An Adaptive Intrusion Detection Algorithm Based on Clustering and Kernel-Method ART
Algorithm special lecture material (Application 01)
DB and Data Mining Lab, http://idb.korea.ac.kr
May 1, 2009
Introduction
- Background of Research
  - In traditional signature-based IDSs, the rule base has to be revised manually whenever a new type of attack is discovered.
  - To solve this manual revision problem, several machine learning algorithms have been applied to IDS.
  - Most of these machine learning approaches are based on supervised learning.
Introduction
- Problems of Intrusion Detection Models Based on Supervised Learning
  - A large volume of training data must be collected and classified manually;
  - The performance of the IDS depends on the quality of the training data;
  - A training phase over such a huge data set is computationally expensive and cannot be performed incrementally;
  - It is difficult to detect new intrusions that were not included in the training data.
Introduction
- Recently, clustering algorithms based on unsupervised learning have been proposed for IDS.
- However, the number of new intrusion types is increasing rapidly and the volume of information is very large.
- Thus, the general-purpose clustering algorithms used in artificial intelligence need to be modified to satisfy the following IDS requirements:
  1) Each event record should be processed as soon as it is received, and clusters should be generated adaptively without fixing the number of clusters in advance;
  2) Clustering the huge volume of event data needs to complete in a short time;
  3) The clustering result needs to be insensitive to the order of the input data, since the sequence of event data is arbitrary in general.
Introduction
- Kernel-ART = ART + Concept Vector + Mercer Kernel
  - ART: an on-line, incremental clustering algorithm;
  - Concept Vector: classifies high-dimensional sparse patterns efficiently;
  - Mercer Kernel: improves the separability.
Data Representation and Similarity Measure
- Representation of Input Data
  - We assume that an input pattern consists of k numeric attributes and m symbolic attributes.
  - To avoid bias toward some features over others.
Data Representation and Similarity Measure
- Similarity Measure
  - Similarity between objects of mixed variable types.
  where
Adaptive Intrusion Detection Algorithm
- Kernel-ART
  - Combines the on-line, incremental clustering algorithm ART with the Concept Vector and the Mercer Kernel.
  - By employing the Concept Vector, we need not consider a learning-rate parameter when updating the weight vectors, which also improves execution speed.
  - We improve the separability by mapping the input pattern into a feature space with the Mercer Kernel.
Adaptive Intrusion Detection Algorithm
- Initialization:
- Activation Function:
Adaptive Intrusion Detection Algorithm
- Matching Function:
  If the activation function AF( ) and the matching function MF( ) are chosen as
  then the mismatch reset condition and the template matching process of the original ART can be eliminated for the resonance domain.
- Resonance Condition:
Adaptive Intrusion Detection Algorithm
- Update Weight Vector:
Adaptive Intrusion Detection Algorithm
- Outline of the Kernel-ART Algorithm:
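As an added illustration of the Kernel-ART outline above (example code written for these notes, not the authors' implementation, whose exact formulas are not reproduced on the slides), the following Python sketch processes mixed numeric/symbolic events one at a time: an RBF kernel on the normalised numeric attributes and majority-value agreement on the symbolic attributes are combined with weight λ, the winning cluster resonates only if its similarity reaches the vigilance ρ, and the concept vector is kept as an incremental mean so no learning rate is needed. The kernel form, the symbolic agreement rule and the incremental-mean update are assumptions; the values ρ = 0.93, λ = 0.5 and c = 1 are the ones reported on the experiments slide.

```python
import math

# Parameter values from the experiments slide; the formulas below are an assumption, not the paper's.
RHO, LAMBDA, C = 0.93, 0.5, 1.0   # vigilance, similarity weight, RBF kernel width

class KernelART:
    """Simplified Kernel-ART style online clustering; numeric attributes assumed normalised to [0, 1]."""
    def __init__(self, rho=RHO, lam=LAMBDA, c=C):
        self.rho, self.lam, self.c = rho, lam, c
        self.clusters = []  # each: {"w": numeric concept vector, "sym": per-attribute value counts, "n": size}

    def rbf(self, x, w):
        """Mercer (RBF) kernel between a numeric pattern and a cluster concept vector."""
        return math.exp(-sum((a - b) ** 2 for a, b in zip(x, w)) / (2 * self.c ** 2))

    def similarity(self, num, sym, cl):
        """Mixed-type similarity: lam * kernel on numerics + (1 - lam) * symbolic agreement."""
        majority = [max(counts, key=counts.get) for counts in cl["sym"]]
        agree = sum(1 for v, m in zip(sym, majority) if v == m) / len(sym)
        return self.lam * self.rbf(num, cl["w"]) + (1 - self.lam) * agree

    def present(self, num, sym):
        """Process one event online; returns (cluster index, created_new_cluster)."""
        scored = [(self.similarity(num, sym, cl), j) for j, cl in enumerate(self.clusters)]
        if scored:
            best_sim, j = max(scored)
            if best_sim >= self.rho:  # resonance: absorb the event into the winning cluster
                cl, n = self.clusters[j], self.clusters[j]["n"]
                cl["w"] = [(n * a + b) / (n + 1) for a, b in zip(cl["w"], num)]  # incremental mean, no learning rate
                for counts, v in zip(cl["sym"], sym):
                    counts[v] = counts.get(v, 0) + 1
                cl["n"] = n + 1
                return j, False
        # nothing resonates: open a new cluster, so the number of clusters is never fixed in advance
        self.clusters.append({"w": list(num), "sym": [{v: 1} for v in sym], "n": 1})
        return len(self.clusters) - 1, True

def demo():
    """Constructed, already-normalised connection records: (numeric attrs, symbolic attrs)."""
    normal = [([0.10, 0.12], ("tcp", "http", "SF")), ([0.11, 0.10], ("tcp", "http", "SF")),
              ([0.09, 0.13], ("tcp", "http", "SF"))]
    odd = ([0.95, 0.90], ("icmp", "ecr_i", "SF"))  # far from the normal traffic in both attribute types
    art = KernelART()
    for num, sym in normal:
        art.present(num, sym)
    _, is_new = art.present(*odd)
    return len(art.clusters), is_new  # (2, True): the odd record opened its own cluster
```

A record that opens a small new cluster away from the established ones is the signal an analyst would review, which is how this kind of clustering supports detection without a hand-maintained rule base.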
Experimental Results
- Data Set
  - The "corrected" labeled data set from the KDD CUP 99 data
  - The KDD CUP 99 data is a well-known benchmark data set.
Experimental Results
- Parameter Setting of Kernel-ART
  - ρ is the vigilance parameter, which affects the support of the clusters.
  - λ ∈ [0, 1] and c denote the weight of the similarity measure function and the RBF kernel-width parameter of Kernel-ART, respectively.
  - We set ρ to 0.93, λ to 0.5 and c to 1.
Experimental Results
- Comparisons with Other Intrusion Detection Methods
  - Most published results show considerably inferior performance only in classification capability for R2L and U2R. Our method provides superior performance in separating these two patterns.
Experimental Results
- Clustering Results for Each Subsidiary Type of Attack
Experimental Results
- Comparison with Other Clustering Algorithms
Thank you! Thank you for your attention!!!