Impact of Feature Selection on the Performance of Wireless Intrusion Detection Systems




2009 International Conference on Computer Engineering and Applications
IPCSIT vol.2 (2011) © (2011) IACSIT Press, Singapore

Impact of Feature Selection on the Performance of Wireless Intrusion Detection Systems

Mouhcine Guennoun 1, Zine E.A Guennoun 2 and Khalil El-Khatib 1

1 University of Ontario Institute of Technology, 2000 Simcoe Street North, Oshawa, Ontario, Canada L1H 7K4
2 Département Math-Info, Faculté des Sciences de Rabat, 4 Avenue Ibn Battouta B.P. 1014 RP, Rabat, Maroc
{mouhcine.guennoun@uoit.ca, guennoun@fsr.ac.ma, khalil.el-khatib@uoit.ca}

Abstract. In this paper, we study the impact of the optimization of the feature set of wireless intrusion detection systems on the performance and learning time of different types of classifiers based on neural networks. The optimal set of features is selected using a hybrid selection model. In this approach, the wireless frame attributes are first ranked according to a score assigned by the information gain ratio measure. K-means classifier is then used to build the optimal subset of features that maximizes the accuracy of the detectors while reducing their learning time. Experimental results with three types of neural networks architectures show clearly that the optimization of the wireless feature set has a significant impact on the efficiency and accuracy of the intrusion detection system.

Keywords: Intrusion Detection Systems, Wireless Networks, Feature Selection.

1. Introduction

Intrusion detection in wireless networks has gained considerable attention in the last few years. Wireless networks are not only susceptible to TCP/IP-based attacks native to wired networks, they are also subject to a wide array of 802.11-specific threats. Such threats range from passive eavesdropping to more devastating denial of service attacks. To detect these intrusions, classifiers are built to distinguish between normal and anomalous traffic.
It has been proved that optimizing the feature set has a major impact on the performance, speed of learning, accuracy and reliability of the intrusion detection system [1]. Unfortunately, current wireless intrusion detection solutions rely on features extracted directly from the frame headers to build the learning algorithm of the classifiers.

Feature selection is the most critical step in building intrusion detection models. During this step, the set of attributes or features deemed to be the most effective is extracted in order to construct suitable detection algorithms (detectors). A key problem that many researchers face is how to choose the optimal set of features: not all features are relevant to the learning algorithm, and in some cases irrelevant and redundant features introduce noisy data that distracts the learning algorithm, severely degrading the accuracy of the detector and slowing the training and testing process. Feature selection was proven to have a significant impact on the performance of the classifiers. Experiments in [1] show that feature selection can reduce the building and testing time of a classifier by up to 50%.

The rest of the paper is organized as follows. Section 2 lists the optimal set of features selected using a hybrid selection model. In Section 3, we go over the three different neural networks architectures we used to build the intrusion detection system. Section 4 gives an overview of the datasets that we collected to train, validate and test the classifiers. We discuss the experimental results in Section 5 and finally, conclusions and plans for future work are provided in Section 6.

2. Optimal Set of Features

In [2,3], we presented a complete framework to select the best set of MAC layer features that efficiently characterize normal traffic and distinguish it from abnormal traffic containing intrusions specific to wireless networks. Our framework uses a hybrid approach for feature selection that combines the filter and wrapper models [4]. In this approach, we rank the features using an independent measure: the information gain ratio. The k-means classifier's predictive accuracy is used to reach an optimal set of features that maximizes the accuracy of detection of wireless attacks. To train the classifier, we first collected network traffic that contains four known wireless intrusions, which are de-authentication, duration, fragmentation, and chopchop attacks [5,6]. As shown in Table 1, the selection algorithm voted 8 features as the best set of features that maximizes the accuracy of the k-means classifier.

Table 1: List of the optimal set of features

| Feature | Description |
|---|---|
| IsWepValid | Indicate if WEP ICV check is successful. |
| DurationRange | Indicate if duration value is low (<5ms), average (between 5-20ms), or high (>20ms). |
| MoreFragment | Indicate whether a frame is non final fragment or not. |
| ToDS | Indicate if a frame is destined to the Distribution System. |
| WEP | Indicate if the frame is processed by the WEP protocol. |
| CastingType | Indicate whether the receiving address is a unicast, multicast or a broadcast address. |
| Type | Indicate the type of the frame (Mgmt, Ctrl, Data). |
| SubType | Indicate the subtype of the frame. |

In the rest of the paper, we report the results of our experiments related to the impact of the optimized set of features listed above on the accuracy and learning time of three different architectures of classifiers based on neural networks.

3. Artificial Neural Networks

An Artificial Neural Network (ANN) is a computational model that mimics the properties of biological neurons. A neuron, which is the base of an ANN, is described by a state, synapses, a combination function and a transfer function. The state of the neuron, which is a Boolean or real value, is the output of the neuron. Each neuron is connected to other neurons via synapses. Synapses are associated with weights that are used by the combination function to achieve a pre-computation, generally a weighted sum, of the inputs. The activation function, also called the transfer function, computes the output of the neuron from the output of the combination function.

An artificial neural network is composed of a set of neurons grouped in layers that are connected by synapses. There are three types of layers: input, hidden and output layers. The input layer is composed of input neurons that receive their values from external devices such as data files or input signals. The hidden layer is an intermediary layer that contains neurons with the same combination and transfer functions. The output layer provides the output of the computation to the external applications.

An interesting property of ANNs is their capacity to dynamically adjust the weights of the synapses to solve a specific problem. There are two phases in the operation of an ANN. In the learning phase, the network receives the input values with their corresponding outputs, called the desired outputs. In this phase, weights of the synapses are dynamically adjusted according to a learning algorithm. The difference between the output of the neural network and the desired output gives a measure of the performance of the network. The most used learning algorithm is the back-propagation algorithm. In the second phase, called the generalization phase, the neural network is capable of extending the learned examples to new examples not seen before. The learning phase is resource demanding. This is explained by the iterative nature of the operation mode of the ANN. Once the network is trained, the processing of a new input is generally fast.

In order to study the impact of the optimized set of features on the learning phase and accuracy of the ANN networks, we have tested these attributes on three types of architectures of ANN networks.

3.1. Perceptron

The perceptron, fig. 1, is the simplest form of a neural network. It is used for classification of linearly separable problems. It consists of a single neuron with adjustable weights of the synapses. Even though the intrusion detection problem is not linearly separable, we use the perceptron architecture as a reference to measure the performance of the other two types of classifiers.

Fig. 1: Architecture of a perceptron (Input, Weights)

3.2. Multi-layer back propagation perceptrons

The multi-layer back-propagation perceptrons architecture, fig. 2, is an organization of neurons in n successive layers (n>=3). The synapses link the neurons of a layer to all neurons of the following layer. Error propagation is done in the opposite direction of the information flow. We note that we use one hidden layer composed of 8 neurons.

Fig. 2: Multi-Layer Back-propagation Perceptrons Architecture (Input Layer, Hidden Layer, Output Layer)

3.3. Hybrid Multi-Layer Perceptrons

The Hybrid Multi-Layer Perceptrons architecture, fig. 3, is the superposition of a perceptron with multi-layer back-propagation perceptrons networks. This type of network is capable of identifying linear and non linear correlation between the input and output vectors [7]. We used this type of architecture with 8 neurons in the hidden layer.
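The eight attributes of Table 1 are the input vector of all three architectures. The following added example (not the authors' code) derives them from the first bytes of a raw 802.11 frame; the function names, the `icv_ok` parameter, the `n/a` bucket and the sample headers are assumptions made for the illustration, and the Duration field is converted from microseconds to the millisecond thresholds of Table 1.

```python
import struct

FRAME_TYPES = {0: "Mgmt", 1: "Ctrl", 2: "Data"}


def duration_range(duration_us):
    """Bucket a NAV duration with the thresholds given in Table 1."""
    ms = duration_us / 1000.0  # the Duration field counts microseconds
    if ms < 5:
        return "low"
    return "average" if ms <= 20 else "high"


def casting_type(addr1):
    """Classify the receiver address (Address 1)."""
    if addr1 == b"\xff" * 6:
        return "broadcast"
    # The least significant bit of the first octet is the group bit.
    return "multicast" if addr1[0] & 0x01 else "unicast"


def extract_features(frame, icv_ok=False):
    """Map the start of a raw 802.11 frame to the eight Table 1 attributes.

    icv_ok is supplied by the caller: checking the WEP ICV requires
    decrypting the frame body, which this header-only sketch does not do.
    """
    if len(frame) < 10:  # Frame Control + Duration/ID + Address 1
        raise ValueError("truncated 802.11 MAC header")
    fc, dur = struct.unpack_from("<HH", frame, 0)  # both little-endian
    protected = bool(fc & 0x4000)  # Protected Frame (WEP) bit
    return {
        # Assumption: a frame without WEP has no ICV and is encoded False.
        "IsWepValid": protected and bool(icv_ok),
        # Assumption: bit 15 set means an AID or fixed CFP value,
        # not a duration, so it gets its own bucket.
        "DurationRange": "n/a" if dur & 0x8000 else duration_range(dur),
        "MoreFragment": bool(fc & 0x0400),
        "ToDS": bool(fc & 0x0100),
        "WEP": protected,
        "CastingType": casting_type(frame[4:10]),
        "Type": FRAME_TYPES.get((fc >> 2) & 0x3, "Reserved"),
        "SubType": (fc >> 4) & 0xF,
    }


# Constructed sample headers (not captured traffic).
DEAUTH = bytes.fromhex(
    "c000" "3a01" "ffffffffffff" "0a0b0c0d0e0f" "0a0b0c0d0e0f" "1000")
WEP_FRAGMENT = bytes.fromhex("0845" "ff7f" "001122334455")
LONG_NAV_CTS = bytes.fromhex("c400" "ff7f" "001122334455")

if __name__ == "__main__":
    for name, raw in [("deauth", DEAUTH), ("wep fragment", WEP_FRAGMENT),
                      ("long-NAV cts", LONG_NAV_CTS)]:
        print(name, extract_features(raw, icv_ok=True))
```

The categorical values would still need a numeric encoding before being fed to a network; the paper does not state which encoding was used.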

Fig. 3: Hybrid Multi-Layer Perceptrons Architecture (Input Layer, Hidden Layer, Output Layer)

The transfer function of all neurons is the sigmoid function. The initial weights of the synapses are chosen randomly in the interval [-0.5, 0.5].

4. Data Set

The data we used to train and test the classifiers were collected from a wireless local area network. The local network is composed of 3 wireless stations and one access point. One machine is used to generate normal traffic (HTTP, FTP). The second machine simultaneously transmits data originating from 4 types of attacks. The last station is used to collect and record both types of traffic (normal and intrusive). The attacks we used to test our system are: de-authentication, duration, fragmentation and chopchop. The source code of the attacks is available in [5].

The data collected were grouped in three sets: learning, validation and testing sets. The first set is used to reach the optimal weight of each synapse. The learning set contains the input with its desired output. By iterating on this data set, the neural network classifier dynamically adjusts the weights of the synapses to minimize the error rate between the output of the network and the desired output. The validation data set is necessary to avoid the effect of overfitting. Indeed, in some cases, the neural network classifier might produce an excellent performance on the learning data set, but still have a low performance on the testing data set. In general, the learning algorithm stops when the error between the output of the validation data set and the desired output is below a predefined threshold. Once the network is trained and validated, it should be able to predict the output of each entry of the testing data set.

The following table shows the distribution of the data collected for each attack and the number of frames in each data set.
Table 2: Distribution of collected data

| | Learning | Validation | Test |
|---|---|---|---|
| Normal | 6000 | 4000 | 5000 |
| Deauthentication | 900 | 600 | 800 |
| Duration | 900 | 600 | 800 |
| Fragmentation | 900 | 600 | 800 |
| Chopchop | 900 | 600 | 800 |
| Total | 9600 | 6400 | 8200 |

5. Experimental results

Experimental results are obtained using NeuroSolutions software [8]. The three types of classifiers were trained using the complete set of features (38 features), which are the full set of MAC header attributes, and the reduced set of features (8 features). We evaluated the performance of the classifiers based on the learning time and accuracy of the resulting classifiers. Experimental results clearly demonstrate that the performance of the classifiers trained with the reduced set of features is higher than the performance of the classifiers trained with the full set of features. Indeed, learning time is reduced to 33% and the accuracy is increased by around 15% for the three types of neural networks architectures.

Table 3: Performance of the three types of neural networks using 8 and 38 features

| | Learning Time (s), Optimal | Learning Time (s), Full | Detection Rate (%), Optimal | Detection Rate (%), Full | False Positives (%), Optimal | False Positives (%), Full | False Negatives (%), Optimal | False Negatives (%), Full |
|---|---|---|---|---|---|---|---|---|
| Perceptron | 271 | 592 | 43.37 | 35.27 | 39.46 | 44.57 | 6.95 | 7.46 |
| MLBP | 349 | 967 | 95.99 | 82.87 | 3.02 | 8.93 | 0.38 | 2.37 |
| Hybrid | 356 | 1009 | 96.27 | 83.48 | 2.84 | 8.79 | 0.37 | 2.49 |

Table 3 summarizes the results of the experiments. The false positives rate is the percentage of frames containing normal traffic classified as intrusive frames. The false negatives rate is the percentage of frames generated from wireless attacks and classified as normal traffic.

6. Conclusion

In this paper we studied the impact of feature selection on the performance of different classifiers based on neural networks. Learning time of the classifiers is reduced to 33% with the reduced set of features, while the accuracy of detection is improved by 15%. In future work, we are planning to do a comparative study of the impact of the reduced feature set on the performance of classifiers based on support vector machines (SVMs), artificial neural networks (ANNs), multivariate adaptive regression splines (MARS) and linear genetic programs (LGPs).

7. References

[1] Y. Chen, Y. Li, X. Cheng, L. Guo, "Survey and Taxonomy of Feature Selection Algorithms in Intrusion Detection System", Inscrypt 2006.
[2] M. Guennoun, A. Lbekkouri, K. El-Khatib, "Selecting the Best Set of Features for Efficient Intrusion Detection in Wireless Networks", 3rd International IEEE Conference on Information and Communication Technologies: From Theory to Applications, 2008.
[3] M. Guennoun, A. Lbekkouri, K. El-Khatib, "Optimizing the Feature Set of Wireless Intrusion Detection Systems", International Journal of Computer Science and Network Security, Vol. 8, No. 10, October 2008.
[4] H. Liu, H. Motoda, Feature Selection for Knowledge Discovery and Data Mining, Boston: Kluwer Academic, 1998.
[5] J. Bellardo, S. Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions", USENIX Security Symposium, pages 15-28, 2003.
[6] A. Bittau, M. Handley, J. Lackey, "The final nail in WEP's coffin", 2006 IEEE Symposium on Security and Privacy, May 2006.
[7] Z. Zhang, C. Manikopoulos, "Investigation of neural network classification of computer network attacks", International Conference on Information Technology: Research and Education, 11-13 Aug 2003, pages 590-594.
[8] NeuroSolutions Inc, http://www.neurosolutions.com/
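The filter stage of the hybrid selection model in Section 2 ranks the frame attributes by information gain ratio before the k-means wrapper chooses the final subset. The following added example (not the authors' code) implements only that ranking step over a small constructed set of labelled frames; the `Retry` attribute, the subtype names and every sample value are assumptions made for the illustration.

```python
from collections import Counter
from math import log2


def entropy(values):
    """Shannon entropy (bits) of a list of categorical values."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def gain_ratio(rows, labels, feature):
    """Information gain of `feature` divided by its split information."""
    n = len(rows)
    groups = {}
    for row, label in zip(rows, labels):
        groups.setdefault(row[feature], []).append(label)
    # Class entropy that remains once the feature value is known.
    conditional = sum(len(g) / n * entropy(g) for g in groups.values())
    gain = entropy(labels) - conditional
    # Split information penalizes attributes with many distinct values.
    split_info = entropy([row[feature] for row in rows])
    # A constant attribute has zero split information; score it 0.
    return gain / split_info if split_info > 0 else 0.0


def rank_features(rows, labels):
    """Return (feature, gain ratio) pairs, best first."""
    scores = {f: gain_ratio(rows, labels, f) for f in rows[0]}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def frame(subtype, duration, to_ds, retry):
    return {"SubType": subtype, "DurationRange": duration,
            "ToDS": to_ds, "Retry": retry}


# Constructed labelled frames (not the paper's data set).
FRAMES = [
    frame("data", "low", True, True),
    frame("data", "low", True, True),
    frame("data", "low", True, False),
    frame("data", "average", False, False),
    frame("deauth", "low", False, True),
    frame("deauth", "low", False, False),
    frame("cts", "high", False, True),
    frame("cts", "high", False, False),
]
LABELS = ["normal"] * 4 + ["deauthentication"] * 2 + ["duration"] * 2

if __name__ == "__main__":
    for name, score in rank_features(FRAMES, LABELS):
        print(f"{name:14s} {score:.3f}")
```

In the hybrid model the wrapper would then add attributes in this order and keep the subset that gives the classifier its best accuracy; that stage is not shown here.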