Seminar: ----------- https://www.shamra.sy/academia/show/5b0bff1c5de6d -------------------------------------------------------------------- Supervisor: ---------------- Mohammad Fadi Taqi Al-Din Prepared by: ---------------- Ahmad Al-Yassin Muhammad Khaled Al-Khalili Muhammad Nashouq --------------------------------------------------------------------

1. Role of Data Mining in
Cyber Security
Prepared by:
Ahmad Al-Yassin
Muhammad Khaled Al-Khalili
Muhammad Nashouq

2. Outline
What is Cyber Security?
What is Cyber Crime?
Applications of Data Mining in Cyber Security.
Intrusion detection.
Why Can Data Mining Help?
Data Mining approaches for Intrusion Detection.
Conclusion.

3. Cyber Security
Set of technologies and processes designed to protect computers,
networks, programs, and data from attack, unauthorized access, change,
or destruction.
A Major part of Cyber Security
is to fix broken Software.
Cyber
Security
Computer
Security System
Network
Security System

4. Cyber Crime
Encompasses any criminal act dealing with computers and networks.
Include:
• Malicious programs.
• Illegal imports.
• Computers Vandalism.

5. Cyber Security VS Cyber Crime
Cyber
SecurityCyber Crime Cyber Security
Cyber
Crime
One side of the
coin
Other side of the
coin

6. Cyber Attacks (Intrusions)
Actions that attempt to bypass security mechanisms of computer
systems.
Any set of actions that threaten the integrity, availability, or
confidentiality of a network resource.
Examples:
• Denial of service (DoS).
• Scan.
• Worms and viruses.
• Compromises.

7. Applications of Data Mining in Cyber Security
Malware detection.
Intrusion detection.
Fraud detection.

8. Intrusion Detection
The process of monitoring the events occurring in a computer system or
network and analyzing them for signs of intrusion.

9. Intrusion Detection System (IDS)
Combination of software and hardware that attempts to perform
intrusion detection.
Raise the alarm when possible intrusion happens.
Steps:
 Monitoring and analyzing traffic.
 Identifying abnormal activities.
 Assessing severity and raising alarm.

10. Information Source - Monitored System
Detector – ID Engine
Response
Component
Data gathering (sensors)
Raw data
Events
Knowledge base Configuration
Alarms
Actions
System State
System
State
Intrusion Detection System Architecture

11. IDS - Analysis Strategy
Misuse detection.
• Effective detecting known type of attacks by using signatures of those attacks
without generation false alarms.
• Cannot detect novel (Zero-day) attacks.
Anomaly detection.
• Identify the anomalies from normal behavior.
• Able to detect Zero-day attacks.
Hybrid detection.
• Combination of misuse and anomaly detection.
• Increase the detection rate and decrease the false alarm generation.

12. Goals of Intrusion Detection System (IDS)
Detect wide variety of intrusions.
Detect intrusions in timely fashion.
Present analysis in simple, easy-to-understand format.
Be accurate.

13. Why We Need Intrusion Detection?
Security mechanisms always have inevitable vulnerabilities.
Multiple levels of data confidentiality in commercial and government
organizations needs multi-layer protection in firewalls.

14. Traditional Intrusion Detection Systems
Traditional intrusion detection system (IDS) tools (e.g. SNORT) are
based on signatures of known attacks.
Limitations:
• Signature database has to be manually revised for each new type of
discovered intrusion.
• They cannot detect emerging cyber threats.
• Substantial latency in deployment of newly created signatures.
Data mining based IDSs can alleviate these limitations

15. Why Can Data Mining Help?
 Data mining: applying specific algorithms to extract patterns from
data.
 Normal and intrusive activities leave evidence in audit data.
 From the data-centric point view, intrusion detection is a data
analysis process.

16. Why Can Data Mining Help?
 Successful applications in related domains, e.g., fraud detection,
fault/alarm management.
 Learn from traffic data:
• Supervised learning: learn precise models from past intrusions.
• Unsupervised learning: identify suspicious activities.
 Maintain or update models on dynamic data.

17. Data Mining approaches for Intrusion Detection

18. Frequent Patterns
Patterns that occur frequently in a database.
Mining Frequent patterns – finding regularities.
Process of Mining Frequent patterns for intrusion detection.
• Phase I: mine a repository of normal frequent itemsets for attack-free data.
• Phase II: find frequent itemsets in the last n connections and compare the
patterns to the normal profile.

19. Traffic Mining
Firewall log file
Mining log file Using
Frequency
Filtering Rule
Generalization
Generic Rule
Identify Decaying &
Dominant Rule
Edit Firewall Rule
Firewall
Policy Rule

20. Frequent Pattern Mining in MINDS
MINDS: a IDS using data mining techniques
• University of Minnesota
Summarizing attacks using association rules:
• {Src IP=206.163.27.95, Dest Port=139, Bytes[150, 200]}

{ATTACK}

21. Associate rules
Used for link analysis
E.g.:
• If the number of failed login attempts (num_failed_login_attempts)
and the network service on the destination (service) are features, an
example of rule is:
• num_failed_login_attempts = 6, service = FTP

attack = DoS [1, 0.28 ]

22. Classification Methods
Neural networks.
Bayesian classification.
Support vector machines.

23. Intrusion Detection by NN and SVM
Neural Networks can be used for :
• Anomaly detection.
The approach consists of maintaining a database of a sequence of
system calls made by each program to the operating system, used
as the signature for the normal behavior. If online sequence of
system calls for a program differ from the sequence in the database
anomalous behavior is registered. If significant percentage of
sequences does not match then alarm for intrusion is raised.
• Misuse detection
Classification based on known intrusions.

24. Email Worm Detection Using Data Mining
Outgoing Emails
Training Data
Test Data
Classifier
Feature
Extraction
Machine
Learning
The model
Clean or Infected

25. Clustering
Group data into clusters
What is a good clustering intra-class similarity
• Depending on the similarity measure.
• The ability to discover some or all of the hidden patterns.
Clustering Approaches
• K-means
• Hierarchical Clustering

26. Clustering for Intrusion Detection
Anomaly detection.
Any significant deviations from the expected behavior are reported as
possible attacks.
Build clusters as models for normal activities.

27. Data Preprocessing
Extract the “connection” level features:
• Record connection attempts
• Watch how connection is terminated
Each record has:
• start time and duration
• participating hosts and ports (applications)
• statistics (e.g., # of bytes)
• flag: normal or a connection/termination error
• protocol: TCP or UDP
Divide connections into 3 types: incoming, out-going, and inter-lan

28. commentsTypical time complexityAlgorithm
e: number of epochs
k: number of neurons
O(emnk)ANN
O(𝑛3)Accusation Rules
O(mn)Bayesian Network
i: number of iterations
until threshold is reached
k: number of clusters
O(kmni)Clustering K-mean
O(mn)Naïve Bayes
O(𝑛2)SVM
Complexity of Algorithms During Training

29. Conclusion
Data mining has great potential as a malware detection tool. It allows
you to analyze huge sets of information and extract new knowledge from
it.
The main benefit of using data mining techniques for detecting
malicious software is the ability to identify both known and zero-day
attacks. However, since a previously unknown but legitimate activity may
also be marked as potentially fraudulent, there’s the possibility for a high
rate of false positives.

30. Thankyou