm [5], [6]: The network learns the desired output for a given input or pattern in the learning phase. Ex. Multi-Level Perception (MLP); the MLP is employed for Pattern Recognition problems. Unsupervised training algorithm [5], [6]: The network learns without specifying desired output in the learning phase. Ex. Self-Organizing Maps (SOM) It finds a topological mapping from the input space to clusters. Generally used for classification problems. For IDS using ANN approach has two phases: i) Training and ii) Testing i) Training: To recognize various normal and abnormal traffic behaviour one has to train the network. In the research it is done by using a dataset. The KDD99 dataset is publically available and it is mostly used for evaluating IDS , IJAFRC All Rights Reserved

3 ii) Testing: It is similar to the training. After training NN IDS tested using a test dataset. This dataset is smaller than the training dataset to ensure that the network can detect intrusions it was trained to detect. II. LITERATURE SURVEY For IDS using neural network approach it is necessary to collect data representing normal and abnormal behavior to train the Neural Network and in Machine learning it is based heavily on statistical analysis of data and some algorithms can use patterns found in previous data to make decisions about new data [6]. The advantage of Neural Network [7] is capable of analyzing the data from the computer network, even if the data is incomplete or distorted. Current ANN intrusion detection technologies are Back-propagation Neural Network called NNID (Neural Network Intrusion Detector) [8], Multiple Self Organizing Maps (MSOMS), CMAC (Cerebella Model Articulation Controller) uses adaptive NN, MLP (Multi Level Perceptron) [9]. a) Related Work Hua TANG and Zhuolin CAO proposed an approach in [10] to detect an attack, which uses artificial neural networks, and support vector machine. The proposed approach is applied to the KDD CUP'99 data set. Average detection rate for various attacks are obtained which are as follows. Approa ch NN(BPN ) Prob e 82.4 Attack type DoS U2R R2L SVM Table I - Attack Detection Rates Obtained [10] A result shows that SVM is better than NN. If overall accuracy is compared then author got the results in which NN is slightly better than the SVM. Laheeb Mohammad Ibrahim proposed an approach in [11] for anomaly detection using Distributed Time- Delay Artificial Neural Network (DTDNN) over KDD99dataset. He used training dataset consisting of patterns (5000 patterns for each class of DoS, U2R, R2L, Probe, Normal), and testing dataset consisting of 2500 patterns (500 patterns for each class). The results shows overall accuracy classification is for Distributed Time-Delay and the percentage of successful classification for DoS (97.6 ),U2R (96.2), R2L (95.8),Probe (98.2) from normal one (Normal (98.4)). For intrusion detection, authors used neural network IDS model based on BP neural Network in [12] 2570 records were selected from KDD99 dataset, of which 1325 for training, the normal connection 631,connecting 694 the invasion; 1245 for testing, 523 normal connections, 722 invasion of connection. Obtained results are detection rate=80.5, false alarm rate=7.4 and omission rate=11.3. Also in [13], Mukhopadhyay1, M Chakraborty, S Chakrabarti, T Chatterjee proposed Back propagation neural network for intrusion detection. Their emphasis is on detection of new attacks and low failure rate. The proposed model consists of data-collector, pre-processor, encoder and neural network classifier. First, the network is trained and then tested. Testing includes two phases Level 1 and Level , IJAFRC All Rights Reserved

4 In level 1 sample data is used whereas in level 2 totally new dataset is used. Success rate for level 1 and level 2 testing are 95.6, 73.9 whereas the failure rate is 4.4, 26.1 respectively. Sufyan T. Faraj Al-Janabi and Hadeel Amjed Saeed worked on anamoly based intrusion detection in [14]. They have developed anamoly based IDS based on BPN and used packet behaviour parameter for experiment. The proposed model first detects normal-abnormal traffic then abnormal events are classified into four attack types (DOS, PROB, U2R, or R2L) and then detailed classification of abnormal events into 29 subattack types. 22 features of KDD99 dataset is used for experiment. 5 preliminary, 7 secondary, 10 less important features are categorized. They faced several issues which are as follows: Large amount of training data requires to train ANN and to get accurate results. There is little compromise between increasing the classification levels and the percentage of detection In paper [15], Vladimir Bukhtoyarov and Eugene Semenkin proposed a neural network ensemble approach to detect intrusion. The approach is used for fixed-size neural networks ensembles with singlestage voting. To overcome the problem of detecting the network attacks collective neural network approach is used. But the structure become complex due to collective approach and more amount of training time requires for training each ANN model which are issues of the system. The choice of the threshold to appeal to the neural network ensemble classifier is one of the issues. Prof. D.P. Gaikwad, Sonali Jagtap, Kunal Thakare and Vaishali Budhawant implemented an FC-ANN approach in [16] based on ANN and fuzzy clustering to solve the lower detection precision, weaker detection stability issues. In the proposed model restore point is provided for rolling back of system files, registry keys, installed programs and the project data base etc. To reduce the complexity and size of the subsets, first different training subsets are generated by using fuzzy clustering. Then for those subsets different ANN models are trained and finally results are combined V. Jaiganesh, Dr. P. Sumathi, S. Mangayarkarasi proposed a back-propagation approach to detect intrusion in [17]. First the input and its corresponding target are called a Training Pair is generated. Then the training pair is applied to the network. Detection rate and false alarm rate are the performance measure used for evaluation of proposed method. The detection rate for DoS, Probe, U2R, R2L attack is below 80. Poor detection of attackers if some hidden attackers are present is one of the issues. In paper [18], Devikrishna K S and Ramakrishna B B proposed a system which uses Multi Layer Perceptron (MLP) architecture. The system detects attacks and classifies into six groups. Authors pointed out the issue of obtaining irrelevant output and suggest work to solve it in future. III. DRAWBACKS OF EXISTING TECHNIQUES Several issues come from the survey such as false detection, large training time, detection precision of low frequent attacks, classification of attacks etc. To overcome the problem of large amount of training time, it is necessary to use high-speed learning algorithm for IDS and to test its results with existing learning technique. In this paper, a technique is proposed which will reduce the training time and its results will be analyzed with existing technique IV. PROPOSED APPROACH , IJAFRC All Rights Reserved

5 From the literature survey, it is observed that many authors used back propagation neural network approach [12], [13], [14], [17] for intrusion detection. Though there are some issues such as low detection, long training time. So, there is need to find another approach which can work on these issues. In theory, it is found that Extreme learning machine (ELM) [19], [20] algorithm tends to provide extremely fast learning speed than traditional learning algorithm [20]. Therefore the proposed approach is to build a predictive model for intrusion detection which will have a fast learning ability than BPN. Using ELM technique a classifier will be build to classify normal and abnormal activity. The results of ELM will be compared with traditional BPN approach. The proposed approach has the following three phases. 1) Data pre-processing: Convert raw data to machine readable form. 2) Training: In this phase, the network will be trained on normal and attack data. 3) Testing: Activity will be predicting i.e. either intrusive or not.. Fig.1. Proposed Architecture of IDS. The architecture has following modules. Network Data Monitoring: This module will monitor network stream and capture packets to serve for the data source of the NIDS. Pre-processing: In pre-processing phase, network traffic will be collected and processed for use as input to the system. Feature Extraction: This module will extract feature vector from the network packets (connection records) and will submit the feature vector to the classifier module. The feature extraction process consists of feature construction and feature selection. The quality of feature construction and feature selection algorithms is one of the most important factors that influence the effectiveness of IDS. Achieving reduction of the number of , IJAFRC All Rights Reserved

6 relevant traffic features without negative impact on classification accuracy is a goal that largely improves the overall effectiveness of the IDS Classifier : This module will analyze the network stream and will draw a conclusion whether intrusion happens or not. BPN and ELM techniques can be used as a classifier. The most successful application of neural network is classification or categorization and pattern recognition. Training: The learning process is the process of optimization in which the parameters of the best set of connection coefficients (weighs) for solving a problem are found Testing : When detecting that intrusion happens, this module will send a warning message to the user. Knowledgebase: This module will serve for the training samples of the classifier phase. The Artificial Neural Networks can work effectively only when it has been trained correctly and sufficiently. V. CONCLUSION In this paper some basics of the IDS is introduced and discussed the different neural network approaches used in the research paper for IDS. It is found that the most of the researchers used BPN for intrusion detection. However, survey pointed out some issues like: low detection rate, detailed classification of attack gives sometimes-irrelevant output, large training time required to train the network. To overcome the training time issue an extreme learning approach is proposed and in future work its results will be compared with traditional BPN approach VI. REFERENCES [1] Danny Rozenblum, "Understanding Intrusion Detection Systems", SANS Institute Reading Room site. [2] K.Rajasekhar, B.Sekhar Babu, P.Lakshmi Prasanna, D.R.Lavanya, T.Vamsi Krishna,"An Overview of Intrusion Detection System [3] PengNing,SushilJajodia,"Intrusion Detection Techniques", /download?doi &rep=rep1&type=pdf [4] Sandip Sonawane, Shailendra Pardeshi, Ganesh Prasad,"A survey on intrusion detection techniques",world Journal of Science and Technology 2012, 2(3): [5] Jean-Philippe,"Application of Neural Networks to Intrusion Detection", SANS Institute Reading Room site , IJAFRC All Rights Reserved

7 [6] Deepika P Vinchurkar, Alpa Reshamwala, A Review of Intrusion Detection System Using Neural Network and Machine Learning Technique, International Journal of Engineering Science and Innovative Technology (IJESIT), Volume 1, Issue 2, November 2012 [7] Shahbaz Pervez, Iftikhar Ahmad, Adeel Akram, Sami Ullah Swati, A Comparative Analysis of Artificial Neural Network Technologies in Intrusion Detection Systems, Proceedings of the 6th WSEAS International Confe rence on Multimedia, Internet Video Technologies, Lisbon, Portugal, September 22-24, [8] V. Jaiganesh, Dr. P. Sumathi, S. Mangayarkarasi, An Analysis of Intrusion Detection System using back propagation neural network IEEE Computer Society Publication [9] Aida O. Ali,Ahmed I. saleh, Tamer R. Badawy, Intelligent Adaptive Intrusion Detection Systems Using Neural Networks (Comparative study) International Journal of Video& Image Processing and Network Security IJVIPNS-IJENS Vol:10 No:01, Feb [10] Hua TANG, Zhuolin CAO,"Machine Learning-based Intrusion Detection Algorithms",Journal of Computational Information Systems5:6(2009) [11] Laheeb Mohammad Ibrahim,"Anomaly network intrusion detection system based on distributed time-delay neural network(dtdnn)",journal of Engineering Science and Technology,Vol. 5, No. 4 (2010) [12] Changjun Han, Yi Lv, Dan Yang, Yu Hao, An Intrusion Detection System Based on Neural Network, IEEE publication, 2011 International Conference on Mechatronic Science, Electric Engineering and Computer, August 19-22, 2011, Jil. [13] Mukhopadhyay1, M Chakraborty, S Chakrabarti, T Chatterjee,"Back Propagation Neural Network Approach f,or Intrusion Detection System",2011 International Conference on Recent Trends in Information Systems, IEEE Publication. [14] Sufyan T. Faraj Al-Janabi, Hadeel Amjed Saeed A Neural Network Based Anomaly Intrusion Detection System 2011 Developments in E-systems Engineering,IEEE Publication /11, DOI /DeSE [15] Vladimir Bukhtoyarov, Eugene Semenkin, Neural Networks Ensemble Approach for Detecting Attacks in Computer Networks, WCCI 2012 IEEE World Congress on Computational Intelligence [16] Prof. D.P. Gaikwad, Sonali Jagtap, Kunal Thakare, Vaishali Budhawant, Anomaly Based Intrusion Detection System Using Artificial Neural Network and fuzzy clustering., International Journal of Engineering Research & Technology (IJERT), ISSN: , Vol. 1 Issue 9, November [17] V. Jaiganesh, Dr. P. Sumathi, S. Mangayarkarasi, An Analysis of Intrusion Detection System using back propagation neural network IEEE Computer Society Publication , IJAFRC All Rights Reserved

8 [18] Devikrishna K S, Ramakrishna B B,"An Artificial Neural Network based Intrusion Detection System and Classification of Attacks",International Journal of Engineering Research and Applications (IJERA) ISSN: ,Vol. 3, Issue 4, Jul-Aug 2013, pp [19] Chi Cheng, Extreme learning machines for intrusion detection, Neural Networks (IJCNN), The 2012 International Joint Conference on June 2012 [20] Guang-Bin Huang, Qin-Yu Zhu, Chee-Kheong Siew, Extreme learning machine: Theory and applications, NeuroComputing, December , IJAFRC All Rights Reserved