Online Boosting Based Intrusion Detection in Changing Environments

use of the information supplied by part of the training data set. Thus, the key issue of online learning research is how to control the above difference while training a classifier online.

Table 1. Adaboost Algorithm

Input: $\{(x_1, y_1), \ldots, (x_n, y_n)\}$, $M$, $L_b$
Initialization: $w_n^{(1)} = 1/N$, $n = 1, 2, \ldots, N$
For $m = 1, 2, \ldots, M$
    $h^{(m)} = L_b(\{(x_1, y_1), \ldots, (x_n, y_n)\}, w^{(m)})$
    Calculate the weighted error of $h^{(m)}$:
        $\varepsilon^{(m)} = \sum_{n:\, h^{(m)}(x_n) \neq y_n} w_n^{(m)}$
    If $\varepsilon^{(m)} \geq 1/2$, then
        Set $M = m - 1$ and stop loop
    endif
    Update the weights:
        $w_n^{(m+1)} = w_n^{(m)} \times \begin{cases} \dfrac{1}{2(1 - \varepsilon^{(m)})} & \text{if } h^{(m)}(x_n) = y_n \\[4pt] \dfrac{1}{2\varepsilon^{(m)}} & \text{if } h^{(m)}(x_n) \neq y_n \end{cases}$    (3)
Output the final strong classifier:
    $H(x) = \mathrm{sign}\Big( \sum_{m=1}^{M} \lg \dfrac{1 - \varepsilon^{(m)}}{\varepsilon^{(m)}} \, h^{(m)}(x) \Big)$
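As a concrete illustration of Table 1, the following is a minimal sketch of batch Adaboost in Python. The single-feature decision-stump base learner, the toy data, and all function names are our own illustration, not part of the paper; only the weighting logic follows Table 1.

```python
import math

def train_stump(X, y, w):
    """Base learner L_b: best single-feature threshold stump under weights w."""
    best = None
    for j in range(len(X[0])):
        for thr in sorted(set(row[j] for row in X)):
            for s in (1, -1):
                pred = [s if row[j] >= thr else -s for row in X]
                err = sum(wi for wi, p, yi in zip(w, pred, y) if p != yi)
                if best is None or err < best[0]:
                    best = (err, j, thr, s)
    _, j, thr, s = best
    return lambda x, j=j, thr=thr, s=s: s if x[j] >= thr else -s

def adaboost(X, y, M, Lb=train_stump):
    """Batch Adaboost as in Table 1; labels are in {-1, +1}."""
    N = len(X)
    w = [1.0 / N] * N                       # w_n^(1) = 1/N
    ensemble = []                           # (vote weight, weak classifier)
    for m in range(M):
        h = Lb(X, y, w)
        eps = sum(wi for wi, xi, yi in zip(w, X, y) if h(xi) != yi)
        if eps >= 0.5:                      # no better than chance: stop loop
            break
        if eps == 0.0:                      # perfect stump: avoid division by zero
            ensemble.append((1.0, h))
            break
        # Eq. (3): correct samples are down-weighted, errors up-weighted,
        # and the weights still sum to 1 after the update.
        w = [wi / (2 * (1 - eps)) if h(xi) == yi else wi / (2 * eps)
             for wi, xi, yi in zip(w, X, y)]
        # any log base yields the same sign as the paper's lg
        ensemble.append((math.log((1 - eps) / eps), h))
    return lambda x: 1 if sum(a * h(x) for a, h in ensemble) >= 0 else -1

# toy 1-D data: the positive class is an interval, so one stump is not enough
X = [[0.05], [0.1], [0.2], [0.4], [0.5], [0.6], [0.8], [0.9]]
y = [-1, -1, -1, 1, 1, 1, -1, -1]
clf = adaboost(X, y, M=3)
print(all(clf(xi) == yi for xi, yi in zip(X, y)))  # True
```

Three boosting rounds suffice here because the weight update forces later stumps to concentrate on the samples the earlier ones misclassified.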

In order to adapt Adaboost to the data stream environment, Oza proposed an online version of Adaboost in [16], where a convergence proof for the online version was also given. Recently, Grabner and Bischof [17] successfully introduced the online boosting algorithm into the computer vision field.

The detailed online boosting algorithm is presented in Table 2. Here $h$ is the set of weak classifiers to be updated online, and $L_o$ is the online base model learning algorithm. Note that in the batch Adaboost algorithm, the sum of the sample weights remains 1:

$\sum_{n=1}^{N} w_n^{(m)} = 1, \quad m = 1, \ldots, M$,

where the definition of $w_n^{(m)}$ is already given in Section 2.2. However, in online boosting, the weight $\lambda$ evolves individually for each training sample. The weight $w_n^{(m)}$ is actually a sampling weight used while generating the $m$-th weak classifier. The same function is performed by the parameter $k$ in online boosting, which is randomly generated from a Poisson distribution with parameter $\lambda$. As for the weighted classification error of $h^{(m)}$, an approximation is used:

$\varepsilon^{(m)} = \dfrac{sw_m}{sc_m + sw_m}$    (4)

which involves only samples already seen. Moreover, the number of weak classifiers is not fixed in Adaboost, while in online boosting the number of weak classifiers is fixed beforehand, and the weak classifiers are all learned online. Although it may differ greatly from the classifier learned in batch mode when only a few training samples have been processed, the online ensemble classifier converges statistically to the ensemble generated in batch mode as the number of training samples increases [16].
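The Poisson-based resampling described above can be checked numerically. The sketch below is our own illustration in plain Python; it uses Knuth's sampling method because the standard library has no Poisson sampler, and all names are assumptions, not the paper's.

```python
import math
import random

def poisson(lam, rng):
    """Sample k ~ Poisson(lam) via Knuth's method."""
    L = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= L:
            return k
        k += 1

rng = random.Random(42)
lam = 2.5
draws = [poisson(lam, rng) for _ in range(100_000)]
mean_k = sum(draws) / len(draws)
# E[k] = lam, so on average the sample is presented to the online learner
# lam times -- mirroring the role of the sampling weight in batch boosting.
print(round(mean_k, 2))
```

Because $E[k] = \lambda$, showing a sample to the online base learner $k$ times approximates training on it with weight $\lambda$, which is exactly the substitution online boosting makes.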

Table 2. Online Boosting Algorithm

Input: $\{(x_1, y_1), \ldots, (x_n, y_n)\}$, $M$, $L_o$
Initialization: $sc_m = 0$, $sw_m = 0$, $m = 1, 2, \ldots, M$
For each new training sample $(x, y)$
    Initialize the weight of the current sample: $\lambda = 1$
    For $m = 1, 2, \ldots, M$
        Set $k$ according to $\mathrm{Poisson}(\lambda)$
        Do $k$ times
            $h^{(m)} = L_o((x, y), h^{(m)})$
        If $h^{(m)}(x) = y$, then
            $sc_m = sc_m + \lambda$
            $\varepsilon^{(m)} = \dfrac{sw_m}{sc_m + sw_m}$
            $\lambda = \lambda \cdot \dfrac{1}{2(1 - \varepsilon^{(m)})}$
        else
            $sw_m = sw_m + \lambda$
            $\varepsilon^{(m)} = \dfrac{sw_m}{sc_m + sw_m}$
            $\lambda = \lambda \cdot \dfrac{1}{2\varepsilon^{(m)}}$
        endif
Output the final strong classifier:
    $H(x) = \mathrm{sign}\Big( \sum_{m=1}^{M} \lg \dfrac{1 - \varepsilon^{(m)}}{\varepsilon^{(m)}} \, h^{(m)}(x) \Big)$
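To make Table 2 concrete, here is a minimal sketch of the online boosting loop in Python. The weak learner (a nearest-class-mean rule on one feature), the Poisson sampler, and all class and function names are our own assumptions for illustration; only the update logic follows Table 2.

```python
import math
import random

def poisson(lam, rng):
    """k ~ Poisson(lam), via Knuth's method (stdlib random lacks Poisson)."""
    L = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= L:
            return k
        k += 1

class MeanClassifier:
    """Illustrative online weak learner L_o: nearest class mean on one feature."""
    def __init__(self, feature):
        self.j = feature
        self.sums = {1: 0.0, -1: 0.0}
        self.counts = {1: 0, -1: 0}

    def update(self, x, y):
        self.sums[y] += x[self.j]
        self.counts[y] += 1

    def predict(self, x):
        if not (self.counts[1] and self.counts[-1]):
            return 1  # untrained default
        mp = self.sums[1] / self.counts[1]
        mn = self.sums[-1] / self.counts[-1]
        return 1 if abs(x[self.j] - mp) <= abs(x[self.j] - mn) else -1

class OnlineBoost:
    def __init__(self, M, num_features, seed=0):
        self.h = [MeanClassifier(m % num_features) for m in range(M)]
        self.sc = [0.0] * M   # weighted count of correctly classified samples
        self.sw = [0.0] * M   # weighted count of misclassified samples
        self.rng = random.Random(seed)

    def partial_fit(self, x, y):
        lam = 1.0  # weight of the current sample
        for m, h in enumerate(self.h):
            for _ in range(poisson(lam, self.rng)):
                h.update(x, y)                     # h^(m) = L_o((x, y), h^(m))
            if h.predict(x) == y:
                self.sc[m] += lam
                eps = self.sw[m] / (self.sc[m] + self.sw[m])
                lam *= 1.0 / (2 * (1 - eps))       # shrink weight when correct
            else:
                self.sw[m] += lam
                eps = self.sw[m] / (self.sc[m] + self.sw[m])
                lam *= 1.0 / (2 * eps)             # grow weight when wrong

    def predict(self, x):
        score = 0.0
        for m, h in enumerate(self.h):
            total = self.sc[m] + self.sw[m]
            eps = self.sw[m] / total if total else 0.5
            eps = min(max(eps, 1e-12), 1 - 1e-12)  # keep lg((1-eps)/eps) finite
            score += math.log((1 - eps) / eps) * h.predict(x)
        return 1 if score >= 0 else -1

stream = [([-2.0], -1), ([-1.2], -1), ([-0.8], -1),
          ([0.8], 1), ([1.2], 1), ([2.0], 1)]
clf = OnlineBoost(M=3, num_features=1, seed=42)
for _ in range(10):                 # simulate a repeating data stream
    for x, y in stream:
        clf.partial_fit(x, y)
print(clf.predict([-1.5]), clf.predict([1.5]))
```

Note how each sample is processed once and discarded, and how the running counts $sc_m$ and $sw_m$ stand in for the full weighted error of the batch algorithm, using equation (4).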

2.4 Online boosting based intrusion detection

An intrusion detection algorithm is expected to fulfill three main requirements in order to be suitable for practical use:
- the detection should be performed in real time;
- the detection accuracy should be as high as possible, which means a high detection rate to guarantee system security and a low false alarm rate to reduce unnecessary human burden;
- the detector should adapt quickly to changing network environments, which implies the ability to accurately detect any new type of attack soon after its emergence.

In order to make the updating of the intrusion detector efficient, the training of the detector should not be time-consuming, which rules out some complex classifiers; on the other hand, the strict requirement on detection performance makes the direct use of simple classifiers impractical. Considering the variety of attributes in network connection data, the situation is even worse. We will try to resolve these difficulties in the proposed online boosting based detection method.
