Intrusion Detection Based On Fuzzy C Means Information Technology Essay

Published: November 30, 2015 Words: 2298

Network security has been one of the most important problems in computer network management, and intrusion is the most publicized threat to security. An intrusion detection system is a device or software application that monitors a network or system, and intrusion detection has emerged as an important field for network security. Fuzzy C-means clustering and the probabilistic neural network technique are combined here as a new approach for intrusion detection (FCM & PNN). The proposed approach analyzes the KDD99 dataset and is efficient in terms of accuracy, detection rate, failure analysis rate and false alarm rate.

Keywords: intrusion detection system, fuzzy c-means clustering, probabilistic neural network.

1. Introduction

Traditional network security technologies are limited to known network attacks; such protection systems cannot effectively prevent all forms of intrusion. Intrusion detection is a proactive information security protection that makes up for the deficiencies of traditional protection technology, and it has recently become a hotspot of research. The main function of intrusion detection systems is to automatically inspect the network data stream, collect evidence of intrusion and provide a basis for defense. Some intrusion detection systems can also detect certain kinds of abnormal situations and apply corresponding countermeasures to prevent attacks, protecting network systems from destruction.

2. Types of Intrusion Detection Systems

According to the analytical method used, intrusion detection systems can be divided into two categories: anomaly detection, and misuse detection (also called signature detection) [1].

2.1. Anomaly Detection

Anomaly detection techniques store the system's normal behavior, such as kernel information, system log events, network packet information, software running information and operating system information, in a database. If any abnormal behavior or intrusive activity occurs in the computer system that deviates from the system's normal behavior, an alarm is generated. Anomalous activities that are not intrusive are flagged as intrusive.

This results in false positives, i.e. false alarms. Intrusive activities that are not anomalous result in false negatives [2].

2.2. Signature Detection

The concept behind signature detection or misuse detection is that sequences of patterns, signatures of attacks or intrusions, etc. are stored in a database. When an attacker tries to attack or an intrusion occurs, the IDS matches the signature of the intrusion against the predefined signatures already stored in the database. On a successful match the system generates an alarm.

The goal of intrusion detection is to build a system which automatically scans network activity and detects such attacks. Once an attack is detected, the system administrator can be informed and take corrective action.

Generally, there are four categories of attacks [3]. They are:

1. DoS (Denial of Service) - trying to prevent a legitimate user from accessing a service on the target machine.

2. Probe - scanning a target machine for information about potential vulnerabilities.

3. R2L (Remote to Local) - the attacker attempts to obtain unauthorized access to a machine or network.

4. U2R (User to Root) - the target machine is already invaded, and the attacker attempts to gain super-user privileges.

3. Clustering

Clustering can be considered the most important unsupervised learning problem; like every other problem of this kind, it deals with finding a structure in a collection of unlabeled data. A loose definition of clustering could be "the process of organizing objects into groups whose members are similar in some way".

A cluster is therefore a collection of objects which are "similar" to each other and "dissimilar" to the objects belonging to other clusters. We can show this with a simple graphical example, figure 1.


Figure 1: Example of Clustering of Data

In this case we easily identify the 4 clusters into which the data can be divided; the similarity criterion is distance: two or more objects belong to the same cluster if they are "close" according to a given distance (in this case geometrical distance). This is called distance-based clustering.

Another kind of clustering is conceptual clustering: two or more objects belong to the same cluster if it defines a concept common to all those objects. In other words, objects are grouped according to their fit to descriptive concepts, not according to simple similarity measures.

3.1. The goals of clustering

So, the goal of clustering is to determine the intrinsic grouping in a set of unlabeled data. But how do we decide what constitutes a good clustering? It can be shown that there is no absolute "best" criterion which would be independent of the final aim of the clustering. Consequently, it is the user who must supply this criterion, in such a way that the result of the clustering will suit their needs. [4]

For instance, we could be interested in finding representatives for homogeneous groups (data reduction), in finding "natural clusters" and describing their unknown properties ("natural" data types), in finding useful and suitable groupings ("useful" data classes) or in finding unusual data objects (outlier detection). This is shown in figure 2.


Figure 2: Performing Clustering on Dataset

A clustering algorithm attempts to find natural groups of components (or data) based on some similarity. The clustering algorithm also finds the centroid of each group of data.

3.2. Fuzzy Clustering

Fuzzy logic is based on fuzzy set theory. Fuzzy set theory, unlike the well known classical set theory, allows an element to belong to more than one cluster, with a degree of membership in the interval [0, 1]. The degree of membership of each data element to each cluster is calculated, and this decides which cluster the data element is taken to belong to. The existence of a data element in more than one cluster depends on the value of the fuzzifier. The user defines the fuzzification value, also known as the fuzzifier, i.e. how many clusters one data element can belong to. [5]

The fuzzy clustering algorithm this work focuses on is fuzzy c-means.

3.3. Fuzzy C - Means Algorithm for intrusion detection

Among the unsupervised machine learning techniques applied to intrusion detection datasets, clustering is one of the best techniques for efficient data mining in intrusion detection. The k-means clustering algorithm is widely used for intrusion detection because it gives efficient results, but k-means sometimes fails to give the best result when the data set is noisy. To remove this problem we analyze a new algorithm for cluster-to-class assignment using the fuzzy c-means clustering algorithm. Fuzzy c-means clustering involves two processes: the calculation of cluster centres and the assignment of points to these centres using a form of Euclidean distance. This process is repeated until the cluster centres stabilize. The algorithm is similar to k-means clustering in many ways, but it assigns each data item a membership value in the range 0 to 1 for each cluster.

So it incorporates the fuzzy set concept of partial membership and forms overlapping clusters to support it. The algorithm needs a fuzzification parameter m in the range [1, n] which determines the degree of fuzziness in the clusters.

When m reaches the value of 1 the algorithm works like a crisp partitioning algorithm, and for larger values of m the overlap between clusters tends to increase. [6]

In fuzzy clustering, the data points can belong to more than one cluster, and associated with each point are membership grades which indicate the degree to which the data point belongs to the different clusters. Thus, points on the edge of a cluster may be in the cluster to a lesser degree than points in the center of the cluster. For each point x we have a coefficient u_k(x) giving its degree of membership in the kth cluster. Usually, the sum of those coefficients for any given x is defined to be 1.

With fuzzy c-means, the centroid of a cluster is the mean of all points, weighted by their degree of belonging to the cluster. [7]

The degree of belonging is related to the inverse of the distance to the cluster center; the coefficients are then normalized and fuzzified with a real parameter m > 1 so that their sum is 1.

For m equal to 2, this is equivalent to normalizing the coefficients linearly to make their sum 1. When m is close to 1, the cluster center closest to the point is given much more weight than the others.
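As an added example (my own code, not from the essay), the two fuzzy c-means steps just described, the inverse-distance membership and the membership-weighted centroid, in pure Python on a constructed two-feature sample; the starting-centre rule and the sample values are assumptions of mine.

```python
import math

def membership(x, centres, m=2.0):
    """u_k(x) = 1 / sum_l (d_k / d_l) ** (2 / (m - 1)): degree of belonging from the
    inverse distance to each centre, normalised so the coefficients sum to 1."""
    dist = [max(math.dist(x, cen), 1e-12) for cen in centres]  # guard zero distance
    expo = 2.0 / (m - 1.0)
    return [1.0 / sum((dk / dl) ** expo for dl in dist) for dk in dist]

def fcm(points, c, m=2.0, iters=200, tol=1e-6):
    """Fuzzy c-means: alternate membership update and weighted-centroid update until
    the memberships stop moving.  Returns (centres, u) with u[i][k] = u_k(x_i)."""
    n, d = len(points), len(points[0])
    # assumed initialisation: spread the c starting centres over the input order
    centres = [list(points[k * n // c]) for k in range(c)]
    u = [[0.0] * c for _ in range(n)]
    for _ in range(iters):
        new_u = [membership(p, centres, m) for p in points]
        shift = max(abs(new_u[i][k] - u[i][k]) for i in range(n) for k in range(c))
        u = new_u
        for k in range(c):  # centre_k = mean of all points weighted by u_ik ** m
            w = [u[i][k] ** m for i in range(n)]
            centres[k] = [sum(w[i] * points[i][j] for i in range(n)) / sum(w)
                          for j in range(d)]
        if shift < tol:
            break
    return centres, u

# Constructed sample (not KDD data): two scaled features per connection; the
# first four look alike, the last four look alike.
SAMPLE = [(0.1, 0.2), (0.2, 0.1), (0.0, 0.0), (0.15, 0.15),
          (0.9, 0.8), (1.0, 1.0), (0.85, 0.95), (0.95, 0.85)]

if __name__ == "__main__":
    centres, u = fcm(SAMPLE, 2)
    for p, row in zip(SAMPLE, u):
        print(p, [round(v, 3) for v in row])
    # a point half-way between the groups gets split membership; a smaller m
    # (closer to 1) makes the nearest centre dominate, as the text states
    print(membership((0.5, 0.5), centres), membership((0.2, 0.1), centres, 1.1))
```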

4. Intrusion Detection using Probabilistic Neural Network (PNN)

This section applies machine learning techniques to solve intrusion detection problems within computer networks.

Due to the complex and dynamic nature of computer networks and hacking techniques, detecting malicious activities remains a challenging task for security experts; currently available defense systems suffer from low detection capability and a high number of false alarms. To overcome such performance limitations, we propose a machine learning algorithm, namely the Probabilistic Neural Network (PNN). As a result, learning bias and generalization variance can be significantly minimized. Substantial analysis on the KDD 99 intrusion dataset indicates that our model outperforms other state-of-the-art learning algorithms, with significantly improved detection accuracy, minimal false alarms and relatively small computational complexity.

Feature reduction techniques are applied to the given KDD 99 dataset. MATLAB is used for the data analysis: it is used to train and test on the dataset, and the efficiency is measured.

Probabilistic neural networks are a kind of radial basis network suitable for classification problems.


Figure 3: Structure of PNN

A Probabilistic Neural Network (PNN) consists of four layers. The first is the input layer, where the actual input vector is given. The second is the pattern layer, with one neuron for every training example; the input layer and pattern layer are fully connected. The next is the summation layer, where the results of the pattern layer are added; in this layer there is one neuron for each class we want to distinguish. The neurons of the pattern layer are connected to the neurons of the summation layer according to the class of the pattern neuron, so every pattern neuron of the same class is connected to the same summation neuron. The last layer is the output layer, where the estimated class of the input data is shown; this is realized by an argmax operator over the outputs of the summation layer. For the use in this article we have no output layer and only one neuron in the summation layer. This structure is shown in figure 3.

The training process of a PNN is very easy. For each training vector in the training data set we create a neuron in the pattern layer, and the weights of this neuron are set to the values of the training vector. After this the PNN is trained and can be used.

4.1. Advantages of PNN

PNNs are much faster than multilayer perceptron networks.

PNNs can be more accurate than multilayer perceptron networks.

PNN networks are relatively insensitive to outliers.

PNN networks generate accurate predicted target probability scores.

PNNs approach Bayes optimal classification.

PNNs have an inherently parallel structure.

Training samples can be added or removed without extensive retraining.

PNNs are guaranteed to converge to an optimal classifier as the size of the representative training set increases, with no local minima issues.

4.2. Applications based on PNN

Probabilistic neural networks in modeling structural deterioration of storm water pipes.

Probabilistic neural networks method to gastric endoscope samples diagnosis based on FTIR spectroscopy.

Probabilistic Neural Networks in Solving Different Pattern Classification Problems.

Application of probabilistic neural networks to population pharmacokinetics.

Probabilistic Neural Networks to the Class Prediction of Leukemia and Embryonal Tumor of Central Nervous System.

Ship identification using probabilistic neural networks.

Probabilistic Neural Network-Based sensor configuration management in a wireless AD-HOC network.

Probabilistic Neural Network in character recognizing.

5. Dataset Description

In our experiments, the KDD Cup'99 benchmark dataset is chosen for evaluation and comparison between the proposed approach and previous approaches. The entire KDD data set contains approximately 500,000 instances with 41 features. The training dataset contains 24 types of attack, while the testing data contains more than 14 additional types of attack. Further description of the available features and intrusion instances can be found in [9].

The KDD dataset covers four major categories of attack: Probe, DoS, R2L and U2R. In order to demonstrate the ability to detect different kinds of intrusions, the training and testing data cover all classes of intrusion categories, as listed in the following, adopted from [9].

6. Evaluation Measurement

An Intrusion Detection System (IDS) requires high accuracy and detection rate as well as a low false alarm rate. In general, the performance of an IDS is evaluated in terms of accuracy, detection rate and false alarm rate, computed from the confusion matrix in Table 1 as in the following formulas:

Table 1: Confusion Matrix for Analysis of intrusion detection system

Actual \ Predicted     Normal   Attack
Normal                 TN       FP
Intrusion (attacks)    FN       TP

True positive (TP): attack data detected as attack

True negative (TN): normal data detected as normal

False positive (FP): normal data detected as attack

False negative (FN): attack data detected as normal
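An added example (my own code, not the essay's MATLAB work) serving both the PNN layers described in section 4 and the Table 1 measures above: a pattern/summation/argmax classifier in pure Python over a constructed normal/attack sample, scored with accuracy, detection rate and false alarm rate. The Gaussian kernel width sigma, the per-class averaging, the sample vectors and the three rate formulas are assumptions, not taken from the essay.

```python
import math

# Constructed training connections (not KDD data): three scaled features each.
TRAIN = [((0.1, 0.2, 0.1), "normal"), ((0.2, 0.1, 0.15), "normal"),
         ((0.15, 0.15, 0.05), "normal"), ((0.9, 0.8, 0.95), "attack"),
         ((0.85, 0.9, 0.9), "attack"), ((0.95, 0.85, 0.8), "attack")]
# Constructed test set; the second is a normal connection that looks attack-like.
TEST = [((0.12, 0.18, 0.1), "normal"), ((0.6, 0.6, 0.6), "normal"),
        ((0.9, 0.9, 0.9), "attack"), ((0.88, 0.82, 0.9), "attack")]

def pnn_train(examples):  # training = store one pattern neuron per vector
    return [(tuple(x), y) for x, y in examples]

def pnn_classify(x, patterns, sigma=0.3):
    """Pattern layer: Gaussian activation of each stored vector; summation layer:
    one neuron per class adding its own patterns; output layer: argmax."""
    sums, counts = {}, {}
    for w, cls in patterns:
        act = math.exp(-sum((a - b) ** 2 for a, b in zip(x, w)) / (2 * sigma ** 2))
        sums[cls] = sums.get(cls, 0.0) + act
        counts[cls] = counts.get(cls, 0) + 1
    scores = {c: sums[c] / counts[c] for c in sums}  # class-size neutral
    total = sum(scores.values()) or 1.0
    probs = {c: s / total for c, s in scores.items()}
    return max(probs, key=probs.get), probs

def confusion_matrix(actual, predicted, attack="attack"):
    """Table 1 convention: positive = attack.  TP attack->attack, TN normal->normal,
    FP normal->attack, FN attack->normal."""
    cm = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for a, p in zip(actual, predicted):
        correct = (a == attack) == (p == attack)
        cm[("T" if correct else "F") + ("P" if p == attack else "N")] += 1
    return cm

def ids_metrics(cm):
    """Rates assumed to be the essay's: accuracy (TP+TN)/all, detection rate
    TP/(TP+FN), false alarm rate FP/(FP+TN).  Empty denominators give 0."""
    tp, tn, fp, fn = cm["TP"], cm["TN"], cm["FP"], cm["FN"]
    div = lambda num, den: num / den if den else 0.0
    return {"accuracy": div(tp + tn, tp + tn + fp + fn),
            "detection_rate": div(tp, tp + fn),
            "false_alarm_rate": div(fp, fp + tn)}

def evaluate(train=TRAIN, test=TEST, sigma=0.3):
    """Train the PNN, classify the test set and score it with Table 1."""
    patterns = pnn_train(train)
    preds = [pnn_classify(x, patterns, sigma)[0] for x, _ in test]
    return ids_metrics(confusion_matrix([y for _, y in test], preds))
```

On the constructed test set the attack-like normal connection is flagged, so the run yields one false positive and a false alarm rate of 0.5 alongside a detection rate of 1.0.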

7. Conclusion & Future Work

In this paper, a hybrid learning approach combining fuzzy c-means clustering and PNN is analyzed. The analyzed approach is evaluated using the KDD 99 dataset. The fuzzy clustering algorithm is an unsupervised anomaly detection technique that needs no training; it does not need to know the type of attack in the intrusion detection data samples, so it can detect a variety of known and unknown characteristics of network intrusion simultaneously. Attacks fall into one of the four categories Probe, R2L, U2R and DoS. In this paper the results of the simulation run on the KDD 99 dataset show that the fuzzy C-means & PNN is an

The failure analysis rate shows the accuracy of intrusion detection; a lower FAR indicates higher detection accuracy.