A Class Association Rule Based Classifier Using Probability Density Functions for Intrusion Detection Systems
Shingo Mabu*, Wenjing Li**, and Kotaro Hirasawa**
*Graduate School of Science and Engineering, Yamaguchi University
2-16-1 Tokiwadai, Ube, Yamaguchi 755-8611, Japan
**Graduate School of Information, Production and Systems, Waseda University
2-7 Hibikino, Wakamatsu-ku, Kitakyushu, Fukuoka 808-0135, Japan
As the number of computer systems connected to the Internet is increasing exponentially, the computer security has become a crucial problem, and many techniques for Intrusion detection have been proposed to detect network attacks efficiently. On the other hand, data mining algorithms based on Genetic Network Programming (GNP) have been proposed and applied to Intrusion detection recently. GNP is a graph-based evolutionary algorithm and can extract many important class association rules by making use of the distinguished representation ability of the graph structure. In this paper, probabilistic classification algorithms based on multi-dimensional probability distribution are proposed and combined with conventional class association rule mining of GNP, and applied to network intrusion detection for the performance evaluation. The proposed classification algorithms are based on 1) one-dimensional probability density functions and 2) a two-dimensional joint probability density function. These functions represent the distribution of normal and intrusion accesses and efficiently classify a new access data into normal, known intrusion or even unknown intrusion. The simulations using KDD99Cup database from MIT Lincoln Laboratory show some advantages of the proposed algorithms over the conventional mean and standard deviation-based method.
-  D. E. Denning, “An Intrusion Detection Model,” IEEE Trans. on Software Engineering, Vol.13, pp. 222-232, 1987.
-  W. Lee and S. J. Stolfo, “Data Mining Approaches for Intrusion Detection,” Proc. of the 1998 USENIX Security Symp., 1998.
-  W. Lee and S. J. Stolfo, “A Framework for Construction Features and Models for Intrusion Detection System,” ACM Trans. on Information and System Security, Vol.3, No.4, pp. 227-261, 2000.
-  Z. Bankovic´, D. Stepanovic´, S. Bojanic´, and O. Nieto-Taladriz, “Improving network security using genetic algorithm approach,” Computers and Electrical Engineering, Vol.33, pp. 438-451, 2007.
-  W. Lu and I. Traore, “Detecting new forms of network intrusion using genetic programming,” Computational Intelligence, Vol.20, No.3, pp. 474-494, 2004.
-  G. Folino, C. Pizzuti, and G. Spezzano, “GP Ensemble for Distributed Intrusion Detection Systems,” ICAPR 2005, Lecture Notes in Computer Science (LNCS) 3686, pp. 54-62, Springer-Verlag Berlin Heidelberg, 2005.
-  B. Casewell and J. Beale, “SNORT 2.1, Intrusion Detection, second edition,” Syngress, 2004.
-  M. Roesch, “SNORT–Lightweight Intrusion Detection for Networks,” Proc. of the USENIX 13th Systems Administration Conf., pp. 229-238, 1999.
-  S. A. Hofmeyr, A. Somayaji, and S. Forrest, “Intrusion detection using sequences of system calls,” J. Comput. Secur., Vol.6, No.3, pp. 151-180, 1998.
-  S.-J. Han and S.-B. Cho, “Evolutionary Neural Networks for Anamoly Detection Based on the Behavior of a Program,” IEEE Trans. on Systems, Man, and Cybernetics Part B, Cybernetics, Vol.36, No.3, pp. 559-570, 2006.
-  K. Hwang, M. Cai, Y. Chen, and M. Qin, “Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes,” IEEE Trans. Dependable Secure Comput., Vol.4, No.1, pp. 41-55, 2007.
-  J. H. Holland, “Adaptation in Natural and Artificial Systems,” University of Michigan Press, Ann Arbor, 1975.
-  D. E. Goldberg, “Genetic Algorithm in search, optimization and machine learning,” Addison-Wesley, 1989.
-  J. R. Koza, “Genetic Programming, on the programming of computers by means of natural selection,” MIT Press, Cambridge, Mass., 1992.
-  J. R. Koza, “Genetic Programming II, Automatic Discovery of Reusable Programs,” MIT Press, Cambridge, Mass., 1994.
-  S. Mabu, K. Hirasawa, and J. Hu, “A Graph-Based Evolutionary Algorithm: Genetic Network Programming (GNP) and Its Extension Using Reinforcement Learning,” Evolutionary Computation, Vol.15, No.3, pp. 369-398, 2007.
-  K. Hirasawa, T. Eguchi, J. Zhou, L. Yu, and S. Markon, “A Double-Deck Elevator Group Supervisory Control System Using Genetic Network Programming,” IEEE Trans. on Systems, Man, and Cybernetics–-Part C: Applications and Reviews, Vol.38, No.4, pp. 535-550, 2008.
-  K. Hirasawa, M. Okubo, H. Katagiri, J. Hu, and J. Murata, “Comparison between Genetic Network Programming (GNP) and Genetic Programming (GP),” Proc. of the Congress on Evolutionary Computation, pp. 1276-1282, 2001.
-  D. B. Fogel, “An introduction to simulated evolutionary optimization,” IEEE Trans. on Neural Networks, Vol.5, No.1, pp. 3-14, January 1994.
-  L. J. Fogel, A. J. Owens, and M. J. Walsh, “Artificial Intelligence through simulated Evolution,” John Wiley & Sons, 1966.
-  R. S. Sutton and A. G. Barto, “Reinforcement Learning - An Introduction,” MIT Press, Cambridge, Mass., London, England, 1998.
-  S. Mabu, H. Hatakeyama, K. Hirasawa, and J. Hu, “Genetic network programming with Reinforcement Learning Using Sarsa Algorithm,” Proc. of the 2006 Congress on Evolutionary Computation, pp. 1570-1576, 2006.
-  K. Shimada, K. Hirasawa, and J. Hu, “Genetic Network Programming with Acquisition Mechanisms of Association Rules,” J. of Advanced Computational Intelligence and Intelligent Informatics (JACIII), Vol.10, No.1, pp. 102-111, 2006.
-  R. Agrawal and R. Srikant, “Fast Algorithms for Mining Association Rules,” Proc. of the 20th VLDB Conf., pp. 487-499, Santiago, Chile, 1994.
-  S. Mabu, C. Chen, N. Lu, K. Shimada, and K. Hirasawa, “An Intrusion Detection Model Based on Fuzzy Class Association Rule Mining Using Genetic Network Programming,” IEEE Trans. on Systems, Man, and Cybernetics–-Part C: Applications and Reviews, Vol.41, No.1, pp. 130-139, 2010.
-  Y. Gong, S. Mabu, C. Chen, Y. Wang, and K. Hirasawa, “Intrusion Detection System Combining Misuse Detection and Anomaly Detection Using Genetic Network Programming,” Proc. of the SICE-ICASE Int. Joint Conf., pp. 3463-3467, 2009.
-  KDDCup1999 Data, newblock http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html. [Accessed January 25, 2010]
-  R. P. Lippmann, D. J. Fried, I. Graf, J. Haines, K. P. Kendall, D. McClung, D. Weber, S. Webster, D. Wyschogrod, R. K. Cunningham, and M. A. Zissman, “Evaluating Intrusion Detection Systems: The 1998 DARPA Offline Intrusion Detection Evaluation,” Proc. of the DARPA Information Survivability Conf. and Exposition 2000, Vol.2, IEEE Computer Society Press, 2000.
-  J. Zhang, M. Zulkernine, and A. Haque, “Random-Forests-Based Network Intrusion detection Systems,” IEEE Trans. on Systems, Man, and Cybernetics—Part C: Applications and Reviews, Vol.38, No.5, pp. 649-659, 2008.
-  Z. Yu, J. J. P. Tsai, and T. Weigert, “An Automatically Tuning Intrusion Detection System,” IEEE Trans. on Systems, Man, and Cybernetics—Part B: Cybernetics, Vol.37, No.2, pp. 373-384, 2006.
-  W. Hu, W. Hu, and S. Maybank, “AdaBoost-Based Algorithm for Network Intrusion Detection,” IEEE Trans. on Systems, Man, and Cybernetics—Part B: Cybernetics, Vol.38, No.2, pp. 577-583, 2008.
-  K. Shimada, K. Hirasawa, and J. Hu, “Class Association Rule Mining with Chi-Squared Test Using Genetic Network Programming,” Proc. of the IEEE Int. Conf. on Systems, Man and Cybernetics, pp. 5338-5344, 2006.
-  C. Chen, S. Mabu, K. Shimada, and K. Hirasawa, “Network Intrusion Detection using Class Association Rule Mining Based on Genetic Network Programming,” IEEJ Trans. on Electrical and Electronic Engineering, Vol.5, No.5, pp. 553-559, 2010.