自适应神经模糊推理系统在入侵检测系统报警管理的应用研究(IJCNIS-V4-N11-4)

I.J.ComputerNetworkandInformationSecurity,2012,11,32-38PublishedOnlineOctober2012inMECS()DOI:10.5815/ijcnis.2012.11.04Copyright©2012MECSI.J.ComputerNetworkandInformationSecurity,2012,11,32-38UsingAdaptiveNeuro-FuzzyInferenceSysteminAlertManagementofIntrusionDetectionSystemsZahraAtashbarOrangIslamicAzadUniversity,TabrizBranch,Tabriz,Iranatashbarorang_z@yahoo.comEzzatMoradpourIslamicAzadUniversity,ShabestarBranch,Shabestar,Irane.moradpoormail@yahoo.comAhmadHabibizadNavinIslamicAzadUniversity,ScienceandResearch,Tabriz,Iranah_habibi@iaut.ac.irAmirAzimiAlastiAhrabiIslamicAzadUniversity,ShabestarBranch,Shabestar,Iranamir.azimi.alasti@gmail.comMirKamalMirniaIslamicAzadUniversity,ScienceandResearchBranch,Tabriz,Iranmirnia-kam@tabrizu.ac.irAbstract—Byeverincreaseinusingcomputernetworkandinternet,usingIntrusionDetectionSystems(IDS)hasbeenmoreimportant.MainproblemsofIDSarethenumberofgeneratedalerts,alertfailureaswellasidentifyingtheattacktypeofalerts.InthispaperasystemisproposedthatusesAdaptiveNeuro-FuzzyInferenceSystemtoclassifyIDSalertsreducingfalsepositivealertsandalsoidentifyingattacktypesoftruepositiveones.BytheexperimentalresultsonDARPAKDDcup98,thesystemcanclassifyalerts,leadingareductionoffalsepositivealertsconsiderablyandidentifyingattacktypesofalertsinlowsliceoftime.IndexTerms—Intrusiondetectionsystem,alertclassification,ANFIS,falsepositivealertreductionI.INTRODUCTIONAnIntrusionDetectionSystem(IDS)isasoftwareprogramorhardwaredevicewhichmonitorscomputersystemand/ornetworkactivitiesformaliciousactivitiesandproducesalertstosecurityexperts.InIDStherearethreemajorproblemsnamelygeneratingmanyalerts,hugerateoffalsepositivealertsandunknownattacktypespergeneratedalerts.Alertmanagementmethodsareusedtomanagewiththeseproblems.Oneofthemethodsofalertmanagementisalertreductionandalertclassification[1].ThispaperproposesanewmethodtomanagethealertsusingAdaptiveNeuro-FuzzyInferenceSystem(ANFIS)[2].Presentedsystemcanclassifyalertsanddetectfalsepositivealertswithamoreaccuracythanpreviousmethods.ThissystemcanbeusedinactiveIDSsbecauseitdeterminestheattacktypewithalowsliceofclassificationtime.IntheproposedalertmanagementsystemresultsfromANFIS,apreprocessingandalertfilteringprocess,isappliedtothealertsduringtrainandtestphases.Therestofthethispaperisorganizedasfollows:Insection2relatedworksarediscussed,thesuggestedsystemforclassifyingthealertsisproposedinsection3,theexperimentalresultsareshowninsection4andfinallysection5isaconclusionandfutureworks.II.RELATEDWORKSOneofthemethodsinIDSalertmanagementtechniquesisclusteringofalerts.TheclusteringmethodbasedonformingageneralizedviewoffalsealertshasbeenintroducedbyK.Julisch[3].Thismethodisbasedondiscoveringtherootsleadingfalsepositivealerts.Julischnoticedthatasmallnumberofmainimplies90%ofalerts.Byremovingthoserootcauses,thetotalnumberofalertswillcomedownto82%.AnotherclusteringtechniqueisusedinMiradorprojectwithexpertsystemsbyCuppens.Inthismethodtheexpertsystemalgorithmdecideswhetheralertsbemergedintoacluster[4,5].GeneticalgorithmusedtoclusteringIDSalertsbyJianxinWang,etal.[6].AlsotwoclusteringUsingAdaptiveNeuro-FuzzyInferenceSysteminAlertManagementofIntrusionDetectionSystems33Copyright©2012MECSI.J.ComputerNetworkandInformationSecurity,2012,11,32-38algorithms,basedonGAandIGAarecomparedtogether[7].WangappliedGAandIGAinsteadofJulisch'sheuristicalgorithmforrootcauseclustering.MaheyzahMdSirajcomparedEM,SOM,K-meansandFCMclusteringalgorithmsonDarpa2000dataset[16].TheyshowedthatAlgorithmEMisthebestforclustering,sincethereceivedalertsbyalgorithmsarenotfiltered.Azimiet.al.introducedanotheralertmanagementsystembasedonSelf-OrganizingMaps(SOM)[8].Theproposedsystem(SOM)[8]usesseveraloperationssuchasalertfiltering,alertpreprocessingandclustermergingandcouldclusterandclassifytruepositiveandfalsepositivealertsmoreaccuratethanothertechniques.Theseoperationsimprovetheaccuracyoftheresults.OurproposedalertmanagementsystemisdesignedbasedonalertmanagementsystempresentedbyAzimiet.al.SevengeneticclusteringalgorithmsnamedGA,GKA,IGA,FGKA,GFCMA,GPCMAandGFPCMAareusedtoclusterandclassifytruepositiveandfalsepositivealerts,andthenprioritizedgeneratedclusterswithFuzzyInferenceSystem[9].Theproposedsystempresentedin[9]isverysimilartothesystemin[8]onlybythedifferenceinclusteringandclassificationmechanisms.InanotherworkLearningVectorQuantization(LVQ)algorithmisusedasaclassifierinproposedsystembyAzimiandBahbegi[17].LVQisaspecialtypeofKohonennetwork[18]canclassifytestdatasetaftertraining.Ithassomedisadvantages;oneofthemislowaccuracyrateinresultsandanotherisLVQcouldnotbeabletoidentifyattacktypeofalerts.HereweuseanalertmanagementsystemsimilartothesystemproposedbyAzimiet.al.whichusesANFIStoclassifygeneratedalertsinsteadofSOM.Themainadvantagesoftheproposedsystemareobtainingtheresultswithhigheraccuracy,identifyingtheattacktypeofalertsaccuratelyandalsoreducingthenumberoffalsepositivealertsconsiderably.III.ALERTSCLASSIFICATIONSYSTEMThestructureofproposedsystemisshowninFig.1.DARPA98dataset[10]andSnorttool[11]areu