A New Approach for Anomaly Intrusion Detection by MLP and CNN Neural Networks
Mohammad Nabizadeh Gangaraj, Sam Jabbehdari and Ahmad Khadem-Zadeh
Abstract. With increasing information exchange and the growth of computer networks, the diversity of attacks has grown. Most attacks are a mixture of a series of events and abnormal happenings, mainly called time-delayed attacks, which are not effectively recognized by current intrusion detection systems. We suggest using an MLP neural network and a CNN for the detection of time-delayed attacks: the MLP neural network can detect real-time attacks, and the CNN neural network assists the MLP in detecting time-delayed attacks. On the KDD Cup 99 data set, our suggested method increases the detection of Probe and denial of service (DoS) attacks while keeping the false alarm rate essentially unchanged.
Index Terms: MLP, CNN, anomaly detection, detection rate, false alarm rate
1 INTRODUCTION
During the recent two decades, the importance of computer network security has increased considerably. To increase the security of computer networks, in addition to firewalls and other intrusion prevention equipment, other tools such as intrusion detection systems are required. Generally, intrusion detection systems are divided into two classes: signature-based detection and anomaly detection. In signature-based detection, the known intrusion patterns are compared with the observed traffic, and an intrusion is detected when they match. The advantage of this method is its low false alarm rate; its disadvantage is that it cannot detect new attacks [1]. In anomaly detection, a profile of ordinary network behavior is created first. Then any traffic that deviates from the created profile is detected as an intrusion: if the present behavior deviates from the ordinary behavior, the anomaly detection model identifies the data as an attack [2]. The advantage of this method is the detection of new intrusions; its disadvantage is a high false alarm rate. Many intrusion detection methods have a false alarm rate so high that it causes problems for the network security manager [3]. The remainder of the paper is organized as follows. Section 2 presents related work on intrusion detection systems with ANNs. Section 3 introduces our proposed system. Section 4 describes the experiments and results, and finally Section 5 discusses the conclusions and future work.
2 RELATED WORKS
One of the most significant challenges for current intrusion detection approaches is reducing the false alarm rate. The false alarm rate of current neural network intrusion detection approaches is still too high because they lack the capability to detect time-delayed attacks. Hybrid MLP/CNN neural networks have been used to obtain a higher detection rate for time-delayed attacks [4]: a real-time MLP neural network is combined with a time-delay CNN neural network, the input data enter the MLP, and the MLP output is then fed to the CNN as its input. In that method the Probe detection rate is still low. The Distributed Time Delay Neural Network (DTDNN), a dynamic neural network, has been tried for detecting more time-delayed attacks [5], but besides the long training time, its attack detection rate is still low. A two-hidden-layer MLP has been used for anomaly intrusion detection [6, 7]; there the MLP is used only for detecting two changed known DoS attacks, and other aspects of the method are not considered. The detection rate of this method is fairly acceptable but not very good, as its Probe detection rate could be better.
Mohammad Nabizadeh Gangaraj: Department of Computer Engineering, North Tehran Branch, Islamic Azad University, Tehran, Iran. Sam Jabbehdari: Department of Computer Engineering, North Tehran Branch, Islamic Azad University, Tehran, Iran. Ahmad Khadem-Zadeh: Iran Telecommunication Research Center (ITRC), Tehran, Iran.
JOURNAL OF COMPUTING, VOLUME 4, ISSUE 2, FEBRUARY 2012, ISSN 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG
3 PROPOSED METHOD
Since time-delayed attacks, namely DoS and Probe, make up most of the present and new attacks, the CNN neural network is used to detect the time-delayed attacks DoS and Probe, and the MLP neural network is used to detect the real-time attack RU. So instead of chaining the two networks as in article [4], we proceed as shown in Figure 2.
Fig.1. Two-layer feed-forward neural network with 4 inputs and 2 outputs [8]. During training, the network receives input data at the first layer and target data at the last layer, and adjusts the weights of the edges and a fixed initial value called the bias. In the test stage, using these values and the received input data, it estimates the output target data [4].
Fig.2. Our proposed method with MLP and CNN neural networks. [Figure residue: blocks labelled CNN (training function "trainlm") and MLP (training function "trainbr").]
Initial Data: in this stage, data entering from the network traffic or extracted from a log file are collected. In the simulation stage the inputs of the neural networks comprised 35 features (such as protocol_type, service, duration, flag and serror_rate) from the KDD Cup 99 data set, and the output was one of 4 messages (RU, Probe, DoS, Normal).
Pre-Processing: in this stage the data collected in the previous stage are classified and prepared as numbers comprehensible to the neural networks (RU = 1, Probe = 2, DoS = 3, Normal = 0). The processed data are sent separately to each of the neural networks, and according to the patterns learned during training, each network sends a message to the next module (the message filter), as shown in Figure 3.
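The pre-processing step described above (categorical features such as protocol_type, service and flag turned into numbers, numeric features scaled, and the four target codes assigned) can be implemented as follows. This is an added example written for this page, not code from the paper; it assumes the comma-separated record format of KDD Cup 99, uses constructed records that carry only the five features the paper names (real records have 41 fields), and assumes the paper's RU class is the R2L and U2R attack families taken together, since the paper does not expand the abbreviation. The check a practitioner wants is that the category vocabulary and numeric ranges are learnt from the training split only, so a service seen only in test data maps to a reserved code instead of silently shifting the encoding of everything else.

```python
"""Pre-processing of KDD-style records into numeric vectors (added example, not the paper's code)."""
import csv
import io

# Output codes used by the paper.
LABEL_CODE = {"Normal": 0, "RU": 1, "Probe": 2, "DoS": 3}

# KDD Cup 99 attack names grouped by family.
# Assumption: the paper's "RU" class is the R2L and U2R families together.
FAMILY = {"normal": "Normal"}
FAMILY.update({a: "DoS" for a in ("neptune", "smurf", "back", "teardrop", "pod", "land")})
FAMILY.update({a: "Probe" for a in ("ipsweep", "portsweep", "nmap", "satan")})
FAMILY.update({a: "RU" for a in ("guess_passwd", "warezclient", "warezmaster", "ftp_write",
                                "buffer_overflow", "rootkit", "loadmodule", "perl")})

NUMERIC = ("duration", "serror_rate")
CATEGORICAL = ("protocol_type", "service", "flag")
UNKNOWN = 0  # reserved code for a category never seen in the training split

# Constructed records with only the five features the paper names
# (duration, protocol_type, service, flag, serror_rate, label); real records have 41 fields.
TRAIN_CSV = """\
0,tcp,http,SF,0.00,normal.
0,tcp,private,S0,1.00,neptune.
0,icmp,ecr_i,SF,0.00,smurf.
0,tcp,private,REJ,0.00,portsweep.
12,tcp,ftp_data,SF,0.00,warezclient.
0,icmp,eco_i,SF,0.00,ipsweep.
"""
TEST_CSV = """\
0,tcp,telnet,S0,1.00,neptune.
6,tcp,http,SF,0.00,normal.
"""


def parse(text):
    """Split CSV lines into dicts; KDD labels carry a trailing dot, which is stripped."""
    rows = []
    for f in csv.reader(io.StringIO(text)):
        if not f:
            continue
        rows.append({"duration": float(f[0]), "protocol_type": f[1], "service": f[2],
                     "flag": f[3], "serror_rate": float(f[4]), "label": f[5].rstrip(".")})
    return rows


def fit_encoder(rows):
    """Learn category vocabularies (1-based; 0 is UNKNOWN) and numeric ranges from training rows only."""
    vocab = {c: {} for c in CATEGORICAL}
    for r in rows:
        for c in CATEGORICAL:
            vocab[c].setdefault(r[c], len(vocab[c]) + 1)
    ranges = {n: (min(r[n] for r in rows), max(r[n] for r in rows)) for n in NUMERIC}
    return vocab, ranges


def encode(row, vocab, ranges):
    """Return (feature vector, target code); numeric features are min-max scaled to [0, 1]."""
    vec = []
    for n in NUMERIC:
        lo, hi = ranges[n]
        vec.append((row[n] - lo) / (hi - lo) if hi > lo else 0.0)
    for c in CATEGORICAL:
        vec.append(float(vocab[c].get(row[c], UNKNOWN)))
    if row["label"] not in FAMILY:
        raise ValueError(f"attack name not in family table: {row['label']}")
    return vec, LABEL_CODE[FAMILY[row["label"]]]


def preprocess(train_text=TRAIN_CSV, test_text=TEST_CSV):
    """Fit the encoder on the training split, then encode both splits with it."""
    train, test = parse(train_text), parse(test_text)
    vocab, ranges = fit_encoder(train)
    x_tr, y_tr = zip(*(encode(r, vocab, ranges) for r in train))
    x_te, y_te = zip(*(encode(r, vocab, ranges) for r in test))
    return list(x_tr), list(y_tr), list(x_te), list(y_te)


if __name__ == "__main__":
    for x, y in zip(*preprocess()[2:]):
        print(x, "->", y)
```

The test record with the unseen service "telnet" is encoded with the reserved code 0 in the service position; a record whose attack name is missing from the family table raises instead of being assigned a wrong class.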
Fig.3. Message filter unit. [Figure residue: inputs Msg1, Msg2 and Msg3; outputs the final message, Msg1, Msg2, Msg3 or "Unlabeled attack". Decision rules shown: if msg1 = msg2 = msg3, the final message is that message; if (msg1 = DoS) and (msg2 != RU) and (msg3 != Probe), the final message is Msg1.]
By repeated testing we found that if the "trainbr" training function is used instead of the ordinary "trainlm" function of article [5], the MLP neural network detects the RU attack type better than with "trainlm", and likewise the CNN with "trainbr" is better at detecting Probe attacks; for detecting DoS attacks, however, the CNN with "trainlm" is better than with "trainbr". The message of each network is sent separately to the message filter unit. Since the CNN neural network can detect the time-delayed attacks DoS and Probe and the MLP neural network can detect the real-time attack RU, the following pattern is recommended for sending the final message to the network manager: if the message sent by the CNN neural network with "trainlm" indicates a DoS attack (i.e. the attack that this network identifies more accurately than the other methods) and the messages of the other neural networks are not their own specialty messages, the decision criterion is the message sent by the CNN neural network with "trainlm"; the same style is used for every type of attack. If, in a specific case, each network simultaneously sends its specialty message, the message filter unit sends a message of an unlabeled attack (without determining the group) to the network manager. This method may slightly increase the computation load.
4 EXPERIMENTS AND RESULTS
The detection rate (DR) and false alarm rate (FAR) are computed as in [11]:
$DR = \frac{TP}{TP + FN}, \qquad FAR = \frac{FP}{FP + TN}$
where TP, FN, FP and TN are the numbers of true positives, false negatives, false positives and true negatives.
[Figure residue: bar chart with y-axis from 0 to 100 %.]
Fig.4. Detection Rate of changed known attacks for Anomaly Detection Systems.
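The message filter rule of Section 3 and the DR/FAR metrics above can be exercised on constructed messages as follows. This is an added example, not the paper's code. From the decision rule in Fig.3 it assumes that msg1 comes from the CNN with "trainlm" (the DoS specialist), msg2 from the MLP with "trainbr" (the RU specialist) and msg3 from the CNN with "trainbr" (the Probe specialist). The paper specifies the unanimous case, the single-specialist case and the all-three-specialists case; the example also reports an unlabeled attack when only two specialists fire or when the networks disagree without any specialist firing, which is an assumption the paper does not state, and it counts such unlabeled messages as alarms when computing FAR.

```python
"""Message filter unit and DR/FAR metrics on constructed messages (added example, not the paper's code)."""

NORMAL, RU, PROBE, DOS = 0, 1, 2, 3   # the paper's message codes
UNLABELED = -1                        # "unlabeled attack" sent to the network manager
NAME = {NORMAL: "Normal", RU: "RU", PROBE: "Probe", DOS: "DoS", UNLABELED: "Unlabeled attack"}

# Assumption read off the Fig.3 rule: msg1 = CNN(trainlm) -> DoS specialist,
# msg2 = MLP(trainbr) -> RU specialist, msg3 = CNN(trainbr) -> Probe specialist.
SPECIALTY = (DOS, RU, PROBE)


def message_filter(msgs):
    """Combine the three network messages into the final message for the network manager."""
    msg1, msg2, msg3 = msgs
    if msg1 == msg2 == msg3:                 # paper: all networks agree
        return msg1
    fired = [spec for m, spec in zip(msgs, SPECIALTY) if m == spec]
    if len(fired) == 1:                      # paper: one specialist fires and the others
        return fired[0]                      # send something other than their own specialty
    # Paper: all three specialists firing -> unlabeled attack.
    # Assumption: two specialists firing, or disagreement with no specialist firing,
    # is also reported as an unlabeled attack rather than silently dropped.
    return UNLABELED


def detection_rate(preds, truth, cls):
    """DR = TP / (TP + FN) for one attack class."""
    tp = sum(1 for p, t in zip(preds, truth) if t == cls and p == cls)
    fn = sum(1 for p, t in zip(preds, truth) if t == cls and p != cls)
    return tp / (tp + fn) if tp + fn else 0.0


def false_alarm_rate(preds, truth):
    """FAR = FP / (FP + TN); any non-Normal final message on a Normal record is a false alarm."""
    fp = sum(1 for p, t in zip(preds, truth) if t == NORMAL and p != NORMAL)
    tn = sum(1 for p, t in zip(preds, truth) if t == NORMAL and p == NORMAL)
    return fp / (fp + tn) if fp + tn else 0.0


# Constructed sample of (msg1, msg2, msg3, true label); no real network outputs involved.
SAMPLE = [
    (NORMAL, NORMAL, NORMAL, NORMAL),   # unanimous Normal
    (DOS, NORMAL, NORMAL, DOS),         # only the DoS specialist fires
    (DOS, PROBE, NORMAL, DOS),          # msg2 says Probe, not its specialty -> still DoS
    (NORMAL, RU, NORMAL, RU),           # only the RU specialist fires
    (NORMAL, NORMAL, PROBE, PROBE),     # only the Probe specialist fires
    (DOS, RU, PROBE, DOS),              # every specialist fires -> unlabeled attack
    (PROBE, NORMAL, NORMAL, NORMAL),    # disagreement, no specialist fires -> unlabeled (false alarm)
    (NORMAL, NORMAL, NORMAL, PROBE),    # missed Probe
]


def evaluate(sample=SAMPLE):
    """Run the filter over the sample and return per-class DR, FAR and the unlabeled count."""
    preds = [message_filter(row[:3]) for row in sample]
    truth = [row[3] for row in sample]
    return {
        "DR_DoS": detection_rate(preds, truth, DOS),
        "DR_Probe": detection_rate(preds, truth, PROBE),
        "DR_RU": detection_rate(preds, truth, RU),
        "FAR": false_alarm_rate(preds, truth),
        "unlabeled": preds.count(UNLABELED),
    }


if __name__ == "__main__":
    for row in SAMPLE:
        print([NAME[m] for m in row[:3]], "->", NAME[message_filter(row[:3])])
    print(evaluate())
```

On this sample the all-specialists row is reported as an unlabeled attack and therefore counts as a miss for the DoS detection rate, while the disagreement row on a Normal record counts as a false alarm; that is the trade-off the paper's 0.06% FAR increase reflects.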
[Figure residue from Figs. 5 and 6: bar charts with y-axis in %, legend entries MLP/CNN, Proposed Method, MLP and DTDNN; FAR axis from 0 to 3.5 %.]
Fig.6. False Alarm Rate on the data set for Anomaly Detection Systems.
According to Figures 4 and 5, which show the results of our simulation, the rate of detecting RU attacks by our proposed method is nearly 2% to 10% higher than that of previous methods. In addition, the rates of detecting DoS and Probe attacks are respectively 3% to 9% and 8.5% to 24% higher than those of previous methods. Against these gains, our proposed method has nearly 0.06% more false alarm rate than the MLP/CNN method, as shown in Figure 6. Given the higher attack detection rate of the suggested method, this amount of false alarm is acceptable.
5 CONCLUSION
Given the need for intrusion detection systems to detect time-delayed attacks, it is recommended to use a CNN neural network together with an MLP neural network. To improve their performance it is better to use them separately. In addition, it is better to use the "trainbr" training function with the CNN and MLP neural networks for detecting Probe and RU attacks, as described in the previous section. The results of our proposed method indicate an 8.5% to 24% increase in the rate of detecting Probe attacks in comparison to other methods. Future work can extend our proposed method with data mining to decrease the required memory and increase detection accuracy. More parameters of the neural networks can also be varied to detect different types of attack in different networks.
REFERENCES
[1] V. Dao, "A Performance Comparison of Different Back Propagation Neural Networks Methods in Computer Network Intrusion Detection," Proc. of the Fourth IASTED International Conference on Visualization, Imaging, and Image Processing, Acta Press, Marbella, pp. 159-165, 2004.
[2] E. Eskin, M. Miller, Z. Zhong, et al., "Adaptive Model Generation for Intrusion Detection Systems," Proc. of the Workshop on Intrusion Detection and Prevention, 7th ACM Conference on Computer Security, Athens, Greece, 2000.
[3] K. Anup and S. Ghosh, "A Study in Using Neural Networks for Anomaly and Misuse Detection," Proc. of the 8th USENIX Security Symposium, USENIX Press, Washington, D.C., 1999.
[4] Y. Yu, Y. Wei, G. Fu-xiang and Y. Ge, "Anomaly Intrusion Detection Approach Using Hybrid MLP/CNN Neural Network," Proc. of the Sixth IEEE International Conference on Intelligent Systems Design and Applications, 2006.
[5] M.I. Laheeb, "Anomaly Network Intrusion Detection System Based on Distributed Time-Delay Neural Network (DTDNN)," Journal of Engineering Science and Technology, Vol. 5, No. 4, School of Engineering, Taylor's University, 2010.
[6] M. Moradi and M. Zulkernine, "A neural network based system for intrusion detection and classification of attacks," IEEE International Conference on Advances in Intelligent Systems Theory and Applications, Luxembourg-Kirchberg, Luxembourg, 2004.
[7] M. Sammany, M. Sharawi, M. El-Beltagy and I. Saroit, "Artificial neural networks architecture for intrusion detection systems and classification of attacks," accepted for publication in the 5th International Conference INFO, Cairo University, 2007.
[8] S. Haykin, Feed Forward Neural Networks: An Introduction.
[9] K. Kendall, "A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems," Master's Thesis, Massachusetts Institute of Technology, 1998.
[10] W. Campbell, "Traditional Indications and Warnings for Host Based Intrusion Detection," Proc. of CERT Conference, CA Press, Omaha, 1999.
[11] C. Zhou, S. Karunasekera and C. Leckie, "Evaluation of a Decentralized Architecture for Large Scale Collaborative Intrusion Detection," Proc. of the 10th IFIP/IEEE International Symposium on Integrated Network Management, 2007.
Mohammad Nabizadeh Gangaraj is currently an M.Sc. student in Computer Engineering at North Tehran Branch, Islamic Azad University, Iran.
Sam Jabbehdari has been working as an assistant professor at the Department of Computer Engineering of IAU (Islamic Azad University), North Tehran Branch, Tehran, since 1993. He received his B.Sc. and M.Sc. degrees in Electrical Engineering (Telecommunication) from K.N.T. (Khajeh Nasir Toosi) University of Technology and from IAU, South Tehran Branch, Tehran, Iran, in 1988 and 1991 respectively. He received his Ph.D. degree in Computer Engineering from IAU, Science and Research Branch, Tehran, Iran, in 2005. He was head of the Postgraduate Computer Engineering Department of IAU North Tehran Branch during 2008-2010. He has also written the book Advanced Topics in Computer Networks in Persian (Tehran, Classic, 2009). His current research interests are scheduling, QoS, MANETs, wireless sensor networks and grid computing systems.
Ahmad Khadem-Zadeh was born in Meshed, Iran, in 1943. He received the B.Sc. degree in applied physics from Ferdowsi University, Meshed, Iran, in 1969, and the M.Sc. and Ph.D. degrees in Digital Communication and in Information Theory & Error Control Coding, respectively, from the University of Kent, Canterbury, UK. He is currently Head of the Education & National and International Scientific Cooperation Department at the Iran Telecom Research Center (ITRC). He was head of the Test Engineering Group and director of the Computer and Communication Department at ITRC. He is also a lecturer at Tehran universities and a member of the Permanent Committee of the Iranian Electrical Engineering Conference. Dr. Khadem-Zadeh has received four distinguished national and international awards, including the Kharazmi International Award, and has been selected as national outstanding researcher by the Iran Ministry of Information and Communication Technology.