
STATISTICAL TECHNIQUES IN ANOMALY INTRUSION DETECTION SYSTEM


Hari Om & Tanmoy Hazra
Department of Computer Science & Engineering, Indian School of Mines, Dhanbad, India

International Journal of Advances in Engineering & Technology, Vol. 5, Issue 1, pp. 387-398, Nov. 2012. ISSN: 2231-1963

ABSTRACT

In this paper, we analyze an anomaly based intrusion detection system (IDS) for outlier detection in a hardware profile using statistical techniques: the Chi-square distribution, the Gaussian mixture distribution, and Principal Component Analysis. Anomaly detection based methods can detect new intrusions, but they suffer from false alarms. Host based Intrusion Detection Systems (HIDSs) use anomaly detection to identify malicious attacks, i.e., intrusions. The features span a large set of dimensions, and the system becomes extremely slow while processing this huge amount of data (especially for host based systems). We show comparative results using three different approaches: Principal Component Analysis (PCA), the Chi-square distribution, and clustering with a Gaussian mixture distribution. We obtain good results using these techniques.

KEYWORDS: Principal Component Analysis, Outlier, Mahalanobis Distance, Confusion Matrix, Anomaly Detection, Gaussian mixture distribution, Chi-square distribution, Expectation maximization algorithm.

I. INTRODUCTION

The process of monitoring events that occur in a computer system and analyzing them to signal intrusions is known as intrusion detection. An intrusion is defined as an attack on a network or system by an intruder that compromises security goals such as integrity, confidentiality, and authentication, i.e., a violation of the security policy of the system. There are various types of attacks: external attacks, internal penetrations, and misfeasance. An intruder tries to gain unauthorized access to a valid user's system. An intrusion detection system (IDS) is a program that analyzes what happens, or has happened, during an execution and tries to find indications that the computer has been misused. With the rapid expansion of computers in the past few years, their security has become an important issue. Host based intrusion detection systems (HIDSs) are used to monitor suspicious activity on a system. HIDSs can be classified into two types: anomaly detection, which is based on statistical measures, and misuse detection, which is based on signatures. Anomaly detection is used to capture changes in behavior that deviate from the normal behavior. These methods take training data as input to build models of normal system behavior. Alarms are raised when any activity deviates from the normal model. These models may be generated using statistical analysis, data mining algorithms, genetic algorithms, artificial neural networks, fuzzy logic, rough sets, etc. Anomaly detection methods may raise alarms for normal activity (false positives) or fail to raise alarms during attacks (false negatives). Nowadays, the number of new attacks is increasing, and variations of known attacks cannot be recognized by misuse detection.
Here, we develop an intrusion detection system using the Chi-square distribution and the Gaussian mixture distribution, which are used to detect outlier data, and we report the results using three different approaches.

Outlier detection is one of the most important tasks in data analysis. Outliers describe abnormal data behavior, i.e., data that deviate from the natural data variability. The cut-off value or threshold that numerically separates anomalous from non-anomalous data is often the basis for important decisions. Many methods have been discussed for univariate outlier detection. They are based on (robust) estimation of location and scatter, or on data quantiles. Their major disadvantage is that these rules are independent of the sample size. Moreover, by the definition of most rules, outliers are identified even for "clean" data, or at least no distinction is made between outliers and extremes of a distribution. The basis for multivariate outlier detection is the Mahalanobis distance. The standard method for multivariate outlier detection is robust estimation of the parameters in the Mahalanobis distance and comparison with a critical value of the Chi-square distribution. However, values larger than this critical value are not necessarily outliers; they could still belong to the data distribution. In order to distinguish between extremes of a distribution and outliers, Garrett introduces the Chi-square plot, which draws the empirical distribution of the robust Mahalanobis distances against the Chi-square distribution. The rest of the paper is organized as follows. Section 2 discusses the related work and Section 3 discusses the proposed work.

II. RELATED WORK

Many designs have been developed for intrusion detection [1-6]. Shyu has developed a network based intrusion predictive model using principal component analysis (PCA) and the Chi-square distribution for the KDD1999 dataset [1]. Denning describes an intrusion detection model that is capable of detecting break-ins, penetrations, and other types of computer attacks. This model is based on the hypothesis that security violations can be detected by monitoring the audit records of the system for abnormal patterns of system usage [2]. Errors in multivariate data have been detected using PCA [3]. Ye discusses an anomaly detection technique based on a Chi-square statistic for information systems that achieves a 100% detection rate [4]. Puketza discusses methodologies to test an intrusion detection system and obtains satisfactory results in the course of testing IDSs [6]. Ye further finds experimentally that the performance of the Chi-square distribution is better than that of Hotelling's T2 [14]. In [34], a PCA methodology is discussed to detect intrusions. Filzmoser applies the Chi-square method to detect multivariate outliers in exploration geochemistry [17]. Garrett has made a tool for multivariate outlier detection [18]. Gascon et al. have shown a comprehensive statistical analysis in relation to vulnerability disclosure time, updates of vulnerability detection systems (VDS), software patching releases, and publication of exploits [22]. Davis and Clark have shown a trend toward deeper packet inspection to construct more relevant features through targeted content parsing [23]. Jin et al. discuss direct utilization of the covariance matrices of sequential samples to detect multiple network attacks [24]. Yeung and Ding show in their experimental results that the dynamic modeling approach is better than the static modeling approach for the system call datasets, while it is worse for the shell command datasets [25]. Hussein and Zulkernine present a framework to develop components with intrusion detection capabilities [26]. Wang et al. present several cross frequency attribute weights to model user and program behaviors for anomaly intrusion detection [27]. Chen et al. discuss an efficient filtering scheme that can reduce system workload: only 0.3% of the original traffic volume needs to be examined for anomalies [28]. Casas et al. present an unsupervised network intrusion detection system that is capable of detecting unknown network attacks without using any kind of signatures, labeled traffic, or training [29]. Trailović discusses variance estimation and ranking methods for stochastic processes modeled by Gaussian mixture distributions; it is shown that the variance estimate from a Gaussian mixture distribution has the same properties as a variance estimate from a single Gaussian distribution based on a reduced number of samples [31]. Dasgupta presents provably the first correct algorithm for learning a mixture of Gaussians; it is very simple, returns the true centers of the Gaussians to within the precision specified by the user with high probability, and has complexity linear in the dimension of the data and polynomial in the number of Gaussians [32].
Dempster et al. present a general approach to the iterative computation of maximum-likelihood estimates for incomplete data, in which each iteration of the algorithm consists of an expectation step followed by a maximization step [33]. Chandola et al. have presented a brief survey of anomaly detection [35]. Teodoro et al. have discussed anomaly detection methodologies and different types of problems [36]. In the next section, we discuss statistical techniques for intrusion detection.

III. STATISTICAL TECHNIQUES IN INTRUSION DETECTION

In this work, we discuss three approaches, based on PCA, the Chi-square distribution, and the Gaussian mixture distribution, and then discuss their comparative performance for a host based intrusion detection system. We may mention that these techniques have been discussed in the literature for network based intrusion detection systems, not for host based systems. In [34], PCA has been used for outlier detection in a hardware profile. We now discuss PCA, the Chi-square distribution, and the Gaussian mixture distribution, each for a host based intrusion detection system.

3.1 Principal Component Analysis

Principal component analysis (PCA) is a common technique to find patterns in high dimensional data by reducing its dimensions without losing the information contained in it. It produces a set of principal components, which are orthonormal eigenvalue/eigenvector pairs; i.e., it projects a new set of axes that best suit the data. In our proposed scheme, this set of axes represents the normal feature data. Outlier detection is performed by mapping the data onto these 'normal' axes and calculating the distances from these axes. If the distance is greater than a certain threshold, we may conclude that there is an attack, i.e., an outlier is detected. Principal components are particular linear combinations of m random variables X1, X2, ..., Xm that have two important properties:
  a. X1, X2, ..., Xm are uncorrelated and sorted in descending order.
  b. The total variance X of X1, X2, ..., Xm is given by

    X = Σ_{i=1}^{m} Xi    (1)

These variables are found from an eigenanalysis of the correlation matrix of the original variables X1, X2, ..., Xm. The values of the correlation matrix and the covariance matrix are not the same [9-10], [15].

Let the original data X be an n x m data matrix of n observations, with each observation consisting of m fields (dimensions) X1, X2, ..., Xm, and let R be the m x m correlation matrix of X1, X2, ..., Xm. The eigenvalues of R are the roots of the polynomial equation

    | R - λI | = 0

Each eigenvalue λ of R has a corresponding non-zero vector e, called an eigenvector, satisfying

    Re = λe

If (λ1, e1), (λ2, e2), ..., (λm, em) are the m eigenvalue-eigenvector pairs of the correlation matrix R, the i-th principal component is given by

    yi = ei^T (x - x̄) = ei1 (x1 - x̄1) + ei2 (x2 - x̄2) + ... + eim (xm - x̄m),  i = 1, 2, ..., m    (2)

where the eigenvalues are ordered as λ1 ≥ λ2 ≥ ... ≥ λm ≥ 0, ei^T = (ei1, ei2, ..., eim) is the i-th eigenvector, x = (x1, x2, ..., xm)^T is an observation vector, and x̄ = (x̄1, x̄2, ..., x̄m)^T is the sample mean vector of the observation data. For any attribute xi, if the observed data are a1, a2, ..., an, then

    x̄i = (1/n) Σ_{j=1}^{n} aj

The principal components derived from the covariance matrix are usually different from the principal components generated from the correlation matrix. When some values are much larger than others, their corresponding eigenvalues have larger weights. A related metric is the Mahalanobis distance

    d²(x, y) = (x - y)^T R^{-1} (x - y)    (3)

where R^{-1} is the inverse of the sample correlation matrix, x and y are vectors, and ^T denotes the transpose. Using the correlation matrix, the relationships between the data fields are represented more effectively. There are two main issues in applying PCA: interpretation of the set of principal components and calculation of the distance.

Each eigenvalue of a principal component corresponds to the amount of variation it encompasses. The larger eigenvalues are more significant and correspond to their projected eigenvectors. The principal components are sorted in descending order. The eigenvectors of the principal components represent axes which best suit a data sample. Points which lie at a far distance from these axes are assumed to exhibit abnormal behavior, and they can be easily identified. Using a threshold value, data generated by the normal system with a Mahalanobis distance greater than the threshold is considered an outlier and, here, an intrusion. However, the system may sometimes alert the user to an intrusion when the data lies on the threshold boundary.

Consider the sample principal components y1, y2, ..., ym of an observation X, where yi = ei^T (X - x̄), i = 1, 2, ..., m. The sum of squares of the partial principal component scores

    Σ_{i=1}^{m} yi²/λi = y1²/λ1 + y2²/λ2 + ... + ym²/λm    (4)

equals the Mahalanobis distance of the observation X from the mean of the normal sample dataset [15]. The major principal component score is used to detect extreme deviations with large values on the original features. The minor principal component score is used to detect attacks which may not follow the same correlation model. As a result, two thresholds are needed to detect attacks. Let q be a subset of the major (most significant) principal components and r a subset of the minor (least significant) principal components. The major principal component score threshold is denoted Tq, and the minor principal component score threshold is denoted Tr. An attack is flagged for an observation X if

    Σ_{i=1}^{q} yi²/λi > Tq   or   Σ_{i=m-r+1}^{m} yi²/λi > Tr    (5)
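The following sketch, which is not part of the original paper, illustrates the eigenanalysis of eq. (2) and the two-threshold scoring rule of eqs. (4) and (5) using NumPy. The array names, the choices of q and r, the thresholds Tq and Tr, and the random stand-in data are illustrative assumptions, not values from our experiments.

```python
import numpy as np

def fit_pca_profile(X_normal):
    """Eigenanalysis of the correlation matrix of the normal data (Section 3.1).
    X_normal: (n, m) array of normal observations."""
    mean = X_normal.mean(axis=0)
    R = np.corrcoef(X_normal, rowvar=False)        # m x m correlation matrix
    eigvals, eigvecs = np.linalg.eigh(R)           # eigh returns ascending order
    order = np.argsort(eigvals)[::-1]              # sort descending as in eq. (2)
    return mean, eigvals[order], eigvecs[:, order]

def pc_scores(x, mean, eigvals, eigvecs):
    """Per-component scores y_i^2 / lambda_i for one observation (eq. (4))."""
    y = eigvecs.T @ (x - mean)                     # y_i = e_i^T (x - mean)
    return y**2 / eigvals

def is_attack(x, mean, eigvals, eigvecs, q, r, Tq, Tr):
    """Two-threshold rule of eq. (5): major components vs Tq, minor vs Tr."""
    s = pc_scores(x, mean, eigvals, eigvecs)
    return s[:q].sum() > Tq or s[-r:].sum() > Tr

# Illustrative use with random stand-ins for the performance-log attributes:
rng = np.random.default_rng(0)
X_normal = rng.normal(size=(40, 10))               # 40 normal observations, 10 counters
mean, lam, E = fit_pca_profile(X_normal)
print(is_attack(X_normal[0], mean, lam, E, q=3, r=3, Tq=20.0, Tr=20.0))
```

In practice the thresholds Tq and Tr would be chosen from the score distribution of the normal dataset rather than fixed by hand as in this sketch.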
3.2 Chi-square Distribution

The Chi-square distribution is an asymmetric distribution that has a minimum value of 0 but no maximum value. The curve reaches a peak to the right of 0 and then gradually declines. The mean of the Chi-square distribution equals its degrees of freedom, and the variance is twice the degrees of freedom. For each number of degrees of freedom there is a different χ² distribution; the Chi-square distribution is more spread out, with a peak farther to the right, for larger degrees of freedom. As a result, for any given level of significance, the critical region begins at a larger Chi-square value the larger the degrees of freedom. The spread of multivariate data is quantified by the covariance matrix, and a well-known distance measure that takes the covariance matrix into account is the Mahalanobis distance. For a p-dimensional multivariate sample xi (i = 1, ..., n), the Mahalanobis distance is defined as

    MDi = ((xi - t)^T C^{-1} (xi - t))^{1/2},  i = 1, ..., n

where t is the estimated multivariate location and C is the estimated covariance matrix. Usually, t is the multivariate arithmetic mean and C the sample covariance matrix. For multivariate normally distributed data, the squared distances are approximately Chi-square distributed with p degrees of freedom (χ²p). Multivariate outliers can then simply be defined as observations having a large (squared) Mahalanobis distance. For this purpose, a quantile of the Chi-square distribution (e.g., the 99.5% quantile) can be used as the cut-off.
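As an illustration (not from the original paper), the basic cut-off rule just described can be sketched with NumPy and SciPy as follows. The 0.995 quantile and the synthetic data are assumptions for the example; the robust variant discussed next can be obtained by replacing the classical mean and covariance with robust estimates, e.g., the MCD estimator available as scikit-learn's MinCovDet.

```python
import numpy as np
from scipy.stats import chi2

def chi_square_outliers(X, quantile=0.995):
    """Flag rows of X whose squared Mahalanobis distance exceeds the
    chi-square quantile with p degrees of freedom (classical, non-robust)."""
    n, p = X.shape
    t = X.mean(axis=0)                        # multivariate location estimate
    C = np.cov(X, rowvar=False)               # sample covariance matrix
    diff = X - t
    md2 = np.einsum('ij,jk,ik->i', diff, np.linalg.inv(C), diff)   # squared MD_i
    cutoff = chi2.ppf(quantile, df=p)         # e.g. the 99.5% quantile of chi2_p
    return md2 > cutoff, md2

# Illustrative use on synthetic data:
rng = np.random.default_rng(1)
X = rng.normal(size=(100, 5))
flags, md2 = chi_square_outliers(X)
print(flags.sum(), "observations flagged as outliers")
```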
However, this approach has several limitations. The Mahalanobis distances need to be estimated by a robust procedure in order to provide reliable measures for the recognition of outliers. Single extreme observations, or groups of observations, departing from the main data structure can have a severe influence on this distance measure, because both location and covariance are usually estimated in a non-robust manner. The minimum covariance determinant (MCD) estimator is probably the most commonly used in practice. Using robust estimators of location and scatter in the above equation leads to robust distances (RD). If the squared RD for an observation is larger than, say, χ²p;0.995, it can be declared an outlier. The Chi-square plot is obtained by plotting the squared Mahalanobis distances (computed on the basis of robust estimates of location and scatter) against the quantiles of χ²p; the most extreme points are deleted until the remaining points follow a straight line, and the deleted points are identified as outliers. This method needs user interaction and experience on the part of the analyst. Moreover, especially for large datasets, it can be time consuming, and it is also to some extent subjective. Below, a procedure is introduced that does not require analyst intervention and is therefore reproducible and objective.

3.3 Gaussian Mixture Distribution

Assuming the covariance matrix Σ is non-singular, the probability density function (pdf) of X can be written as

    Nx(μ, Σ) = |2πΣ|^{-1/2} exp(-(1/2) (x - μ)^T Σ^{-1} (x - μ))    (6)

Here μ denotes the mean vector, Σ the covariance matrix, and |.| the determinant. It is possible to have multivariate Gaussian distributions with a singular covariance matrix; in that case, the above expression cannot be used for the probability density function. We assume non-singular covariance matrices. For a mixture model with K components, each zi is between 1 and K. The sum to be maximized is

    Σi Σk p(k|xi; θt) [log p(k; θ) + log p(xi|k; θ)]    (7)

Using the mixture model notation from above, we have p(k; θ) = αk and p(xi|k; θ) = f(xi; λk). The sum to be maximized can then be written as

    E = Σi Σk p(k|xi; θt) [log αk + log f(xi; λk)]    (8)

For the E-step, we use Bayes' rule:

    wik = p(k|xi; θt) = f(xi; λk) αk / Σj f(xi; λj) αj    (9)

For the M-step, the two terms inside the square brackets in E involve disjoint sets of parameters, so we can perform two separate maximizations. The first quantity to be maximized is

    Σi Σk wik log αk = Σk ck log αk    (10)

where ck = Σi wik, subject to the constraint Σk αk = 1. Using a Lagrange multiplier, its solution is

    αk = ck / Σj cj    (11)

The second quantity to be maximized is

    Σi Σk wik log f(xi; λk)    (12)

This can be divided into K separate maximizations, each of the form

    λk = argmaxλ Σi wik log f(xi; λ)    (13)

Clustering is used to automatically estimate the parameters of a Gaussian mixture model from sample data. This process is essentially similar to conventional clustering, except that it allows the cluster parameters to be estimated accurately even when the clusters overlap substantially.
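To make the E-step and M-step concrete, here is a compact sketch (not from the original paper) of EM for a Gaussian mixture following eqs. (9)-(13), written with NumPy and SciPy. The number of components, the initialization, the iteration count, and the synthetic data are illustrative assumptions; in practice a library implementation such as scikit-learn's GaussianMixture can be used instead.

```python
import numpy as np
from scipy.stats import multivariate_normal

def em_gmm(X, K, n_iter=50, seed=0):
    """EM for a Gaussian mixture: E-step eq. (9), M-step eqs. (11) and (13)."""
    rng = np.random.default_rng(seed)
    n, p = X.shape
    alpha = np.full(K, 1.0 / K)                      # mixing weights alpha_k
    mu = X[rng.choice(n, K, replace=False)]          # initial means from the data
    Sigma = np.array([np.cov(X, rowvar=False) for _ in range(K)])

    for _ in range(n_iter):
        # E-step: responsibilities w_ik = f(x_i; lambda_k) alpha_k / sum_j ... (eq. (9))
        dens = np.column_stack([
            multivariate_normal.pdf(X, mean=mu[k], cov=Sigma[k]) for k in range(K)
        ])
        w = dens * alpha
        w /= w.sum(axis=1, keepdims=True)

        # M-step: c_k = sum_i w_ik and alpha_k = c_k / sum_j c_j (eq. (11))
        c = w.sum(axis=0)
        alpha = c / c.sum()
        # Weighted mean and covariance of each component maximize eq. (13)
        for k in range(K):
            mu[k] = (w[:, k, None] * X).sum(axis=0) / c[k]
            d = X - mu[k]
            Sigma[k] = (w[:, k, None, None] * (d[:, :, None] * d[:, None, :])).sum(axis=0) / c[k]
    return alpha, mu, Sigma

# Illustrative use on synthetic two-cluster data:
rng = np.random.default_rng(2)
X = np.vstack([rng.normal(0, 1, (100, 3)), rng.normal(4, 1, (100, 3))])
alpha, mu, Sigma = em_gmm(X, K=2)
print(alpha, mu)
```

Once the mixture parameters have been estimated from the normal dataset, an observation with low mixture density under the fitted model can be treated as an outlier.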
IV. EXPERIMENT

To carry out the experiments, the performance logs need to be generated. The steps for generating the performance logs in Windows are as follows.
  • On the Start menu, go to Settings, then Control Panel. Double-click Administrative Tools, and then double-click Computer Management.
  • Expand Performance Logs and Alerts, right-click Counter Logs, and then click New Log Settings.
  • Type a name for the counter log and then click OK.
  • Click Add Counters.
  • In the Performance object box, select the performance object that needs to be monitored.
  • Add the counters used for the experiment.
  • On the General tab, under "Sample data every", configure a sampling interval of 15 seconds.
  • On the Log Files tab, configure the log file properties as comma-delimited files that can be viewed later in reporting tools such as Microsoft Excel.

After the performance log has been generated for each day, the log is divided into 4 groups, and the average values for each column of the table are calculated. After finding the average values, the values are stored in another table. These values are used as our normal dataset; a minimal sketch of this averaging step appears after Table 1.

Meanwhile, for one day the system is left to run with the graphics driver, audio driver, and USB driver disabled. This generates performance logs that are treated as intruded data. We have taken the same number and the same types of attributes in our experiments. The normal dataset and the testing dataset, i.e., the mixture dataset (normal and intrusion), used in our experiment are shown in Tables 1 and 2, respectively.

Table 1: Normal dataset with some selective attributes. Columns: Committed bytes in use, Available Mbytes, Cache faults/sec, Page faults/sec, Page writes/sec, Page op/sec, Pool Nonpaged Allocs, Pool Paged Allocs, System driver total bytes, Write copies/sec. (Numeric data rows omitted.)
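As a rough illustration (not part of the original paper) of how a comma-delimited counter log could be reduced to the averaged rows described above, the following sketch uses pandas. The file name, the number of groups, and the assumption that all columns are numeric counters are hypothetical.

```python
import numpy as np
import pandas as pd

def average_log(csv_path, n_groups=4):
    """Split one day's counter log into n_groups consecutive blocks and average
    each column, producing n_groups rows of the 'normal' dataset (Section IV)."""
    log = pd.read_csv(csv_path)
    counters = log.select_dtypes(include=[np.number])   # keep numeric counters only
    groups = np.array_split(counters, n_groups)          # 4 consecutive blocks
    return pd.DataFrame([g.mean() for g in groups])

# Hypothetical usage:
# normal_rows = average_log("perf_log_day1.csv")
# print(normal_rows)
```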
Table 2: Testing dataset with some selective attributes. Columns are the same as in Table 1: Committed bytes in use, Available Mbytes, Cache faults/sec, Page faults/sec, Page writes/sec, Page op/sec, Pool Nonpaged Allocs, Pool Paged Allocs, System driver total bytes, Write copies/sec. (Numeric data rows omitted.)

4.1. False alarm rate

The false alarm rate and the detection rate can be calculated using a confusion matrix, shown in Fig. 1.

Fig. 1 Confusion matrix

                        Predicted Class
                        C        NC
  Actual Class    C     TN       FP
                  NC    FN       TP

where C is the anomaly class, NC the normal class, TN True Negative, FN False Negative, TP True Positive, and FP False Positive.

    Recall (R) = TP / (TP + FN),   Precision (P) = TP / (TP + FP)

    F-measure = RP(1 + β²) / (Rβ² + P)

where R and P denote Recall and Precision, respectively, and β is the relative importance of precision vs. recall; it is usually set to 1. Therefore, we have F-measure = 2RP / (R + P).
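The metrics above follow directly from the confusion-matrix counts. The small sketch below (not from the paper) computes them in Python with β = 1 as in the text; the example counts are arbitrary, and the false alarm rate uses the common FP/(FP+TN) definition, which the paper does not state explicitly.

```python
def detection_metrics(tp, fp, fn, tn, beta=1.0):
    """Recall, precision, F-measure (paper's formula) and a common false alarm rate."""
    recall = tp / (tp + fn)
    precision = tp / (tp + fp)
    f_measure = (1 + beta**2) * recall * precision / (beta**2 * recall + precision)
    false_alarm_rate = fp / (fp + tn)        # alarms raised on non-attack activity
    return recall, precision, f_measure, false_alarm_rate

# Arbitrary example counts:
print(detection_metrics(tp=39, fp=1, fn=1, tn=39))
```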
4.2. Comparative results

Table 3: Comparative results of PCA, the Chi-square distribution, and clustering with the Gaussian mixture distribution

  Technique                                     Detection rate   False alarm rate
  Principal Component Analysis                  97.5%            2.5%
  Chi-square distribution                       90%              10%
  Cluster with Gaussian Mixture Distribution    97.5%            2.5%

Here, we have used three different techniques in our experiments. The PCA technique and the Gaussian mixture distribution each achieve a 97.5% detection rate, and we have also obtained a good result with the Chi-square distribution method. Using these techniques, we can easily detect hardware based intrusions. All three techniques are implemented for a HIDS on the basis of the performance log, and two of the three (Principal Component Analysis and clustering with the Gaussian mixture distribution) give the best results: PCA and the Gaussian mixture distribution each give a maximum detection rate of 97.5%, while the Chi-square distribution gives 90%. Generally, anomaly detection systems suffer from a high false alarm rate. Another problem in anomaly detection systems is that they are not able to classify boundary data, i.e., detection systems sometimes report normal data as intrusion data and vice versa. That is why we have used the confusion matrix, which gives an accurate detection rate and false alarm rate. We can apply these techniques to any type of outlier detection and also to huge datasets.

V. FUTURE WORK

In future work, we will try to produce better results in terms of a higher detection rate and a lower false alarm rate. We will also explore other statistical techniques that can be used in our work to improve the results.

VI. CONCLUSIONS

In this paper, we have analyzed an intrusion detection system using the Chi-square distribution and the Gaussian mixture distribution. We have shown the comparative results of Principal Component Analysis, the Chi-square distribution, and the Gaussian mixture distribution. Our experimental results show that PCA and the Gaussian mixture distribution each give a maximum detection rate of 97.5%, while the Chi-square distribution gives 90%. Generally, anomaly detection systems suffer from false alarms. We can apply these methods to any type of outlier detection and also to huge datasets.

ACKNOWLEDGEMENT

The authors express their sincere thanks to Prof. S. Chand for his invaluable comments and suggestions.

REFERENCES

[1] M.L. Shyu, S.C. Chen, K. Sarinnapakorn, and L. Chang, "A novel anomaly detection scheme based on principal component classifier," IEEE Foundations and New Directions of Data Mining Workshop, pp. 172-179, Nov. 2003.
[2] D.E. Denning, "An Intrusion Detection Model," IEEE Trans. on Software Engineering, SE-13, No. 2, pp. 222-232, 1987.
[3] D.M. Hawkins, "The Detection of Errors in Multivariate Data Using Principal Components," Journal of the American Statistical Association, Vol. 69, No. 346, pp. 340-344, 1974.
[4] N. Ye and Q. Chen, "An Anomaly Detection Technique Based on a Chi-Square Statistic for Detecting Intrusions into Information Systems," Quality and Reliability Eng. Int'l, Vol. 17, No. 2, pp. 105-112, 2001.
[5] J. McHugh, "Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory," ACM Trans. on Information and System Security, Vol. 3, No. 4, pp. 262-294, 2000.
[6] N.J. Puketza, K. Zhang, B. Mukherjee, and R.A. Olsson, "Testing Intrusion Detection Systems: Design Methodologies and Results from an Early Prototype," Proc. 17th National Computer Security Conference, Vol. 1, pp. 1-10, Oct. 1994.
[7] F.N.M. Sabri, Md. Norwawi, and K. Seman, "Identifying False Alarm Rates for Intrusion Detection System with Data Mining," International Journal of Computer Science and Network Security, Vol. 11, No. 4, Apr. 2011.
[8] Z.K. Baker and V.K. Prasanna, "Efficient Hardware Data Mining with the Apriori Algorithm on FPGAs," Proc. Thirteenth Annual IEEE Symp. on Field Programmable Custom Computing Machines, 2005.
[9] J.D. Jobson, "Applied Multivariate Data Analysis," Volume II: Categorical and Multivariate Methods, Springer-Verlag, NY, 1992.
[10] I.T. Jolliffe, "Principal Component Analysis," Springer-Verlag, NY, 2002.
[11] J. Song, H. Takakura, and Y. Okabe, "A proposal of new benchmark data to evaluate mining algorithms for intrusion detection," 23rd Asia Pacific Advanced Networking Meeting, 2007.
[12] N. Athanasiades, R. Abler, J. Levine, O. Henry, and G. Riley, "Intrusion detection testing and benchmarking methodologies," IEEE International Information Assurance Workshop, 2003.
[13] H. Song and J.W. Lockwood, "Efficient packet classification for network intrusion detection using FPGA," Intl. Symp. on Field Programmable Gate Arrays, Feb. 2005.
[14] N. Ye, S.M. Emran, Q. Chen, and S. Vilbert, "Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection," IEEE Trans. on Computers, Vol. 51, No. 7, 2002.
[15] R.A. Johnson and D.W. Wichern, "Applied Multivariate Data Analysis," 3rd Edition, Prentice-Hall, Inc., Englewood Cliffs, NJ, USA, 1992.
[16] H. Om and T.K. Sarkar, "Neural network based intrusion detection system for detecting changes in hardware profile," Journal of Discrete Mathematical Sciences & Cryptography, Vol. 12(4), pp. 451-466, 2009.
[17] P. Filzmoser, C. Reimann, and R.G. Garrett, "Multivariate outlier detection in exploration geochemistry," Technical report TS 03-5, Department of Statistics, Vienna University of Technology, Austria, Dec. 2003.
[18] R.G. Garrett, "The chi-square plot: A tool for multivariate outlier recognition," Journal of Geochemical Exploration, Vol. 32, pp. 319-341, 1989.
[19] D. Gervini, "A robust and efficient adaptive reweighted estimator of multivariate location and scatter," Journal of Multivariate Analysis, Vol. 84, pp. 116-144, 2003.
[20] P.J. Rousseeuw and K. Van Driessen, "A fast algorithm for the minimum covariance determinant estimator," Technometrics, Vol. 41, pp. 212-223, 1999.
[21] P.J. Rousseeuw and B.C. Van Zomeren, "Unmasking multivariate outliers and leverage points," Journal of the American Statistical Association, Vol. 85 (411), pp. 633-651, 1990.
[22] H. Gascon, A. Orfila, and J. Blasco, "Analysis of update delays in signature-based network intrusion detection systems," Computers & Security, Vol. 30, pp. 613-624, 2011.
[23] J.J. Davis and A.J. Clark, "Data preprocessing for anomaly based Network Intrusion Detection: Review," Computers & Security, Vol. 30, pp. 353-375, 2011.
[24] S. Jin, D.S. Yeung, and X. Wang, "Network intrusion detection in covariance feature space," Pattern Recognition, Vol. 40, pp. 2185-2197, 2007.
[25] D. Yeung and Y. Ding, "Host-based intrusion detection using dynamic and static behavioral models," Pattern Recognition, Vol. 36, pp. 229-243, 2003.
[26] M. Hussein and M. Zulkernine, "Intrusion detection aware component-based systems: A specification-based framework," Journal of Systems and Software, Vol. 80, pp. 700-710, 2007.
[27] W. Wang, X. Zhang, and S. Gombault, "Constructing attribute weights from computer audit data for effective intrusion detection," Journal of Systems and Software, Vol. 82, pp. 1974-1981, 2009.
[28] C.M. Chen, Y.L. Chen, and H.C. Lin, "An efficient network intrusion detection," Computer Communications, Vol. 33, pp. 477-484, 2010.
[29] P. Casas, J. Mazel, and P. Owezarski, "Unsupervised Network Intrusion Detection Systems: Detecting the Unknown without Knowledge," Computer Communications, Vol. 35, pp. 772-783, 2012.
[30] K. Triantafyllopoulos, "On the central moments of the multidimensional Gaussian distribution," The Mathematical Scientist, Vol. 28, pp. 125-128, 2003.
[31] L. Trailović and L.Y. Pao, "Variance Estimation and Ranking for Gaussian Mixture Distributions in Target Tracking Applications," Proc. Conf. Decision and Ctrl., Vol. 2, pp. 2195-2201, Dec. 2002.
[32] S. Dasgupta, "Learning Gaussian Mixtures," Proc. of IEEE Symp. on Foundations of Computer Science, p. 634, Oct. 17-18, 1999.
[33] A.P. Dempster, N.M. Laird, and D.B. Rubin, "Maximum-Likelihood from Incomplete Data Via the EM Algorithm," J. Royal Stat. Soc. Ser. B, Vol. 39, No. 1, pp. 1-38, 1977.
[34] H. Om and T. Hazra, "Design of Anomaly Detection System for Outlier Detection in Hardware Profile Using PCA," International Journal on Computer Science and Engineering, Vol. 4, Issue 9, pp. 1623-1632, Sept. 2012.
[35] V. Chandola, A. Banerjee, and V. Kumar, "Anomaly detection: A survey," ACM Computing Surveys, Vol. 41, No. 3, 2009.
[36] P.G. Teodoro, J.D. Verdejo, G.M. Fernandez, and E. Vazquez, "Anomaly-based network intrusion detection: Techniques, systems and challenges," Computers & Security, Vol. 28, Issues 1-2, pp. 18-28, Feb.-March 2009.

AUTHORS

Hari Om is presently working as Assistant Professor in the Department of Computer Science & Engineering at Indian School of Mines, Dhanbad, India. He earned his Ph.D. in Computer Science from Jawaharlal Nehru University, New Delhi, India. He has published more than 50 research papers in international and national journals, including various IEEE, Springer, and Elsevier transactions, and in international and national conferences of high repute. His research areas are Video-on-Demand, Cryptography, Network Security, Data Mining, and Image Processing.

Tanmoy Hazra completed his M.Tech in Computer Applications in the Department of Computer Science and Engineering at Indian School of Mines, Dhanbad, in 2012. He is presently working as Assistant Professor in the Department of Computer Engineering at ISB & M School of Technology, Pune. His research interest is mainly in Intrusion Detection Systems.
