Back Room Front Room 2

More documents

Recommendations

Info

212 ENTERPRISE INFORMATION SYSTEMS VI VI automate the intrusion detection process to reduce human intervention; several such techniques include neural networks (Ghosh, 1999; Cannady, 1998; Ryan 1998; Debar, 1992a-b), and machine learning (Mukkamala, 2002a). Several data mining techniques have been introduced to identify key features or parameters that define intrusions (Luo, 2000; Cramer, 1995; Stolfo, 2000; Mukkamala, 2002b). In this paper, we explore Multivariate Adaptive Regression Splines (MARS) (Steinberg, 1999), Support Vector Machines (SVM) and Artificial Neural Networks (ANN), to perform intrusion detection based on recognized attack patterns. The data we used in our experiments originated from MIT’s Lincoln Lab. It was developed for intrusion detection system evaluations by DARPA and is considered a benchmark for IDS evaluations (Lincoln Laboratory, 1998-2000). We perform experiments to classify the network traffic patterns according to a 5-class taxonomy. The five classes of patterns in the DARPA data are (normal, probe, denial of service, user to super-user, and remote to local). In the rest of the paper, a brief introduction to the data we use is given in section 2. Section 3 briefly introduces to MARS. In section 4 a brief introduction to the connectionist paradigms (ANNs and SVMs) is given. In section 5 the experimental results of using MARS, ANNs and SVMs are given. The summary and conclusions of our work are given in section 6. 2 INTRUSION DETECTION DATA In the 1998 DARPA intrusion detection evaluation program, an environment was set up to acquire raw TCP/IP dump data for a network by simulating a typical U.S. Air Force LAN. The LAN was operated like a real environment, but being blasted with multiple attacks (Kris, 1998; Seth, 1998). For each TCP/IP connection, 41 various quantitative and qualitative features were extracted (Stolfo, 2000; University of California at Irvine, 1999). Of this database a subset of 494021 data were used, of which 20% represent normal patterns. Attack types fall into four main categories: - Probing: surveillance and other probing - DoS: denial of service - U2Su: unauthorized access to local super user (root) privileges - R2L:unauthorizedaccess from a remote machine. 2.1 Probing Probing is a class of attacks where an attacker scans a network to gather information or find known vulnerabilities. An attacker with a map of machines and services that are available on a network can use the information to look for exploits. There are different types of probes: some of them abuse the computer’s legitimate features; some of them use social engineering techniques. This class of attacks is the most commonly heard and requires very little technical expertise. 2.2 Denial of Service Attacks Denial of Service (DoS) is a class of attacks where an attacker makes some computing or memory resource too busy or too full to handle legitimate requests, thus denying legitimate users access to a machine. There are different ways to launch DoS attacks: by abusing the computers legitimate features; by targeting the implementations bugs; or by exploiting the system’s misconfigurations. DoS attacks are classified based on the services that an attacker renders unavailable to legitimate users. 2.3 User to Root Attacks User to root exploits are a class of attacks where an attacker starts out with access to a normal user account on the system and is able to exploit vulnerability to gain root access to the system. Most common exploits in this class of attacks are regular buffer overflows, which are caused by regular programming mistakes and environment assumptions. 2.4 Remote to User Attacks A remote to user (R2L) attack is a class of attacks where an attacker sends packets to a machine over a network, then exploits machine’s vulnerability to illegally gain local access as a user. There are different types of R2U attacks; the most common attack in this class is done using social engineering. 3 MULTIVARIATE ADAPTIVE REGRESSION SPLINES (MARS) Splines can be considered as an innovative mathematical process for complicated curve drawings and function approximation. To develop a spline the X-axis is broken into a convenient number
INTRUSION DETECTION SYSTEMS USING ADAPTIVE REGRESSION SPLINES 213 of regions. The boundary between regions is also known as a knot. With a sufficiently large number of knots virtually any shape can be well approximated. While it is easy to draw a spline in 2-dimensions by keying on knot locations (approximating using linear, quadratic or cubic polynomial etc.), manipulating the mathematics in higher dimensions is best accomplished using basis functions. The MARS model is a regression model using basis functions as predictors in place of the original data. The basis function transform makes it possible to selectively blank out certain regions of a variable by making them zero, and allows MARS to focus on specific sub-regions of the data. It excels at finding optimal variable transformations and interactions, and the complex data structure that often hides in high-dimensional data (Friedman, 1991). Given the number of records in most data sets, it is infeasible to approximate the function y=f(x) by summarizing y in each distinct region of x. For some variables, two regions may not be enough to track the specifics of the function. If the relationship of y to some x's is different in 3 or 4 regions, for example, the number of regions requiring examination is even larger than 34 billion with only 35 variables (Steinberg, 1999). Given that the number of regions cannot be specified a priori, specifying too few regions in advance can have serious implications for the final model. A solution is needed that accomplishes the following two criteria: - judicious selection of which regions to look at and their boundaries - judicious determination of how many intervals are needed for each variable. Given these two criteria, a successful method will essentially need to be adaptive to the characteristics of the data. Such a solution will probably ignore quite a few variables (affecting variable selection) and will take into account only a few variables at a time (also reducing the number of regions). Even if the method selects 30 variables for the model, it will not look at all 30 simultaneously. Such simplification is accomplished by a decision tree at a single-node, only ancestor splits are being considered; thus, at a depth of six levels in the tree, only six variables are being used to define the node. 3.1 MARS Smoothing, Splines, Knots Selection and Basis Functions To estimate the most common form, the cubic spline, a uniform grid is placed on the predictors and a reasonable number of knots are selected. A cubic regression is then fit within each region. This approach, popular with physicists and engineers who want continuous second derivatives, requires many coefficients (four per region), in order to be estimated. Normally, two constraints, which dramatically reduce the number of free parameters, can be placed on cubic splines: curve segments must join, and continuous first and second derivatives at knots (higher degree of smoothness). Figure 1 shows typical attacks and their distribution while Figure 2 (section 5) depicts a MARS spline with three knots (actual data on the right). A key concept underlying the spline is the knot. A knot marks the end of one region of data and the beginning of another. Thus, the knot is where the behavior of the function changes. Between knots, the model could be global (e.g., linear regression). In a classical spline, the knots are predetermined and evenly spaced, whereas in MARS, the knots are determined by a search procedure. Only as many knots as needed are included in a MARS model. If a straight line is a good fit, there will be no interior knots. In MARS, however, there is always at least one "pseudo" knot that corresponds to the smallest observed value of the predictor (Steinberg, 1999). Finding the one best knot in a simple regression is a straightforward search problem: simply examine a large number of potential knots and choose the one with the best R 2 . However, finding the best pair of knots requires far more computation, and finding the best set of knots when the actual number needed is unknown is an even more challenging task. MARS finds the location and number of needed knots in a forward/backward stepwise fashion. A model that is clearly over fit with too many knots is generated first; then, those knots that contribute least to the overall fit are removed. Thus, the forward knot selection will include many incorrect knot locations, but these erroneous knots will eventually (although this is not guaranteed), be deleted from the model in the backwards pruning step (Abraham, 2001; Steinberg, 1999).
Page 1 and 2:
www.dbeBooks.com - An Ebook Library
Page 3 and 4:
A C.I.P. Catalogue record for this
Page 5 and 6:
vi TABLE OF CONTENTS PART 1 - DATAB
Page 7 and 8:
viii TABLE OF CONTENTS A WIRELESS A
Page 9 and 10:
CONFERENCE COMMITTEE Honorary Presi
Page 11 and 12:
Hung, P. (AUSTRALIA) Jahankhani, H.
Page 13 and 14:
Invited Papers
Page 15 and 16:
2 ENTERPRISE INFORMATION SYSTEMS VI
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
10 ENTERPRISE INFORMATION SYSTEMS V
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
EVOLUTIONARY PROJECT MANAGEMENT: MU
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
MANAGING COMPLEXITY OF ENTERPRISE I
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
ASSESSING EFFORT PREDICTION MODELS
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
ORGANIZATIONAL AND TECHNOLOGICAL CR
Page 77 and 78:
Page 79 and 80:
ASAP Processes W Project Kickoff A
Page 81 and 82:
Page 83 and 84:
since it means changing the relevan
Page 85 and 86:
ACME-DB: AN ADAPTIVE CACHING MECHAN
Page 87 and 88:
ACME-DB: AN ADAPTIVE CACHING MECHAN
Page 89 and 90:
Hit Rate (%) ACME-DB: AN ADAPTIVE C
Page 91 and 92:
5.3.6 Effect on all Policies by Int
Page 93 and 94:
ACKNOWLEDGEMENTS We would like to t
Page 95 and 96:
This paper describes the data sampl
Page 97 and 98:
The major limit A of the operation
Page 99 and 100:
RELATIONAL SAMPLING FOR DATA QUALIT
Page 101 and 102:
TOWARDS DESIGN RATIONALES OF SOFTWA
Page 103 and 104:
((Brown et al., 1998), pp. 159-190,
Page 105 and 106:
sive data filtering, presentation (
Page 107 and 108:
• implementation changes in servi
Page 109 and 110:
MEMORY MANAGEMENT FOR LARGE SCALE D
Page 111 and 112:
Data Rate [bytes/sec] 1600000 14000
Page 113 and 114:
E.g., DV Camcorder Camera Packets (
Page 115 and 116:
Procedure CheckOptimal (n rs 1 ...n
Page 117 and 118:
MEMORY MANAGEMENT FOR LARGE SCALE D
Page 119 and 120:
PART 2 Artificial Intelligence and
Page 121 and 122:
110 ENTERPRISE INFORMATION SYSTEMS
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
DYNAMIC MULTI-AGENT BASED VARIETY F
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
AN EXPERIENCE IN MANAGEMENT OF IMPR
Page 171 and 172: 160 ENTERPRISE INFORMATION SYSTEMS
Page 179 and 180: ANALYSIS AND RE-ENGINEERING OF WEB
Page 181 and 182: Module p0 Customer Itinerary Send I
Page 183 and 184: departments: the marketing dept. se
Page 185 and 186: • An acyclic module M is usable,
Page 187 and 188: BALANCING STAKEHOLDER’S PREFERENC
Page 189 and 190: The scenarios will provide an abstr
Page 191 and 192: BALANCING STAKEHOLDER'S PREFERENCES
Page 193 and 194: BALANCING STAKEHOLDER'S PREFERENCES
Page 195 and 196: A POLYMORPHIC CONTEXT FRAME TO SUPP
Page 197 and 198: A POLYMORPHIC CONTE XT FRAME TO SUP
Page 203 and 204: FEATURE MATCHING IN MODEL-BASED SOF
Page 205 and 206: combination of solution domains - a
Page 207 and 208: • features for all the concepts:
Page 209 and 210: Existence In both steps it is possi
Page 211 and 212: matching strategies are maximal, mi
Page 213 and 214: TOWARDS A META MODEL FOR DESCRIBING
Page 215 and 216: elementary message (ae-message) can
Page 217 and 218: problems on a pragmatic level, whic
Page 219 and 220: TOWARDS A META MODEL FOR DESCRIBING
Page 221: INTRUSION DETECTION SYSTEMS USING A
Page 225 and 226: (k� 1) (k) (k�1) (k) p � w
Page 227 and 228: Table 5: Performance Comparison of
Page 229 and 230: A USER-CENTERED METHODOLOGY TO GENE
Page 231 and 232: carries out the second phase of the
Page 233 and 234: 1 1 1 1 2 PROCESS STORE ENTITY EDGE
Page 235 and 236: constraints rules. KOGGE (Ebert et
Page 237 and 238: PART 4 Software Agents and Internet
Page 273 and 274:
Page 275 and 276:
Page 277 and 278:
Page 279 and 280:
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
CABA 2 L A BLISS PREDICTIVE COMPOSI
Page 287 and 288:
y disables evidencing severe mental
Page 289 and 290:
Figure 4: Symbols emission in DAR-H
Page 291 and 292:
they evidence a generalization erro
Page 293 and 294:
A METHODOLOGY FOR INTERFACE DESIGN
Page 295 and 296:
and mobility loss coupled with redu
Page 297 and 298:
Tradeoff: The default input is poss
Page 299 and 300:
Sessions on the VABS which are held
Page 301 and 302:
A CONTACT RECOMMENDER SYSTEM FOR A
Page 303 and 304:
A CONTACT RECOMMENDER SYSTEM FOR A
Page 305 and 306:
- "Going to the sources". The user
Page 307 and 308:
Here are the matrix W and P for our
Page 309 and 310:
EMOTION SYNTHESIS IN VIRTUAL ENVIRO
Page 311 and 312:
theme turns out to be surprisingly
Page 313 and 314:
6 FROM FEATURES TO SYMBOLS 6.1 Face
Page 315 and 316:
sions are described by different em
Page 317 and 318:
Electronic Imaging 2000 Conference
Page 319 and 320:
to the accessibility problem for th
Page 321 and 322:
Figure 3: Hierarchical View of the
Page 323 and 324:
4 CONCLUSIONS AND FUTURE WORK On th
Page 325 and 326:
PERSONALISED RESOURCE DISCOVERY SEA
Page 327 and 328:
Page 329 and 330:
profile, the user defines his curre
Page 331 and 332:
Page 333 and 334:
Abdelkafi, N. .....................
show all

Back Room Front Room 2

Create successful ePaper yourself

Delete template?

Save as template?