An Evolutionary Feature Clustering Approach for Anomaly Detection Using Improved Fuzzy Membership Function: Feature Clustering Approach for Anomaly Detection

Gunupudi Rajesh Kumar (VNR Vignana Jyothi Institute of Engineering and Technology, Hyderabad, India), Narsimha Gugulothu (JNTUH, Hyderabad, India) and Mangathayaru Nimmala (VNR Vignana Jyothi Institute of Engineering and Technology, Hyderabad, India)
DOI: 10.4018/IJITWE.2019100102

Abstract

Traditionally, IDSs have been developed by applying machine learning techniques, using either a single learning mechanism or multiple learning mechanisms. Dimensionality is an important concern that affects classification accuracy and, eventually, classifier performance. Feature selection approaches are widely studied and applied in the research literature. In this work, a new fuzzy membership function for detecting anomalies and intrusions, together with a method for dimensionality reduction, is proposed. CANN could not address R2L and U2R attacks and failed completely on them, recording accuracies close to zero for these attack classes. Following CANN, the CLAPP approach showed better classifier accuracies than the kNN and SVM classifiers. This research aims at improving the accuracy achieved by CLAPP, CANN, and kNN. Experimental results show that the accuracies obtained using the proposed approach are better than those of the other existing approaches. In particular, the detection accuracies recorded for U2R and R2L attacks are very promising.
1. Introduction

Advances in computing and communication technology have made our lives simpler, and almost every task in daily life is now driven by technology. Today we depend on the internet for everything from professional and personal needs to domestic ones. Using the internet for daily needs such as shopping, banking, hotel booking and news has become commonplace. As computer literacy increases day by day, the use of IT-related services is growing exponentially. Previously, cyber-attacks were limited to organizations; now they are no longer restricted to organizations but also target personal computers, laptops and mobile devices. This clearly underlines the need for protection at different levels.

Looking at the history, the first steps in intrusion detection were taken by the United States Air Force (USAF). James P. Anderson, who was working as deputy for command and management systems in the USAF (Anderson, 1972), was the first in the literature to use the phrase “malicious threat” in his report to the US government, where it is defined as an “external penetration threat in closed or open systems and boil down to gaining an unauthorized access to classified data directly or indirectly”. He proposed the use of a reference monitor to safeguard classified data, which is what is now called an intrusion detection system. A formal definition of intrusion detection can be given as “…the process of discovering the presence or the possibility of presence, of unauthorized uses of network or computing infrastructure activities on a continuous basis…” The first real-time Intrusion Detection System (IDS) was researched and developed by Neumann between 1984 and 1986. Named the Intrusion Detection Expert System (IDES), it was a rule-based system that detected malicious activity from known threats and was later known as the Next Generation Intrusion Detection Expert System (NIDES) (Schwab, 2015).

In the late 1990s the design of intrusion detection systems improved greatly to accommodate the increase in the volume and complexity of network attacks. Until the 1990s, IDSs worked on the principle of correlating the signature of a new incoming threat with an existing knowledge base of attack data; if a match was found, the traffic was declared a threat. This approach is called signature-based intrusion detection. Such systems cannot detect new threats: a new attack passes through the IDS without being blocked, and only after the damage caused by the attack is realized is its signature pattern added to the knowledge base, enabling the IDS to detect the same attack in future. Another method, the anomaly detection system, learns from history and builds an understanding of the behavioral patterns of normal and abnormal packets. On receiving an abnormal packet, even one whose signature does not match the knowledge base, it recognizes the behavior and warns the user about the intrusion. Strictly speaking, both approaches are important, because the IT infrastructure must be shielded from both known and unknown threats.
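The contrast drawn above between the two approaches, as an added illustration that is not code from the paper (its fuzzy membership function is not reproduced here): a signature matcher alerts only on patterns already in its knowledge base, while a profile learned from normal traffic also flags a connection whose pattern has never been seen. The feature names, the normal-traffic history and the z-score threshold are constructed assumptions.

```python
from statistics import mean, pstdev

FEATURES = ("duration", "bytes", "failed_logins")

# Constructed history of connections an analyst has labelled normal
# (hypothetical values, not taken from the paper's dataset).
NORMAL_HISTORY = [
    {"duration": 2.0, "bytes": 1200, "failed_logins": 0},
    {"duration": 3.0, "bytes": 1500, "failed_logins": 0},
    {"duration": 2.5, "bytes": 1100, "failed_logins": 1},
    {"duration": 4.0, "bytes": 1800, "failed_logins": 0},
    {"duration": 3.5, "bytes": 1400, "failed_logins": 1},
    {"duration": 2.0, "bytes": 1300, "failed_logins": 0},
]

# Signature knowledge base: each rule encodes one already-known attack pattern.
KNOWN_SIGNATURES = {
    "ssh_brute_force": lambda c: c["failed_logins"] >= 5,
}


def signature_detect(conn):
    """Signature-based IDS: alert only if a stored pattern matches."""
    return any(rule(conn) for rule in KNOWN_SIGNATURES.values())


class AnomalyProfile:
    """Anomaly-based IDS: learn a per-feature mean/std profile from normal
    traffic and flag connections that deviate from it, known signature or not."""

    def __init__(self, history):
        self.mean = {f: mean(c[f] for c in history) for f in FEATURES}
        self.std = {f: pstdev(c[f] for c in history) for f in FEATURES}

    def score(self, conn):
        # Largest absolute z-score across features; a feature that is constant
        # in the history is anomalous only if the new value differs from it.
        zs = []
        for f in FEATURES:
            if self.std[f] == 0:
                zs.append(0.0 if conn[f] == self.mean[f] else float("inf"))
            else:
                zs.append(abs(conn[f] - self.mean[f]) / self.std[f])
        return max(zs)

    def is_anomalous(self, conn, threshold=3.0):
        return self.score(conn) >= threshold


def evaluate(conn, profile):
    """Run both detectors on one connection record."""
    return {"signature": signature_detect(conn), "anomaly": profile.is_anomalous(conn)}
```

A known brute-force connection (many failed logins) is caught by both detectors; a never-seen exfiltration-style connection (250 000 bytes, no failed logins) is missed by the signature rules but flagged by the profile, while a benign connection is flagged by neither.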

Intrusion detection systems operate at two levels: host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS). A NIDS fails when malicious activity takes place inside the organization's network, behind the NIDS, because such activity is outside its scope while it is busy processing incoming packets. This happens when a malicious packet enters the network because of overflow or congestion at the entry point of the organization's network; it bypasses the network security mechanism and causes damage within the organization's network. Hence, network-based intrusion detection cannot protect the network alone. Instead, a HIDS can be combined with the NIDS to combat incoming threats: the HIDS collects audit data from the different hosts within the organization's network and reports back to the NIDS, which acts accordingly whenever malicious activity is detected.
