JIS  Vol.3 No.4 , October 2012
Category-Based Intrusion Detection Using PCA
ABSTRACT
Existing Intrusion Detection Systems (IDS) examine all the network features to detect intrusion or misuse patterns. In feature-based intrusion detection, some selected features may found to be redundant, useless or less important than the rest. This paper proposes a category-based selection of effective parameters for intrusion detection using Principal Components Analysis (PCA). In this paper, 32 basic features from TCP/IP header, and 116 derived features from TCP dump are selected in a network traffic dataset. Attacks are categorized in four groups, Denial of Service (DoS), Remote to User attack (R2L), Remote to User attack (U2R) and Probing attack. TCP dump from DARPA 1998 dataset is used in the experiments as the selected dataset. PCA method is used to determine an optimal feature set to make the detection process faster. Experimental results show that feature reduction can improve detection rate for the category-based detection approach while maintaining the detection accuracy within an acceptable range. In this paper KNN classification method is used for the classification of the attacks. Experimental results show that feature reduction will significantly speed up the train and the testing periods for identification of the intrusion attempts.

Cite this paper
G. Reza Zargar and T. Baghaie, "Category-Based Intrusion Detection Using PCA," Journal of Information Security, Vol. 3 No. 4, 2012, pp. 259-271. doi: 10.4236/jis.2012.34033.
References
[1]   A.-B. Amparo, S.-M. Noelia, M. C.-F. Félix, A. S.-R. Juan and P.-S. Beatriz, “Classification of Computer Intrusions Using Functional Networks. A Comparative Study,” Proceedings of European Symposium on Artificial Neural Networks (ESANN), Bruges, 25-27 April 2007, pp. 579-584.

[2]   R. Heady, G. Luger, A. Maccabe and M. Servilla, “The Architecture of a Network Level Intrusion Detection System,” Technical Report, University of New Mexico, Albuquerque, 1990.

[3]   K. Ilgun, R. A. Kemmerer and P. A. Porras, “State Transition Analysis: A Rule-Based Intrusion Detection Approach,” IEEE Transaction on Software Engineering, Vol. 21, No. 3, 1995, pp. 181-199.

[4]   I. Guyon and A. Elisseeff, “An Introduction to Variable and Feature Selection,” Journal of Machine Learning Research, Vol. 3, No. , 2003, pp. 1157-1182.

[5]   T. S. Chou, K. K. Yen and J. Luo, “Network Intrusion Detection Design Using Feature Selection of Soft Computing Paradigms,” International Journal of Computational Intelligence, Vol. 4, No. 3, 2008, pp. 196-208.

[6]   G. Zargar and P. Kabiri, “Identification of Effective Network Feature for Probing Attack Detection,” Proceedings of First International Conference on Network Digital Technologies, July 2009, pp. 405-410.

[7]   S. Chebrolu, A. Abraham and J. Thomas, “Feature Deduction and Ensemble Design of Intrusion Detection Systems,” Computers and Security, Elsevier Science, Vol. 24, No. 4, 2005, pp. 295-307.

[8]   A. H. Sung and S. Mukkamala, “Identifying Important Features for Intrusion Detection Using Support Vector Machines and Neural Networks,” Proceedings of International Symposium on Applications and the Internet (SAINT), 2003, pp. 209-216.

[9]   R. Agrawal, J. Gehrke, D. Gunopulos and P. Raghavan, “Automatic Subspace Clustering of High Dimensional Data for Data Mining applications,” Proceedings of Acmsigmod International Conference on Management of Data, Seattle, 1998, pp. 94-105.

[10]   M. F. Abdollah, A. H. Yaacob, S. Sahib, I. Mohamad and M. F. Iskandar, “Revealing the Influence of Feature Selection for Fast Attack Detection,” International Journal of Computer Science and Network Security, Vol. 8, No. 8, August 2008, pp. 107-115.

[11]   B. Chakraborty, "Feature Subset Selection by Neuro-Rough Hybridization," Lecture Notes in Computer Science (LNCS), Springer, Hiedelberg, 2005.

[12]   S. Mukkamala, A. H. Sung and A. Abraham, “Modeling Intrusion Detection Systems Using Linear Genetic Programming Approach,” Lecture Notes in Computer Science (LNCS), Springer, Hiedelberg, 2004.

[13]   Sung, A. H. and S. Mukkamala, “The Feature Selection and Intrusion Detection Problems,” Lecture Notes in Computer Science (LNCS), Springer, Hieldelberg, 2004.

[14]   A. Abraham and R. Jain, “Soft Computing Models for Network Intrusion Detection Systems,” Springer, Hiedelberg, 2004.

[15]   A. Abraham, C. Grosan and C. M. Vide, “Evolutionary Design of Intrusion Detection Programs,” International Journal of Network Security, Vol. 4, No. 3, 2007, pp. 328-339.

[16]   C. Boutsidis, M. W. Mahoney and P. Drineas, “Unsupervised Feature Selection for Principal Components Analysis,” Proceedings of the 14th ACM Sigkdd International Conference on Knowledge Discovery and Data Mining, Las Vegas, 2008, pp. 61-69.

[17]   W. Wang and R. Battiti, “Identifying Intrusions in Computer Networks Based on Principal Component Analysis,” 2009. http://eprints.biblio.unitn.it/archive/00000917/

[18]   R. D. Jain and J. Mao, “Statistical Pattern Recognition: A Review,” IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 22, No. 1, 2000, pp. 4-37.

[19]   M. Turk and A. Pentland, “Eigenfaces for Recognition,” Journal of Cognitive Neuroscience, Vol. 3, No. 1, 1991, pp. 71-86.

[20]   K. Ohba and K. Ikeuchi, “Detectability, Uniqueness, and Reliability of Eigen Windows for Stable Verification of Partially Occluded Objects,” IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 19, No. 9, 1997, pp. 1043-1048.

[21]   H. Murase and S. Nayar, “Visual Learning and Recognition of 3D Objects from Appearance,” International Journal of Computer Vision, Vol. 14, 1995, pp. 5-24.

[22]   Y. Song, J. Huang, D. Zhou, H. Y. Zha and C. L. Giles, “IKNN: Informative K-Nearest Neighbor Classification,” Springer Verlag, Hieldelberg, 2007.

[23]   D. Hand, H. Mannila and P. Smyth, “Principles of Data Mining,” MIT Press, Cambridge, 2001.

[24]   D. T. Larose, “Discovering Knowledge in Data: An Introduction to Data Mining,” John Wiley and Sons Ltd., Chichester, 2005.

[25]   2009. http://support.microsoft.com/kb/172983

[26]   2009. http://www.Tcpdump.org MIT Lincoln Laboratory, 2009. http://www.ll.mit.edu/IST/ideval/

[27]   MIT Lincoln Laboratory, Information Systems Techno- logy Group, “The 1998 Intrusion Detection Off-Line Evaluation Plan,” 1998. http://www.11.mit.edu/IST/ideval/docs/1998/id98-eval-11.txt

[28]   2009. http://www.wireshark.org

[29]   2009. http://www.Tcptrace.org

[30]   2009. http://www.wireshark.org/docs/man-pages/editcap.html

[31]   G. R. Zargar and P. Kabiri, “Category-Based Selection of Effective Parameters for Intrusion Detection,” International Journal of Computer Science and Network Security (IJCSNS), Vol. 9, No. 9, 2009.

[32]   A. S. Vasilios and P. Fotini, “Application of Anomaly Detection Algorithms for Detecting SYN Flooding Attacks,” Proceedings of IEEE Globecom, 2004, pp. 2050-2054.

[33]   A.-B. Amparo, S.-M. Noelia, M. C.-F. Félix, A. S.-R. Juan and P.-S. Beatriz, “Classification of Computer Intrusions Using Functional Networks. A Comparative Study,” Proceedings—European Symposium on Artificial Neural Networks, Bruges, 2007, pp. 579-584.

[34]   A. Hassanzadeh and B. Sadeghian, “Intrusion Detection with Data Correlation Relation Graph,” 3rd International Conference on Availability, Reliability and Security (ARES 08), 2008, pp. 982-989.

[35]   L. Christopher, I. Schuba, V. Krsul et al., “Analysis of a Denial of Service Attack on TCP,” Proceedings of the IEEE Symposium on Security and Privacy, 1997, pp. 208-223.

[36]   N. B. Anuar, H. Sallehudin, A. Gani and O. Zakaria, “Identifying False Alarm for Network Intrusion Detection System Using Hybrid Data Mining and Decision Tree,” Malaysian Journal of Computer Science, Vol. 21, No. 2, 2008, pp. 110-115.

[37]   W. Lee, “A Data Mining Framework for Constructing Feature and Model for Intrusion Detection System,” Ph.D. Thesis, University of Columbia, New York, 1999.

[38]   W. Lee, S. J. Stolfo and K. W. Mok, “A Data Mining Framework for Building Intrusion Detection Models,” IEEE Symposium on Security and Privacy, 1999, pp. 120-132.

[39]   G. R. Zargar and P. Kabiri, “Selection of Effective Network Parameters in Attacks for Intrusion Detection,” Lecture Notes in Computer Science (LNCS), Springer, Berlin, 2010.

[40]   G. R. Zargar and P. Kabiri, “Identification of Effective Optimal Network Feature Set for Probing Attack Detection Using PCA Method,” International Journal of Web Application (IJWA), Vol. 2, No. 3, 2010.

 
 
Top