Conventional intrusion detection methods in the field of computer security are anomaly detection and misuse detection – the former suffers from high false alarm rates, while the latter lacks generalization capability and cannot detect new attack types. Pattern recognition techniques have been found to strike a fine balance in this trade-off.
The goal of this work is thus to develop an effective classification algorithm for intrusion detection that uses pattern recognition techniques to incorporate the following capabilities in the classification system:
Data Fusion: Computer security experts often combine attack evidence from different sources to code attack signatures. The goal of this work is to mimic this so that a classification system can combine information from multiple feature sets and make more reliable classification decisions than using any of the individual sources of information alone.
Adaptive Learning: Network conditions are known to vary with time, as different attack types surface and as network usage patterns change. In order to maintain accurate intrusion detection, the classification system would have to evolve with the evolving environment. The goal is to incorporate such adaptability capabilities in a classification system.
Cost Minimization: The costs associated with the different types of errors in intrusion detection are different. The goal of this work is to use statistical methods to gear the classification system towards minimizing the overall cost instead of minimizing the error rate. [SSP 2007 paper]
Posterior Probabilities Estimation: In order to combine classifiers effectively, it is important to transform their outputs to comparable grounds. The goal is to develop a transform that obtains better estimates of the posterior probabilities from the outputs of multi-layer perceptron neural networks than other conventionally used methods. This would provide better classification rates, more effective classifier combination rules, and a means to incorporate the different costs of the errors involved. [ICASSP 2008 paper]
Thorough statistical analysis of the data used is to be performed for feature selection purposes and to ensure reliable results.
Ongoing work involves integrating these different aspects to develop a complete algorithm for adaptively evolving intrusion detection that exploits the ensemble of classifiers approach to achieve effective intrusion detection that combines information from multiple sources and is tuned towards minimizing the cost of the errors.
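The following is an added illustration of two of the capabilities described above, data fusion and cost minimization; it is not the project's own dCMS or dtransform code, and the class labels, the two per-source posterior vectors and the cost matrix are constructed for the example. It fuses the posterior probabilities produced by two feature-set classifiers with the standard product or sum rule, then compares the minimum-error decision (most probable class) with the minimum-expected-cost decision under a cost matrix in which a missed attack is far more expensive than a false alarm.

```python
"""Classifier fusion and cost-sensitive decisions for intrusion detection.

Added example: a generic Bayes minimum-expected-cost rule over fused posteriors,
not the dCMS / dtransform methods of the papers this page cites.
"""
import numpy as np

# Constructed label set: one benign class and three attack families.
CLASSES = ["normal", "dos", "probe", "r2l"]

# Constructed cost matrix, COST[true][decided]. Correct decisions cost 0,
# a false alarm (true normal, decided attack) costs 1, and missing an attack
# (true attack, decided normal) costs 5-10 depending on the attack class.
COST = np.array([
    [0.0,  1.0, 1.0, 1.0],   # true normal
    [10.0, 0.0, 2.0, 2.0],   # true dos
    [5.0,  2.0, 0.0, 2.0],   # true probe
    [8.0,  2.0, 2.0, 0.0],   # true r2l
])

# Constructed posteriors for one connection from two separate feature-set
# classifiers (e.g. one trained on traffic features, one on content features).
SOURCE_A = [0.55, 0.35, 0.05, 0.05]
SOURCE_B = [0.60, 0.20, 0.10, 0.10]
# Constructed posterior for a connection both sources consider clearly benign.
CONFIDENT_NORMAL = [0.97, 0.01, 0.01, 0.01]


def fuse_posteriors(posteriors, rule="product"):
    """Combine posterior vectors from several sources into one distribution.

    'product' treats the sources as conditionally independent (multiplies
    class-wise and renormalises); 'sum' averages them. Both return a vector
    that sums to 1.
    """
    stack = np.vstack([np.asarray(p, dtype=float) for p in posteriors])
    if rule == "product":
        fused = np.prod(stack, axis=0)
    elif rule == "sum":
        fused = np.mean(stack, axis=0)
    else:
        raise ValueError(f"unknown fusion rule: {rule}")
    return fused / fused.sum()


def expected_costs(posterior, cost=COST):
    """Expected cost of deciding each class j: sum_i P(i|x) * cost[i][j]."""
    return np.asarray(posterior, dtype=float) @ cost


def decide_min_error(posterior):
    """Minimum error-rate rule: pick the most probable class."""
    return CLASSES[int(np.argmax(np.asarray(posterior, dtype=float)))]


def decide_min_cost(posterior, cost=COST):
    """Minimum expected-cost rule: pick the class whose decision costs least."""
    return CLASSES[int(np.argmin(expected_costs(posterior, cost)))]


def demo():
    """Show where the two decision rules disagree on the constructed sample."""
    fused = fuse_posteriors([SOURCE_A, SOURCE_B])
    print("fused posterior:", np.round(fused, 3))
    print("expected costs :", np.round(expected_costs(fused), 3))
    print("min-error decision:", decide_min_error(fused))
    print("min-cost decision :", decide_min_cost(fused))
    print("confidently benign, min-cost:", decide_min_cost(CONFIDENT_NORMAL))


if __name__ == "__main__":
    demo()
```

On the constructed sample both sources put most of the mass on "normal", so the minimum-error rule passes the connection, but the fused posterior still leaves about 17% on "dos"; with a missed DoS costing ten times a false alarm, the expected cost of deciding "normal" (about 1.87) exceeds that of deciding "dos" (about 0.85), so the cost-sensitive rule raises an alert. The confidently benign sample shows the same rule does not simply flag everything: there the cheapest decision remains "normal".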
We work with the DARPA/MIT KDD database. Details about the approaches used and results obtained for these different tasks can be found in the related publications below.
D. Parikh and T. Chen. Data Fusion and Cost Minimization for Intrusion Detection. IEEE Transactions on Information Forensics and Security, Special Issue on Statistical Methods for Network Security and Forensics, August 2008.
D. Parikh and T. Chen. Bringing Diverse Classifiers to Common Grounds: dtransform. International Conference on Acoustics, Speech, and Signal Processing (ICASSP), 2008 [oral presentation].
D. Parikh and T. Chen. Classification-Error Cost Minimization Strategy: dCMS. IEEE Statistical Signal Processing Workshop, 2007 [poster presentation].
The following are other documents that contain further details about certain aspects of the project:
Report (December 2005) providing details about the entire approach and results obtained
Presentation providing a high-level overview of the system
The work is sponsored by the Institute for Information Industry (III), Taiwan.
Any suggestions or comments are welcome. Please send them to Devi Parikh