Anomaly Detection Using GAs
Umer Khan
28-sept-2005
Limitations
• GAs provide optimization rather than classification.
• Tend to be rule based.
• Usually applied to misuse detection rather than anomaly detection.
• Learn according to a scenario, i.e. the result is specific to that scenario.
• But integration with fuzzy logic combined with data mining may work well.
Fuzzy Logic
• Appropriate for intrusion detection for two reasons.
• First, quantitative features (fuzzy variables) are involved in intrusion detection.
• Examples: measurements of CPU usage time, connection detection, number of different TCP/UDP connections initiated by the same source host.
Fuzzy Logic
• Second motivation: “security includes fuzziness”.
• Helps to smooth the abrupt separation between normality and abnormality.
• Allows representation of overlapping categories.
• Standard set theory vs. fuzzy set theory.
Anomaly Detection via Fuzzy Data Mining
• Data mining is used to automatically learn patterns from large quantities of data.
• Example rule: if the number of different destination addresses during the last 2 seconds was High, then an unusual situation exists.
• What number falls in the set High?
• The degree of membership in the fuzzy set High determines whether or not the rule is activated.
Typical Way (diagram only)

Fuzzy Logic (diagram only)
Data Mining
• Two methods: “association rules” and “frequency episodes”.
• Mine audit data to find normal patterns for anomaly intrusion detection.
Association Rules
• If a customer who buys a soft drink (A) usually also buys potato chips (B), then potato chips are associated with soft drinks by the rule A → B.
• A fuzzy association rule can look like:
{ SN=LOW, FN=LOW } → { RN=LOW }
• We mine a set of rules from a dataset with no intrusions and designate it as normal behavior.
Association Rules
• Considering a new set of audit data, a new set of association rules is mined and its similarity with the reference set is analyzed.
• If the similarity is low, the new data will cause an alarm.
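The fuzzy rule of slide 5 (membership in High decides how strongly the rule fires) and the reference-set comparison of slides 9 and 10 (mine rules from intrusion-free data, mine again from new data, alarm on low similarity), worked in Python as an added example; this is not code from the slides or from the work they summarize. Assumptions of mine: ramp/triangle membership functions with breakpoints at 20 %, 50 % and 80 % of a "clearly high" count of 20, SN/FN/RN read as SYN/FIN/RST packet counts per 2-second window, min-based fuzzy support, single-consequent rules, Jaccard similarity between rule sets, and an alarm when similarity drops below 0.5; all sample windows are constructed.

```python
from itertools import combinations

def ramp_up(x, a, b):
    """Membership 0 at or below a, 1 at or above b, linear in between."""
    return 0.0 if x <= a else 1.0 if x >= b else (x - a) / (b - a)

def triangle(x, a, b, c):
    """Membership 0 outside (a, c), 1 at b, linear on both flanks."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

def fuzzify(x, scale):
    """Degrees of membership of count x in LOW / MEDIUM / HIGH. `scale` is the
    count taken as 'clearly high'; the breakpoints at 20 %, 50 % and 80 % of it
    are my assumption, chosen so that the three degrees always sum to 1."""
    lo, mid, hi = 0.2 * scale, 0.5 * scale, 0.8 * scale
    return {"LOW": 1.0 - ramp_up(x, lo, mid),
            "MEDIUM": triangle(x, lo, mid, hi),
            "HIGH": ramp_up(x, mid, hi)}

def unusual_degree(distinct_destinations, scale=20):
    """Slide 5's rule: the rule fires to the degree that the count is a member
    of HIGH; there is no crisp threshold that decides 'high' or 'not high'."""
    return fuzzify(distinct_destinations, scale)["HIGH"]

def fuzzify_records(records, scale):
    """{feature: count} records -> {(feature, label): degree} records (non-zero only)."""
    out = []
    for rec in records:
        items = {}
        for feat, x in rec.items():
            for label, deg in fuzzify(x, scale).items():
                if deg > 0.0:
                    items[(feat, label)] = deg
        out.append(items)
    return out

def support(itemset, fuzzy_records):
    """Fuzzy support: mean over records of the smallest membership among the
    itemset's items (min as t-norm, a common choice and my assumption)."""
    return sum(min(items.get(it, 0.0) for it in itemset)
               for items in fuzzy_records) / len(fuzzy_records)

def mine_rules(records, scale=20, min_sup=0.5, min_conf=0.8, max_size=3):
    """Rules ante -> {cons} with one consequent item, a frequent full itemset
    (support >= min_sup) and confidence >= min_conf; thresholds are mine."""
    fr = fuzzify_records(records, scale)
    universe = sorted({it for items in fr for it in items})
    rules = {}
    for size in range(2, max_size + 1):
        for itemset in combinations(universe, size):
            if len({feat for feat, _ in itemset}) < size:
                continue  # skip itemsets carrying two labels of one feature
            sup = support(itemset, fr)
            if sup < min_sup:
                continue
            for cons in itemset:
                ante = tuple(it for it in itemset if it != cons)
                conf = sup / support(ante, fr)  # support(ante) >= sup > 0
                if conf >= min_conf:
                    rules[(frozenset(ante), frozenset([cons]))] = (sup, conf)
    return rules

def similarity(reference, new):
    """Jaccard overlap of two rule sets (my simplification of the original
    work's weighted similarity measure)."""
    ref, cur = set(reference), set(new)
    return len(ref & cur) / len(ref | cur) if ref | cur else 1.0

def check_audit(reference, records, scale=20, alarm_below=0.5):
    """Slide 10: mine rules from new audit data, compare with the reference
    set, return (similarity, alarm); the 0.5 alarm threshold is my choice."""
    sim = similarity(reference, mine_rules(records, scale))
    return sim, sim < alarm_below

# Constructed sample data (not from the slides), one record per 2-second
# window. SN / FN / RN are read as SYN / FIN / RST packet counts, which is
# my assumption about what the slide's abbreviations stand for.
NORMAL = [
    {"SN": 3, "FN": 3, "RN": 0}, {"SN": 4, "FN": 3, "RN": 1},
    {"SN": 2, "FN": 2, "RN": 0}, {"SN": 3, "FN": 4, "RN": 1},
    {"SN": 4, "FN": 4, "RN": 0}, {"SN": 7, "FN": 1, "RN": 0},  # 7: half LOW, half MEDIUM
]
FLOOD = [  # many SYNs and almost no FIN/RST, so mined rules involve SN=HIGH
    {"SN": 30, "FN": 0, "RN": 0}, {"SN": 40, "FN": 1, "RN": 0},
    {"SN": 35, "FN": 0, "RN": 1}, {"SN": 50, "FN": 0, "RN": 0},
    {"SN": 45, "FN": 1, "RN": 0}, {"SN": 38, "FN": 0, "RN": 1},
]
SLIDE_RULE = (frozenset({("SN", "LOW"), ("FN", "LOW")}), frozenset({("RN", "LOW")}))

if __name__ == "__main__":
    ref = mine_rules(NORMAL)
    print(len(ref), "reference rules; slide's example rule mined:", SLIDE_RULE in ref)
    print("normal vs. itself:", check_audit(ref, NORMAL))   # (1.0, False)
    print("normal vs. flood: ", check_audit(ref, FLOOD))    # (0.125, True)
    print("13 distinct destinations fire the rule with degree", unusual_degree(13))  # 0.5
```

The window with 7 SYNs is the point of the fuzzy treatment: it is half LOW and half MEDIUM, so it neither breaks the LOW rules of the reference set nor creates MEDIUM rules (their support stays under the minimum), whereas a crisp cut at, say, 5 would have flipped it to a different category outright. The flood windows share only the FN=LOW / RN=LOW rules with the reference set, so the similarity falls to 0.125 and the alarm fires.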
Future Task
• Analyzing the working of the “frequency episode” method of data mining.
• Use of genetic algorithms in tuning fuzzy membership functions.