Intrusion Detection System for ME & MCA students

7/31/2019 Intrusion Detection System for ME & MCA students

1/10

Intrusion Detection System

Part 3

1) Executive SummaryAs the next step in the process of creating an Intrusion detection system, this

part of the project involves not only detection of an attack but also it need to

be recognized as a particular type and need to be classified as known attack.

Further the project involves detection of an unknown attack, if it happens to

be present, as a new attack. This unknown attack will be different than those

5 attacks that have been pre-selected.In this section of the project it was required to design Artificial Neural

Network structures which will consist of NNs detecting a particular type of

attack. Based on the output of these NNs it need to be decided whether the

given input is an attack of known type or unknown type. If it is of known

type then which one of those 5 attacks.

Same 5 different training sets created for each of the 5 attacks will then be

used to train the networks starting from smaller size files to larger size files.

After training a NN structure, involving 5 different NNs detecting a

particular attack, using a particular size file, it is then tested based on the test

file created in part 1 of the project. The testing will determine how well a

NN structure is able to detect and classify an attack and the results is

calculated in terms of False Positive and False Negative ratios based on

whether an attack is wrongly detected or wrongly not detected and wrongly

classified and correctly classified respectively. These results are then plotted

and analyzed to determine how the size of the file affects the two types of

outputs and the efficiency of the ANN structure as a whole.

2) RequirementsIn this part of the project it was required to create an anomaly detection

system which will not only detect an attack but also identify as particular

attack and also classify it as known or unknown attack.


2/10

In the part it was required to design an ANN structure that will consist of 5

different NN trained to detect particular type of attack as in part 2 of this

project and a NN trained to detect normal situation.

Each of the NNs in the NN structure is trained to detect particular attack

using particular size file. The output of these NNs will then be used to

decide whether its an attack or not. If its an attack then whether it is among

known attack or its an unknown attack. This part is divided into 4 sections.

First section requires creation of a decision making algorithm that will

decide whether there is of particular type of attack or not. This algorithm

takes input from all the 6 NNs mentioned above and based on these outputs

decide whether it is an attack or not, if yes then what type.

Second section requires addition of few unknown attack type records in the

testing sets. For each of these records, each of the NNs will give an outputand these outputs is then given to the decision making algorithm which will

then decide whether the given record is an attack of known type or unknown

type.

Third section involves replacement of decision making algorithm with a

special type of NN called Competitive NN. Competitive NN is an

unsupervised type of NN which makes the decision based on Kohonen

learning rule. This NN will take input from all the NN trained for particular

attack and decide the type attack. This section doesnt include the records for

unknown attack.

Fourth section involves addition of few unknown attack type records in the

testing sets. For each of these records, each of the NNs will give an output

and these outputs is then given to the Competitive NN which will then

decide whether the given record is an attack of known type or unknown

type.

It was required to train the networks in the NN structure starting from

smaller size training files to larger size files (i.e from 10 then 20 then 40then 60 and then 100). After training the NNs using each of these file it is

then tested with the testing file created in part 1. Based on the outputs of

testing, four measures are calculated ie false positive ratio, false negative

ratio, right classification and wron classification.

Once all the training files are been used for training the NNs for a particular

attack and corresponding testing results are calculated these ratios are then


3/10

plotted against the size of the training files and the resulting graph analyzed

to determine how the size of the training set affect the efficiency of the

decision making algorithm or the Competitive NN in detecting and

classifying a particular attack.

These steps are then repeated for all the 5 types of attack chosen earlier and

corresponding graphs are obtained. Based on the results conclusions are

drawn.

3) SpecificationsThis part of the project can be divided into 3 steps

DesignEach of the NN used in NN structure have the same design architecture

as mentioned in specification of part 2.

Training and TestingTraining process involve creating ANN structure which will have 6 NNs

(5 for particular attack and 1 for normal condition detection). These

networks are trained with the created training files of different sizes.

Training is begun by using the smallest size training file i.e 10 and the

networks are trained based on it. Once trained, the network structure is

then tested based on the test file using decision making algorithm or

Competitive NN and results are calculated in the form of false positive

ratio, false negative ratio, misclassification and correct classification.

Then the training is repeated using other training files in increasing order

of their size and corresponding testing results are obtained.

Then the training is repeated for other 4 types of attack in the same

fashion and corresponding results are obtained.

AnalysisThe results obtained after testing during each of the 4 sections, are then

plotted against the size of the training files. These plots are then analyzed

to determine how the efficiency of the decision making algorithm and

competitive NN get affected in detecting and classifying a particular type


4/10

of attack as the size of the training set is gradually increased. Based on

these analyses, conclusions are drawn.

4) Implementation StructureAs mentioned before this project is conducted using MATLAB toolbox.

In this experiment, for each training process an ANN structure that will

consist of 6 NNs, 5 for each 5 attacks and 1 for detecting normal

condition. These NNs are created using MATLAB commands and each

NN structure is in a separate training .m files. These files consist of input

and output variables which include the input and corresponding output

records for a particular training file of particular size for a particular type

of attack. These variables are the used in the training process. A variable

TestInputis also created which consist of records for the testing part. Allthe user need to do is to run these .m files in MATLAB. The results are

shown in the form of graph plots in separate plot files for each of the

experiment conducted.

Software RequirementThe given project is performed using MATLAB software tool hence user

is required to have MATLAB software to run the given project. No other

software is required.

5) Results and AnalysisThe results obtained in this part of the experiment are shown in the

following table

False Positive

ratio

False Negative

ratio

Misclassification Right

Classification

NN 10 8/900 =0.008 0 .19 .81

NN 20 24/900=0.026 0 .1 .99NN 40 80/900 = 0.08 0 .18 .82

NN 60 21/900 =0.023 0 0 1

NN 100 7/900=0.007 0 0 1

CNN 10 0 0 .18 .82

CNN 20 0 0 0 1

CNN 40 0 0 0 1


5/10

CNN 60 0 0 0 1

CNN 100 0 0 0 1

Unknown 10 39/900 = 0.043 0 .2 .8

Unknown 20 32/900 = 0.035 0 0 1

Unknown 40 82/900 = 0.09 0 .18 .82Unknown 60 53/900 = 0.058 0 0 1

Unknown 100 52/900 = 0.057 0 0 1

CNN Unknown

10

0 0 .2 .8

CNN Unknown

20

0 0 0 1

CNN Unknown

40

0 0 0 1

CNN Unknown

60

0 0 0 1

CNN Unknown

100

0 0 0 1


6/10

Following screenshot shows the graph of False Positive, False Negative

misclassification and correct classification against file size for part A

which involves decision making algorithm without unknown attack

records added in test file.

Analysis

The given graph shows that false positive ratio in blue line gradually

reduces to zero as size of training file increases. False negative in green

line remains zero throughout which shows all the attacks got detected.

Red line shows misclassification of attack which remains below .2 and

eventually drops to zero for higher sizes. Similarly correct classification

shown in light blue remains high and finally reaches 100 percent for

higher sizes. Overall graph shows good results and thus decision making

algorithm seems quite efficient.


7/10


misclassification and correct classification against file size for part B

which involves decision making algorithm with unknown attack records

added in test file.

AnalysisThe graph show that false positive ratio in blue line remain almost

constant and very low. False negative in red line remain zero throughout.

Misclassification in light blue, initially show some ups and down finally

drops to zero for higher sizes. Correct classification in converse to

misclassification remain high, higher that .8 and finally become 100

percent. The errors present in this experiment show some fluctuation but

they are always very low hence the decision making algorithm and thus

the experiment seems to be good and satisfactory.


8/10



which involves Competitive network without unknown attack records

added in test file.

AnalysisThe given graph pretty good results. False positive and False Negative

ratios are 0 throughout. Misclassification drop to zero from size 20

similarly Right Classification also reaches 100 percent from size 20.

Overall the result is good and the CNN is able to classify attack

efficiently.


9/10



which involves Competitive network with unknown attack records added

in test file.

Analysis

The graph also shows good results with false positive and false negativezero throughout while misclassification drops to zero after size 20 and

right classification reaches 100 percent after size 20. Overall good results

thus the CNN was able to detect and classify correctly to a very good

result.

6)Comparison between Decision making algorithm and CNNSeeing the results, it can be seen that both the methods of classification

results into satisfactory outcome. Both are able to detect and classify

attacks almost completely without an error. Certain variations exist with

files of smaller sizes. When these two methods are compared to each

other CNN method shows better results than decision making algorithm.

But this cannot be said for larger test files.


10/10

Intrusion Detection System for ME & MCA students

Documents

Transcript of Intrusion Detection System for ME & MCA students