IJIES-2008 VOLUME 1 ISSUE 4 - Index of

More documents

Recommendations

Info

Figure 1. IDS system block diagramFigure 2. IDS decision block diagram2. General overview of our anomaly-based IDSapproachBy profiling the properties of normal network trafficand modeling intrusions or unwanted traffic asanomalies, it is possible to detect the occurrence ofsuch events within reasonable time so to activate reactionand response procedures. Determining the normalbehavior model, however, is a difficult task due tothe presence of different trends in data, which mightbe influenced by the time of day, the day of week andseasonal variations.In our approach we store ”normal” traces in a referencedatabase. Normal traces represent traffic fromdays, we are sure no attacks occurred. These referencetraces are compared to current, examined traces.Current traces may be either sniffed from traffic or forexperimental purposes may represent old attacks (sothat the ground truth is known).The general overview of our intrusion detectionsystem is presented in Figure 1. The overview of adecision block is explained in Figure 2.Signal processing techniques have found applicationin Network Intrusion Detection Systems becauseof their ability to detect novel intrusions and attacks,which cannot be achieved by signature-basedapproaches. It has been shown that network trafficpresents several relevant statistical properties whenanalyzed at different levels (e.g. self-similarity, longrange dependence, entropy variations, etc.) [3]. Approachesbased on signal processing and on statisticalanalysis can be powerful in decomposing the signalsrelated to network traffic, giving the ability to distinguishbetween trends, noise, and actual anomalousevents. Wavelet-based approaches, maximum entropyestimation, principal component analysis techniques,and spectral analysis, are examples in this regardwhich have been investigated in the recent years bythe research community [4]-[8].A powerful analysis, synthesis, and detection tool inthis field is represented by the wavelets. Indeed, timeandscale-localization abilities of the wavelet transform,make it ideally suited to detect irregular trafficpatterns in traffic traces. Recently many waveletbasedmethods for detection of attacks have beentested and documented. Some are based on the continuouswavelet transform analysis, most of them howeverrefer to the discrete wavelet transformation andthe multiresolution analysis [3].However, Discrete Wavelet Transform provides alarge amount of coefficients which not necessarily reflectrequired features of the network signals.Therefore, in this paper we propose anothersignal processing and decomposition method foranomaly/intrusion detection in networked systems.We developed original Anomaly Detection Type IDSalgorithm based on Matching Pursuit.3. Motivation for signal-based IDSSignal processing techniques have found applicationin Network Intrusion Detection Systems becauseof their ability to detect novel intrusions and attacks,which cannot be achieved by signature-basedapproaches. It has been shown that network trafficpresents several relevant statistical properties whenanalyzed at different levels (e.g. self-similarity, longInternational Journal of Intelligent Engineering and Systems 4 (2008) 18–24 19
ange dependence, entropy variations, etc.) [3]. Approachesbased on signal processing and on statisticalanalysis can be powerful in decomposing the signalsrelated to network traffic, giving the ability to distinguishbetween trends, noise, and actual anomalousevents. Wavelet-based approaches, maximum entropyestimation, principal component analysis techniques,and spectral analysis, are examples in this regardwhich have been investigated in the recent years bythe research community [4]-[8].A powerful analysis, synthesis, and detection tool inthis field is represented by the wavelets. Indeed, timeandscale-localization abilities of the wavelet transform,make it ideally suited to detect irregular trafficpatterns in traffic traces. Recently many waveletbasedmethods for detection of attacks have beentested and documented. Some are based on the continuouswavelet transform analysis, most of them howeverrefer to the discrete wavelet transformation andthe multiresolution analysis [3].However, Discrete Wavelet Transform provides alarge amount of coefficients which not necessarily reflectrequired features of the network signals.Therefore, in this paper we propose anothersignal processing and decomposition method foranomaly/intrusion detection in networked systems.We developed original Anomaly Detection Type IDSalgorithm based on Matching Pursuit.4. Intrusion Detection System based on MatchingPursuit4.1. Introduction to Matching PursuitMatching Pursuit signal decomposition was proposedby Mallat and Zhang [9].Matching Pursuit is a greedy algorithm that decomposesany signal into a linear expansion of waveformswhich are taken from an overcomplete dictionary D.The dictionary D is an overcomplete set of base functionscalled also atoms.D = {α γ : γ ∈ Γ} (1)where every atom α γ from dictionary has normequal to 1:‖α γ ‖ = 1 (2)Γ represents set of indexes for atom transformationparameters such as translation, rotation and scaling.Signal s has various representations for dictionaryD. Signal can be approximated by set of atoms α kfrom dictionary and projection coefficients c k :s =|D|−1∑n=0c k α k (3)To achieve best sparse decomposition of signal s(min) we have to find vector c k with minimal normbut sufficient for proper signal reconstruction. MatchingPursuit is a greedy algorithm that iteratively approximatessignal to achieve good sparse signal decomposition.Matching Pursuit finds set of atoms α γksuch that projection of coefficients is maximal. At firststep, residual R is equal to the entire signal R 0 = s.R 0 = 〈α γ0 ,R 0 〉α γ0 + R 1 (4)If we want to minimize energy of residual R 1 wehave to maximize the projection |〈α γ0 ,R 0 〉|. At nextstep we must apply the same procedure to R 1 .R 1 = 〈α γ1 ,R 1 〉α γ1 + R 2 (5)Residual of signal at step n can be written as follows:R n s = R n−1 s − 〈 R n−1 s|α γk〉αγk (6)s =Signal s is decomposed by set of atoms:N−1∑n=0〈α γk |R n s〉α γk + R n s (7)Algorithm stops when residual R n s of signal islower then acceptable limit.4.2. Our Approach to Intrusion DetectionAlgorithmIn basic Matching Pursuit algorithm atoms are selectedin every step from entire dictionary which hasflat structure. In this case algorithm causes significantprocessor burden. In our coder dictionary with internalstructure was used.Dictionary is built from:— Atoms,— Centered atoms,Centered atoms groups such atoms from D that areas more correlated as possible to each other. To calculatemeasure of correlation between atoms functiono(a,b) can be used [2] .o(a,b) =√1 −( |〈a,b〉|‖a‖ 2‖b‖ 2) 2(8)The quality of centered atom can be estimated accordingto (9):International Journal of Intelligent Engineering and Systems 4 (2008) 18–24 20
Page 1: International Journal ofIntelligent
Page 5 and 6: 0 100 200 300 400 500 600 700 800 9
Page 7: [10] J.A. Troop. Greed is Good: Alg

IJIES-2008 VOLUME 1 ISSUE 4 - Index of

Create successful ePaper yourself

Delete template?

Save as template?