Biomedical Engineering Reference
In-Depth Information
$$\mathrm{Match}_r(d) = \frac{1}{p+q}\left(\sum_{i \in A_p} \mathrm{MatchDegree}(q_i, a_i) + t\right) \qquad (2)$$
where
$i$: index of a continuous attribute in rule $r$;
$A_p$: set of suffixes of continuous attributes in rule $r$;
$p$: number of continuous attributes in rule $r$;
$q$: number of discrete attributes in rule $r$;
$t$: number of discrete attributes in new unlabeled connection $d$ satisfying rule $r$.
$\mathrm{Match}_r(d)$ ranges from 0 to 1. If $\mathrm{Match}_r(d)$ equals 1.0, rule $r$ matches connection
data $d$ completely. If $\mathrm{Match}_r(d)$ equals 0, rule $r$ does not match connection $d$ at
all. The average matching between connection data $d$ and all the rules in a
certain rule pool is then defined as:
$$\mathrm{MATCH}_r(d) = \frac{1}{|R_p|}\sum_{r \in R_p} \mathrm{Match}_r(d) \qquad (3)$$
where $R_p$ is the set of suffixes of the important class association rules extracted in a
certain rule pool.
A. Classifier for misuse detection
The average matching between connection data $d$ and all the rules in the normal
rule pool, $\mathrm{MATCH}_n(d)$, and the average matching between connection data $d$
and all the rules in the intrusion rule pool, $\mathrm{MATCH}_i(d)$, are calculated and
compared.
If $\mathrm{MATCH}_n(d) \ge \mathrm{MATCH}_i(d)$, connection data $d$ is labeled as normal. On the
other hand, if $\mathrm{MATCH}_n(d) < \mathrm{MATCH}_i(d)$, connection data $d$ is labeled as intrusion.
In summary, new connection data is labeled according to its matching with the
normal and intrusion rule pools. A larger matching suggests a higher possibility of
belonging to that class.
B. Classifier for anomaly detection
After computing the matching between each connection data and the rules in the normal
rule pool, we obtain the distribution of the matching, with mean value $\mu$ and
standard deviation $\sigma$. The figure shows an example of the distribution.
In the testing period, when new unlabeled connection data arrives,
the matching between the data and the rules in the normal rule pool is calculated.
If $\mathrm{MATCH}_n(d) < (\mu - k\sigma)$, the connection is labeled as intrusion. On the other hand,
if $\mathrm{MATCH}_n(d) \ge (\mu - k\sigma)$, the label is normal. By adjusting the parameter $k$, we can
balance the PFR (Positive False Rate) and NFR (Negative False Rate).
In all, by using the improved Fuzzy GNP-based class association rule mining,
we can find a large number of rules related to normal behavior so as to explore the
space of the normal connections, and any significant deviation from the normal
space is viewed as an intrusion.
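
Both classifiers above, written out as an added example (not code from the book). The membership functions low and high, the rule encoding, and the rule pools and connection records are constructed assumptions; MatchDegree(q_i, a_i) is not defined on this page, so the membership functions stand in for it.

```python
from statistics import mean, pstdev

# Hypothetical membership functions on attributes normalised to [0, 1]; they
# stand in for MatchDegree(q_i, a_i), which this page does not define.
def low(x):
    return max(0.0, 1.0 - x)

def high(x):
    return min(1.0, max(0.0, x))

def match(rule, d):
    """Eq. (2): (sum of MatchDegree over continuous attributes + t) / (p + q)."""
    cont, disc = rule["cont"], rule["disc"]
    degree = sum(fn(d[a]) for a, fn in cont.items())
    t = sum(1 for a, v in disc.items() if d.get(a) == v)
    return (degree + t) / (len(cont) + len(disc))

def avg_match(pool, d):
    """Eq. (3): average of Match_r(d) over all rules r in the pool."""
    return sum(match(r, d) for r in pool) / len(pool)

def classify_misuse(normal_pool, intrusion_pool, d):
    # Label by whichever pool matches better; ties go to normal (>=).
    n, i = avg_match(normal_pool, d), avg_match(intrusion_pool, d)
    return "normal" if n >= i else "intrusion"

def fit_normal(normal_pool, training):
    # Mean and (population) standard deviation of MATCH_n over normal traffic.
    scores = [avg_match(normal_pool, d) for d in training]
    return mean(scores), pstdev(scores)

def classify_anomaly(normal_pool, d, mu, sigma, k):
    return "intrusion" if avg_match(normal_pool, d) < mu - k * sigma else "normal"

# Constructed rule pools and connection records (not from the page).
NORMAL = [{"cont": {"duration": low, "count": low}, "disc": {"protocol": "tcp"}},
          {"cont": {"count": low}, "disc": {"flag": "SF", "service": "http"}}]
INTRUSION = [{"cont": {"count": high}, "disc": {"flag": "S0"}},
             {"cont": {"count": high, "duration": low}, "disc": {"flag": "S0"}}]
def conn(duration, count, flag):
    return {"duration": duration, "count": count, "protocol": "tcp",
            "flag": flag, "service": "http"}
TRAIN = [conn(0.2, 0.1, "SF"), conn(0.3, 0.2, "SF"), conn(0.1, 0.0, "SF")]
BENIGN, SCAN = conn(0.2, 0.1, "SF"), conn(0.0, 0.9, "S0")

if __name__ == "__main__":
    mu, sigma = fit_normal(NORMAL, TRAIN)
    for name, d in (("benign", BENIGN), ("scan", SCAN)):
        print(name, classify_misuse(NORMAL, INTRUSION, d),
              classify_anomaly(NORMAL, d, mu, sigma, k=2))
```

With these constructed records, lowering k from 2 to 0.5 raises the threshold enough that the second training connection is flagged as intrusion, which is the PFR/NFR trade-off that k controls.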