An Intrusion Detection and Prevention System based on Automatic Learning of Traffic Anomalies

Full Text (PDF, 441KB), PP.53-60


Author(s)

Abdurrahman A. Nasr 1,*, Mohamed M. Ezz 1, Mohamed Z. Abdulmaged 1

1. Al-Azhar University, System and Computer Engineering Dept., Cairo, 11651, Egypt

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2016.01.07

Received: 5 May 2015 / Revised: 1 Aug. 2015 / Accepted: 12 Sep. 2015 / Published: 8 Jan. 2016

Index Terms

Incremental learning, Conceptual clustering, Attributional calculus, Intrusion detection, Intrusion prevention, Zero-day attack

Abstract

Ever-changing network traffic reveals new attack types, which represent a security threat that poses a serious risk to enterprise resources. Security administrators therefore genuinely need efficient Intrusion Detection and Prevention Systems (IDPS), and such systems should be capable of learning from network behavior. In this paper, we present an incremental Learnable Model for Anomaly Detection and Prevention of Zero-day attacks, LMAD/PZ. To enable learning from observations that can provide a reliable model for automatic prevention, a comparison has been carried out between supervised and unsupervised learning techniques.
Thus, in LMAD/PZ, the intrusion detection step is integrated with an intrusion prevention plan. For the prevention plan to be dependable and automatic, it must be backed by a robust and accurate detection process. Therefore, two incremental data mining techniques are investigated in depth and implemented on the NSL-KDD'99 intrusion dataset. The first technique is the Algorithm Quasi-optimal (AQ), a supervised Attributional Rules Learner (ARL); the second is Cobweb, an unsupervised hierarchical conceptual clustering algorithm. These algorithms categorize network connections as either normal or anomalous. The performance of AQ is compared to that of Cobweb, and the better-performing technique is integrated with the prevention plan to provide a fully automated system. The experimental results showed that the model automatically adapts its knowledge base from continuous network streams, in addition to offering the advantage of detecting novel and zero-day attacks. Many experiments have verified that AQ outperforms Cobweb clustering in terms of accuracy, detection rate and false alarm rate.
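The abstract compares AQ and Cobweb on accuracy, detection rate and false alarm rate for a two-class (normal/anomalous) detector scored over a stream of connection records. The following added example (not code from the paper or its authors) keeps a running confusion matrix and derives those three metrics using their standard IDS definitions; the ten (verdict, ground truth) pairs are constructed, not NSL-KDD data.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

NORMAL, ANOMALY = "normal", "anomaly"


@dataclass
class StreamingIDSMetrics:
    """Running confusion matrix for a normal/anomaly detector.

    Counts are updated one connection record at a time, so the same object
    can score a detector that keeps learning from a continuous stream.
    """
    tp: int = 0  # attack flagged as anomaly
    fn: int = 0  # attack passed as normal (missed detection)
    fp: int = 0  # normal flagged as anomaly (false alarm)
    tn: int = 0  # normal passed as normal

    def update(self, predicted: str, actual: str) -> None:
        if actual == ANOMALY:
            if predicted == ANOMALY:
                self.tp += 1
            else:
                self.fn += 1
        elif predicted == ANOMALY:
            self.fp += 1
        else:
            self.tn += 1

    def accuracy(self) -> float:
        total = self.tp + self.fn + self.fp + self.tn
        return (self.tp + self.tn) / total if total else 0.0

    def detection_rate(self) -> float:
        # Fraction of real attacks the detector caught (recall on the anomaly class).
        attacks = self.tp + self.fn
        return self.tp / attacks if attacks else 0.0

    def false_alarm_rate(self) -> float:
        # Fraction of normal connections wrongly flagged as anomalous.
        normals = self.fp + self.tn
        return self.fp / normals if normals else 0.0


def score_stream(pairs: Iterable[Tuple[str, str]]) -> StreamingIDSMetrics:
    """Feed (detector verdict, ground-truth label) pairs in arrival order."""
    metrics = StreamingIDSMetrics()
    for predicted, actual in pairs:
        metrics.update(predicted, actual)
    return metrics


# Constructed sample stream: 4 real attacks (3 caught, 1 missed), 6 normal
# connections (1 false alarm, 5 correctly passed).
SAMPLE_STREAM = [
    (ANOMALY, ANOMALY), (ANOMALY, ANOMALY), (NORMAL, ANOMALY), (ANOMALY, ANOMALY),
    (NORMAL, NORMAL), (NORMAL, NORMAL), (ANOMALY, NORMAL), (NORMAL, NORMAL),
    (NORMAL, NORMAL), (NORMAL, NORMAL),
]
```

A high detection rate alone is not sufficient; the false alarm rate decides whether the verdicts are safe to feed into an automatic prevention plan, since every false alarm becomes a blocked legitimate connection.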

Cite This Paper

Abdurrahman A. Nasr, Mohamed M. Ezz, Mohamed Z. Abdulmaged, "An Intrusion Detection and Prevention System based on Automatic Learning of Traffic Anomalies", International Journal of Computer Network and Information Security(IJCNIS), Vol.8, No.1, pp.53-60, 2016. DOI:10.5815/ijcnis.2016.01.07
