The Effects of Combined Application of SOM, ANFIS and Subtractive Clustering in Detecting

Intrusions in Computer Networks Dr.Sc Zikrija Avdagić

Computer Science Department Faculty of Electrical Engineering

Zmaja od Bosne bb., Kampus 71 000 Sarajevo, Bosnia and Herzegovina

Phone: + 387 33 250 737 Fax: + 387 33 250 725

E-mail: zikrija.avdagic@etf.unsa.ba

M.Sc Admir MidžićIT Services Monitoring and Security Department

Join Stock Company BH Telecom Sarajevo Obala Kulina banSa 8, 71 000 Sarajevo, Bosnia and Herzegovina

Phone: + 387 37 229 929 Fax: + 387 33 776 403

E-mail: admir.midzic@bhtelecom.ba

Abstract - Building a system for the detection and prevention of intrusions into computer networks is a major challenge. Huge amounts of network traffic that process these systems are characterized by diversity and the data are described by a number of attributes. In addition, input data are often changing in a relatively short period of time,creating a completely new traffic patterns. This significantly complicates the identification of potentially unwanted network traffic. The aim of this paper is to present and analyze the effects of combined application of Self Organizing Map (SOM), Adaptive Neuro Fuzzy Inference System (ANFIS), Subtractive Clustering (SC) and Voting Mechanism (VM) in building systems for intrusion detection in computer networks in order to maintain an acceptable level of efficiency of data processing and increased system adaptivity.

Keywords: Self Organizing Map, Adaptive Neuro Fuzzy Inference System, Subtractive Clustering, Voting Mechanism, Intrusion Detection and Prevention.

I. INTRODUCTION

The development of information technology in the field of processing, collection and distribution of data is further accelerated by the needs of modern business.Modern business is increasingly based on various forms of electronic commerce, which is further stimulated by the expansion of the Internet. This way of doing business brings new risks to the security of information systems.New threats appear daily by individuals and organizations who attack and abuse information systems. Accordingly, for the achievement of business goals of the company it is essential to ensure the availability and proper functioning of computer networks and to ensure that information

systems are provided with information when they are needed. This creates the conditions for proper decision-making at all levels of management and decision-making system. One of the main requirements for the designers of computer networks in the past was to enable their fast and efficient work. One of the main objectives today is to prevent intrusions into computer networks through preventive action, or detect them when they happened.There is a trend in the world to theoretically and practically explore ways of detecting and preventing intrusions in computer networks [3]. The research in this paper is based on the use of SOM (neural network based on competitive learning), ANFIS, SC and VM in process of intrusion detection in computer networks. This paper is organized as follows. Section II presents related work in past several years. Section III presents data set that was used for system development, training and testing. Section IV present architecture of system describing its components using block diagrams and mathematical expressions. Section V presents proposed algorithm and reasons for combining SOM, ANFIS and SC. Section VIpresents and discuss experimental result of algorithm execution. Section VII concludes the paper.

II. RELATED WORK

The researchers have been widely used SOM for data clustering [4]. However, SOM have some drawbacks. For instance, the network architecture of SOM has to be established in advance and it requires knowledge about the problem domain [5]. That kind of knowledge is difficult to achieve, especially with data of high dimensionality as it is case with intrusion detection and prevention data set [3]. Moreover, the hierarchical relations among input data are difficult to represent.

MIPRO 2014, 26-30 May 2014, Opatija, Croatia

1435

Several dynamic algorithms were proposed to overcome those drawbacks. The growing hierarchical SOM (GHSOM) is one algorithm that tries to face these problems. It is an neural network which consists of independent growing SOM arranged in layers [7]. The next is Enhanced Dynamic SOM (EDSOM). EDSOM is based on GHSOM. It is a dynamic node growth structure, but instead of using rectangular grid, a closed circle structure is applied for outpout node structure [6]. A Large Scale Memory Storage and Retrieval (LAMSTAR) network is another approach that is used for intrusion detection by combining SOM modules and statistical decision tools. It was specifically developed for application problems involving very large memory that relates to many different attributes [5]. The logistic regression model is used for data analysis concerned with describing the relationship between a response variable and one or more predictor variables. A logistic regression model with a binary response variable is a particular case of the general multinomial logistic regression model. Its dependent variable can have more than two choices that are coded categorically and in that case, one of the categories is taken as the reference category. A study on KDD CUP 99 that was published [3] identified predictors that are statistically significantly associated with the response variable.

III. KDD CUP 99 DATASET

Comparing various Intrusion Detection Systems (IDS) is extremely difficult because it is hard to find publicly avaliable data set. Fear of violating privacy is one of the main reasons why most companies are unwilling to provide their data to other institutions. Even if some of those data are available, it is very difficult to denote data as normal or as those signifying attack, since this would require the participation of a large number of experts in this area, and also a significant amount of time. Constant changes of network traffic include also new types of cyber attacks. It also brings a new definition of "normal" behavior. Because of that, it is no surprise that only a small number of shared data sets are available. IDS researchers have mostly used the KDD CUP 99 dataset in their work, thus the same data set was used in this research. It is composed of basic attributes, such as connection duration, protocol type, service type, status indicator, total bytes sent, total bytes received, whether the source and target address are same or not, number of wrong fragments, and number of urgent packages. In addition to these attributes, each connection is described by further thirty-two attributes that may be classified into the following three categories: contents attributes, time-based traffic attributes and host traffic based attributes. Each entry is composed of forty-one attributes plus target value. The target value represents the type of attack. The number of records was 4898430. 972780 records represented normal traffic, and the remaining records were attacks, with the following distribution: DoS (Denial of Service) 3883370, testing 41102, compromising attacks 1178 with 52 in relation to U2R (User to Root), and 1126 R2L (Root to Local). Duplicate records were removed from the dataset. After deleting

duplicate records, the traffic was distributed as it is shown in Table 1.

TABLE 1. AN OVERVIEW OF TRAFFIC DISTRIBUTION

TRAFFIC records percentage records percentagenormal 812813 75,611 60593 19,481probe 13860 1,289 4166 1,339DoS 247267 23,002 229853 73,901U2R 52 0,005 228 0,0733R2l 999 0,093 16189 5,205

Total: 1074991 100 311029 100

Most of classification methods are not able to process the data in such a format. It is therefore necessary to perform pre-processing the data into a format acceptable by the classification algorithms. Examples of records from the KDD CUP 99 data set before pre-processing of data are as follows:

a) 0 tcp other S0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 130 13 1.00 1.00 0.00 0.00 0.10 0.05 0.00 255 13 0.05 0.05 0.00 0.00 1.00 1.00 0.00 0.00 neptune.

b) 0 udp private SF 105 147 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0.00 0.00 0.00 0.00 1.00 0.00 0.00 255 253 0.99 0.01 0.00 0.00 0.00 0.00 0.00 0.00 normal.

For the purposes of this research attributes that describe each record used in the training and test data are labeled with the following symbols: A1, A2, A3, A4, A5, A6, A7, A8, A9, A10, A11, A12, A13, A14, A15, A16, A17, A18, A19, A20, A21, A22, A23, A24, A25, A26, A27, A28, A29, A30, A31, A32,A33, A34, A35, A36, A37, A38, A39, A40, A41, A42 a refer to the value of: DURATION,PROTOCOL TYPE, SERVICE, FLAG, SRC BYTES,DST BYTES, LAND, WRONG FRAGMENT,URGENT, HOT, NUM FAILED LOGINS, LOGGED IN, NUM COMPROMISED, ROOT SHELL, SU ATTEMPTED, NUM ROOT, NUM FILE CREATIONS,NUM SHELLS, NUM ACCESS FILES, NUM OUTBOUND CMDS, IS HOST LOGIN, IS GUEST LOGIN, COUNT, SRV COUNT, SERROR RATE, SRV SERROR RATE, RERROR RATE, SRV RERROR RATE, SAME SRV RATE, DIFF SRV RATE, SRV DIFF HOST RATE, DST HOST COUNT, DST HOST SRV COUNT, DST HOST SAME SRV RATE, DST HOST DIFF SRV RATE, DST HOST SAME SRC PORT RATE, DST HOST SRV DIFF HOST RATE, DST HOST SERROR RATE, DST HOST SRV SERROR RATE, DST HOST RERROR RATE, DST HOST SRV RERROR RATE and ATTACK TYPErespectively.

IV. SYSTEM ARCHITECTURE

Building a system that is used in this work was being done in phases using multiple components (Fig. 1). Each component has its own role and responsibilities in process of intrusion detection in computer networks. Components are as follows:

1) Component for data pre-processing 2) Component for forming a training and test data

sets

1436

3) Compoment for data attribute selection (SC Voting Mechanism)

4) ANFIS component 5) SOM component

Figure 1. System architecture

Purpose of the component for data pre-processing is to prepare input data (training and test data set) for next component. This activity is performed in a manner to carry out the conversion of the symbolic value into numerical data and it is necessery to perform normalization on it (Fig. 2). This means that it is necessary to perform data pre-processing to obtain a format acceptable to classification algorithms [2]. Symbol attributes, such as the attack type (twenty-three symbols), protocol type (three symbols), service (seventy symbols), and flag (eleven symbols) are expressed as numeric values (whole numbers) with the range of (0-(N-1)), where N is the number of symbols. Each of the symbols thus expressed were scaled linearly into the following range: [0.0,1.0] using following equation:

B = A / max (A) (1)

where A is original symbol value, and B is the result of scaling. Then, all attributes with whole number fields, with a narrow value range were scaled linearly into [0,1] interval. It was not necessary to scale the remaining attributes, that are Boolean, or within the [0,1] range. Attributes with the wide vale range (0-1.3 billion) were scaled logarithmically:

B = 9.14 x log (A) / log (max (A)) (2)

Figure 2. Training and testing data set conversion, normalisation and scalling

The fact that processing of data (the training and test data sets) is time and performance consuming process [4],

it was challenge to made component of the system for forming a training and test data sets [5]. The objective of this component is to form smaller groups of training and test data sets (Fig. 3, and 4.), which are used in the construction of the system and later testing. The number and size of these data sets is determined based on the following steps:

- number of rows = size of training and test matrix

- random chosen rows= permutation (number of rows) (3)

- training and test matrix = random chosen rows (1:1000);

Figure 3. Building training data set group

Figure 4. Building test data set group

Component for data attribute selection for each attribute of the input training data sets using the SC determines whether the attribute should participate in building the ANFIS module. The criterion according to which selection of attribute is done is the number of clusters. If the number of clusters for the attributes in the input training data is greater than one, then that attribute will participate in the construction of the module (Fig. 5).Otherwise, the attribute is not taken into consideration.

Figure 5. SC voting mechanism

Thus, for the selected training data sets attributes verifiyng is done using SC Voting Mechanism, according to previously described condition.

KDD CUP 99 DS Component for data pre-processing

Component for forming a

training and test data sets

Compoment for data attribute

selection (VM)ANFIS component SOM

component

KDD CUP 99 DS

data conversion, normalisation and scaling

TRAINING DATASET TD

TEST DATASET TSD

TRD

TDS1 TDS2 ... TDSn TRN

TSD

TSD1

TDS

SC VOTING MECHANISM (number of cluster >1)

TR

1437

The result of these activities is the creation of a training matrix TR1, TR2, .., TRn with reduced number of attributes. In other words the dimensionality of the input data is reduced (Fig. 6).

Figure 6. Training matrix dimensionality reduction

ANFIS modules are then trained with training groups of data, so that AN1 modul is trained with TDS1 training data group which is processed with SC1 (TR1), AN1modul with training data group TDS2 which is processed with SC2 (TRn), and all remaining ANFIS modules including ANn (TRN) (Fig. 7).

Figure 7. ANFIS module evaluation with new training data set

As input for prepared ANFIS modules (AN1, AN2,..., ANn) we introduce second training data group (matrix TRN). Attributes that are marked in previous step are selected for every module from this new training group (i.e. those attributes that were involved in ANFIS module building The results obtained in this phase ANR1, ANR2,..., ANn are the input SOM component of system (Fig. 8).

Figure 8. SOM training

SOM component of the system is then trained with these data by building a network with five neurons.

V. ALGORITHM PROPOSAL

Each of the methods and techniques that were used in the construction of the system has certain advantages that are used in the proposed algorithm [1]. Thus, the SC is used in the process of voting to reduce the dimensionality of the training and test data. ANFIS is used to build the module because the expected output for the training data is already known. And because of the fact that the random sample is taken from a small percentage of the training data of SOM is used for clustering the results obtained simultaneously by ANFIS modules and final classification of test data set.

The proposed algorithm is shown below:

1) Loading and processing KDD CUP 99 dataset training and test data in the training TRD matrix and test matrix TSD respectively

2) The formation of input training matrix TDSk(k=1,..,3) with dimension [m,n] that contains data generated from training data where m=1000 and n=42.Matrix are formed as a random selection of rows from the training matrix TRD.

3) Applying SC on all attributes (A1, A2, ..., An-1) for each of training matrix tk and determination of number of clusters for all matrix attributes. If the number of clusters is equal to one, this attribute is not taken into consideration when building the ANFIS module ANk. That is how new training matrix TRk are formed .

4) ANFIS modul ANk training using new training matrix TRk .

5) The formation of new TRN training matrix with dimension [a,b] that contains data generated form training data set where a=1000 and b=41.

6) ANFIS modul evaluation ANk taking into consideration those matrix attributes positions TRNk that where participated in the making of these modules respectively

7) The formation TSD1 test matrix with dimension [c,d] that contains randomly generated data from test matrix TSD where c=1000 and r=41.

8) TSD1 evaluation using the previosly described model. In other words, using ANFIS modul (for attributes defined in step 3.) and using results from ANRk as input for SOM modul.

VI. EXPERIMENT RESULTS AND DISCUSSION

For the purpose of performing the experiments Matlab software was used. All simulations were performed on HP Compaq 6710b with Intel Core2 Duo T7100 1,8 GHz and 2048 MB RAM. During training and testing main parameters values were: for SC a range of influence of 0,5 is specified for all data dimensions, for ANFIS module SC is used for generating FIS and for SOM module five neurons for network size were used.

TDS1

SC1

TR1

TDS2

SC2

TR2

...

...

...

TDSn

SCn

TRn

TRN

AN1

ANR1

TRN

AN2

ANR2

...

...

...

TRN

ANn

ANRn

SOM

ANR1

ANR2 ...

ANRn

1438

The following training matrices are generated: TDS1,TDS2, TDS3 i TRN. All these matrix are generated from the training data set. Distribution of data in a matrices is as shown in Table 2.:

TABLE 2. AN OVERVIEW OF TRAINING DATA DISTRIBUTION

- normal Probe DoS U2R R2L TotalTDS1 750 10 239 0 1 1000TDS2 771 15 211 0 3 1000TDS3 793 14 192 0 1 1000TRN 765 6 228 0 1 1000

Applying SC Voting Mechanism on TDS1, TDS2,TDS3 matrix attributes that satisfy the criterion (that is the number of clusters is larger than one) are separeted.Using these attributes new training matrix TR1, TR2, TR3are generated.

These matrices had significantly reduced dimensionality, so that the new training matrix, TR1, TR2were formed with thirteen attributes (instead of the previous forty-one), while the matrix TR3 is formed with twelve attributes.

The following table (Table 3.) is a representation of the attributes used in the new training matrix.

TABLE 3. ATTRIBUTE LIST FOR TRAINING DATA AFTER SC VOTING

Training matrix

Featured attributes of the matrix training group - TDSk

TR1 A3, A4, A5, A6, A12, A25, A26, A29, A32, A33, A34 A38, A39

TR2 A3, A4, A5, A6, A12, A25, A26, A29, A32, A33, A34 A38, A39

TR3 A3, A4, A5, A12, A25, A26, A29, A32, A33, A34 A38, A39

Matrices TR1, TR2, TR3 are used for training of ANFIS modules i.e. building AN1, AN2, AN3. Next figure (Fig. 9) represent surface for AN3.

Figure 9. AN3 surface

After completed training of ANFIS modules as their inputs TRN attributes were brought - new training matrix that is generated from the training data set. Output from

this modules were used as inputs for training SOM network with five neurons.

This trained network is then used to classify the data from the test data group. Test data group TSD1 s then brought as input data for the system, in order to carry out the evaluation. Data classification result for TSD1 that are output from the last component of system (SOM) is graphically represented on next figure (Fig. 10).

Figure 10. SOM data classification result

The following table (Table 4.) shows the results that are obtained together with the expected results of the classification in order to perform a comparison of the results.

TABLE 4. EXPERIMENT RESULTS

normal Probe DoS U2R

R2L

1000

SC, ANFIS, SOM

859 48 91 0 2 1000

TSD1 924 18 56 0 2 1000

The results shown that the portion of traffic that is actually classified as a normal is classified as Probe and DoS. This generates false alarms. One reason for this is the fact that volume of sample data used for training and testing is not so big and traffic is not distributed equally. On the other side, experiment shown the possibilities of the proposed algorithm on a smaller sample of data.

The comparation to other research (Table 5.) shown that proposed algorithm can give acceptable level of the intrusion detection accuracy even using this small data sample.TABLE 5. EXPERIMENT RESULTS COMPARATION TO OTHER

RESEARCH

normal Probe DoS U2R R2LGAUSSIAN

MIXTURE [4]98,97 93,03 88,24 22,80 9,60

RBF IDS [4] 99,07 91,31 75,10 7,01 5,6SOM [4] 93,98 64,30 96,10 21,49 11,70

BINARY TREE[4]

96,43 77,94 96,45 13,59 0,44

ART [4] 97,19 98,48 97,09 17,98 11,29LAMSTAR IDS

[4]99,69 98,48 99,21 28,94 41,20

MULTINOMIAL LOGISTIC MODEL [3]

98,30 85,60 97,20 25,90 11,20

EDSOM [6] 95,20 92,30 96,20 38,40 43,60SC, ANFIS, SOM 92,66 100,00 100,00 - 100

1439

VII. CONCLUSION

This paper demonstrates the effects of combined application SOM, ANFIS, SC and Voting Mechanism in detecting intrusions in computer networks. This was done by comparing the results of execution of the ANFIS, SC and SOM implemented in the same software package Matlab on KDD CUP 99 data that were processed using various methods. Pre-processing of KDD CUP 99 dataset included removing duplicated data from training and testing data. This paper proposes algorithm which combines the previously listed methods and techniques, in order to take full advantage of them. Thus, the proposed algorithm has effect of reducing the complexity of the input data by reducing the number of attributes involved in the construction of ANFIS models. with no significant lost on its efficiency. For the selected amount of data, ANFIS module with parallel execution contributes in increasing the speed of execution of this algorithm. The presented algorithm will be modified in the further research by adding one more parameter. It will be the distance between clusters (in the case when the number of clusters is larger than one). In addition, the algorithm will be further tested with higher number of training samples taking the advantage of parallel execution. The proposed algorithm result in this paper shows that combining different methods (SOM, ANFIS, SC and Voting Mechanism) can give acceptable level of the intrusion detection accuracy.

REFERENCES

[1] Z. Avdagic, Vještačka intelignecija & fuzzy-neuro-genetika, Sarajevo, Grafoart 2003

[2] A. Midzic, The Significance of Data Pre-processing in Desting and Developing Intrusion Detection Systems, 32nd International Convention on Information and Communication Technology, electronics and microelectronics, Vol 5, Mipro, 2009

[3] Y. Wang, Statististical Techniques for Network Security: Modern Statistically-Based Intusion Detection and Protection, Information Science Reference - IGI Global, 2009

[4] V. Venkatachalam S.Selvan, Intrusion Detection using an Improved Competitive Learning Lamstar Neural Network, International Journal of Computer Science and Network Security, Vol.7, No.2, 2007

[5] V. Venkatachalam S.Selvan, An Approach for Reducing the Computational Complexity of LAMSTAR Intrusion Detection Using Pricincipal Component Analysis, International Journal of Computer Science and Network Security, Vol.2, No.1, 2006

[6] Li Feng, Li-Quan Sun, Embeded Dynamic Self-organizing Maps For Data Cluster, International Technology Journal 12(2) Asian Network for Scientifiic Information, 2013

[7] Esteban J. Palomo, Enrique Domínguez, Rafael M. Luque and Jose Munoz, An Intrusion Detection System based on Hierarchical Self-Organization, Journal of Information Assurance and Security, 2009

1440