Decision Tree Classifier for Signature
Recognition and State Classification
in Intrusion Detection
IEE591C Presentation
Xiangyang Li, Qiang Chen and Yebin Zhang
Information Integration and Assurance Laboratory
Arizona State University
Box 875906, Tempe, AZ 85287-5906, USA
Problem Definition(1)
• Intrusion Detection
– Normality profile method
– Signature recognition method
– Decision tree technique can be used to build the signatures of normal activities and attacks automatically. Each path of the tree corresponds to a signature.
– Each leaf represents an IW value. Each leaf corresponds to a specific state of the system.
September 2000
Problem Definition(2)
• BSM audit event from Solaris (one example record, field and value)
event           217
auid            -2
euid            0
egid            0
ruid            0
rgid            0
pid             96
sid             0
RemoteIP        0.0.0.0
time            897047263
error_message   91
process_error   0
retval          0
attack          0
• Target variable
– Label : 0 - normal activity, 1 - attack
– IW (Intrusion Warning) : 0 - 1
• Predictor variables
Only use the information of event type.
(284 event types - Solaris 2.7)
• Data sets
– Training data set
– Testing data set
Problem Definition(3)
• Decision tree algorithms
– GINI and CHAID (Answer Tree - SPSS Inc.)
– Information Gain Ratio (ITI - UMASS)
• Analysis of testing results
– Comparison of Mean, Max and Min of IW values between normal and
attack events.
– ROC (Receiver Operating Curve) with Hit rates and False alarm rates
based on the predicted IW values and the true Label values.
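The analysis described on this slide, as an added example that is not part of the presentation: per-class Min, Max, Mean and Standard Deviation of IW, and the ROC points (hit rate versus false alarm rate) obtained by sweeping a threshold over the predicted IW values and comparing against the true Label. The (IW, Label) pairs are constructed; the slides' BSM data sets are not reproduced.

```python
"""Hit rate and false alarm rate (ROC points) from predicted IW values and true labels.

Added example, not code from the presentation or its authors. The (IW, Label)
pairs below are constructed; the slides' BSM data sets are not reproduced here.
"""
from statistics import mean, pstdev

# Constructed classifier output: (predicted IW, true Label), Label 0 = normal, 1 = attack.
SAMPLE = [
    (0.05, 0), (0.10, 0), (0.20, 0), (0.25, 0), (0.30, 0), (0.60, 0),
    (0.40, 1), (0.70, 1), (0.85, 1), (0.95, 1),
]


def iw_statistics(samples):
    """Min, Max, Mean and Standard Deviation of IW per class, as in the slides' tables."""
    stats = {}
    for label, name in ((0, "normal"), (1, "attack")):
        iws = [iw for iw, lab in samples if lab == label]
        stats[name] = {"min": min(iws), "max": max(iws),
                       "mean": mean(iws), "sd": pstdev(iws)}
    return stats


def roc_point(samples, threshold):
    """(hit rate, false alarm rate) when every event with IW >= threshold is flagged as attack.

    hit rate         = flagged attack events / all attack events
    false alarm rate = flagged normal events / all normal events
    """
    attacks = [iw for iw, lab in samples if lab == 1]
    normals = [iw for iw, lab in samples if lab == 0]
    hit_rate = sum(iw >= threshold for iw in attacks) / len(attacks)
    false_alarm_rate = sum(iw >= threshold for iw in normals) / len(normals)
    return hit_rate, false_alarm_rate


def roc_curve(samples):
    """Sweep the threshold over every distinct IW value, plus 0 and a value above 1,
    so the curve runs from (1, 1) to (0, 0). Returns (threshold, hit, false alarm) triples."""
    thresholds = sorted({iw for iw, _ in samples} | {0.0, 1.01})
    return [(t, *roc_point(samples, t)) for t in thresholds]


def roc_area(samples):
    """Area under the ROC curve by the trapezoid rule (1.0 = perfect class separation)."""
    points = sorted((far, hr) for _, hr, far in roc_curve(samples))
    return sum((x1 - x0) * (y0 + y1) / 2
               for (x0, y0), (x1, y1) in zip(points, points[1:]))


if __name__ == "__main__":
    for name, s in iw_statistics(SAMPLE).items():
        print(f"{name:7s} min={s['min']:.2f} max={s['max']:.2f} "
              f"mean={s['mean']:.3f} sd={s['sd']:.4f}")
    for threshold, hit, false_alarm in roc_curve(SAMPLE):
        print(f"threshold {threshold:.2f}: hit rate {hit:.3f}, false alarm rate {false_alarm:.3f}")
    print(f"area under ROC: {roc_area(SAMPLE):.4f}")
```

A higher attack mean than normal mean in the statistics table only says the classes differ on average; the ROC sweep shows what the separation costs at each operating point, which is why the slides report both.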
Single-event Decision Tree Classifier
• Single-event classifier
– Label -> target variable
– Event type -> the only predictor variable
Result Analysis(1)
Statistics for single event classifier (ITI)
IW Value   Min    Max    Mean    Standard Deviation
Normal     0.00   1.00   0.217   0.1579
Attack     0.00   1.00   0.396   0.2921

Statistics for single event classifier (CHAID)
IW Value   Min    Max    Mean    Standard Deviation
Normal     0.00   1.00   0.209   0.135
Attack     0.00   1.00   0.368   0.255
Result Analysis(2)
[Figure: ROC for single event classifier (ITI); x-axis false alarm rate (0 to 1), y-axis hit rate (0 to 1)]
Result Analysis(3)
[Figure: ROC analysis for single event classifier (CHAID); x-axis false alarm rate (0 to 1), y-axis hit rate (0 to 1)]
EWMA Vectors
We use one variable to represent one event type, so there are 284 variables for the 284 event types. In our sample data set there are 50 variables. These variables are then used as the predictor variables. Each variable is updated for each event as:

$X_i(t) = \lambda \cdot 1 + (1-\lambda)\, X_i(t-1)$ if the audit event at time t belongs to the ith event type
$X_i(t) = \lambda \cdot 0 + (1-\lambda)\, X_i(t-1)$ if the audit event at time t is different from the ith event type
$X_i(0) = 0$, $\lambda = 0.3$
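The EWMA update above, carried out over a stream of event types, as an added example that is not the presentation's code. The numeric event-type ids and the stream are constructed (they are not Solaris BSM event ids); the smoothing constant is the slide's 0.3.

```python
"""EWMA vectors over a stream of audit-event types (added example, not the presentation's code).

One variable X_i per event type i, updated after every audit event exactly as on the slide:
    X_i(t) = lambda*1 + (1 - lambda)*X_i(t-1)   if the event at time t is of type i
    X_i(t) = lambda*0 + (1 - lambda)*X_i(t-1)   otherwise
with X_i(0) = 0 and lambda = 0.3. The event-type ids and the stream below are constructed.
"""

LAMBDA = 0.3


def ewma_vectors(events, event_types=None, lam=LAMBDA):
    """Return one EWMA vector per event (dict: event type -> X_i(t)), in stream order.

    event_types is the full list of variables to keep (284 for Solaris 2.7 in the slides);
    if omitted, the types observed in the stream are used.
    """
    if event_types is None:
        event_types = sorted(set(events))
    x = {etype: 0.0 for etype in event_types}          # X_i(0) = 0 for every type
    vectors = []
    for event in events:
        for etype in event_types:
            indicator = 1.0 if event == etype else 0.0  # the "1" or "0" on the slide
            x[etype] = lam * indicator + (1.0 - lam) * x[etype]
        vectors.append(dict(x))
    return vectors


def after_n_repeats(n, lam=LAMBDA):
    """Closed form of X_i after n consecutive events of type i starting from X_i(0) = 0:
    X_i = 1 - (1 - lam)**n, the value ewma_vectors reaches on such a run."""
    return 1.0 - (1.0 - lam) ** n


# Constructed stream: a routine run of type 6, a burst of type 23, then type 40 once.
STREAM = [6, 6, 6, 23, 23, 23, 23, 6, 40]

if __name__ == "__main__":
    for t, vec in enumerate(ewma_vectors(STREAM), start=1):
        print(f"t={t} event={STREAM[t - 1]:3d} "
              + " ".join(f"X_{k}={v:.3f}" for k, v in vec.items()))
```

Every variable stays in [0, 1], rises by a factor governed by lambda while its type keeps recurring and decays by (1 - lambda) per event otherwise, so a vector at time t summarises the recent history of the stream rather than the single event at t.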
Result Analysis(4)
Statistics for single event classifier (CHAID)
IW Value   Min    Max    Mean    Standard Deviation
Normal     0.00   1.00   0.209   0.135
Attack     0.00   1.00   0.368   0.255

Statistics for EWMA vector classifier (CHAID)
IW Value   Min    Max    Mean    Standard Deviation
Normal     0.00   1.00   0.046   0.210
Attack     0.00   1.00   0.881   0.324
Result Analysis(5)
[Figure: ROC analysis for EWMA vectors, two curves (GINI, CHAID); x-axis false alarm rate (0 to 1), y-axis hit rate (0 to 1)]
Moving Window
“Existence” and “Count” Classifiers
• “Existence”
In the transformed data set, variable i records whether event type i occurs in the current moving window. We use this transform in the moving window classifiers on event types.
• “Count”
In the transformed data set, variable i records how many times event type i appears in the current moving window.
• Truncation
Remove the part of the transformed data whose windows include both normal and attack events.
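The two window transforms and the truncation step, as an added example that is not the presentation's code. Window width, event-type ids, the audit stream and its per-event Labels are all constructed.

```python
"""Moving-window "existence" and "count" transforms with truncation (added example, not the
presentation's code). Window width, event-type ids, stream and Labels are constructed."""

from collections import Counter


def window_rows(events, labels, width, event_types, kind):
    """One row per window position; the window ends at each event index >= width-1.

    kind="existence": variable i is 1 if event type i occurs in the window, else 0.
    kind="count":     variable i is how many times event type i occurs in the window.
    Each row also carries the set of Label values of the events inside the window.
    """
    if kind not in ("existence", "count"):
        raise ValueError(f"unknown transform: {kind}")
    rows = []
    for end in range(width - 1, len(events)):
        start = end - width + 1
        counts = Counter(events[start:end + 1])
        if kind == "count":
            features = {et: counts.get(et, 0) for et in event_types}
        else:
            features = {et: int(counts.get(et, 0) > 0) for et in event_types}
        rows.append((features, set(labels[start:end + 1])))
    return rows


def truncate(rows):
    """Truncation from the slide: drop windows containing both normal (0) and attack (1)
    events, so every remaining window carries one unambiguous Label."""
    return [(features, next(iter(window_labels)))
            for features, window_labels in rows if len(window_labels) == 1]


# Constructed audit stream of event-type ids with per-event Labels (0 normal, 1 attack).
EVENTS = [6, 6, 23, 6, 23, 40, 40, 23]
LABELS = [0, 0, 0, 0, 1, 1, 1, 1]
TYPES = [6, 23, 40]

if __name__ == "__main__":
    for kind in ("existence", "count"):
        print(kind)
        rows = window_rows(EVENTS, LABELS, 3, TYPES, kind)
        for features, window_labels in rows:
            status = "mixed" if len(window_labels) > 1 else f"label {next(iter(window_labels))}"
            print("  ", features, status)
        print("   after truncation:", len(truncate(rows)), "rows")
```

The windows that straddle the boundary between normal and attack events are exactly the ones truncation removes; with a width of 3 and the constructed stream, two of the six windows are dropped and the remaining four are cleanly labelled.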
Result Analysis(6)
Statistics for EWMA vector classifier (CHAID)
IW Value   Min    Max    Mean    Standard Deviation
Normal     0.00   1.00   0.046   0.210
Attack     0.00   1.00   0.881   0.324

Statistics for moving window classifier (CHAID-GINI)
IW Value   Min    Max    Mean    Standard Deviation
Normal     0.00   1.00   0.065   0.246
Attack     0.00   1.00   0.917   0.277
Result Analysis(7)
[Figure: ROC for moving window classifier (ITI-CHAID-GINI); x-axis false alarm rate (0 to 1), y-axis hit rate (0 to 1)]
Tree Structure for Moving Window Classifier
(CHAID-GINI-ITI)
Layered Classifiers
[Diagram of the layered classifiers: audit data feeds the lower level (single event classifier, State-ID classifiers), which outputs IW and the classified states; the classified states feed the upper level State-ID classifier, which outputs IW.]
Result Analysis(8)
Statistics for “existence” state-ID classifier (ITI)
IW Value   Min    Max    Mean    Standard Deviation
Normal     0.00   1.00   0.033   0.0826
Attack     0.00   1.00   0.901   0.2706

Statistics for “count” state-ID classifier (ITI)
IW Value   Min    Max    Mean    Standard Deviation
Normal     0.00   1.00   0.018   0.0812
Attack     0.00   1.00   0.924   0.2548
Result Analysis(9)
[Figure: ROC analysis for state-ID classifiers (CHAID), two curves (Count, Existence); x-axis false alarm rate (0 to 1), y-axis hit rate (0 to 1)]
Result Analysis(10)
[Figure: ROC analysis for "count" state-ID classifiers, three curves (CHAID, GINI, ITI); x-axis false alarm rate (0 to 1), y-axis hit rate (0.8 to 1)]
Results Analysis(11)
[Figure: Comparison of ROC curves (ITI), three curves (moving window, "existence" state-ID classifier, "count" state-ID classifier); x-axis false alarm rate (0 to 1), y-axis hit rate (0.8 to 1)]
Conclusions and Problem
Conclusions
• DTCs (decision tree classifiers) show promising performance in the intrusion detection application.
• The performance of a DTC depends on its design, i.e. the choice of predictor variables and target variable.
• Different decision tree algorithms impact the results.
Problem
• Computational feasibility
– Incremental training ability (ITI)
– Scalable/parallel/database (ScalParC)
– Bagging and boosting?
END
• This presentation - http://iia.eas.asu.edu/myweb/courses/dtc.ppt
• Other works - http://iia.eas.asu.edu/