Improvement of NID According to Selection of
Continuous Measures in Tree Induction Algorithm
2004. 8. 24.
Il-Ahn Cheong
Linux Security Research Center
Chonnam National University, Korea
Contents

  - Introduction
  - Related Works
  - Automatic Generation of Rules using TIA
  - The Experiments
  - Conclusions
WISA 2004
LSRC, Chonnam National University
2/14
I. Introduction

Signature-based Network Intrusion Detection
  - Requires more time to generate rules because of its dependence on expert knowledge
  - Detection varies according to the selection of network measures

Our approaches
  - Automatically generate the detection rules by using tree induction algorithms
  - Improve the detection by automatic selection of network measures

Our expectations
  - Detection rules generated independently of expert knowledge
  - The detection performance could be improved
WISA 2004
LSRC, Chonnam National University
3/14
II. Related Works

The previous researches
  - Florida Univ.
      - LERAD (Learning Rules for Anomaly Detection)
      - Generating conditional rules
  - New Mexico Univ.
      - SVM (Support Vector Machine)
      - SVM-based ranking method
  - Applied Research Lab. of Texas Univ.
      - NEDAA (Exploitation Detection Analyst Assistant)
      - Genetic algorithm & decision tree

Problems
  - Used limited measures (src/dst IP/port, protocol, etc.)
  - Do not treat the continuous measures
III. Automatic Generation of Rules (1/5)

Tree Induction Algorithms
  - A classification method using data mining
  - The constructed trees provide
      - a superior measure selection
      - an easy explanation of the constructed tree models
  - The C4.5 algorithm
      - Automatically generates trees by calculating the IG (Information Gain) according to the entropy reduction
      - Can classify data that contains both continuous- and discrete-valued attributes
Automatic Generation of Rules (2/5)

Automatic Generation Model of Rules
Automatic Generation of Rules (3/5)

Modified C4.5 algorithm

  Entropy(I) = -\sum_{i=1}^{C} (N_i / N) \log_2 (N_i / N)

  Entropy(I, A_k) = \sum_{j=1}^{J} (n_{kj} / n) \left[ -\sum_{i=1}^{C} (n_{ki}(j) / n_{kj}) \log_2 (n_{ki}(j) / n_{kj}) \right]

  \Delta Entropy(A_k) = Entropy(I) - Entropy(I, A_k)
Automatic Generation of Rules (4/5)

Treatment of Continuous Distributions
  [Figure: density f(x) of a continuous measure; continuous → discrete]
Automatic Generation of Rules (5/5)

Change of Selection for Network Measures
  - GRR (Good Rule Rate)
      - Used to select measures having high priority
      - Threshold value is 0.5, giving a binary result (G | B)
  - R_G (Good Rule)
      - Affected the generation of detection rules positively
      - Reflected in the next learning step
  - R_B (Bad Rule)
      - Affected the generation of detection rules negatively
      - Excluded from the next learning step

  GRR = \frac{\# R_G}{\# (R_G \cup R_B)},  where , 0.01
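Added example (not code from the slides or from the LSRC project): a small Python implementation of the C4.5 entropy, information gain and continuous-to-discrete threshold selection from the Modified C4.5 slide, together with the GRR ratio from this slide. The measure name and the per-session sample values are constructed.

```python
# Added example (not from the WISA 2004 slides): C4.5-style information gain
# with a continuous measure discretised by a threshold, plus the GRR ratio.
import math
from collections import Counter

def entropy(labels):
    # Entropy(I) = -sum_i (N_i / N) log2(N_i / N) over the C classes
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def conditional_entropy(partitions):
    # Entropy(I, A_k) = sum_j (n_kj / n) * entropy of partition j
    n = sum(len(p) for p in partitions)
    return sum(len(p) / n * entropy(p) for p in partitions if p)

def info_gain(partitions):
    # Delta Entropy(A_k) = Entropy(I) - Entropy(I, A_k)
    labels = [lab for p in partitions for lab in p]
    return entropy(labels) - conditional_entropy(partitions)

def best_threshold(values, labels):
    # Continuous -> discrete: candidate cut points are the midpoints between
    # sorted distinct values; each splits the sessions into (<= t) and (> t).
    pairs = list(zip(values, labels))
    distinct = sorted(set(values))
    best_gain, best_t = 0.0, None
    for lo, hi in zip(distinct, distinct[1:]):
        t = (lo + hi) / 2
        low = [lab for v, lab in pairs if v <= t]
        high = [lab for v, lab in pairs if v > t]
        gain = info_gain([low, high])
        if gain > best_gain:
            best_gain, best_t = gain, t
    return best_gain, best_t

def grr(good_rules, bad_rules):
    # GRR = #R_G / #(R_G U R_B); measures with GRR >= 0.5 keep high priority
    union = set(good_rules) | set(bad_rules)
    return len(set(good_rules)) / len(union) if union else 0.0

# Constructed sample (hypothetical): one tcptrace-style continuous measure per
# TCP session (e.g. RST packets sent), labelled normal (0) or attack (1).
RST_COUNT = [0, 0, 1, 0, 2, 9, 12, 7, 0, 11]
LABEL = [0, 0, 0, 0, 0, 1, 1, 1, 0, 1]
```

On the constructed sample the cut point 4.5 separates the two classes completely, so the gain equals Entropy(I) of the labels.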
IV. The Experiments (1/3)

Experiment Dataset
  - The 1999 DARPA IDS Evaluation dataset (DARPA99)
  - 191,077 TCP sessions in the Week 4 dataset
  - After treatment of the continuous measures
      - The detection rate increased 20%
      - The false rate decreased 15%
The Experiments (2/3)

The Result of GRR Calculation
  - Network measures selected from Ostermann's TCPtrace (80 measures)
  - G (Good), B (Bad), I (Ignore), RST (Result; G|B|I), SLT (Select; O|X)
  - Step#: the number of the repeated experiment
  - Threshold value = 0.5
The Experiments (3/3)

The ROC Evaluation
  - According to selection of priority measures
      - Detection rate increased
      - False rate decreased
  [Figure: ROC curves for Step0, Step1, Step2, Step3]
V. Conclusions

  - Automatically generates detection rules
      - using a Tree Induction algorithm
      - without the support of experts
  - Solves the problems of measure selection
      - continuous type converted into categorical type
      - selection of priority measures by calculating GRR
      - detection rate was increased and false rate was decreased
Q & A

Contact Us
E-mail: [email protected]

Thank You!