2014 IEEE International Conference on Advanced Communication Control and Computing Technologies (ICACCCT)
Increasing Performance of Intrusion Detection System Using Neural Network
Satendra Kumar, Anamika Yadav
Department of Electrical Engineering, National Institute of Technology, Raipur, India
Abstract- Rapid growth of the Internet, and in parallel of attacks, vulnerabilities and threats, has made intrusion detection systems an essential component of every part of the security infrastructure. Building an IDS is not a new task; classical signature based IDS are in use, but they are unable to handle novel attacks. In this paper an artificial neural network based intrusion detection system is proposed for the complete KDD cup 99 dataset. The performance of the proposed ANN based IDS is evaluated, and the results show high anomaly detection accuracy on the complete KDD cup 99 dataset as compared to existing techniques.
Keywords: Intrusion Detection System, ANN, KDD99 dataset.
I. INTRODUCTION
An Intrusion Detection System (IDS) is a defense mechanism whose goal is to detect when a system or network is being used inappropriately or without correct authorization. Nowadays many organizations allow their staff members and even outside contractors to connect to their systems remotely. Although this is beneficial for organizations because it increases productivity, it also renders the network susceptible to unauthorized entry by third parties. A firewall hides major parts of the system from unwanted attention, but hackers can still pass malicious traffic through ports that are commonly left open, such as SMTP and HTTP. Hence the need for a sophisticated IDS arises, as shown in Fig. 1. Webster's dictionary [1] defines intrusion as "the act of thrusting in, or of entering into a place or state without invitation, right, or welcome". So an intrusion is an event in a network which violates the basics of network security, i.e. confidentiality, integrity and availability. According to Bhuyan et al. [2], an intrusion detection system S using supervised learning can be thought of as a pair S = (M, D), where M represents the model of normal behavior and D is a proximity measure of the deviation of a given active record with respect to the model M. Therefore, IDS are software and/or hardware based systems that detect intrusions on a network or host. The main functions of an IDS are the detection, reporting, log generation and correlation of system and network security events.
ISBN No. 978-1-4799-3914-5/14/$31.00 ©2014 IEEE
[Fig. 1: block diagram showing Internet, Attacker, Firewall, Server and Security Check]
Fig.1. Deployment of Intrusion Detection System
IDS can be classified into two groups based on the method of detection.

A. Misuse or signature based system
This is rule-based detection. In this approach the system analyzes data from audit logs to create a rule or signature for the attack. Therefore it can detect only known attacks, with fewer false alarms.

B. Anomaly based system
It relies on "learning" the past behavior of users. Analysis of the audit logs determines each time what behavior is normal for users; any deviation generates an alert.

II. RELATED WORK
The research area of IDS is not new; it has been in purview since 1987. Many papers have been reported based on classification, statistical, clustering, soft computing and hybrid techniques. D. E. Denning et al. [3] first proposed a model for a real time IDS in 1987, capable of detecting penetrations, break-ins, and other forms of computer vulnerability by monitoring a system's audit records. Zhang et al. [4] proposed a statistical technique for IDS using ANN. Muda et al. [5] used K-means clustering along with a naive Bayes classifier on the KDD cup 99 dataset [6], in which randomly selected patterns are used for training and testing. Thaseen et al. [7] selected random patterns over which tree based classifiers are used. The authors of [3-7] have used either their own setup to extract data or subsets of different publicly available benchmark datasets for performance evaluation. Ibrahim et al. [8] applied a self organizing map on the KDD cup 99 dataset and the NSL-KDD dataset [9] for binary classification (Normal or Attack) and achieved 92.37% and 75.49% accuracy respectively. Guo et al. [10] presented a hybrid distance sum based support vector machine technique for IDS on KDD cup 99 and achieved 92.5% overall accuracy for detailed (5 class) classification.

III. DATASET DESCRIPTION
The KDD cup 99 dataset is one of the most widely used in the field of intrusion detection [11]. This dataset was prepared by Stolfo et al. and is built on the data captured in the DARPA'98 IDS evaluation program. The training set employed for this experiment is the '10% KDD cup 99 dataset' (kddcup.data_10_percent.gz) file. The testing set used for performance measurement is the 'KDD cup 99 corrected test dataset' (corrected.gz) file. The KDD cup 99 dataset broadly includes four types of attack, as shown in Tables I and II:
• Denial of Service (DoS) - unauthorized attempt to disrupt the normal functioning of a victim host or network.
• Remote to Local (R2L) - unauthorized obtaining of user privileges on a local host by a remote user without such privileges.
• User to Root (U2R) - unauthorized access to local super user or administrator privileges by a local unprivileged user.
• Surveillance or Probe - unauthorized probing of a machine or network to look for vulnerabilities, explore configurations, or map the network's topology.

TABLE I. DETAIL OF RECORDS IN '10% KDD CUP 99 TRAIN DATASET'
Record Type      Normal     DoS        Probe     R2L       U2R       Total
No. of Records   97278      391458     4107      1126      52        494021
Per. record      19.6911%   79.2391%   0.8313%   0.2279%   0.0105%   100%

TABLE II. DETAIL OF RECORDS IN 'KDD CUP 99 CORRECTED TEST DATASET'
Record Type      Normal     DoS        Probe     R2L       U2R       Total
No. of Records   60591      229853     4166      16189     228       311027
Per. record      19.4809%   73.9013%   1.3394%   5.2050%   0.0733%   100%
Table I shows two things:
• The number of records for R2L and U2R is very small in the training dataset.
• The proportion of R2L and U2R is very small with respect to the other classes.
This leads to improper classification of these two types of pattern. By selecting the patterns randomly from the training dataset the bias in training can be minimized. Both datasets are labeled as either normal or one of the attack classes. It is important to note that the training dataset has only 22 attack types, as listed in Table III, whereas the test dataset has 37 attacks, which makes the IDS evaluation more realistic, as shown in Table IV.

TABLE III. ATTACKS IN TRAINING DATASET
DoS      back, neptune, pod, land, smurf
Probe    satan, nmap, ipsweep, portsweep
R2L      spy, warezclient, warezmaster, phf, multihop, imap, guess_passwd, ftp_write
U2R      bufferoverflow, loadmodule, perl, rootkit

TABLE IV. ATTACKS IN TEST DATASET
DoS      apache2, back, land, mailbomb, neptune, pod, processtable, smurf, teardrop, udpstorm
Probe    ipsweep, mscan, nmap, portsweep, saint, satan
R2L      ftp_write, guess_passwd, httptunnel, imap, multihop, named, phf, sendmail, snmpgetattack, warezmaster, xlock, xsnoop
U2R      bufferoverflow, loadmodule, perl, ps, rootkit, snmpguess, sqlattack, worm, xterm

IV. PROPOSED METHOD
A typical intrusion detection system using an artificial neural network can be built by following the steps depicted in Fig. 2.

[Fig. 2: flow of steps: KDD 99 Dataset -> Dataset Selection -> Data preprocessing -> Selecting Neural Network architecture -> Training Neural Network -> Testing Neural Network -> Result Evaluation]
Fig.2. Steps for building a typical IDS using ANN.

A. KDD cup 99 Dataset
As discussed above, the KDD cup 99 dataset is used for training, testing and evaluation of the proposed neural network based IDS.

B. Data Selection
The KDD cup 99 repository provides a number of datasets for training and testing. From these, kddcup.data_10_percent.gz, a 10% subset of the complete dataset, is selected for training, and corrected.gz, a test dataset with corrected labels, is selected for testing the trained network.

C. Data Preprocessing
The dataset chosen has continuous as well as symbolic (categorical) attributes, so it must be processed before being given to the neural network. To convert symbolic values to numeric values, the possible values of a given attribute are counted and a numeric value is assigned on the basis of rank, i.e. 1 is given to the feature value with the greatest number of occurrences, 2 to the next less frequent value, and so on (ICMP=1; TCP=2; UDP=3). After the symbolic features have been converted to numeric ones, the next step is to normalize the feature values. Z-score normalization is used in the proposed scheme. It normalizes the values of an attribute A in such a way that the mean and standard deviation after normalization become zero and one respectively; hence it is also known as zero-mean normalization. A value x of A is normalized to x' as given in equation (1), in terms of the mean and the standard deviation of the given attribute A.

D. Selecting Neural Network architecture
A multi layer perceptron neural network which uses the "gradient descent with momentum backpropagation" algorithm for learning is proposed. This algorithm updates the weight and bias values according to gradient descent with momentum.

[Fig. 3: three-layer network with input, hidden and output layers]
Fig.3. Proposed Artificial Neural Network architecture

As shown in Fig. 3, the proposed neural network has three layers, input, hidden and output, with 41, 29 and 5 neurons respectively. The tangent sigmoid is used as the transfer function. As discussed, there are four types of attack, making five classes including normal; thus the output layer has five neurons, one for each class. When more hidden layers are introduced, the training algorithm takes more memory and time and the neural network becomes more complex, so only one hidden layer is used here.

E. Training Neural Network
There are 494021 different patterns in the training set, and moreover the patterns are not distributed equally among the classes, so training with this large dataset leads to slow as well as biased training. Hence a new training dataset is prepared with 25285 patterns, which includes 20000 randomly selected patterns of Normal and DoS and all the patterns from the remaining classes.

F. Neural Network Testing
The trained neural network is tested against the complete testing dataset of KDD cup 99, since a large test set gives a good assessment of the classifier's performance. For testing the neural network the target is coded in binary representation, one bit for each class, i.e. Normal=10000; DoS=01000; Probe=00100; R2L=00010; U2R=00001.
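As an added example (not code from the paper), the following Python applies the Section C preprocessing (frequency-rank encoding of symbolic attributes, then z-score normalization) and the Section F target coding to a few constructed KDD-99-style records; the alphabetical tie-break for equally frequent values is an assumption the paper does not specify.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample rows (protocol_type, service, src_bytes); not real KDD records.
SAMPLE = [
    ("tcp", "http", 215), ("tcp", "http", 162), ("udp", "domain_u", 105),
    ("tcp", "smtp", 1032), ("icmp", "ecr_i", 1480), ("tcp", "http", 239),
]
CLASSES = ["Normal", "DoS", "Probe", "R2L", "U2R"]  # output-bit order of Section F


def rank_encode(values):
    """Section C: count each symbolic value and assign 1 to the most frequent,
    2 to the next, and so on. On the 10% training set this gives ICMP=1, TCP=2,
    UDP=3. Ties are broken alphabetically (assumption; the paper does not say)."""
    counts = Counter(values)
    ordered = sorted(counts, key=lambda v: (-counts[v], v))
    return {v: rank for rank, v in enumerate(ordered, start=1)}


def zscore(values):
    """Equation (1): shift to zero mean and scale to unit standard deviation."""
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:  # constant attribute: scaling is undefined, so map to zeros
        return [0.0] * len(values)
    return [(x - mu) / sigma for x in values]


def encode_target(label):
    """Section F: one bit per class, Normal=10000 ... U2R=00001."""
    bits = [0] * len(CLASSES)
    bits[CLASSES.index(label)] = 1
    return bits


def preprocess(rows):
    """Return numeric feature vectors (three of the 41 KDD features here)."""
    proto_map = rank_encode([r[0] for r in rows])
    svc_map = rank_encode([r[1] for r in rows])
    bytes_z = zscore([r[2] for r in rows])
    return [[proto_map[r[0]], svc_map[r[1]], z] for r, z in zip(rows, bytes_z)]


if __name__ == "__main__":
    for row, vec in zip(SAMPLE, preprocess(SAMPLE)):
        print(row, "->", [round(v, 3) for v in vec])
    print("DoS target bits:", encode_target("DoS"))
```

The rank map must be built on the training set once and reused unchanged for the test set, otherwise the same protocol may receive different codes in training and testing.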
G. Result Evaluation Metrics
The output of the MLP neural network after testing is evaluated using various parameters. A general classification output falls into four classes, which can be understood from the confusion matrix given in Table V.

TABLE V. CONFUSION MATRIX
                      Target output
Predicted output      Positive    Negative
  Positive            TP          FP
  Negative            FN          TN

A good intrusion detection system (IDS) requires high accuracy and detection rate as well as a low false positive rate. These performance metrics can be calculated from the confusion matrix.

V. EXPERIMENTAL RESULTS
The proposed scheme uses the neural network toolbox of MATLAB and is simulated on a system having 2GB RAM and an Intel(R) Core(TM) i7 CPU @ 3.40GHz processor. The neural network reaches the goal of 6.63e-3 in 4000 epochs. The proposed neural network is tested on the complete testing dataset of KDD cup 99, comprising 311027 patterns, and the confusion matrix obtained is shown in Table VI. Further, the confusion matrix for each attack class is given in Tables VII-X. These results are also compared with the latest reported work by Guo et al. [10] in Table XI. The proposed technique is also compared with the technique reported by Ibrahim et al. [8] in terms of binary classification, i.e. normal or attack, in Table XII. It can be seen from Table XI that the proposed NN based IDS gives a higher detection rate for Probe, R2L and U2R types of attack as compared with Guo et al. [10]. From Table XII, the proposed NN based IDS gives a higher accuracy of 93% as compared with 92.37% by Ibrahim et al. [8]. The proposed technique is better than the latest reported techniques in terms of accuracy, detection rate and false positive rate.

Fig.4. Confusion matrix obtained by MATLAB simulation

From Fig. 4, for DoS the false positives (FP) can be calculated by adding the cells of the second row except the second cell, i.e. 733+71+0+0=804, and the true negatives (TN) by adding the diagonal elements except the second element, i.e. 58611+3789+1229+28=63657. Hence for DoS the false positive rate (FPR) equals 0.0125, and in the same way the FPR for the other classes can be calculated, as given in Table XI.

TABLE VI. CONFUSION MATRIX OF THE PROPOSED TECHNIQUE FOR FIVE CLASS CLASSIFICATION
(rows: predicted class; columns: actual class)
Class     Normal    DoS       Probe    R2L      U2R
Normal    58611     7300      304      14809    63
DoS       733       222161    71       0        0
Probe     349       189       3789     146      133
R2L       870       203       2        1229     4
U2R       28        0         0        5        28
Actual    60593     229853    4166     16189    228
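As an added example (not the paper's code), the following Python recomputes the per-class counts and rates of Tables VII to XI from the Table VI matrix above, returning the paper's TN (the other diagonal cells only) alongside the usual TN (every cell outside the class's row and column), since the two differ.

```python
CLASSES = ["Normal", "DoS", "Probe", "R2L", "U2R"]
# Table VI as printed: rows are predicted classes, columns are actual classes.
TABLE_VI = [
    [58611,   7300,  304, 14809,  63],
    [  733, 222161,   71,     0,   0],
    [  349,    189, 3789,   146, 133],
    [  870,    203,    2,  1229,   4],
    [   28,      0,    0,     5,  28],
]


def per_class(cm, k):
    """TP, FP, FN, TN for class k. FP = row k minus the diagonal cell, FN =
    column k minus the diagonal cell (as in Section V for DoS: 804 and 7692).
    Two TN values are returned: the paper's (other diagonal cells only) and
    the usual one (all cells outside row k and column k)."""
    n = len(cm)
    tp = cm[k][k]
    fp = sum(cm[k][j] for j in range(n) if j != k)
    fn = sum(cm[i][k] for i in range(n) if i != k)
    tn_paper = sum(cm[i][i] for i in range(n) if i != k)
    tn_usual = sum(cm[i][j] for i in range(n) for j in range(n) if i != k and j != k)
    return tp, fp, fn, tn_paper, tn_usual


def rates(cm, k, paper_tn=True):
    """Detection rate DT = TP/(TP+FN) in percent and FPR = FP/(FP+TN),
    rounded as in Table XI."""
    tp, fp, fn, tn_paper, tn_usual = per_class(cm, k)
    tn = tn_paper if paper_tn else tn_usual
    return round(100 * tp / (tp + fn), 2), round(fp / (fp + tn), 4)


def overall_accuracy(cm):
    """Diagonal sum over all records, in percent (Table XI, Overall ACC)."""
    total = sum(sum(row) for row in cm)
    return round(100 * sum(cm[i][i] for i in range(len(cm))) / total, 1)


def actual_totals(cm):
    """Column sums; the Normal column sums to 60591 (Table II), not 60593."""
    return [sum(row[j] for row in cm) for j in range(len(cm))]


if __name__ == "__main__":
    for k, name in enumerate(CLASSES):
        print(name, per_class(TABLE_VI, k), rates(TABLE_VI, k), rates(TABLE_VI, k, False))
    print("overall accuracy:", overall_accuracy(TABLE_VI), "actual:", actual_totals(TABLE_VI))
```

For U2R the Table VI counts give a detection rate of 28/228 = 12.28%, whereas Table XI lists 10.85; the paper's TN choice also makes every FPR smaller than the usual definition would.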
TABLE VII. CONFUSION MATRIX FOR DoS
                      Target output
Predicted output      Positive    Negative
  Positive            222161      804
  Negative            7692        63657

TABLE VIII. CONFUSION MATRIX FOR PROBE
                      Target output
Predicted output      Positive    Negative
  Positive            3789        817
  Negative            377         282029

TABLE IX. CONFUSION MATRIX FOR R2L
                      Target output
Predicted output      Positive    Negative
  Positive            1229        1079
  Negative            14960       284589

TABLE X. CONFUSION MATRIX FOR U2R
                      Target output
Predicted output      Positive    Negative
  Positive            28          33
  Negative            200         285790

TABLE XI. ATTACK CLASS COMPARISON OF THE PROPOSED TECHNIQUE WITH EARLIER REPORTED TECHNIQUE
Attack Type     Proposed              Guo et al [10]
                DT        FPR         DT       FPR
DoS             96.65     0.0125      97.2     0.3
Probe           90.95     0.0029      87.5     0.8
R2L             7.59      0.0038      6.3      0.2
U2R             10.85     0.0001      3.1      0
Overall ACC     91.9                  92.5
The best results of the proposed technique are in bold face.

TABLE XII. BINARY CLASS COMPARISON OF THE PROPOSED TECHNIQUE WITH EARLIER REPORTED TECHNIQUE
                      Target output
Predicted output      Attack      Normal
  Positive            230268      1647
  Negative            20168       58944
Accuracy of Proposed Tech.: 93      Accuracy of Ibrahim et al [8]: 92.37
The best results of the proposed technique are in bold face.

VI. CONCLUSION
In this paper an artificial neural network based intrusion detection system is proposed which uses the gradient descent with momentum backpropagation algorithm for learning. Although random patterns are selected for training, the proposed neural network is tested against the complete "testing" data of the KDD cup 99 dataset. The output is evaluated in terms of accuracy, detection rate and false positive rate and compared with the latest reported works. The results show that the accuracy of the proposed NN based IDS for binary classification (attack or normal) is high and that the detection rates for Probe, R2L and U2R attacks are high as compared with other techniques.

REFERENCES
[1] Webster's Dictionary: www.webster-dictionary.org
[2] M. Bhuyan, D. Bhattacharyya, and J. Kalita, "Network Anomaly Detection: Methods, Systems and Tools," IEEE Communications Surveys & Tutorials, vol. 16, no. 1, 2014, pp. 1-34.
[3] D. E. Denning, "An Intrusion-Detection Model," IEEE Transactions on Software Engineering, no. 2, 1987, pp. 222-232.
[4] Z. Zhang, J. Li, C. N. Manikopoulos, J. Jorgenson, and J. Ucles, "HIDE: A Hierarchical Network Intrusion Detection System Using Statistical Preprocessing and Neural Network Classification," in Proc. IEEE Workshop on Information Assurance and Security, June 2001, pp. 85-90.
[5] Z. Muda, W. Yassin, M. N. Sulaiman, and N. I. Udzir, "Intrusion Detection Based on K-Means Clustering and Naïve Bayes Classification," in 7th IEEE International Conference on Information Technology in Asia (CITA 11), July 2011, pp. 1-6.
[6] https://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
[7] S. Thaseen and C. Kumar, "An Analysis of Supervised Tree Based Classifiers for Intrusion Detection System," in IEEE International Conference on Pattern Recognition, Informatics and Medical Engineering (PRIME), February 2013, pp. 294-299.
[8] L. M. Ibrahim, D. T. Basheer, and M. S. Mahmod, "A comparison study for intrusion database (KDD99, NSL-KDD) based on self organization map (SOM) artificial neural network," Journal of Engineering Science and Technology, vol. 8, no. 1, 2013, pp. 107-119.
[9] http://nsl.cs.unb.ca/NSL-KDD/
[10] C. Guo, Y. Zhou, Y. Ping, Z. Zhang, G. Liu, and Y. Yang, "A Distance Sum-Based Hybrid Method for Intrusion Detection," Applied Intelligence, vol. 40, no. 1, 2014, pp. 178-188.
[11] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, "A Detailed Analysis of the KDD CUP 99 Data Set," in Proceedings of the Second IEEE Symposium on Computational Intelligence for Security and Defense Applications, 2009.