Intrusion Detection System for ME & MCA students
7/31/2019 Intrusion Detection System for ME & MCA students
Intrusion Detection System
Part 3
1) Executive Summary
As the next step in the process of creating an intrusion detection system, this
part of the project involves not only detecting an attack but also recognizing
it as a particular type and classifying it as a known attack. The project
further involves detecting an unknown attack, if one happens to be present, as
a new attack. This unknown attack will be different from the 5 attacks that
have been pre-selected.
In this section of the project it was required to design Artificial Neural
Network (ANN) structures consisting of NNs that each detect a particular type
of attack. Based on the output of these NNs it needs to be decided whether the
given input is an attack of a known type or an unknown type and, if it is of a
known type, which one of the 5 attacks it is.
The same 5 training sets created for the 5 attacks are then used to train the
networks, starting from smaller files and moving to larger files.
After an NN structure, involving 5 different NNs each detecting a particular
attack, has been trained using a file of a particular size, it is tested with
the test file created in part 1 of the project. The testing determines how well
an NN structure is able to detect and classify an attack. The results are
calculated in terms of False Positive and False Negative ratios, based on
whether an attack is wrongly detected or wrongly not detected, and in terms of
wrong classification and correct classification. These results are then plotted
and analyzed to determine how the size of the file affects the two types of
outputs and the efficiency of the ANN structure as a whole.
2) Requirements
In this part of the project it was required to create an anomaly detection
system which not only detects an attack but also identifies it as a particular
attack and classifies it as a known or unknown attack.
In this part it was required to design an ANN structure consisting of 5
different NNs, each trained to detect a particular type of attack as in part 2
of this project, and an NN trained to detect the normal situation.
Each of the NNs in the NN structure is trained to detect a particular attack
using a file of a particular size. The outputs of these NNs are then used to
decide whether there is an attack or not and, if there is, whether it is among
the known attacks or is an unknown attack. This part is divided into 4 sections.
The first section requires the creation of a decision making algorithm that
decides whether there is an attack of a particular type or not. This algorithm
takes input from all 6 NNs mentioned above and, based on these outputs,
decides whether there is an attack or not and, if yes, of what type.
The second section requires the addition of a few unknown attack type records
to the testing sets. For each of these records, each of the NNs gives an
output, and these outputs are then given to the decision making algorithm,
which decides whether the given record is an attack of a known type or an
unknown type.
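The decision step of the first two sections and the four testing measures, as an added Python example (not the project's MATLAB code). It assumes each NN outputs a score in [0, 1], a 0.5 firing threshold, placeholder attack names, and measure definitions inferred from the wording of this report; the sample records are constructed.

```python
ATTACKS = ["attack_1", "attack_2", "attack_3", "attack_4", "attack_5"]  # placeholders
THRESHOLD = 0.5  # assumed: a detector output in [0, 1] "fires" at or above this


def decide(attack_scores, normal_score, threshold=THRESHOLD):
    """Combine the five attack-detector outputs with the normal-detector output."""
    best = max(range(len(ATTACKS)), key=lambda i: attack_scores[i])
    if attack_scores[best] >= threshold:
        return ATTACKS[best]   # assumed order: attack evidence wins over "normal"
    if normal_score >= threshold:
        return "normal"
    return "unknown"           # no detector recognises the record


def measures(records):
    """records: (attack_scores, normal_score, true_label) tuples."""
    fp = fn = wrong = right = normals = attacks = 0
    for scores, normal_score, truth in records:
        verdict = decide(scores, normal_score)
        if truth == "normal":
            normals += 1
            fp += verdict != "normal"      # normal record flagged as an attack
        else:
            attacks += 1
            if verdict == "normal":
                fn += 1                    # attack not detected
            elif verdict == truth:
                right += 1                 # detected and given the right type
            else:
                wrong += 1                 # detected but given the wrong type
    detected = max(right + wrong, 1)
    return {
        "false_positive_ratio": fp / max(normals, 1),
        "false_negative_ratio": fn / max(attacks, 1),
        "misclassification": wrong / detected,
        "right_classification": right / detected,
    }


SAMPLE = [  # constructed records, not data from the project
    ([0.9, 0.1, 0.0, 0.1, 0.0], 0.1, "attack_1"),
    ([0.2, 0.8, 0.1, 0.0, 0.1], 0.0, "attack_2"),
    ([0.1, 0.6, 0.7, 0.0, 0.0], 0.1, "attack_2"),  # two detectors fire, wrong one wins
    ([0.1, 0.2, 0.1, 0.3, 0.2], 0.1, "unknown"),   # nothing fires
    ([0.0, 0.1, 0.0, 0.1, 0.0], 0.9, "normal"),
    ([0.0, 0.1, 0.6, 0.1, 0.0], 0.8, "normal"),    # attack detector fires on normal
    ([0.1, 0.0, 0.1, 0.0, 0.1], 0.95, "normal"),
    ([0.0, 0.0, 0.1, 0.0, 0.2], 0.9, "normal"),
]
```

Calling measures(SAMPLE) returns the four measures for the constructed records; letting attack evidence override the normal detector trades extra false positives for fewer missed attacks.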
The third section involves replacing the decision making algorithm with a
special type of NN called a Competitive NN. A Competitive NN is an
unsupervised type of NN which makes its decision based on the Kohonen
learning rule. This NN takes input from all the NNs trained for a particular
attack and decides the type of attack. This section doesn't include the
records for unknown attacks.
The fourth section involves the addition of a few unknown attack type records
to the testing sets. For each of these records, each of the NNs gives an
output, and these outputs are then given to the Competitive NN, which
decides whether the given record is an attack of a known type or an unknown
type.
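A competitive layer trained with the Kohonen rule on detector outputs, as an added Python example (not the project's MATLAB code). The farthest-point initialisation, the distance radius used to call a record "unknown", the placeholder attack names and the training vectors are all assumptions or constructed data.

```python
import math
import random

ATTACKS = ["attack_1", "attack_2", "attack_3", "attack_4", "attack_5"]  # placeholders


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def winner(weights, x):
    """Competition: index of the neuron whose weight vector is closest to x."""
    return min(range(len(weights)), key=lambda i: dist(weights[i], x))


def train(samples, n_neurons, epochs=20, lr=0.1, seed=1):
    # Assumed initialisation: farthest-point picks, so no neuron starts without wins.
    weights = [list(samples[0])]
    while len(weights) < n_neurons:
        far = max(samples, key=lambda s: min(dist(s, w) for w in weights))
        weights.append(list(far))
    rng = random.Random(seed)
    for _ in range(epochs):
        for x in rng.sample(samples, len(samples)):
            w = weights[winner(weights, x)]
            for j, xj in enumerate(x):
                w[j] += lr * (xj - w[j])  # Kohonen rule: only the winner moves
    return weights


def classify(weights, labels, x, radius=0.45):
    i = winner(weights, x)
    # Assumed unknown-attack rule: record is too far from every learned prototype.
    return labels[i] if dist(weights[i], x) <= radius else "unknown"


def one_hot(k, noise=lambda: 0.0):
    """Detector-output vector for attack k: detector k near 1, the rest near 0."""
    return [1 - noise() if j == k else noise() for j in range(len(ATTACKS))]


def build(per_attack=20, seed=7):
    rng = random.Random(seed)  # constructed training data, not the project's files
    samples = [one_hot(k, lambda: rng.uniform(0, 0.2))
               for k in range(len(ATTACKS)) for _ in range(per_attack)]
    weights = train(samples, len(ATTACKS))
    # Training is unsupervised; name each neuron afterwards with one clean exemplar.
    labels = {winner(weights, one_hot(k)): ATTACKS[k] for k in range(len(ATTACKS))}
    return weights, labels
```

Because training never sees labels, the neuron-to-attack mapping is built after the fact, and the radius is the only thing separating a known attack from an unknown one.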
It was required to train the networks in the NN structure starting from
smaller training files and moving to larger files (i.e. from 10, then 20, then
40, then 60 and then 100). After the NNs have been trained using each of these
files, the structure is tested with the testing file created in part 1. Based
on the outputs of testing, four measures are calculated, i.e. false positive
ratio, false negative ratio, right classification and wrong classification.
Once all the training files have been used for training the NNs for a
particular attack and the corresponding testing results are calculated, these
ratios are then
plotted against the size of the training files and the resulting graph is
analyzed to determine how the size of the training set affects the efficiency
of the decision making algorithm or the Competitive NN in detecting and
classifying a particular attack.
These steps are then repeated for all 5 types of attack chosen earlier and the
corresponding graphs are obtained. Based on the results, conclusions are
drawn.
3) Specifications
This part of the project can be divided into 3 steps.
Design
Each of the NNs used in the NN structure has the same design architecture
as mentioned in the specification of part 2.
Training and Testing
The training process involves creating an ANN structure which has 6 NNs
(5 for particular attacks and 1 for normal condition detection). These
networks are trained with the created training files of different sizes.
Training begins with the smallest training file, i.e. 10, and the
networks are trained based on it. Once trained, the network structure is
tested with the test file using the decision making algorithm or the
Competitive NN, and the results are calculated in the form of false positive
ratio, false negative ratio, misclassification and correct classification.
The training is then repeated using the other training files in increasing
order of their size and the corresponding testing results are obtained.
The training is then repeated for the other 4 types of attack in the same
fashion and the corresponding results are obtained.
Analysis
The results obtained after testing during each of the 4 sections are then
plotted against the size of the training files. These plots are then analyzed
to determine how the efficiency of the decision making algorithm and the
competitive NN is affected in detecting and classifying a particular type
of attack as the size of the training set is gradually increased. Based on
these analyses, conclusions are drawn.
4) Implementation Structure
As mentioned before, this project is conducted using the MATLAB toolbox.
In this experiment, each training process uses an ANN structure that
consists of 6 NNs, one for each of the 5 attacks and 1 for detecting the
normal condition. These NNs are created using MATLAB commands, and each
NN structure is in a separate training .m file. These files contain input
and output variables, which hold the input and corresponding output
records for a particular training file of a particular size for a particular
type of attack. These variables are then used in the training process. A
variable TestInput is also created, which consists of the records for the
testing part. All the user needs to do is run these .m files in MATLAB. The
results are shown in the form of graph plots in separate plot files for each
experiment conducted.
Software Requirement
The given project is performed using the MATLAB software tool, hence the user
is required to have MATLAB to run the given project. No other
software is required.
5) Results and Analysis
The results obtained in this part of the experiment are shown in the
following table.

Experiment and       False Positive    False Negative   Misclassification   Right
training file size   ratio             ratio                                Classification
NN 10                8/900 = 0.008     0                .19                 .81
NN 20                24/900 = 0.026    0                .1                  .99
NN 40                80/900 = 0.08     0                .18                 .82
NN 60                21/900 = 0.023    0                0                   1
NN 100               7/900 = 0.007     0                0                   1
CNN 10               0                 0                .18                 .82
CNN 20               0                 0                0                   1
CNN 40               0                 0                0                   1
CNN 60               0                 0                0                   1
CNN 100              0                 0                0                   1
Unknown 10           39/900 = 0.043    0                .2                  .8
Unknown 20           32/900 = 0.035    0                0                   1
Unknown 40           82/900 = 0.09     0                .18                 .82
Unknown 60           53/900 = 0.058    0                0                   1
Unknown 100          52/900 = 0.057    0                0                   1
CNN Unknown 10       0                 0                .2                  .8
CNN Unknown 20       0                 0                0                   1
CNN Unknown 40       0                 0                0                   1
CNN Unknown 60       0                 0                0                   1
CNN Unknown 100      0                 0                0                   1
The following screenshot shows the graph of False Positive, False Negative,
misclassification and correct classification against file size for part A,
which involves the decision making algorithm without unknown attack
records added to the test file.
Analysis
The given graph shows that the false positive ratio, in the blue line,
gradually reduces to zero as the size of the training file increases. The
false negative ratio, in the green line, remains zero throughout, which shows
that all the attacks were detected. The red line shows misclassification of
attacks, which remains below .2 and eventually drops to zero for higher sizes.
Similarly, correct classification, shown in light blue, remains high and
finally reaches 100 percent for higher sizes. Overall the graph shows good
results and thus the decision making algorithm seems quite efficient.
The following screenshot shows the graph of False Positive, False Negative,
misclassification and correct classification against file size for part B,
which involves the decision making algorithm with unknown attack records
added to the test file.
Analysis
The graph shows that the false positive ratio, in the blue line, remains
almost constant and very low. The false negative ratio, in the red line,
remains zero throughout. Misclassification, in light blue, initially shows
some ups and downs and finally drops to zero for higher sizes. Correct
classification, conversely to misclassification, remains high, higher than .8,
and finally becomes 100 percent. The errors present in this experiment show
some fluctuation but they are always very low, hence the decision making
algorithm and thus the experiment seem to be good and satisfactory.
The following screenshot shows the graph of False Positive, False Negative,
misclassification and correct classification against file size for part A,
which involves the Competitive network without unknown attack records
added to the test file.
Analysis
The given graph shows pretty good results. The False Positive and False
Negative ratios are 0 throughout. Misclassification drops to zero from size 20
and, similarly, Right Classification reaches 100 percent from size 20.
Overall the result is good and the CNN is able to classify attacks
efficiently.
The following screenshot shows the graph of False Positive, False Negative,
misclassification and correct classification against file size for part A,
which involves the Competitive network with unknown attack records added
to the test file.
Analysis
The graph also shows good results, with false positive and false negative
zero throughout, while misclassification drops to zero after size 20 and
right classification reaches 100 percent after size 20. Overall the results
are good, thus the CNN was able to detect and classify correctly to a very
good result.
6) Comparison between Decision making algorithm and CNN
From the results, it can be seen that both methods of classification
result in a satisfactory outcome. Both are able to detect and classify
attacks almost completely without error. Certain variations exist with
files of smaller sizes. When these two methods are compared to each
other, the CNN method shows better results than the decision making algorithm.
But this cannot be said for larger test files.