improvement of nid according to selection of continuous measures in tree induction algorithm

Improvement of NID According to Selection of Improvement of NID According to Selection of Continuous Measures in Tree Induction Algorithm Continuous Measures in Tree Induction Algorithm

2004. 8. 24.

Il-Ahn CheongLinux Security Research Center

Chonnam National University, Korea

WISA 2004 LSRC, Chonnam National University

2/14

Contents

Introduction

Related Works

Automatic Generation of Rules using TIA

The Experiments

Conclusions


3/14

I. Introduction Signature-based Network Intrusion Detection

Require more time generating rules because of dependence on knowledge of experts

Varies according to selection of network measures in the detection Our approaches

Automatically generates the detection rules by using tree induction algorithms

Improve the detection by automatic selection of network measures Our expectations

Detection rules generated independent of knowledge of experts The performance of detection could be improved


4/14

II. Related Works The previous researches

Florida Univ. LERAD (Learning Rules for Anomaly Detection) Generating conditional rules

New Mexico Univ. SVM (Support Vector Machine) SVM based Ranking method

Applied Research Lab. of Teas Univ. NEDAA (Exploitation Detection Analyst Assistant) Genetic algorithm & Decision Tree

Problems Used limited measures (src/dst. IP/Port, Protocol, etc.) Not treats of the continuous measures


5/14

III. Automatic Generation of Rules (1/5)

Tree Induction Algorithms A classification method using data mining The constructed trees provide

a superior measure selection an easy explanation for constructed tree models

The C4.5 algorithm Automatically generates trees by calculating the IG

(Information Gain) according to the Entropy Reduction Could be classified in case of existing along with variables

having continuous and discrete attributes


6/14

Automatic Generation of Rules (2/5)

Automatic Generation Model of Rules


7/14


Modified C4.5 algorithm

)()()( kt AEntropyIEntropyAEntropy

J

i

C

ikjkikjki

jkjjk

k

ninninnn

jAIEntropy

1 12 ])/)((log)/)(()[/(

),,(

C

iii )N/N(log)N/N()I(Entropy

12


8/14


Treatment of Continuous Distributions

f(x)

Continuous Discrete


9/14


Change of Selection for Network Measures GRR (Good Rule Rate)

To select measures having high priority Threshold value is 0.5 as binary (G | B) RG (Good Rule)

affected positively generating of detection rules Reflected next learning

RB (Bad Rule) affected negatively generating of detection rules Excluded next learning

)R(R of # TheR of # The

GRRBG

G

01.0, where


10/14

IV. The Experiments (1/3) Experiment Dataset

The 1999 DARPA IDS Evaluation dataset (DARPA99) 191,077 TCP sessions in Week 4 dataset

After treats of continuous measures The detection rate increased 20% The false rate decreased 15%


11/14

The Experiments (2/3) The Result of GRR Calculation

Network measure selected from Ostermann’s TCPtrace (80 measures)

G(Good), B(Bad), I(Ignore), RST(Result;G|B|I), SLT(Select; O|X) Step#: The # of repeat experiment

Threshold value = 0.5


12/14

The Experiments (3/3) The ROC Evaluation

According to selection of priority measures Detection rate increased False rate decreased

Step0Step1Step2Step3

Step0Step1Step2Step3


13/14

V. Conclusions

Automatically generates detection rules using Tree Induction algorithm without support of experts

Solve the problems according to measure selection continuous type converting into categorical type selection of priority measures by calculating GRR detection rate was increased and false rate was decreased


14/14

Q & A

Contact UsE-mail: [email protected]

Thank You!

improvement of nid according to selection of continuous measures in tree induction algorithm

Documents