Utilizing fuzzy logic and trend analysis for effective intrusion detection
Author: Martin Botha and Rossouw von Solms
Source: Computers & Security Vol 22, No 5, pp 423-434, 2003
Speaker: Su-Ping Chen
Date: 2006/1/3

Outline
Overview of current Intrusion Detection Systems and fuzzy logic
The fuzzy methodology
HIDS
Conclusion
Comments

Overview of current Intrusion Detection Systems and fuzzy logic
Current Intrusion Detection Systems are based on two major intrusion detection approaches, namely misuse and anomaly intrusion detection.
Immunology approach for Intrusion Detection Systems.
The first shortcoming of current anomaly intrusion detection systems is the lack of precise data. The simple approach will gather precise data from the firewall and operating system audit logs as well as the various user profiles.

Overview of current Intrusion Detection Systems and fuzzy logic
(Figure: A simple Intrusion Detection approach.)

Overview of current Intrusion Detection Systems and fuzzy logic
The second shortcoming of current anomaly intrusion detection systems is the lack of a precise method. The object of the strategy is to compare the generic intrusion phases to the actions of a user or intruder. These graphs will then be compared using pattern recognition techniques.
(Figure: Template and user action graph.)

The fuzzy methodology
Fuzzy logic provides a comprehensive approach that can be used to construct the user action graph and template.
The approach is based on four steps. The four steps are:
1. Fuzzification step
2. Inference step
3. Composition step
4. Defuzzification step

The fuzzy methodology: Fuzzification step
The object of this step is to define input variables as well as input membership functions for each input variable.

The fuzzy methodology: Fuzzification step
The information gained from the input variables represents real-world values and must be converted to truth-values.
For input variable 2 (Illegal firewall access) one can define the following membership expression for this input:

$$
\text{Illegal firewall access}(x) =
\begin{cases}
0 & \text{if number of attempts} < 3 \\
0.33 & \text{if number of attempts} = 3 \\
0.66 & \text{if number of attempts} = 4 \\
1 & \text{if number of attempts} > 4
\end{cases}
$$

The fuzzy methodology: Fuzzification step
The fuzzy set for the membership expression for illegal firewall access is as follows:

$$
A(\text{Illegal firewall access}) = 0/2 \cup 0.33/3 \cup 0.66/4 \cup 1/5
$$

The fuzzy methodology: Inference step
The purpose of the inference process is to categorize each input variable according to standard fuzzy values, such as low, medium or high.

$$
A(\text{Illegal firewall access}) = 0/0 \cup 0.33/2.75 \cup 0.66/5.5 \cup 1/8.34 \cup 0.66/11.09 \cup 0.33/13.84 \cup 0/16.67
$$

The fuzzy methodology: Inference step
The fuzzy rules for the illegal firewall access input variable are as follows:
Rule 1: If the user types his/her password incorrectly zero to two times, then the contribution of this input should be zero.
Rule 2: If the user types his/her password incorrectly three times, then the contribution of this input should be low.
Rule 3: If the user types his/her password incorrectly four times, then the contribution of this input should be medium.
Rule 4: If the user types his/her password incorrectly five or more times, then the contribution of this input should be high.

The fuzzy methodology: Composition step
During the composition step, all 11 input membership functions will be combined.

The fuzzy methodology: Defuzzification step
This step will explain how this geometrical graph can be used to map the user's/intruder's actions onto the six generic intrusion phases.
The mapping strategy consists of three phases, namely:
1. Construction of template graph
2. Construction of user action graph
3. Mapping the two graphs

The fuzzy methodology: Defuzzification step (Construction of template graph)
The template represents an intruder's typical actions when progressing through all six phases of the generic intrusion phases.
The various output membership functions can mathematically be maximized and combined by employing the following expression:

$$
\mu(x) = \mu_1(x) \vee \mu_2(x) \vee \dots \vee \mu_j(x), \quad x \in X
$$

$$
\therefore \mu(\text{Template}) = 0/0 \cup 1/8.34 \cup 1/16.6 \cup 1/25.02 \cup 1/33.33 \cup 1/41.67 \cup 1/50.51 \cup 1/58.35 \cup 1/66.69 \cup 1/75.03 \cup 1/83.37 \cup 1/91.71 \cup 0/100
$$

The fuzzy methodology: Defuzzification step (Construction of the user action graph)
The user action graph can be constructed by reading the various audit logs and user profiles.

The fuzzy methodology: Defuzzification step (Mapping the two graphs)
The mapping strategy can be conducted by employing the defuzzification step of the fuzzy logic process. The centre of gravity (COG) represents a numerical categorization of the total area of the graph.
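The four steps above (fuzzification, inference, composition, defuzzification by centre of gravity) run end to end, as an added example; this is my code, not the paper's or the HIDS prototype's. The numbers are taken from the slides: the membership expression for illegal firewall access, the triangular output set peaking at 1/8.34 and reaching 0 at 0 and 16.67, the eleven inputs, and the template breakpoints 1/8.34 ... 1/91.71. Everything else is an assumption the slides do not state: input k's output triangle is placed at k * 8.34 so that all eleven firing at full strength reproduce the template graph; inference clips the triangle at the truth value (Mamdani-style min); the truth values of inputs other than illegal firewall access are constructed; the "match" tolerance and the mapping of a COG to one of the six phases are illustrative.

```python
"""Four-step fuzzy intrusion detection pipeline (added example, not the paper's code).

Assumed, because the slides do not say: input k's triangle is centred at k * STEP,
inference clips by min, a match needs both COG and area close to the template's, and
the COG is mapped to a phase by splitting the 0..100 axis into six equal bands.
"""
from __future__ import annotations
from math import ceil

STEP = 8.34                        # peak spacing read off the template graph on slide 15
N_INPUTS = 11                      # the composition step combines 11 input membership functions
N_PHASES = 6                       # the six generic intrusion phases
XS = [i / 10 for i in range(1001)] # sampling grid over the 0..100 output axis, step 0.1


def illegal_firewall_access(attempts: int) -> float:
    """Step 1, fuzzification: the slide's membership expression for input variable 2."""
    if attempts < 3:
        return 0.0
    if attempts == 3:
        return 0.33
    if attempts == 4:
        return 0.66
    return 1.0


def triangle(x: float, centre: float, half_width: float = STEP) -> float:
    """Triangular output membership: 1 at centre, falling to 0 at centre +/- half_width.
    With centre 8.34 this is the slide's 0/0, 0.33/2.75, 0.66/5.5, 1/8.34, ..., 0/16.67 set
    (the slide rounds the abscissae slightly differently)."""
    return max(0.0, 1.0 - abs(x - centre) / half_width)


def inference(truth: float, centre: float) -> list[float]:
    """Step 2, inference: clip the input's output set at its truth value (assumed min)."""
    return [min(truth, triangle(x, centre)) for x in XS]


def compose(member_sets: list[list[float]]) -> list[float]:
    """Step 3, composition: fuzzy union (pointwise max) of all input output sets."""
    return [max(values) for values in zip(*member_sets)]


def centre_of_gravity(mu: list[float]) -> float:
    """Step 4, defuzzification: centre of gravity of the composed graph."""
    area = sum(mu)
    return sum(x * m for x, m in zip(XS, mu)) / area if area else 0.0


def action_graph(truths: list[float]) -> list[float]:
    """Build a graph from one truth value per input; input k is centred at k * STEP (assumed)."""
    if len(truths) != N_INPUTS:
        raise ValueError(f"expected {N_INPUTS} truth values, got {len(truths)}")
    return compose([inference(t, (k + 1) * STEP) for k, t in enumerate(truths)])


def template_graph() -> list[float]:
    """Template graph: every input at full strength, i.e. mu(Template) on slide 15."""
    return action_graph([1.0] * N_INPUTS)


def classify(truths: list[float], cog_tol: float = 5.0, area_ratio: float = 0.9) -> dict:
    """Map a user graph onto the template: report a match, else the phase reached (assumed mapping)."""
    user, template = action_graph(truths), template_graph()
    cog_user, cog_template = centre_of_gravity(user), centre_of_gravity(template)
    matched = (abs(cog_user - cog_template) <= cog_tol
               and sum(user) >= area_ratio * sum(template))
    phase = 0 if sum(user) == 0 else min(N_PHASES, ceil(cog_user / (100 / N_PHASES)))
    return {"cog": round(cog_user, 2), "matched": matched, "phase": phase}


def example_user() -> list[float]:
    """Constructed user profile: 4 failed firewall logins (input 2) plus two other inputs."""
    truths = [0.0] * N_INPUTS
    truths[0] = 1.0                          # input 1, constructed value
    truths[1] = illegal_firewall_access(4)   # input 2 from the slide's expression: 0.66
    truths[2] = 0.33                         # input 3, constructed value
    return truths


if __name__ == "__main__":
    print("template COG:", round(centre_of_gravity(template_graph()), 2))
    print("partial attack:", classify(example_user()))
    print("full attack:", classify([1.0] * N_INPUTS))
```

The template's COG lands near the middle of the axis (about 50) because all eleven inputs fire; the constructed partial profile, with only the first three inputs active, has a COG around 15 and so is reported as an early phase rather than a match. Comparing the area as well as the COG matters: a single input firing in the middle of the axis would otherwise share the template's COG without resembling it.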

HIDS
A working prototype called Hybrid Intrusion Detection System (HIDS).
HIDS is a software suite written in the Visual Basic and Visual C programming languages.
The prototype allows for two types of testing and real-time testing.

Conclusion
A novel fuzzy methodology that will identify the different levels of an intrusion attack has been proposed in this paper.
The model will identify the intrusion attack by reading audit log files and user profiles on the operating system and then constructing the user graphs according to this information.
The methodology will also construct a typical intrusion graph (template graph) and will then map the user graph onto this template graph.
If the two graphs match, the methodology will alert the security officer that someone is carrying out an intrusion attack.
If not, the methodology will compute which phase the intruder reached.
Fuzzy logic will be used in both the mapping and phase-determining processes.