- Open Access
- Authors : P. Ananthi, P. Balasubramanie
- Paper ID : IJERTV3IS100439
- Volume & Issue : Volume 03, Issue 10 (October 2014)
- Published (First Online): 27-10-2014
- ISSN (Online) : 2278-0181
- Publisher Name : IJERT
- License: This work is licensed under a Creative Commons Attribution 4.0 International License
Efficient Intrusion Detection Mechanism using FCRM and Neural Network
P. Ananthi,
Assistant Professor, Kongu Engineering College,
Tamilnadu, India
P. Balasubramanie,
Professor, Kongu Engineering College,
Tamilnadu, India
Abstract: The need for efficient intrusion detection systems has focused recent research on hybrid techniques for better results. Many intrusion detection systems have been proposed in recent research using various data mining techniques, machine learning mechanisms and fuzzy logic. Existing intrusion detection systems suffer from high false positive and false negative rates. This paper proposes an integrated approach that combines clustering with a fuzzy neural network for an efficient detection rate. In the proposed approach, the Fuzzy C-Regression technique is used to construct different training subsets, and an FNN model is then used for decision making. The proposed approach significantly reduces the false positive and false negative rates.
Keywords: Intrusion Detection System, Fuzzy Neural Network, Fuzzy C-Regression model, false positive.
INTRODUCTION
Intrusion Detection Systems (IDS) are used to help detect and curb different types of attack. Attacks on networks have become unavoidable, and existing security systems cannot efficiently identify powerful attacks such as denial of service, viruses and worms, so the performance of security systems should be improved by using various techniques that detect attacks earlier [3]. Many intrusion detection systems based on statistical and heuristic algorithms have been introduced, and much research is being conducted to improve security solutions [12]. On the Internet, intrusion detection systems play a vital role in detecting network attacks such as denial of service (DoS), viruses, worms, trojan horses, spyware, and so on.
Furthermore, various kinds of attacks reduce network performance significantly and trouble users. However, given the high volume of data traffic in a network system, the effects of redundant and irrelevant data should be minimized if a high-quality intrusion detection mechanism is desired. The main goal of an IDS is to prevent intrusions in the network by classifying packets into two types: attack and normal.
IDS are classified, according to the intruder features they rely on, into misuse detection and anomaly detection. The two types differ in their patterns.
Misuse intrusion detection regularly examines the network and uses pattern matching techniques to match traffic against predefined signature patterns. Anomaly-based network intrusion detection systems model normal traffic patterns and try to find deviations from normal behavior. Two of the most important properties of an IDS are computational speed and comparison accuracy [15]. Given the large number of features in each network transaction, a proper mechanism is required to derive an effective subset of features in order to recognize intrusions.
A number of intrusion detection systems have been developed based on many different machine learning techniques. Existing studies apply single learning techniques, such as neural networks, genetic algorithms and support vector machines. Some systems combine different learning techniques, as hybrid or ensemble techniques [18]. In particular, these techniques are developed as classifiers, which classify or recognize whether incoming Internet access is normal access or an attack. The hybrid approach provides considerably better results than the single-classifier approach. An artificial neural network based on fuzzy c-means clustering (FC-ANN) has been proposed to detect intrusions and was observed to provide better results and security. This method suffers from certain drawbacks, such as lower detection precision for low-frequency attacks [20].
The present research work develops an extension of the FC-ANN approach. To overcome the drawbacks of fuzzy c-means clustering, an efficient fuzzy c-regression clustering approach is used for clustering in this research work [13]. Additionally, a Fuzzy Neural Network (FNN) is used for better performance. The NSL-KDD data set is used for the simulation results. NSL-KDD is a subset of the benchmark KDD Cup 99 data set, which reduces the duplicate features of the old data set. Section 2 describes the related work. Section 3 describes the proposed methodology for detection and decision support in an intrusion detection system. Section 4 gives the conclusion and future work.
RELATED WORK
In heavy network traffic, it is difficult to handle the unbalanced distribution of data, to detect boundaries between normal and abnormal behaviors, and to adapt to a contingent environment [6]. Here we describe some existing systems for intrusion detection and their potential shortcomings.
Jiang et al. [15] proposed serial and parallel hierarchical neural networks for IDS based on the radial basis function (RBF). This approach addresses both misuse and anomaly-based detection. A C-means clustering algorithm is used to group intrusions into different categories. The IDS then automatically uses these groups to train a new RBF classifier to detect emergent intrusions.
Yang Li and Li Guo [17] proposed a supervised intrusion detection method based on the TCM-KNN algorithm and an active learning method. In this approach, feature selection and mapping the classical attack patterns of a specific application to limited points are the most important problems in a real network.
Wenying Feng et al. [18] proposed an IDS based on SVM with an ant colony method. This IDS does not consider the feature extraction of intrusions effectively. SVM classifiers are not sufficient for properly handling multiclass cases.
Saurabh Mukherjee and Neelam Sharma [19] proposed intrusion detection based on a Naive Bayes classifier. They use the FVBRM model for feature selection and compare it with three feature selectors: CFS, IG and GR. The Naive Bayes classifier has its own drawbacks for classifying attack features. This method improved feature selection to some extent but failed to produce better results for U2R attacks.
In [20], a Hybrid Intelligent Intrusion Detection System is proposed based on a specific AI approach to intrusion detection. The technique combines neural networks and fuzzy logic with network profiling. The system detects both anomaly and misuse attacks. Simple if-then fuzzy rules reflect common ways of describing security attacks. Many techniques have been used in machine learning applications to tackle the problem of feature selection for intrusion detection.
Gan Xu-sheng et al. [21] proposed an anomaly detection mechanism based on the PLS and CVM algorithms, with which the problem of feature extraction and fast modelling for large-scale sample data in anomaly intrusion detection can be solved.
METHODOLOGY
This research work presents an improved version of the intrusion detection system based on Fuzzy C-Regression clustering along with a Fuzzy Neural Network. The Fuzzy C-Regression Model (FCRM) of Hathaway and Bezdek [13] was introduced to classify objects into similar groups. FCRM yields simultaneous estimates of the parameters of c regression models while fuzzy partitioning a given dataset. It supports hyperplane-shaped clusters.
The proposed framework includes a training phase and a testing phase. The arbitrary dataset DS is divided into a training set TR and a testing set TS. Using the Fuzzy C-Regression clustering model, the dataset is divided into different training datasets TR1, TR2, TR3, ..., TRk. The training subsets are applied to a rule-based fuzzy neural network to extract features and produce the results.
The proposed method applies the following procedure:
Step 1. Apply the Fuzzy C-Regression mechanism to the NSL data set.
FCRM performs the regression process with the number of similar clusters c (2<c<n) from the training dataset. The values of the cluster centers are obtained, and the membership values are then obtained from these cluster centers.
Step 2. Form the fuzzy partition matrix.
Calculate the fuzzy partition matrix and obtain the representatives of each cluster from the weighted membership function.
Step 3. Establish the fuzzy relationship with the neural network.
Attack patterns are extracted by the fuzzy classifier to discriminate normal and attack data.
Step 4. Defuzzify the results.
The FCRM clustering algorithm consists of two phases: calculating the fuzzy partition matrix, and obtaining the representatives of each cluster, which is carried out separately from the former phase. The cluster representatives are obtained by weighted recursive least squares (WRLS), which needs iteration, and this process is embedded in the outer iterative frame [24]. The proposed system is mainly used for detecting malicious activities and consists of Fuzzy C-Regression clustering, an FNN module and a fuzzy aggregation module. In an intrusion detection system, the detection algorithm alone is not enough to detect intrusions effectively; the feature selection method is also an important process. The NSL-KDD dataset is used for evaluating the performance of the proposed IDS. The dataset used in this research has certain features as shown in table 1. Each feature is either discrete or continuous, and each record is labelled as either normal or an attack type.
Dataset
One of the most important deficiencies of the KDD data set is the huge number of redundant records, which leads to inaccuracy in the detection rate. There are two main reasons for this: the first is the large number of duplicates in the training and testing records, and the second is the lack of a difficulty measurement for records. Redundant records in the training dataset prevent a learning method from learning rare records such as U2R and R2L attacks, which causes wrong results on the testing dataset. The lack of a difficulty level can wrongly increase the accuracy rate: because of the simplicity of the dataset, learning methods can achieve high accuracy without any trouble.
TABLE 1
REDUNDANT RECORDS IN KDD99 TRAINING DATA SET

| | Original Records | Distinct Records | Reduction Rate |
|---|---|---|---|
| Normal | 972,781 | 812,814 | 16.44% |
| Anomaly | 3,925,650 | 262,178 | 93.32% |
| Total | 4,898,431 | 1,074,992 | 78.05% |

TABLE 2
REDUNDANT RECORDS IN KDD99 TESTING DATA SET

| | Original Records | Distinct Records | Reduction Rate |
|---|---|---|---|
| Normal | 60,591 | 47,911 | 20.92% |
| Anomaly | 250,436 | 29,378 | 88.26% |
| Total | 311,027 | 77,289 | 75.15% |

The NSL-KDD dataset covers four major categories of attacks: Probing attacks (information gathering attacks), Denial-of-Service (DoS) attacks (deny legitimate requests to a system), user-to-root (U2R) attacks (unauthorized access to local super-user or root), and remote-to-local (R2L) attacks (unauthorized local access from a remote machine). The NSL-KDD dataset is divided into labeled and unlabeled records, and the class attribute has 21 predicated labels for each record.
Intrusion detection system Framework
The NSL-KDD data set is divided into training and testing data sets. The Fuzzy c-Regression algorithm partitions the training data set into TR1, TR2, ..., TRn and forms the clusters. The output of the FCRM module is passed to the FNN module, which has input nodes corresponding to the major categories of attack, such as DoS, Probe, R2L and L2R, and to normal traffic. Figure 1 shows the framework of the intrusion detection system.
Fuzzy C-Regression Clustering
Objective Function
Let $S = \{(x_1,y_1),\ldots,(x_N,y_N)\} = \{(x_k,y_k),\ k = 1,\ldots,N\}$ be a set of input-output sample data pairs. Assume that the data pairs in $S$ are drawn from $c$ different fuzzy regression models. The hyper-plane of the i-th cluster representative is expressed as follows:

$$y_k = f_i(x_k,\theta_i) + E_{ik}(\theta_i) = a_{i1}x_{k1} + a_{i2}x_{k2} + \cdots + a_{iM}x_{kM} + b_{i0} + E_{ik}(\theta_i) = [x_k\ 1]\cdot\theta_i^T + E_{ik}(\theta_i), \quad i = 1,2,\ldots,c \tag{1}$$

where $x_k = [x_{k1},\ldots,x_{kM}] \in \mathbb{R}^{M}$ is the input vector, $y_k$ is the output and $\theta_i = [a_{i1},\ldots,a_{iM},b_{i0}] \in \mathbb{R}^{M+1}$ is the parameter vector of the corresponding local linear model.
The distance (error measure) between the value predicted by the model $f_i(x_k,\theta_i)$ and the output $y_k$ is defined by

$$E_{ik}(\theta_i) = \left|\,y_k - [x_k\ 1]\cdot\theta_i^T\,\right|. \tag{2}$$

The distances $E_{ik}(\theta_i)$ are weighted with the membership values $\mu_{ik}$ in the objective function that is minimized by the clustering algorithm and is given as

$$J(S;U,\theta) = \sum_{k=1}^{N}\sum_{i=1}^{c} (\mu_{ik})^{m}\,E_{ik}^{2}(\theta_i), \tag{3}$$

where $m$ is the weighting exponent and $\mu_{ik}$ is the membership degree of $x_k$ to the i-th cluster. The membership values $\mu_{ik}$ have to satisfy the following conditions:

$$\mu_{ik} \in [0,1], \quad i = 1,2,\ldots,c, \quad k = 1,2,\ldots,N, \tag{4}$$

$$0 < \sum_{k=1}^{N}\mu_{ik} < N, \quad i = 1,2,\ldots,c, \tag{5}$$

$$\sum_{i=1}^{c}\mu_{ik} = 1, \quad k = 1,2,\ldots,N. \tag{6}$$

The identification procedure of the FCRM algorithm is summarized as follows [35]. Given data S, set m > 1, specify the regression model (Eq. 1) and choose the error measure (Eq. 2).
Select a termination threshold greater than 0 and initialize U(0).
Algorithm
Repeat for l = 1, 2, 3, ...
Step 1. Calculate values for the c model parameters in Eq. 1 that globally minimize the restricted function in Eq. 3.
Step 2. Update U(l) with ( ) to satisfy
= if Eik >0 for 1 i c
Until then stop. Otherwise, set l=l+1
and return to step 1.
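The two alternating steps above, as an added example that is not code from the paper: a pure-Python FCRM for a single input feature (M = 1) that fits c = 2 lines to constructed, noise-free data and then hard-assigns the records to training subsets. The membership update μ_ik = 1 / Σ_j (E_ik / E_jk)^(2/(m-1)), the stopping rule on the largest change in U, the `initial_partition` heuristic and all function names are assumptions based on the standard FCRM formulation of Hathaway and Bezdek [13].

```python
# Added illustration (not the paper's code): FCRM with one input feature.

def weighted_line_fit(xs, ys, ws):
    """Weighted least squares for y = a*x + b, closed form (Step 1)."""
    sw = sum(ws)
    sx = sum(w * x for w, x in zip(ws, xs))
    sy = sum(w * y for w, y in zip(ws, ys))
    sxx = sum(w * x * x for w, x in zip(ws, xs))
    sxy = sum(w * x * y for w, x, y in zip(ws, xs, ys))
    a = (sw * sxy - sx * sy) / (sw * sxx - sx * sx)
    return a, (sy - a * sx) / sw

def update_memberships(errors, m):
    """Step 2: errors[i][k] is E_ik; every column of the result sums to 1."""
    c, n = len(errors), len(errors[0])
    u = [[0.0] * n for _ in range(c)]
    for k in range(n):
        exact = [i for i in range(c) if errors[i][k] == 0.0]
        if exact:  # E_ik = 0: the record lies on a model, share it among those
            for i in exact:
                u[i][k] = 1.0 / len(exact)
            continue
        for i in range(c):  # assumed standard update, valid when all E_ik > 0
            ratios = ((errors[i][k] / errors[j][k]) ** (2.0 / (m - 1.0))
                      for j in range(c))
            u[i][k] = 1.0 / sum(ratios)
    return u

def initial_partition(xs, ys, high=0.9):
    """Hypothetical U(0) for c = 2: split on the side of one global line."""
    a, b = weighted_line_fit(xs, ys, [1.0] * len(xs))
    below = [high if y < a * x + b else 1.0 - high for x, y in zip(xs, ys)]
    return [below, [1.0 - v for v in below]]

def fcrm(xs, ys, u, m=2.0, eps=1e-9, max_iter=100):
    """Alternate Step 1 and Step 2 until U changes by at most eps."""
    for _ in range(max_iter):
        thetas = [weighted_line_fit(xs, ys, [v ** m for v in row]) for row in u]
        errors = [[abs(y - (a * x + b)) for x, y in zip(xs, ys)]
                  for a, b in thetas]
        new_u = update_memberships(errors, m)
        change = max(abs(p - q) for r, s in zip(new_u, u) for p, q in zip(r, s))
        u = new_u
        if change <= eps:
            break
    return thetas, u

def training_subsets(u):
    """Hard-assign record indices to the cluster with the highest membership."""
    subsets = [[] for _ in u]
    for k in range(len(u[0])):
        subsets[max(range(len(u)), key=lambda i: u[i][k])].append(k)
    return subsets

# Constructed, noise-free sample: ten records on y = 2x + 1 followed by
# ten records on y = -x + 40 (stand-ins for two traffic regimes).
XS = [float(x) for x in range(10)] * 2
YS = [2.0 * x + 1.0 for x in range(10)] + [40.0 - x for x in range(10)]

THETAS, U = fcrm(XS, YS, initial_partition(XS, YS))
SUBSETS = training_subsets(U)

if __name__ == "__main__":
    print(THETAS)   # fitted (slope, intercept) per cluster
    print(SUBSETS)  # record indices per training subset
```

On real traffic records the result depends on U(0), so the partition should be checked against several initialisations before the subsets are passed to a classifier.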
Fuzzy Neural Network
The combination of fuzzy logic and artificial neural networks used in the neural network is explained in [24, 25]. The FNN is one of the important topics in the research field because it is used in various applications.
A fuzzy neural network is used to learn the parameters of the fuzzy sets, the fuzzy rules and the weights of the rules of a fuzzy system in an iterative way. A neuro-fuzzy system can be interpreted as a set of fuzzy rules. This system can be created entirely from input-output data or initialised with a priori knowledge in the form of fuzzy rules. The system that results from fusing fuzzy systems and neural networks has the advantages of learning through patterns and easy interpretation of its functionality. Fuzzy systems are suitable for uncertain or approximate reasoning, especially for systems whose mathematical model is difficult to derive. Fuzzy logic allows decision making with estimated values under incomplete or uncertain information. Neural networks are used to tune the membership functions of fuzzy systems that are employed as decision-making systems for controlling equipment. This system applies fuzzy IF-THEN rules in a constructive way.
The basic function of a neural network is training on input and output data: the parameters of the connections between the neurons are adjusted through repeated error corrections to achieve the purpose of learning. Normal if-then rules cannot be encoded directly in the network; the only method is to give a large number of training data to the system. Compared with a neural network, the input values can be directly encoded in a fuzzy system, and the tolerance level is also higher in a fuzzy-based system than in a neural network [26].
Fig.1 Hybrid Intrusion Detection System (block diagram: NSL-KDD data split into training data and testing data; FCRM; FNN module with input, fuzzification, fuzzy inference engine, fuzzy rule base, defuzzification and output; testing phase; result)
Fig.2 Fuzzy System
EXPERIMENTAL RESULTS AND DISCUSSION
This section presents the experimental results and performance evaluation of the proposed system. Network traffic data is increasing rapidly. To detect intrusions in large traffic data, the detection algorithm and the feature selection method have to be more efficient. The NSL-KDD data set is used for evaluating the intrusion detection system. The proposed system can easily filter records to improve detection accuracy. The data in the NSL-KDD dataset is labeled either as normal or as one of the 24 different kinds of attack. These attacks can be grouped into four major types: Probe, DoS, R2L, and U2R. In the proposed mechanism, the FCRM algorithm clusters the data by various parameters and the FNN is used to classify network traffic as normal or attack behavior. The effectiveness of the algorithm is shown by its high detection ratio and accuracy. The results of the proposed method are presented in table 3.
Evaluation parameters such as precision, recall and F-value are used in this study to evaluate the proposed system. The experiment is conducted, and the simulated results for 21 features of the NSL-KDD dataset and 5000 records are compared with other types of intrusion detection system. The parameters measured here are the precision, recall and F-value of the systems.
Fig.3 Attack Detection of FCRM-FNN methods (plot of detection ratio, 50 to 100, against training data set size, 1000 to 5000, for DoS, U2R, R2L and Probe)
TABLE 3
COMPARISON OF DETECTION RATIO WITH 21 FEATURES OF NSL-KDD DATA SET

| Class Name | SVM system (%) | FC-ANN (%) | FCRM-FNN (%) |
|---|---|---|---|
| Normal | 99.5 | 99.6 | 99.89 |
| DoS | 99.2 | 99.91 | 99.76 |
| U2R | 81.2 | 83.33 | 57.72 |
| R2L | 54.6 | 93.18 | 95.2 |
| Probe | 95.3 | 48.12 | 95.5 |

The comparison of the detection ratios of SVM, FC-ANN and FCRM-FNN is shown in the graph. The detection ratio of the proposed method is compared with that of the existing systems. System performance is measured by the detection ratio, and the proposed approach outperforms the existing system.
Fig. 4 Comparison of Detection Ratio (bar chart: detection ratio, 0 to 1.2, of SVM, FC-ANN and FCRM-FNN for DoS, U2R, R2L and Probe)
CONCLUSION
For an efficient intrusion detection system, fuzzy clustering and fuzzy rule-based neural network mechanisms have been employed in order to obtain accurate results [23]. The existing mechanism, FCM, does not consider the functional relationship of the clustering variables. The proposed FCRM algorithm improves modeling accuracy by forming a fuzzy partition matrix of the data and parameters that represent the cluster centers. In the first phase, this forms similar clusters using the functional relationship between input and output variables. In the second phase, fuzzy rules discriminate normal and attack behavior in the data to achieve the desired results. The evaluation of the algorithm is measured mainly through precision, recall and F-value analysis.
REFERENCES
[1] S.-X. Wu and W. Banzhaf, The Use of Computational Intelligence in Intrusion Detection Systems: A Review, Elsevier Applied Soft Computing, vol. 10, issue 1, pp. 1-35, Jan. 2010.
[2] H. T. Elshoush and I. M. Osman, Reducing False Positives through Fuzzy Alert Correlation in Collaborative Intelligent Intrusion Detection Systems - A Review, Proc. IEEE Intl. Conf. Fuzzy Systems, July 2000, pp. 1-8.
[3] Patcha, A., & Park, J. M., An overview of anomaly detection techniques: Existing solutions and latest technological trends, Computer Networks, 51(12), 3448-3470, 2007.
[4] Manikopoulos, C., & Papavassiliou, S., Network intrusion and fault detection: A statistical anomaly approach, IEEE Communications Magazine, 40(10), 76-82, 2002.
[5] Ryan, J., Lin, M., & Miikkulainen, R., Intrusion detection with neural networks. Advances in neural information processing systems (Vol. 10). Cambridge, MA: Springer, 1989.
[6] P. Spathoulas and S. K. Katsikas, Using a Fuzzy Inference System to Reduce False Positives in Intrusion Detection, Proc. 16th Intl. Conf. Systems, Signals and Image Processing, June 2009.
[7] Kosko, Bart, Neural Networks and Fuzzy Systems: A Dynamical Systems Approach to Machine Intelligence. Englewood Cliffs, NJ: Prentice Hall. ISBN 0-13-611435-0, 1992.
[8] Lin, W. J. Hwang, and R. J. Wai, A supervisory fuzzy neural network control system for tracking periodic inputs, IEEE Trans. Fuzzy Systems, Volume 7, No. 1, pp. 41-52, 1999.
[9] Y. C. Chen and C. C. Teng, A model reference control structure using a fuzzy neural network, Fuzzy Sets and Systems, Volume 73, pp. 291-312, 1995.
[10] Bezdek, J., Fuzzy mathematics in pattern classification. Ph.D. thesis. Ithaca, NY: Cornell University, 1974.
[11] Beghdad, R., Critical study of neural networks in detecting intrusions. Computers and Security, 27(5-6), 168-175, 2008.
[12] Axelsson, S., The base-rate fallacy and the difficulty of intrusion detection. ACM Transaction on Information and System Security, 3, 186-205, 2003.
[13] Hathaway, R.J., Bezdek, J.C., Switching regression models and fuzzy clustering, IEEE Trans. Fuzzy Syst. 1 (3), 195-204, 1993.
[14] Moez Solutani, Abdelkadar Chaary, Faycal Benhimda, A Novel Fuzzy C-regression Model using a new error measure and particle swarm optimization, International Journal of applied Mathematics and computer science, 22(3), 617-628, 2012.
[15] Jiang J, Zhang C, Kame M., RBF-based real-time hierarchical intrusion detection systems, In Proceedings of the International Joint Conference on Neural Networks (IJCNN03), vol. 2, pp. 1512-1516, 2003.
[16] M. Tavallaee, E. Bagheri, W. Lu, and A. Ghorbani, A Detailed Analysis of the KDD CUP 99 Data Set, Submitted to Second IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA), 2009.
[17] Yang Li, Li Guo, An active learning based TCM-KNN algorithm for supervised network intrusion detection, Computers & Security (26) 459-467, 2006.
[18] Wenying Feng, Qinglei Zhang, Gongzhu Hu, Jimmy Xiangji Huang, Mining network data for intrusion detection through combining SVMs with ant colony networks, Future Generation Computer Systems 37, 127-140, 2014.
[19] Dr. Saurabh Mukherjee, Neelam Sharma, Intrusion Detection using Naive Bayes Classifier with Feature Reduction, Procedia Technology 4, 119-128, Elsevier 2014.
[20] Norbik Bashah, Idris Bharanidharan Shanmugam, and Abdul Manan Ahmed, Hybrid Intelligent Intrusion Detection System, World Academy of Science, Engineering and Technology, 2005.
[21] Gan Xu-sheng, Duanmu Jing-shun, Wang Jia-fu, Cong Wei, Anomaly intrusion detection based on PLS feature extraction and core vector machine, Knowledge-Based Systems 40, 1-6, Elsevier 2013.
[22] Michel Menard, Fuzzy clustering and switching regression models using ambiguity, and distance rejects, Fuzzy Sets and Systems 122, 363-399, Elsevier 2001.
[23] I.B. Türkşen, A review of developments in fuzzy system models: Fuzzy rule bases to fuzzy functions, Scientia Iranica D, 18 (3), 522-527, 2011.
[24] Heba F. Eid, Ashraf Darwish, Aboul Ella Hassanien, and Ajith Abraham, Principle Components Analysis and Support Vector Machine based Intrusion Detection System, 978-1-4244-8136, 2010 IEEE.