An integrated approach using self organizing maps and fuzzy cognitive maps for network intrusion detection
Date
2009-06
Authors
Jazzar, Mahmoud
Abstract
The basic function of anomaly-based sensors is to detect any deviation from normal system behavior. However, clear distinctions between normal and abnormal patterns are very difficult to draw in practice, especially when new systems are added to or removed from the network dynamically.

A typical problem that arises when deploying intrusion detection sensors is their tendency to produce a high rate of false alerts. This in turn requires substantial analysis effort and time-consuming manual work at higher levels. The main purpose of this thesis is to propose a new soft computing inference engine model for intrusion detection. In this study, we have investigated an approach to anomaly intrusion detection based on causal knowledge reasoning. The approach is anomaly-based and uses causal knowledge inference built on fuzzy cognitive maps (FCM) and self-organizing maps (SOM).

Using FCM, we have presented a method that attempts to diagnose and direct network traffic data based on its relevance to attack or normal connections. A set of parallel neural network classifiers (SOM) performs an initial recognition of the network traffic flow to detect abnormal behaviors. The FCM is incorporated to resolve the ambiguity of odd neurons and to make final decisions. Initially, each neuron is mapped to its best matching unit in the SOM and then updated by the FCM framework. This updating is achieved through the weights of the neighboring neurons. Based on the domain knowledge of network data, the SOM/FCM combination presents quantitative and qualitative matching correspondences which in turn reduce the number of suspicious neurons, i.e. reduce the number of false alerts. This method works as a unique fuzzy clustering approach, and we have demonstrated its performance using the DARPA 1999 network traffic data set. The method also has the flexibility of feature selection for further exploration.