Elsevier

Computer Networks

Volume 55, Issue 8, 1 June 2011, Pages 1662-1671

Intrusion detection using neural based hybrid classification methods

https://doi.org/10.1016/j.comnet.2010.12.008

Abstract

Data mining is the use of algorithms to extract the information and patterns derived by the knowledge discovery in databases process. Classification is a very common data mining task: it maps data into predefined groups or classes, and is often referred to as supervised learning because the classes are determined before the data are examined. Due to the increasing incidence of cyber attacks, building effective intrusion detection systems is essential for protecting the security of information systems, yet it remains an elusive goal and a great challenge. This paper presents two classification methods, the multilayer perceptron (MLP) and the radial basis function (RBF) network, and ensembles of MLP and RBF classifiers. We propose a hybrid architecture involving ensemble and base classifiers for intrusion detection systems. The analysis of results shows that the performance of the proposed method is superior to that of a single existing classification method such as MLP or RBF. Additionally, the ensemble of MLPs is found to be superior to the ensemble of RBF classifiers for normal behavior, and the reverse holds for abnormal behavior. We show that the proposed method provides a significant improvement in prediction accuracy for intrusion detection.

Introduction

Information technology has become a key component in supporting critical infrastructure services in many sectors of society. In an effort to share information and streamline operations, organizations are creating complex networked systems and opening their networks to customers, suppliers, and other business partners. While most users of these networks are legitimate, an open network is exposed to illegitimate access and use. Increased network complexity, greater access, and a growing emphasis on the internet have made network security a major concern for organizations, and the number of computer security breaches has risen significantly in the last three years. While traditional approaches to network security have focused on prevention, network intrusion detection has become increasingly important in recent years as a way for firms to reduce the number of intrusions that go undetected. Typically, network intrusion [16] is detected by examining the data trail left by a user and searching for abnormal user behavior.

In recent years, data mining techniques have been used successfully in the context of network intrusion detection, and more generally in discriminating normal from abnormal behavior in a variety of contexts. Data mining has become a very useful technique for reducing information overload and improving decision making by extracting and refining useful knowledge through a search for relationships and patterns in the extensive data collected by an organization. The extracted information is used to predict, classify, model, and summarize the data being mined. Data mining technologies such as rule induction, neural networks, genetic algorithms, fuzzy logic, and rough sets are used for classification and pattern recognition in many industries [46], [9], [5], [17], [52].

Many decision-making problems fall into the general category of classification. In recent years there has been a surge of interest in newer models of classification, specifically methods from machine learning and neural networks. Classification is a very common data mining task: we examine the features of newly presented objects and try to assign each to one of a predefined set of classes. Supervised learning methods are applied to solve classification problems. Multilayer perceptron (MLP), radial basis function (RBF) and case based reasoning (CBR) are representative supervised learning methods that can be applied to classification problems. In the process of handling classification tasks, an important issue usually encountered is determining the best performing method for a specific problem. Several studies address the issue; however, the common understanding of data mining practitioners and researchers is that no universal best-performing method exists. Different kinds of methods have their own advantages and limitations, so a method that performs best for one problem may be outperformed by another method on a different problem. This situation is called selective superiority [39]. It also implies that all supervised learning methods have intrinsic limits on the prediction accuracy they can reach. Hybrid models have been suggested to overcome the defects of using a single supervised learning method such as MLP or RBF: they combine different methods to improve prediction accuracy. The terms combined model and ensemble are used for essentially the same concept. This paper proposes new hybrid classification methods for faster and more effective intrusion detection.

The signatures of some attacks are known, whereas other attacks only reflect some deviation from normal patterns. Consequently, two main approaches have been devised to detect intruders.

Anomaly detection assumes that an intrusion will always reflect some deviation from normal patterns. Anomaly detection may be divided into static and dynamic detection. A static anomaly detector is based on the assumption that there is a portion of the system being monitored that does not change. Usually, static detectors address only the software portion of a system and assume that the hardware need not be checked. The static portion of a system is the code for the system and the constant portion of the data upon which its correct functioning depends; for example, operating system software and the data used to bootstrap a computer are not expected to change between administrator-applied updates. If the static portion of the system ever deviates from its recorded form, either an error has occurred or an intruder has altered it. Static anomaly detectors therefore focus on integrity checking. Dynamic detection typically operates on audit records or on monitored network traffic. Operating system audit records do not capture every event, and the events they do record may occur in a sequence. In distributed systems, a partial ordering of events is sufficient for detection. In other cases, the order is not directly represented and only cumulative information, such as the processor resources consumed during a time interval, is maintained; thresholds are then defined to separate normal resource consumption from anomalous consumption.
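The static half of this division, integrity checking of the portion of the system that should not change, is illustrated by the following added example (not code from the paper). It builds a SHA-256 manifest of a set of files, seals the manifest with an HMAC so that an intruder who edits the manifest itself is also caught, and reports what differs in a later snapshot. The paths, file contents and sealing key are constructed stand-ins; a real deployment reads the files from disk and keeps the key and the sealed manifest off the monitored host.

```python
"""Static anomaly detection as integrity checking: a SHA-256 manifest of the
'static portion' of a system (kernel, init, boot configuration), sealed with
an HMAC so that edits to the manifest are detected as well as edits to files.

Added example; not code from the paper. File contents are constructed
in-memory byte strings standing in for on-disk files.
"""
import hashlib
import hmac
import json

# Constructed stand-in for the static portion of a system: path -> contents.
BASELINE_FILES = {
    "/boot/vmlinuz": b"kernel-image-v1",
    "/boot/grub/grub.cfg": b"set default=0\nlinux /boot/vmlinuz ro\n",
    "/sbin/init": b"init-binary-v1",
}

# Hypothetical sealing key; in practice it lives off the monitored host.
SEAL_KEY = b"manifest-sealing-key-example"


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record a digest of every file in the static portion, in path order."""
    return {path: file_digest(data) for path, data in sorted(files.items())}


def seal_manifest(manifest: dict, key: bytes) -> bytes:
    """Serialize the manifest and append an HMAC-SHA256 tag over the serialization."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_manifest(sealed: bytes, key: bytes) -> dict:
    """Verify the tag before trusting the manifest; raise if it was altered."""
    body, _, tag = sealed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("manifest tag mismatch: manifest altered or wrong key")
    return json.loads(body)


def check_integrity(manifest: dict, current: dict) -> dict:
    """Compare a current snapshot of the static portion against the manifest."""
    modified = [p for p in manifest if p in current and file_digest(current[p]) != manifest[p]]
    removed = [p for p in manifest if p not in current]
    added = [p for p in current if p not in manifest]
    return {"modified": modified, "removed": removed, "added": added}


def demo() -> dict:
    """Baseline at install time, then a constructed later snapshot with two changes."""
    sealed = seal_manifest(build_manifest(BASELINE_FILES), SEAL_KEY)
    later = dict(BASELINE_FILES)
    later["/sbin/init"] = b"init-binary-replaced"          # modified binary
    later["/usr/lib/libunknown.so"] = b"new-unknown-library"  # file that was never in the baseline
    return check_integrity(open_manifest(sealed, SEAL_KEY), later)


if __name__ == "__main__":
    print(demo())
```

The report lists modified, removed and added paths separately, since a new file in a directory that should be static is as significant as a changed one. Because only the baseline is stored, this is an anomaly detector in the sense used above: it flags any deviation without knowing which intrusion caused it.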

Misuse detection is based on knowledge of system vulnerabilities and known attack patterns. It is concerned with finding intruders who are attempting to break into a system by exploiting some known vulnerability. Ideally, a system security administrator should be aware of all the known vulnerabilities and eliminate them. The term intrusion scenario is used to describe a known kind of intrusion: a sequence of events that would result in an intrusion without some outside preventive intervention. An intrusion detection system continually compares recent activity to known intrusion scenarios to ensure that no attacker is attempting to exploit a known vulnerability. To perform this, each intrusion scenario must be described or modeled, and the main difference between misuse techniques is how they describe or model the behavior that constitutes an intrusion. The original misuse detection systems used rules to describe events indicative of intrusion actions that a security administrator looked for within the system. A large number of rules can be difficult to interpret, and because if-then rules are not grouped by intrusion scenario, modifying the rule set can be difficult when the affected rules are spread across it. To overcome these difficulties, newer rule organization techniques include model-based rule organization and state transition diagrams. Misuse detection systems use the rules to look for events that possibly fit an intrusion scenario. The events may be monitored live by monitoring system calls, or later using audit records.
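The state-transition form of misuse detection mentioned above, as an added example that is not code from the paper: an intrusion scenario is written as a small state machine driven by audit records, with one instance tracked per source address so that one host's steps are not mixed with another's. The scenario (repeated login failures, then a success, then escalation to root), the event names and the audit records are all constructed for illustration.

```python
"""Misuse detection with an intrusion scenario modelled as a state-transition
diagram instead of scattered if-then rules. Added example, not the paper's
code; event names and audit records are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, NamedTuple, Optional, Set, Tuple


class Record(NamedTuple):
    time: int
    event: str
    user: str
    src: str


# Constructed audit trail (sorted by time). 10.0.0.7 fails three times, succeeds,
# escalates; 10.0.0.9 fails once then succeeds; 10.0.0.5 escalates without failures.
AUDIT = [
    Record(100, "login_fail", "alice", "10.0.0.7"),
    Record(101, "login_fail", "alice", "10.0.0.7"),
    Record(102, "login_fail", "alice", "10.0.0.7"),
    Record(103, "login_ok", "alice", "10.0.0.7"),
    Record(104, "su_root", "alice", "10.0.0.7"),
    Record(105, "login_fail", "bob", "10.0.0.9"),
    Record(130, "login_ok", "bob", "10.0.0.9"),
    Record(140, "login_ok", "carol", "10.0.0.5"),
    Record(141, "su_root", "carol", "10.0.0.5"),
]


@dataclass
class Instance:
    state: str
    started: int
    fails: int = 0


class Scenario:
    """`transitions` maps a state to (predicate, next_state) pairs tried in order;
    reaching a state in `final` raises an alert. An instance older than `window`
    seconds is discarded, so the steps must occur close together."""

    def __init__(self, name: str, transitions: Dict[str, List[Tuple[Callable, str]]],
                 final: Set[str], window: int, key: Callable[[Record], str]):
        self.name, self.transitions, self.final = name, transitions, final
        self.window, self.key = window, key
        self.instances: Dict[str, Instance] = {}

    def feed(self, rec: Record) -> Optional[str]:
        k = self.key(rec)
        inst = self.instances.get(k)
        if inst is not None and rec.time - inst.started > self.window:
            inst = None  # timed out: start over for this key
        if inst is None:
            inst = Instance("start", rec.time)
        for pred, nxt in self.transitions.get(inst.state, []):
            if pred(inst, rec):
                inst.state = nxt
                break
        if inst.state == "start":
            self.instances.pop(k, None)  # nothing matched from the start state: do not track
            return None
        if inst.state in self.final:
            self.instances.pop(k, None)
            return f"{self.name}: {k} (user {rec.user}) at t={rec.time}"
        self.instances[k] = inst
        return None


def failed_login(inst: Instance, rec: Record) -> bool:
    if rec.event == "login_fail":
        inst.fails += 1
        return True
    return False


def success_after_failures(inst: Instance, rec: Record) -> bool:
    return rec.event == "login_ok" and inst.fails >= 3


def root_escalation(inst: Instance, rec: Record) -> bool:
    return rec.event == "su_root"


def make_scenario() -> Scenario:
    return Scenario(
        name="brute-force login followed by root escalation",
        transitions={
            "start": [(failed_login, "failing")],
            "failing": [(failed_login, "failing"), (success_after_failures, "compromised")],
            "compromised": [(root_escalation, "escalated")],
        },
        final={"escalated"},
        window=300,
        key=lambda rec: rec.src,
    )


def detect(audit: List[Record]) -> List[str]:
    """Run a fresh scenario over an audit trail and collect the alerts raised."""
    scenario = make_scenario()
    alerts = []
    for rec in sorted(audit, key=lambda r: r.time):
        alert = scenario.feed(rec)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in detect(AUDIT):
        print(line)
```

Because the scenario is one diagram rather than three unrelated rules, changing the failure threshold or adding a step touches a single place, which is the maintainability point made above. The cost is the one the next paragraph describes: only this ordering of events is detected, so an attacker who escalates without first failing logins, or who waits out the window, produces no alert.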

The main disadvantage of misuse detection approaches is that they detect only the attacks they were built to detect; novel or unknown attacks, or even variants of common attacks, often go undetected. At a time when new security vulnerabilities in software are discovered and exploited every day, the reactive approach embodied by misuse detection methods is not sufficient on its own for defeating malicious attacks. The main advantage of anomaly detection approaches is the ability to detect novel or unknown attacks against software systems, variants of known attacks, and deviations from the normal usage of programs, regardless of whether the source is a privileged internal user or an unauthorized external user. The disadvantage of the anomaly detection approach is that well-known attacks may not be detected, particularly if they fit the established profile of the user, and once an anomaly is detected it is difficult to characterize the nature of the attack for forensic purposes. Another drawback of many anomaly detection approaches is that a malicious user who knows that he or she is being profiled can change the profile slowly over time, essentially training the anomaly detection system to learn the attacker's malicious behavior as normal. Finally, a high false positive rate may result from a narrowly trained detection algorithm, or conversely a high false negative rate from a broadly trained one.
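The following added example (not code from the paper) covers the dynamic, threshold-based detection described two paragraphs earlier and the profile-drift weakness just described. The profile is the mean and standard deviation of CPU seconds consumed per interval, learned from normal traces; an observation above mean + k*sd is anomalous. A detector that keeps adapting its mean to every accepted observation can be walked upward by an attacker who raises usage a little each interval; bounding how far the adapted mean may move from the training baseline stops the walk. The usage series, the adaptation rate and the bound are constructed, and the adaptation rate is deliberately high so the walk fits in forty steps.

```python
"""Threshold anomaly detection on cumulative resource use, with and without
a bound on profile drift. Added example, not the paper's code; the usage
series and parameters are constructed.
"""
import statistics
from typing import List, Optional

# Constructed normal profile: CPU seconds consumed per five-minute interval.
NORMAL = [9.5, 10.2, 10.0, 9.8, 10.5, 9.9, 10.1, 10.3, 9.7, 10.0]


class ThresholdDetector:
    def __init__(self, normal: List[float], k: float = 3.0, alpha: float = 0.5,
                 max_drift: Optional[float] = None):
        self.k = k                  # threshold width in standard deviations
        self.alpha = alpha          # adaptation rate of the running mean (exaggerated here)
        self.max_drift = max_drift  # None = unbounded adaptation
        self.base_mean = statistics.fmean(normal)
        self.sd = statistics.pstdev(normal)
        self.mean = self.base_mean

    def threshold(self) -> float:
        return self.mean + self.k * self.sd

    def observe(self, x: float) -> bool:
        """Return True if x is anomalous; otherwise absorb it into the running profile."""
        if x > self.threshold():
            return True
        self.mean = (1 - self.alpha) * self.mean + self.alpha * x
        if self.max_drift is not None:
            # Anchor: the adapted mean may not exceed the training baseline by more than max_drift.
            self.mean = min(self.mean, self.base_mean + self.max_drift)
        return False


def drift_attack(steps: int = 40, step: float = 0.25) -> List[float]:
    """Attacker raises consumption by `step` CPU seconds every interval, ending at 2x normal."""
    return [10.0 + step * i for i in range(1, steps + 1)]


def simulate(max_drift: Optional[float]) -> dict:
    """Feed the drift series to a detector and summarize what it flagged."""
    det = ThresholdDetector(NORMAL, max_drift=max_drift)
    flagged = [(x, det.observe(x)) for x in drift_attack()]
    alerts = [x for x, f in flagged if f]
    return {
        "alerts": len(alerts),
        "first_alert_at": alerts[0] if alerts else None,
        "final_flagged": flagged[-1][1],
        "final_mean": round(det.mean, 2),
    }


if __name__ == "__main__":
    print("unbounded adaptation:", simulate(max_drift=None))
    print("drift bounded to 1.0:", simulate(max_drift=1.0))
```

With unbounded adaptation the running mean trails the attacker by half a step, the threshold moves with it, and consumption reaches twice the baseline without a single alert. With the bound, the mean stops at the baseline plus 1.0 and the walk is flagged as soon as it passes that fixed threshold. The parameter k is the narrow-versus-broad trade-off of the last sentence above: a smaller k flags more of the normal tail, a larger k admits more low-and-slow abuse.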

Previous work has demonstrated that bagging is very effective for k-Nearest Neighbor (k-NN) [19] and Support Vector Machine (SVM) [20] classifiers. A review of previous work shows that many authors concentrated on decision trees because of their fast training speed and well established default parameter settings, whereas neural networks are harder to evaluate because of the significant processing time required and the difficulty of selecting training parameters. Our neural network results led to an important conclusion: a bagging ensemble generally produces a classifier that is more accurate than a standard classifier. They also show that the ensemble methods are generally consistent (in terms of their effect on accuracy) when applied to either neural networks or k-NN classifiers.

We investigated a new technique for an intrusion detection model and evaluated its performance on the normal and abnormal intrusion datasets. The run time and error rate of the base classifier are estimated using a comparative cross-validation method. Following this, the general k-NN classifier is explored as an intrusion detection model, and performance comparisons are demonstrated on intrusion detection datasets. The proposed ensemble of k-NN classifiers combines the complementary features of the base classifiers, and a hybrid architecture involving the ensemble and the base classifier is proposed for the intrusion detection model. It is shown that, compared to the earlier k-NN technique, the run time is reduced by up to 0.01% and 0.06% while error rates are lowered by up to 0.002% and 0.03% for normal and abnormal behavior, respectively.

We also described simultaneous feature selection and model selection for support vector regression (SVR). The feasibility and benefits of the proposed approach are demonstrated by means of a data mining problem, intrusion detection in computer networks. It is shown that, compared to the earlier SVR technique, the run time is reduced by up to 0.07 s and 0.26 s while error rates are lowered by up to 0.01% and 1.84% for normal and abnormal behavior, respectively.

Experiments have been carried out with an intrusion detection data set to examine the improvement in prediction performance of the suggested method over conventional single learning algorithms. The experimental results show that the overall accuracy of the proposed method is better than that of single learning algorithms. In particular, the performance improvement is large when the prediction inconsistency ratio between two different learning techniques is high. The proposed method can contribute in situations in which prediction accuracy is very important, for example where a single missed case can cause serious damage, as in fraudulent use of credit cards or in medical diagnosis.

The remainder of this article is structured as follows. In the next section, the state of the art of existing work is described. Section 3 focuses on the classification methods. Section 4 discusses the hybrid model for intrusion detection systems. Section 5 shows experimental results and discussion. Finally, Section 6 summarizes the results and concludes.

State of the art

In this section, the state of the art concerning hybrid model of MLP and RBF neural networks is investigated. The results of this survey will motivate a new approach.

Classification methods

Two data mining methods are used in this study: MLP and RBF neural networks. We chose these two methods based on prior research and relevance to our problem context. MLP neural networks have been widely used for data mining and have also been found to be effective in intrusion detection systems.

Hybrid model for intrusion detection systems

The main purpose of the hybrid method using error pattern models is to apply each method to the data cases for which it is best suited, and so enhance prediction accuracy. Voting is a simple and popular hybrid model for combining the results of several methods [2]. In the case of classification, a tie is broken by calculating the prediction probabilities of each method and using them to make the final prediction. Bagging (bootstrap aggregation) and boosting [14] are commonly used techniques
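The voting rule and bagging named above, as an added example that is not code from the paper. Each ensemble member is trained on a bootstrap sample of the training set (n draws with replacement); at prediction time each member votes, and a split vote is settled by summing the members' class probabilities. The paper bags MLP and RBF networks; here the base learner is k-nearest neighbours, implemented inline, so that the ensemble logic stays visible and the block runs with the standard library alone. The training records are constructed: two features per connection, failed logins per minute and outbound kilobytes per minute.

```python
"""Bagging with majority voting and a probability-based tie-break.
Added example, not the paper's code: k-NN stands in for the paper's
MLP/RBF base classifiers, and the training records are constructed.
"""
import math
import random
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Label = str
Probs = Dict[Label, float]

# Constructed training data: (failed logins per minute, outbound kB per minute).
TRAIN_X = [(0, 12), (1, 15), (0, 9), (2, 14), (1, 11), (0, 13), (1, 10), (0, 16), (2, 12), (1, 14),
           (9, 80), (12, 95), (10, 70), (15, 120), (11, 88), (8, 75), (13, 101), (9, 92), (14, 110), (10, 85)]
TRAIN_Y = ["normal"] * 10 + ["abnormal"] * 10


class KNN:
    """Base classifier: k-nearest neighbours; class probability = fraction of neighbours."""

    def __init__(self, k: int = 3):
        self.k = k
        self.X: List[Sequence[float]] = []
        self.y: List[Label] = []

    def fit(self, X: Sequence[Sequence[float]], y: Sequence[Label]) -> "KNN":
        self.X, self.y = list(X), list(y)
        return self

    def proba(self, x: Sequence[float]) -> Probs:
        nearest = sorted(range(len(self.X)), key=lambda i: math.dist(x, self.X[i]))[: self.k]
        votes = Counter(self.y[i] for i in nearest)
        return {label: votes[label] / self.k for label in set(self.y)}


def combine_votes(predictions: List[Tuple[Label, Probs]]) -> Label:
    """Majority vote over (label, probabilities) pairs; a tie goes to the larger summed probability."""
    votes = Counter(label for label, _ in predictions)
    best = max(votes.values())
    tied = [label for label, count in votes.items() if count == best]
    if len(tied) == 1:
        return tied[0]
    totals = {label: sum(p.get(label, 0.0) for _, p in predictions) for label in tied}
    return max(tied, key=lambda label: totals[label])


class BaggedKNN:
    def __init__(self, n_models: int = 5, k: int = 3, seed: int = 0):
        self.n_models, self.k = n_models, k
        self.rng = random.Random(seed)  # fixed seed so the bootstrap samples are reproducible
        self.models: List[KNN] = []

    def fit(self, X: Sequence[Sequence[float]], y: Sequence[Label]) -> "BaggedKNN":
        n = len(X)
        self.models = []
        for _ in range(self.n_models):
            idx = [self.rng.randrange(n) for _ in range(n)]  # bootstrap: n draws with replacement
            self.models.append(KNN(self.k).fit([X[i] for i in idx], [y[i] for i in idx]))
        return self

    def predict(self, x: Sequence[float]) -> Label:
        preds = []
        for model in self.models:
            p = model.proba(x)
            preds.append((max(p, key=lambda label: p[label]), p))
        return combine_votes(preds)


def train_ensemble() -> BaggedKNN:
    return BaggedKNN(n_models=5, k=3, seed=7).fit(TRAIN_X, TRAIN_Y)


if __name__ == "__main__":
    ens = train_ensemble()
    for x in [(1, 12), (11, 90)]:
        print(x, "->", ens.predict(x))
```

With an odd number of members and two classes a tie cannot occur, so the probability rule only matters for an even number of members or more than two classes; `combine_votes` handles both. The bootstrap samples also give each member a slightly different training set, which is what makes the vote worth more than any single member.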

Experimental

This section demonstrates the properties of data set and experimental design and also presents the performance of MLP and RBF neural networks.

Conclusion

In this research we have investigated a new technique for an intrusion detection model and evaluated its performance on the normal and abnormal intrusion datasets. We estimated accuracy using the 10-fold cross validation method for the base classifiers. Following this, we explored the general MLP and RBF as an intrusion detection model. We have also demonstrated performance comparisons using intrusion detection datasets. The proposed ensemble of MLP and RBF combines the complementary features of the base

Acknowledgements

The authors gratefully acknowledge the authorities of Annamalai University for the facilities offered and for their encouragement to carry out this work. This work is supported in part by the Career Award for Young Teachers (CAYT) grant received by the first author from the All India Council for Technical Education, New Delhi. They would also like to thank the reviewers for their valuable remarks.

References (52)

  • S. Chebrolu et al., Feature deduction and ensemble design of intrusion detection systems, Computers & Security (2005)
  • E.H. Suh et al., Customer list segmentation using the combined response model, Expert Systems with Applications (1999)
  • M. Versace et al., Predicting the exchange traded fund DIA with a combination of genetic algorithm and neural networks, Expert Systems with Applications (2004)
  • M.L. Wong et al., Data mining of Bayesian networks using cooperative coevolution, Decision Support Systems (2004)
  • A. Abraham, Neuro-fuzzy systems: state-of-the-art modeling techniques, connectionist models of neurons, learning processes, and artificial intelligence
  • K. Ali et al., Error reduction through learning multiple descriptions, Machine Learning (1996)
  • D. Anderson, T.F. Lunt, H. Javitz, A. Tamaru, A. Valdes, Detecting Unusual Program Behavior Using the...
  • W. Banzhaf et al., Genetic Programming: An Introduction on the Automatic Evolution of Computer Programs and its Applications (1998)
  • J. Bigus, Data Mining with Neural Networks: Solving Business Problems from Application Development to Decision Support (1996)
  • L. Breiman, Bagging predictors, Machine Learning (1996)
  • Y.P. Chen, A hybrid framework using SOM and fuzzy theory for textual classification in data mining, Modeling with Words (2003)
  • W.W. Cohen, Fast effective rule induction, in: Proceedings of the 12th International Conference on Machine Learning, ...
  • D. Zhu et al., Data mining for network intrusion detection: a comparison of alternative methods, Decision Sciences (2001)
  • D. Opitz et al., Popular ensemble methods: an empirical study, Journal of Artificial Intelligence Research (1999)
  • H. Debar, M. Becker, D. Siboni, A neural network component for an intrusion detection system, in: Proceedings of 1992 ...
  • D.E. Denning, An intrusion-detection model, IEEE Transactions on Software Engineering (1987)
M. Govindarajan received the B.E., M.E. and Ph.D. degrees in Computer Science and Engineering from Annamalai University, Tamil Nadu, India, in 2001, 2005 and 2010, respectively. He is currently an Assistant Professor at the Department of Computer Science and Engineering, Annamalai University, Tamil Nadu, India. He has presented and published more than 40 papers in conferences and journals. His current research interests include data mining and its applications, algorithms, text mining, neural networks, genetic algorithms, support vector machines, radial basis functions, ontology-based reasoning and case-based reasoning.

He organized the National Conference on Recent Trends in Data Mining and its Applications (March 11–12, 2006). He was the recipient of the Achievement Award at the Conference on Bio-Engineering, Computer Science and Knowledge Mining (2006), Prague, Czech Republic, and of the All India Council for Technical Education Career Award for Young Teachers (2006), New Delhi, India. He is a Life Member of the Computer Society of India and the Indian Society for Technical Education, a Session Member of the Indian Science Congress Association, and an Associate Member of the Institute of Engineers.

RM. Chandrasekaran received the B.E. degree in Electrical and Electronics Engineering from Madurai Kamaraj University in 1982, the MBA (Systems) from Annamalai University in 1995, the M.E. in Computer Science and Engineering from Anna University in 1998, and the Ph.D. degree in Computer Science and Engineering from Annamalai University, Tamil Nadu, India, in 2006.

He is currently a Professor at the Department of Computer Science and Engineering, Annamalai University, Annamalai Nagar, Tamil Nadu, India. From 1999 to 2001 he worked as a software consultant at Etiam, Inc., California, USA. He has conducted workshops and conferences in the areas of multimedia, business intelligence, analysis of algorithms and data mining. He has presented and published more than 45 papers in conferences and journals and is the author of the book Numerical Methods with C++ Program (PHI, 2005). His research interests include data mining, algorithms, networks, software engineering, network security and text mining. He is a Life Member of the Computer Society of India, the Indian Society for Technical Education, the Institute of Engineers and the Indian Science Congress Association.
