Copyright © 2011-15. Vandana Publications. All Rights Reserved.
Volume-5, Issue-2, April-2015 International Journal of Engineering and Management Research
Page Number: 326-330
Intrusion Detection and Attack Classification Using K-Means Algorithm and Artificial Neural Network
Alok Rana, Rajeev Ranjan Pandey, Sonali Londhe, Pooja Mohankar
Department of Computer Engineering, Sinhgad College of Engineering, Pune, INDIA
ABSTRACT
An intrusion detection system (IDS) is a device or software that monitors system activities for malicious activities or policy violations and produces reports to a management station. The majority of current research applies neural network and machine learning techniques to detecting intrusions. In this paper, we present a layered framework integrated with a neural network to build an effective intrusion detection system. We make use of the K-means clustering algorithm together with the back propagation neural network algorithm. The proposed system is trained to detect three types of attacks: UDP flood, TCP flood and Ping flood. The results show that the system has high attack detection accuracy.
Keywords—IDS; neural network; layered framework; K-means algorithm.
I. INTRODUCTION
An intrusion detection system (IDS) is a tool used to protect an organization from attacks from different sources. Intrusion detection systems have emerged in the computer security area because of the difficulty of ensuring that an information system will be free of security flaws. Intrusion detection is defined by the Sysadmin, Audit, Networking and Security (SANS) Institute as the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. Thus, security of data and continuity of services can only be ensured by an IDS. An IDS is required to handle a large amount of data without affecting performance and without dropping data, and to detect attacks reliably without giving false alarms.
An IDS is broadly classified as:
A. Misuse Based System:
In misuse based IDS, detection is performed by looking for the exploitation of known weak points in the system, which can be described by a specific pattern or sequence of events or data. That means these systems can detect only known attacks for which they have a defined signature.
B. Anomaly based system:
In an anomaly based IDS, detection is performed by detecting changes in the patterns of utilization or behavior of the system. The main advantage of anomaly detection systems is that they can detect previously unknown attacks.
After the introduction in Section I, related work and its associated problems are described in Section II. Section III describes architecture of the proposed systems. Section IV explains the dataset, attack types & features used for classifying connection records. Section V shows the details of the experimental setup and results. Section VI concludes the paper with a discussion of results and scope of future work.
II. METHODOLOGY
In the first step, the dataset is trained with the back propagation neural network algorithm, and feed-forward evaluation is then used to detect and classify the attacks.
III. PRIOR APPROACH
Neural network algorithms are emerging as an artificial intelligence technique that can be applied to real-life problems. Neural networks are a form of artificial intelligence that uses multiple artificial neurons, networked together, to process information. Such a network has the capability to learn from patterns and to extrapolate results from data that has previously been entered into the network's knowledge base. This ability makes neural network applications extremely valuable in intrusion detection [1]. The neural network method is a promising technique that has been used in many classification problems. The present study aims to solve a multi-class intrusion detection problem using an MLP in which not only are attack records distinguished from normal ones, but the attack type is also identified [2]. The weight updating algorithms developed for the ANN are based on the back propagation algorithm, the echo state neural network and the functional update method. The method of presenting the patterns to the input layer of the network has been analyzed. Different methods of presenting the input patterns, such as reducing the dimension of the input patterns by a transformation and preprocessing the input patterns for non-linear classifiers, have been investigated. To find the optimum number of nodes required in the hidden layer of an ANN, a method has been proposed based on the change in the mean squared error, measured dynamically during successive sets of iterations. [3] presents the detection of new attacks by a neural network-based Intrusion Detection System. What is crucial for this topic is adapting a neural network that is already in use so that it correctly classifies new "normal traffic" and attack representations that were not presented during the network training process. When a new attack appears, it should also be easy to obtain vectors to test and to retrain the neural classifier.
We describe the proposal of an algorithm and a distributed IDS architecture. [4] presents a novel algorithm for performing k-means clustering: it organizes all the patterns in a k-d tree structure so that all the patterns closest to a given prototype can be found efficiently. [5] presents a new approach to intrusion detection based on an artificial neural network, using the Multi Layer Perceptron (MLP) architecture for the Intrusion Detection System.
IV. OUR APPROACH
A. K-means Clustering Algorithm
Clustering is the method of grouping objects into meaningful subclasses so that the members of the same cluster are quite similar, and the members of different clusters are quite different from each other. Clustering algorithms fall into four groups: partitioning algorithms, hierarchical algorithms, density-based algorithms and grid-based algorithms. Partitioning algorithms construct a partition of a database of N objects into a set of K clusters. Usually they start with an initial partition and then use an iterative control strategy to optimize an objective function [3].
Idea of Algorithm:
K-means is one of the simplest unsupervised learning algorithms that solve the well-known clustering problem. The procedure follows a simple and easy way to classify a given data set through a certain number of clusters (assume k clusters) fixed a priori. The main idea is to define k centroids, one for each cluster. These centroids should be placed carefully, because different locations cause different results; the better choice is to place them as far away from each other as possible. The next step is to take each point belonging to the data set and associate it with the nearest centroid. When no point is pending, the first step is completed and an early grouping is done. At this point we need to re-calculate k new centroids as barycenters of the clusters resulting from the previous step. After we have these k new centroids, a new binding has to be done between the same data set points and the nearest new centroid. A loop has thus been generated; as a result of this loop, the k centroids change their location step by step until no more changes are made, in other words until the centroids do not move any more. Finally, this algorithm aims at minimizing an objective function, in this case a squared error function: the sum, over all clusters, of a chosen distance measure between each data point and its cluster centre, which is an indicator of the distance of the n data points from their respective cluster centers. The algorithm can be explained with the help of the following flowchart:
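The loop just described, written out as an added example (this is not code from the paper or its authors): centroids are initialised as far apart as possible, each point is bound to its nearest centroid, centroids are recomputed as barycenters, and the loop stops when no assignment changes. The objective J is the sum of squared distances to the assigned centroids. The packet lengths used as input are constructed here, as is the `discretize` helper that maps each value to the rank of its cluster, which is how Section B's "features are discretized using K-means" can be realised.

```python
"""K-means clustering as described in Section IV.A, in pure Python."""
from typing import List, Sequence, Tuple

Point = Tuple[float, ...]


def sq_dist(a: Point, b: Point) -> float:
    """Squared Euclidean distance: the distance measure in the objective."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def init_far_apart(points: Sequence[Point], k: int) -> List[Point]:
    """Place the k initial centroids as far apart as possible: start with the
    first point, then repeatedly add the point farthest from the centroids
    chosen so far. Deterministic, so the result is reproducible."""
    centroids = [points[0]]
    while len(centroids) < k:
        farthest = max(points, key=lambda p: min(sq_dist(p, c) for c in centroids))
        centroids.append(farthest)
    return centroids


def barycenter(members: Sequence[Point]) -> Point:
    dim = len(members[0])
    return tuple(sum(p[d] for p in members) / len(members) for d in range(dim))


def objective(points: Sequence[Point], labels: Sequence[int], centroids: Sequence[Point]) -> float:
    """J = sum over all points of ||x_i - c_(label of i)||^2."""
    return sum(sq_dist(p, centroids[lab]) for p, lab in zip(points, labels))


def kmeans(points: Sequence[Point], k: int, max_iter: int = 100):
    """Return (centroids, labels, J). Stops when no point changes cluster."""
    centroids = init_far_apart(points, k)
    labels = [-1] * len(points)
    for _ in range(max_iter):
        # binding step: every point goes to its nearest centroid
        new_labels = [min(range(k), key=lambda j: sq_dist(p, centroids[j])) for p in points]
        if new_labels == labels:          # centroids no longer move: done
            break
        labels = new_labels
        # re-centre step: each centroid becomes the barycenter of its cluster
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:                   # an empty cluster keeps its old centroid
                centroids[j] = barycenter(members)
    return centroids, labels, objective(points, labels, centroids)


def discretize(values: Sequence[float], k: int) -> List[int]:
    """Map each scalar feature value to a bin 0..k-1 ordered by centroid,
    so bin 0 holds the smallest values (hypothetical helper, not the paper's)."""
    centroids, labels, _ = kmeans([(v,) for v in values], k)
    order = sorted(range(k), key=lambda j: centroids[j][0])
    rank = {j: r for r, j in enumerate(order)}
    return [rank[lab] for lab in labels]


# Constructed sample input: packet lengths in bytes (not captured traffic).
PACKET_LENGTHS = [60, 64, 62, 58, 1500, 1480, 1514, 1400, 576, 600, 512, 590]

if __name__ == "__main__":
    cents, labs, J = kmeans([(v,) for v in PACKET_LENGTHS], 3)
    print("centroids:", [round(c[0], 1) for c in cents], "J =", J)
    print("bins:", discretize(PACKET_LENGTHS, 3))
```

On this input the three bins separate small control packets, mid-sized packets and MTU-sized packets; the squared-error objective is what the flowchart's "centroids stop moving" condition is minimising.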
B. Training of Dataset
The incoming packets coming in the network are captured in a packet sniffer and are analyzed. Packet signatures are extracted and these features are discretized using K-means clustering Algorithm. Packets are labeled as attack with their type or normal and are added to the serialized database.
Training of Dataset
C. System Architecture
System Architecture
In this system, the steps followed to detect an intrusion are as follows:
1. Data is captured in the form of IP packets.
2. The data are decoded and transformed into a uniform format through the process of feature extraction. In this step, features that can be used for classification are extracted, such as hop limit, source IP, destination IP, length, SYN flag, ACK flag, RST flag, port number, etc.
3. The data are then analyzed in a manner specific to the individual IDS and classified as threatening or not.
4. Alerts are generated if a threatening pattern is encountered.
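Step 2 of the architecture, as an added example that is not the paper's own code: decode a raw IPv4 packet into the feature record listed above (TTL standing in for the hop limit, source and destination IP, total length, SYN/ACK/RST flags, ports) and then into a fixed-order numeric vector suitable for a classifier. The parser rejects truncated or non-IPv4 input with an exception rather than emitting garbage features. The sample packets are constructed in code with zero checksums; `to_vector` and the 1500-byte length scale are design choices of this example, not the paper's.

```python
"""Feature extraction from raw IPv4 packets (no link-layer header)."""
import socket
import struct
from typing import Dict, List

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def parse_ipv4_packet(raw: bytes) -> Dict[str, object]:
    """Decode one IPv4 packet into a feature record; ValueError on malformed input."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    rec: Dict[str, object] = {
        "hop_limit": ttl,                 # IPv4 TTL plays the role of the hop limit
        "src_ip": socket.inet_ntoa(src),
        "dst_ip": socket.inet_ntoa(dst),
        "length": total_len,
        "protocol": proto,
        "syn": 0, "ack": 0, "rst": 0,
        "src_port": None, "dst_port": None,
        "icmp_type": None,
    }
    payload = raw[ihl:]
    if proto == IPPROTO_TCP and len(payload) >= 20:
        sport, dport, _seq, _ackno, off_flags = struct.unpack("!HHIIH", payload[:14])
        rec["src_port"], rec["dst_port"] = sport, dport
        rec["syn"] = 1 if off_flags & 0x02 else 0   # flag bits sit in the low 9 bits
        rec["rst"] = 1 if off_flags & 0x04 else 0
        rec["ack"] = 1 if off_flags & 0x10 else 0
    elif proto == IPPROTO_UDP and len(payload) >= 8:
        rec["src_port"], rec["dst_port"] = struct.unpack("!HH", payload[:4])
    elif proto == IPPROTO_ICMP and len(payload) >= 8:
        rec["icmp_type"] = payload[0]             # 8 = echo request (ping)
    return rec


def to_vector(rec: Dict[str, object]) -> List[float]:
    """Uniform numeric vector: protocol one-hot, TCP flags, scaled length."""
    proto = rec["protocol"]
    return [
        1.0 if proto == IPPROTO_TCP else 0.0,
        1.0 if proto == IPPROTO_UDP else 0.0,
        1.0 if proto == IPPROTO_ICMP else 0.0,
        float(rec["syn"]), float(rec["ack"]), float(rec["rst"]),
        min(int(rec["length"]) / 1500.0, 1.0),    # Ethernet MTU as the scale
    ]


# --- constructed sample packets (not captured traffic) ----------------------
def build_ipv4(proto: int, payload: bytes, ttl: int, src: str, dst: str) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, ttl,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp_segment(sport: int, dport: int, flags: int) -> bytes:
    # data offset 5 (20-byte header) in the top 4 bits, flags in the low 9 bits
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 8192, 0, 0)


SYN_PACKET = build_ipv4(IPPROTO_TCP, tcp_segment(40000, 80, 0x02), 64, "10.0.0.5", "10.0.0.1")
UDP_PACKET = build_ipv4(IPPROTO_UDP, struct.pack("!HHHH", 53000, 53, 8, 0), 128, "10.0.0.5", "10.0.0.2")
PING_PACKET = build_ipv4(IPPROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1), 255, "10.0.0.5", "10.0.0.3")

if __name__ == "__main__":
    for pkt in (SYN_PACKET, UDP_PACKET, PING_PACKET):
        record = parse_ipv4_packet(pkt)
        print(record, to_vector(record))
```

The protocol one-hot plus the SYN/ACK/RST bits is exactly the information needed to tell a TCP SYN flood, a UDP flood and a ping flood apart downstream, while the IP addresses stay in the record for alerting rather than entering the numeric vector.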
D. Back-propagation Classifier
The BPN algorithm [13] is used to build a BPN classifier for the classification of events.
Back Propagation Neural Network Algorithm (BPN):
Step 1) Design the network and set parameters.
Step 2) Initialize weights with random values. For a specified number of training iterations do: for each input and ideal (expected) output pattern,
– i) calculate the actual output from the input;
– ii) calculate the output neurons' error;
– iii) calculate the weight variations (Newwt).
Step 3) Learn by new weights.
BPN Architecture
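Steps 1 to 3 carried through in code, as an added example that is not the authors' implementation: a one-hidden-layer network with sigmoid units is initialised with random weights, and for each training pattern the actual output is computed, the output error is found, the weight variations are computed by back propagation and the weights are updated. The per-window feature vectors, the four class labels (normal, TCP flood, UDP flood, Ping flood) and the network size are constructed for this example; the paper's actual dataset and architecture are not reproduced here.

```python
"""Back propagation neural network (BPN) classifier in pure Python."""
import math
import random
from typing import List, Tuple

CLASSES = ["normal", "tcp_flood", "udp_flood", "ping_flood"]

# Constructed per-window feature vectors (not from a real capture):
# [is_tcp, is_udp, is_icmp, share of SYN-without-ACK packets, scaled packet rate]
TRAINING_SET: List[Tuple[List[float], int]] = [
    ([1, 0, 0, 0.10, 0.10], 0),   # ordinary TCP traffic
    ([0, 1, 0, 0.00, 0.10], 0),   # ordinary UDP traffic
    ([0, 0, 1, 0.00, 0.05], 0),   # occasional ping
    ([1, 0, 0, 0.95, 0.90], 1),   # TCP SYN flood
    ([0, 1, 0, 0.00, 0.95], 2),   # UDP flood
    ([0, 0, 1, 0.00, 0.90], 3),   # ping flood
]


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


class BPN:
    def __init__(self, n_in: int, n_hidden: int, n_out: int, seed: int = 1):
        # Step 1/2: fixed topology, weights and biases initialised at random
        rng = random.Random(seed)
        self.w_ih = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b_h = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.w_ho = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_out)]
        self.b_o = [rng.uniform(-0.5, 0.5) for _ in range(n_out)]

    def forward(self, x: List[float]) -> Tuple[List[float], List[float]]:
        """i) actual output: feed-forward through hidden and output layers."""
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(self.w_ih, self.b_h)]
        o = [sigmoid(sum(w * hj for w, hj in zip(row, h)) + b) for row, b in zip(self.w_ho, self.b_o)]
        return h, o

    def train_step(self, x: List[float], target: List[float], lr: float) -> float:
        h, o = self.forward(x)
        # ii) output neuron error, scaled by the sigmoid derivative o(1-o)
        d_out = [(t - ok) * ok * (1.0 - ok) for t, ok in zip(target, o)]
        # error propagated back to the hidden layer
        d_hid = [hj * (1.0 - hj) * sum(d_out[k] * self.w_ho[k][j] for k in range(len(o)))
                 for j, hj in enumerate(h)]
        # iii) weight variations and Step 3: learn by applying them
        for k in range(len(o)):
            for j in range(len(h)):
                self.w_ho[k][j] += lr * d_out[k] * h[j]
            self.b_o[k] += lr * d_out[k]
        for j in range(len(h)):
            for i in range(len(x)):
                self.w_ih[j][i] += lr * d_hid[j] * x[i]
            self.b_h[j] += lr * d_hid[j]
        return sum((t - ok) ** 2 for t, ok in zip(target, o)) / len(o)

    def predict(self, x: List[float]) -> int:
        """Index of the output neuron with the highest activation."""
        _, o = self.forward(x)
        return max(range(len(o)), key=o.__getitem__)


def one_hot(label: int, n: int) -> List[float]:
    return [1.0 if i == label else 0.0 for i in range(n)]


def train_classifier(epochs: int = 3000, lr: float = 0.5, seed: int = 1):
    """Train on TRAINING_SET; return (network, first-epoch MSE, last-epoch MSE)."""
    net = BPN(n_in=5, n_hidden=6, n_out=len(CLASSES), seed=seed)
    first = last = 0.0
    for epoch in range(epochs):
        mse = sum(net.train_step(x, one_hot(y, len(CLASSES)), lr)
                  for x, y in TRAINING_SET) / len(TRAINING_SET)
        if epoch == 0:
            first = mse
        last = mse
    return net, first, last


if __name__ == "__main__":
    net, first, last = train_classifier()
    print(f"MSE first epoch {first:.4f}, last epoch {last:.6f}")
    for x, y in TRAINING_SET:
        print(x, "->", CLASSES[net.predict(x)], "(expected", CLASSES[y] + ")")
```

The decreasing mean squared error is the quantity the prior-work discussion proposes for choosing the hidden-layer size; a practitioner would hold out part of the data and watch that error on the held-out windows to catch overfitting before deploying the classifier as the alerting stage.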
V. RESULTS
This system determines whether a packet is malicious or not, and also detects the type of attack, i.e. whether it is a TCP attack, a UDP attack or an ICMP attack.
VI. CONCLUSION AND FUTURE SCOPE
In this paper, intrusion detection and classification is done using an ANN and the K-means algorithm. The result is a neural network based intrusion detection system intended to classify normal and attack patterns and to identify the type of the attack.
As a possible future development to the implementation of the proposed system one can include more attack scenarios in the dataset.
REFERENCES
[1] Nidhi Srivastav and Rama Krishna Challa, "Novel Intrusion Detection System integrating Layered Framework with Neural Network," 2013 3rd IEEE International Advance Computing Conference (IACC).
[2] Mehdi Moradi and Mohammad Zulkernine, "A neural network based system for intrusion detection and classification of attacks."
[3] Rohit Khandelwal, Abhinav Srivastava, Md Ejaz Uddin, "A network traffic classification using artificial neural network (ANN)."
[4] Devikrishna K S, Ramakrishna B B, "An Artificial Neural Network based Intrusion Detection System and Classification of Attacks," International Journal of Engineering Research and Applications (IJERA), Jul-Aug 2013.
[5] Mukhopadhyay, M Chakraborty, S Chakrabarti, T Chatterjee, "Back Propagation Neural Network Approach to Intrusion Detection System," International Conference on Recent Trends in Information Systems, 2011.
[6] Suseela T. Sarasamma, Qiuming A. Zhu, Julie Huff, "Hierarchical Kohonenen Net for Anomaly Detection in Network Security," IEEE Transactions on Systems, Man and Cybernetics—Part B: Cybernetics, vol. 35(2).
[7] J. Ryan, M. Lin, R. Mikkulainen, "Intrusion Detection with Neural Networks," Advances in Neural Information Processing Systems, vol. 10, MIT Press.
[8] Pritesh Vora, Bhavesh Oza, "A Survey on K-mean Clustering and Particle Swarm Optimization," International Journal of Science and Modern Engineering (IJISME), ISSN: 2319-6386, Volume-1, Issue-3, February 2013.
[9] D. E. Denning, "An intrusion detection model," IEEE Transactions on Software Engineering, vol. 13, no. 2, pp. 222–232, 1987.
[10] S. Haykin, "Neural Network Comprehensive Foundation," Second Edition, Prentice Hall, 1999.
[11] Mohammed Sammany, Marwa Sharawi, Mohammed El-Beltagy and Imane Saroit, "Artificial Neural Networks Architecture For Intrusion Detection Systems and Classification of Attacks," Cairo University, Egypt, 2012.
[12] Przemysław Kukiełka, Zbigniew Kotulski, "Adaptation of the neural network-based IDS to new attacks detection," Research and Development Department, Polish Telecom; Institute of Telecommunications, Warsaw University of Technology.
[14] Deepika P Vinchurkar, Alpa Reshamwala, "A Review of Intrusion Detection System Using Neural Network and Machine Learning Technique," International Journal of Engineering Science and Innovative Technology (IJESIT), Volume 1, Issue 2, November 2012.