A Multiple Instance Learning Problem Approach Model to Anomaly Network Intrusion Detection

  • Weon, Ill-Young (Dept. of Computer Engineering, Konkuk University)
  • Song, Doo-Heon (Dept. of Computer Games & Information, Yong-in SongDam College)
  • Ko, Sung-Bum (Dept. of Computer Science, Kongju National University)
  • Lee, Chang-Hoon (Dept. of Computer Engineering, Konkuk University)
  • Published : 2005.12.01

Abstract

Although anomaly-based network intrusion detection has mainly relied on statistical methods, machine learning based anomaly detection was introduced to detect a wider range of attack types. It began with research that applied traditional learning algorithms from artificial intelligence to intrusion detection. However, the detection rates of these methods are not satisfactory; in particular, high false positive rates and repeated alarms for the same attack are problems. The main reason is that a single packet is used as the basic learning unit, whereas most attacks consist of more than one packet, and the packets of an attack do not necessarily form a consecutive stream. Therefore a new approach is needed that groups related packets and then learns and detects on the basis of such groups. This approach is similar to the multiple-instance problem in the artificial intelligence community, in which a single instance cannot be clearly classified but a group of instances can. We propose a group generation algorithm that groups related packets, and a learning algorithm that uses such a group as its unit. To verify the usefulness of the proposed algorithms, the 1998 DARPA data set was used, and the results show that our approach is quite useful.
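As an added illustration of the abstract's argument (not the paper's own grouping or learning algorithm), the toy below groups packets into bags by an assumed (source, destination) key and idle gap, then contrasts a packet-as-unit detector with a group-as-unit one; the baseline port set, the thresholds and the sample traffic are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time in seconds
    src: str
    dst: str
    dport: int
    syn: bool      # True for a connection-opening SYN

BASELINE_PORTS = {22, 80, 443}   # assumed "known-normal" services for this toy baseline

def packet_alerts(packets):
    """Packet-as-unit detector: every SYN to a port outside the baseline raises its own alarm."""
    return [p for p in packets if p.syn and p.dport not in BASELINE_PORTS]

def group_packets(packets, gap=2.0):
    """Group related packets into bags keyed by (src, dst); a silence longer than `gap` seconds closes a bag.
    The grouping key and gap rule are assumptions of this example, not the paper's algorithm."""
    bags, open_bags, last_ts = [], {}, {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst)
        if key in open_bags and p.ts - last_ts[key] <= gap:
            open_bags[key].append(p)
        else:
            if key in open_bags:
                bags.append(open_bags.pop(key))
            open_bags[key] = [p]
        last_ts[key] = p.ts
    bags.extend(open_bags.values())
    return bags

def bag_alerts(bags, min_ports=5):
    """Group-as-unit detector: a bag is anomalous when its SYNs, taken together, touch many distinct ports.
    No single packet in the bag decides the label; only the group does (the multiple-instance view)."""
    return [b for b in bags if len({p.dport for p in b if p.syn}) >= min_ports]

# Constructed sample traffic: one port sweep and one benign connection to an uncommon port.
SAMPLE = [Packet(1.0 + i * 0.1, "10.0.0.5", "10.0.0.9", port, True)
          for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
SAMPLE += [Packet(0.5, "10.0.0.7", "10.0.0.9", 8443, True),
           Packet(0.6, "10.0.0.7", "10.0.0.9", 8443, False),
           Packet(0.7, "10.0.0.7", "10.0.0.9", 8443, False)]

if __name__ == "__main__":
    print(len(packet_alerts(SAMPLE)), "packet-level alarms")              # 6: five for one sweep, one false positive
    print(len(bag_alerts(group_packets(SAMPLE))), "group-level alarms")   # 1: the sweep bag only
```

The packet-level detector repeats the alarm for every packet of the sweep and also flags the single benign SYN to 8443, while the group-level detector reports the sweep once and leaves the benign bag alone.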


Cited by

  1. Network anomaly detection based on probabilistic analysis 2017, https://doi.org/10.1007/s00500-017-2679-3