This document discusses a tabu search based fuzzy system for intrusion detection. It begins with an introduction to intrusion detection systems and their purpose of monitoring for malicious activities and policy violations. It then describes the key components of the proposed system, including fuzzy logic to handle partial truths, tabu search that uses a memory of previously visited solutions to guide the local search, and modules for initialization, evaluation, generation, acceptance and termination. The system aims to effectively classify intrusions using tabu search to explore the large solution space.
2. Problem Statement
• The process of scanning the events occurring in a computer system or network and analysing them for signs of intrusions is known as intrusion detection; a system that performs it is an intrusion detection system (IDS).
• This paper presents a new intrusion detection system based on a tabu-search-based fuzzy system. Here, we use the tabu search algorithm to effectively explore and exploit the large state space associated with intrusion detection, treated as a complicated classification problem.
3. Introduction
• An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
• Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts.
4. Fuzzy System
• Based on fuzzy logic.
• Fuzzy logic is a form of many-valued logic or probabilistic logic; it deals with reasoning that is approximate rather than fixed and exact. Compared to traditional binary sets (where variables may take on true or false values), fuzzy logic variables may have a truth value that ranges in degree between 0 and 1.
• Fuzzy logic has been extended to handle the concept of partial truth, where the truth value may range between completely true and completely false.
5. Local Search
• Local search is a metaheuristic method for solving computationally hard optimization problems. Local search can be used on problems that can be formulated as finding a solution maximizing a criterion among a number of candidate solutions.
• Local search algorithms move from solution to solution in the space of candidate solutions (the search space) by applying local changes, until a solution deemed optimal is found or a time bound has elapsed.
6. Tabu Search
• Tabu search is a local search method used for mathematical optimization.
• Local searches take a potential solution to a problem and check its immediate neighbors (that is, solutions that are similar except for one or two minor details) in the hope of finding an improved solution. Local search methods have a tendency to become stuck in suboptimal regions or on plateaus where many solutions are equally fit.
7. Why use tabu search?
• Tabu search enhances the performance of these local search methods by using memory structures that describe the visited solutions or user-provided sets of rules.
• If a potential solution has been previously visited within a certain short-term period or if it has violated a rule, it is marked as "tabu" (forbidden) so that the algorithm does not consider that possibility repeatedly.
8. Diversification
• Diversification is an algorithmic mechanism that tries to alleviate the problem of becoming stuck in suboptimal regions by forcing the search into previously unexplored areas of the search space.
• It is usually based on some form of long-term memory of the search, such as a frequency memory, in which one records the total number of iterations (since the beginning of the search) that various "solution components" have been present in the current solution or have been involved in the selected moves.
11. Module Description
1: Create an initial set of fuzzy rules and specify the Tabu list (TL) size (Initialization).
2: Evaluate the current set of fuzzy rules using the evaluation function (Evaluation).
3: Generate a new set of fuzzy if–then rules from the current set of rules by modifying one of its rules (Generation).
4: Accept the new rule set if it is better than the current solution or the modified rule is not in TL (Acceptance).
5: Terminate the algorithm if the stopping condition is satisfied, otherwise return to Step 2 (Termination).