Abstract:
Anomaly-based intrusion detection systems have proved their worth by detecting zero-day intrusions, but they suffer from a large number of false alarms, mainly because of imprecise definitions of their normal profiles or detection models. Building accurate and precise normal profiles or detection models for intrusion detection is a complex process, because it involves highly dynamic network behavior, the concept drift phenomenon and evolving intrusion patterns. To accommodate these network dynamics in intrusion detection models, we require extensive training data-sets. These data-sets must contain a uniform distribution of theoretically possible intrusion patterns and normal network traffic instances. Deviation of the training data-set from real-time network data, and a skewed class distribution in the training data-set, will result in a biased detection model. The concept drift phenomenon, huge volumes of network data, highly imbalanced traffic distributions, the addition of new applications and abstract boundaries between normal and abnormal behavior have limited the accuracy of generalized detection models or shortened their useful life. Due to these limitations and complexities in building long-term intrusion detection models, this thesis proposes that, instead of building a generalized profile responsible for detecting all intrusions, it is more helpful to use short-term profiles to detect an intrusion, or even a single phase of an intrusion, active in a certain time span. These short-term profiles are evolved by changing cost functions according to changed anomaly conditions, current network traffic patterns and security policies. The evolved profiles remain valid for a short period of time, during which the network dynamics can be assumed to be piece-wise linear. In this thesis an anomaly-based Adaptive SEmi-supervised Evolutionary Security (ASEES) fuzzy framework is proposed. It is based on adaptive, distributed and cooperative fuzzy agents which use evolved short-term profiles. These profiles are evolved for different objectives to detect specific intrusions. Evolved profiles are switched and activated according to current network and anomaly conditions, network security policies and forecasted attacks.

The ASEES fuzzy framework is tested under two different attacks: a DoS attack and a reconnaissance attack, i.e. a port scan. The results show good detection times and a high detection rate, owing to the similarity of the training and testing data-sets. The results also show a performance increase from using short-term profiles along with generalized normal profiles for denial-of-service attacks.
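To make the short-term versus generalized profile argument concrete, the following is an added example (mine, not code from the thesis or the ASEES framework) that runs both kinds of detector over constructed connection-rate samples containing a benign rate shift (concept drift) followed by a short flood. The single feature, the mean-plus-k-sigma threshold and the alarm-streak trigger for evolving a new profile are my simplifying assumptions, not the thesis's fuzzy cost functions.

```python
"""Short-term vs. generalized normal profiles under concept drift (added example)."""
from statistics import mean, pstdev

# Constructed traffic (connections/second): quiet baseline, then a benign rate
# increase (drift, e.g. a new application), then a short DoS-like flood.
BASELINE = [20 + (i % 3) for i in range(40)]   # ~20-22 conn/s
DRIFTED = [45 + (i % 4) for i in range(40)]    # ~45-48 conn/s, legitimate
BURST = [600, 650, 700]                        # constructed flood samples
TRAFFIC = BASELINE + DRIFTED + BURST
TRAIN = len(BASELINE)

def profile(samples):
    """A normal profile: (mean, std) of the samples, std floored at 1.0."""
    return mean(samples), max(pstdev(samples), 1.0)

def exceeds(value, prof, k=3.0):
    mu, sigma = prof
    return value > mu + k * sigma

def detect(traffic, window=None, persist=5, train=TRAIN):
    """Return indices flagged as anomalous.
    window=None: one generalized profile built from the first `train` samples.
    window=N: short-term profiles over the last N accepted samples (the
    piece-wise linear assumption); `persist` consecutive alarms are treated as
    changed network conditions and a fresh profile is evolved from the last N
    raw samples (profile switching). A short flood never reaches `persist`."""
    flagged, streak = [], 0
    accepted = list(traffic[:train])
    prof = profile(accepted)
    for i in range(train, len(traffic)):
        v = traffic[i]
        if exceeds(v, prof):
            flagged.append(i)
            streak += 1
            if window is not None and streak >= persist:
                accepted = list(traffic[i - window + 1:i + 1])
                prof, streak = profile(accepted), 0
        else:
            streak = 0
            if window is not None:
                accepted.append(v)
                prof = profile(accepted[-window:])
    return flagged

def compare():
    """(alarms on the benign drifted span, alarms on the flood) per detector."""
    out = {}
    for name, window in (("generalized", None), ("short-term", 20)):
        flags = detect(TRAFFIC, window)
        drifted = sum(TRAIN <= i < TRAIN + len(DRIFTED) for i in flags)
        out[name] = (drifted, sum(i >= TRAIN + len(DRIFTED) for i in flags))
    return out
```

The generalized profile raises an alarm on every sample of the benign shift, while the short-term detector alarms only until it evolves a new profile, and both still flag the flood.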