Hierarchical Adaptive FCM To Detect Attacks Using Layered Approach

Transcription

1 Hierarchical Adaptive FCM To Detect Attacks Using Layered Approach J.Jensi Edith 1, Dr. A.Chandrasekar 1.Research Scholar,Sathyabama University, Chennai.. Prof, CSE DEPT, St.Joseph s College of Engg., Chennai. ensi.edith198@gmail.com Abstract: In this modern world, computer has been used as a tool for crime. Because of this kind of hacking,companies are getting loss.by using intrusion detection system(ids), the attacks can be detected and that can be corrected. We also check the effectiveness and ineffectiveness in finding the anomalies by considering the network data.intrusion detection system (IDS) provides a layer that monitors the network traffic for predefined suspicious patterns and inform about the misactivity. In this paper, we address the clustering methods and the method for detecting attacks. Experiments performed on the KDD CUP 1999 Dataset. We address for 5 categories of attacks like back attacks,neptune attacks,smurf attacks,warezclient attacks and ipsweep attacks. Fuzzy C-Means clustering is used to train the network data. Hierarchical FCM is used for further classification. Keywords: Intrusion Detection System(IDS), Fuzzy C- Means (FCM),DMZ(Demilitarized zone) 1. INTRODUCTION Several types of IDS exists:one type of intrusion detection system is Misuse Detection or signature based system. Signature based system are trained by extracting specific patterns or signatures from previously known attacks.it has high detection rates for well known attacks but fails to detect for unknown attacks. It monitors packets in the network and compared with preconfigured and predetermined attack patterns called signatures. Another type of Intrusion detection is Anomaly detection.it is based on models for normal behaviors.any deviation from the constructed models of normal behavior is considered as anomaly(abnormal). Another approach for IDS is Hybrid system which considers both normal(signature based) and known anomalous patterns for training the data. It performs classification on test data. Another method for IDS is Network IDS(NIDS) is an independent platform.it identifies intrusions by examining network traffic and monitors multiple hosts.it can gain access to network traffic by connecting to a network hub,network switch configured for port mirroring or network tap. In NIDS, sensors are located at choke points in the network to be monitored often in Demilitarized zone(dmz).sensors captures all network traffic and analyzes the content of individual packets for malicious traffic(example. SNORT).It defends the machine against attack,as detection occurs before the data arrive at the machine.it also detect intrusions using the IP package information collected by the network hardware such as switches and routers. Another approach for IDS is host based detections.it consists of an agent on a host that identifies intrusion by analyzing system calls,application logs,file system modifications(binaries,pwd files,capability databases,access control lists etc and other host activities. Sensors consists of software agents. Decision tree method [3] select the best features for each decision node during the construction of the tree based on well defined criteria.one criterion is information gain ratio.this is used in C4.5. This method has very high speed of operation and high attack detection accuracy. In Naïve Bayes Classifier mehod, independence between different features in an observation is maintained.lower attack detection accuracy when the features are related.it increases system efficiency but affects accuracy.bayesian Network tend to be attack specific. It builds a decision network based on special characteristics of individual attacks. Here size this network increases as the number of features and the type of attacks modeled by this network increases.. THE DIFFERENT TYPE OF ATTACKS THAT CAN OCCUR IN AN IDS SYSTEM.1 Smurf attacks Smurf attack is denial of service(dos) attack. This type of attack makes the attacker to make some computing device too busy or memory resource too full to handle legitimate requests or denies legitimate users access to a system. Smurf floods a system through spoofed broadcast ping messages. Smurf creates more network traffic. The attacker uses a program called Smurf. This makes the attacked part of the network as non operating.

2 . ipsweep attacks It is a probe attack. An address sweep occurs when one source IP address sends a defined number of ICMP packets to different hosts within a defined interval (5000 microseconds is the default). The purpose of this attack is to send ICMP packets- typically echo requests to various hosts in the hopes, thus uncovering an address to target..3 Back attacks The Back attack is a type of Dos attack. The Back attack was implemented as a C shell script that used the Netcat tool to generate network traffic. This kind of attack is based on the front slashes in the URL.URL with more number of front slashes will be considered as an attack. The Back attack causes instances of the httpd process on the victim to consume excessive CPU time. The CPU slows down all the system's activities, including responses to network requests because of this consumption. The system will be recovered automatically when the attack stops..4 Neptune attacks It is a kind of DOS attack to which every TCP/IP implementation is vulnerable (to some degree). For distinguishing a Neptune attack network traffic is monitored for a number of simultaneous SYN packets destined for a particular machine. The host sending these packets is usually unreachable[4].5 warezclient attacks It is an RL attack. It is a Remote to Local attack. This means attacking the local system from the remote machine. Warezmaster exploit a system bug associated with a file transfer protocol (FTP) server. Normally, guest users are never allowed write permissions on an FTP server. Hence they can never upload files on the server. Most public domain FTP servers have guest accounts for downloading data. Anyone can login to an FTP server using guest accounts. This attack takes place when an FTP server has, by mistake, given write permissions to users on the system. Hence any user can login and upload files. During the execution of the attack, the attacker logs on the server using the guest account. The attacker then creates a hidden directory and uploads warez (copies of illegal software) onto the server. Other users can then later download these files. One simple and obvious way to prevent this attack is to assign correct permissions to the users on the FTP server. The most popular clustering algorithms to separate the input data in the Euclidian space is the K-Means clustering, which is a non-hierarchical technique that follows a simple and easy way to classify a given dataset through a certain number of clusters (Assume for parameter k) that are known a priori. This algorithm is built using an iterative method. Here the data elements are exchanged between clusters in order to satisfy the criteria of minimizing the variation within each cluster and maximizing the variation between clusters. If no data elements are exchanged between clusters, the process will be halted. The four steps of this algorithm are explained below: Steps of the K-Means clustering algorithm: 1. Initialization define the number of clusters and randomly select the position of the centers for each cluster or directly generate k seed points as cluster centers.. Assign each data point to the nearest cluster center. 3. Calculate the new cluster centers for clusters receiving new data points and for clusters losing data points. 4. Repeat the steps and 3 until a convergence criterion is met (when there is no exchange of data points between the k clusters). The aim of the K-Means is the minimization of an obective function: J k n ( ) xi c 1 i1 ( ) xi c is the distance measure (usually Euclidian ( ) metric) between a data point x i and the cluster center c (this is an indicator of the distance of the n data points from the cluster centers). The advantages are its simplicity and low computational cost, which allows it to run efficiently on large datasets. The main drawback is, it won t produce the same result the algorithm runs each time and the resulting clusters depend on the initial assignments. 3.. Fuzzy C-Means Clustering One of the other clustering method is Fuzzy C- Means that was first developed by Dunn in 1973[6]. Fuzzy C-means(FCM) clustering is used to cluster the training dataset. FCM clustering is the widely used approach of fuzzy clustering techniques to unsupervised classification. (1) 3. CLUSTERING METHODS 3.1. K-Means Clustering The fuzzy set theory allows an element of the data to belong to a cluster with a degree of membership that has a value in the interval [0,1]. For K-Means clustering the

3 degree of membership for a pattern in a particular cluster is 1 if the pattern belongs to the cluster or 0 if it doesn t. In fuzzy set theory, a pattern can belong to or more clusters simultaneously where the membership grades determine the degree to which the pattern belongs to these clusters. Like KMeans, Fuzzy C-Means tends to minimize the following obective function: J C n m ( ) ( ui ) xi c 1 i1 where u i are the membership values that form the membership matrix U (represents the degree of membership to the C clusters and it has a value in the range of [0 1] for each feature vector x i to the fuzzy cluster c. The parameter m is the called the fuzzifier factor and determines the level of cluster fuzziness. A large value for m results in smaller membership u i and hence fuzzier clusters. () Steps of the Fuzzy C-Means Clustering Algorithm: 1. Consider a set of n data points (vectors) to be clustered.. Assume the number of clusters C is known: C є [,n]. 3. Choose an appropriate level of cluster fuzziness m є R, m > Initialize the (n x c) size membership matrix U to random values such that: C u i ε [0 1] and u 1 (3) 1 5. Calculate the cluster centers c using n i m ( ui ) xi i1 c n, for =1 C (4) m ( u ) i1 i ( ) 6. Calculate the distance measures d x c for all clusters = 1 C and data points i = 1 n. 7. Update the fuzzy membership matrix U according to d i. C 1 If d i > 0 then d m i u i. k 1 dik If d i = 0 then the data point x coincides with the cluster center c and so full membership can be set u i =1. 8. Loop from step 5 until the change in U is less than a given tolerance. i 1 i namely the initial selection of the cluster centers and the initial choice of weights ui. The advantage consists in the idea that fuzzy clustering allows overlapping clusters with partial membership of individual clusters and we can control the level of cluster fuzziness. Because there is no total commitment of a given point to a given cluster, fuzzy clustering algorithms require more memory and are computationally expensive when applied to large datasets. 4. LAYERED APPROACH FOR INTRUSION DETECTION The LIDS[1] is based on the Airport Security model, where a number of security checks are performed one after the other in a sequence. Similar to this model, the LIDS represents a sequential Layered Approach ie. it is based on one by one model and is based on ensuring security for the network data. Figure 1 gives the representation of this approach. The aim of this approach is to reduce computing time to detect attacks in a network. Each and every layer in the Layered architecture will be trained separately and then implemented sequentially. We define five layers that correspond to the five attack groups mentioned in the data set. They are for detecting the five types of attacks as discussed. But we implement the Layered Approach to improve overall system performance. Five layers are as follows: Ipsweep attacks Neptune attacks Smurf attacks Warezclient attacks Back attacks INPUT The obective of the Fuzzy C-Means algorithm is the minimization of the intra-cluster variability. Fuzzy C- Means shares the same problems as K-Means algorithm, ipsweep attack Normal No Blocked

4 Figure 1 Representation of the layered system 5. Hierarchical FCM The main advantage of the hierarchical procedures[5] is that the clustering is not influenced by the starting conditions and the number of clusters doesn t need to be mentioned a priori. The main disadvantage of hierarchical clustering procedures is that they partition the data statistically and no information about the global shape Database or size of clusters is used in the clustering process. Also, this type of clustering has a static character because the points that are committed to one cluster in the early stages cannot move to another cluster since the sequence of partitions is nested. In hierarchical clustering data are not gets clustered at ones instead stepwise procedures is followed for clustering the datasets K-Mean clustering involves 4 steps: Input: 1. Training and test datasets. Number of clusters k Output: Datapoints in form of k clusters Initialization: First all define the number of clusters, and randomly initial centroid of the clusters Assignment: Assign the data point to their corresponding cluster based upon the least distance between the datapoint and cluster centroid Recalculation: After assignment of all datapoint to their corresponding cluster recalculate the clusters centroid. Repeat step which is an assignment of the datapoint to the clusters.untill there is no further variation of the cluster centroids. Finally: Assign the datapoint to their corresponding cluster. We have created the model on training datasets and then apply this model on test datasets. For cluster to class mapping we have used cluster as a new attribute in the current datasets. Steps in Hierarchical FCM: 1. Separate the entire content using FCM. Arrange it in hierarchical manner 3. Compare one child with other child and parent groups 4. If any of the child have combined property better than their groups of any other parent, then combine with that parent. This is called multiproperty checking. 5. Then check for normal or an attack INPUT FCM Hierarchical NO Multiproperty

5 Test Data Used No. of clusters Time taken for training in sec Total time taken in sec Average error rate [%] 10 Hierarchi cal FCM clustering Fuzzy C-means clustering method does not capture if we give more attacks. But in Hierarchical method, it detects more attacks. References Figure Architecture of Hierarchical FCM The following are the results obtained from the comparison of Fuzzy C-Means clustering and Hierarchical Fuzzy C-means clustering: Table 1: Fuzzy C-Means Clustering Results Table : Hierarchical Fuzzy C-Means Clustering Results Test Data 10 Used FCM clustering No. of clusters Time taken for training in sec Total time taken in sec Average error rate [%] [1] Kapil Kumar Gupta, Baikunth Nath, Ramamohanaro Kotagiri, Layered approach using conditional random fields for intrusion detection, IEEE transactions on Dependable and Secure Computing, vol 1, no. 1, pp , Mar 010. [] Dat Tran,Wanli Ma, Dharmendra Sharma, Thien Nguyen, Fuzzy vector quantization for network intrusion detection in Proc. International Conference on Granular Computing, pp , 007 [3]Panda.M, A Comparative study of data mining algorithms for intrusion detection, in Proc. int. conf. IEEE Emerging Trends in Engineering and Tech., pp ,July 008. [4] Kristopher Kendall, A database of computer attacks for the evaluation of intrusion detection systems, Masters Thesis, MIT, [5] Fenye,Ing-Rayn, MoonJeong,andJin-Hee, Hierarchical trust management for wireless sensor networks and its applications to trust-based routing and intrusion detection, IEEE Transactions on Network and Service Management, vol. 9, no., pp ,June CONCLUSION We have studied the feature selection for detecting anomaly attacks. For detection of attacks, we have used hierarchical fuzzy C-means anomaly detection method and KDD CUP 1999 data set. We trained with 5 types of attack models with 37 labels of dataset. We observed that the time for hierarchical fuzzy C-means anomaly detection method is saved when compared to Fuzzy C-means clustering method.