Layered Approach Using Conditional Random Fields for Intrusion Detection

Intrusion detection faces a number of challenges; an intrusion detection system must reliably detect malicious activities in a network and must perform efficiently to cope with the large amount of network traffic. In this paper, we address these two issues of Accuracy and Efficiency using Conditional Random Fields and Layered Approach. We demonstrate that high attack detection accuracy can be achieved by using Conditional Random Fields and high efficiency by implementing the Layered Approach. Experimental results on the benchmark KDD '99 intrusion data set show that our proposed system based on Layered Conditional Random Fields outperforms other well-known methods such as the decision trees and the naive Bayes. The improvement in attack detection accuracy is very high, particularly, for the U2R attacks (34.8 percent improvement) and the R2L attacks (34.5 percent improvement). Statistical Tests also demonstrate higher confidence in detection accuracy for our method. Finally, we show that our system is robust and is able to handle noisy data without compromising performance.

[1]  Leonid Portnoy,et al.  Intrusion detection with unlabeled data using clustering , 2000 .

[2]  A. N. Zincir-Heywood,et al.  Intrusion Detection Systems , 2008 .

[3]  Andrew McCallum,et al.  Maximum Entropy Markov Models for Information Extraction and Segmentation , 2000, ICML.

[4]  Yonggang Pang,et al.  A hidden Markov models-based anomaly intrusion detection method , 2004, Fifth World Congress on Intelligent Control and Automation (IEEE Cat. No.04EX788).

[5]  Li Jun,et al.  HIDE: a Hierarchical Network Intrusion Detection System Using Statistical Preprocessing and Neural Network Classification , 2001 .

[6]  Dan Klein,et al.  Conditional Structure versus Conditional Estimation in NLP Models , 2002, EMNLP.

[7]  Kotagiri Ramamohanarao,et al.  Conditional Random Fields for Intrusion Detection , 2007, 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07).

[8]  Donald F. Towsley,et al.  Detecting anomalies in network traffic using maximum entropy estimation , 2005, IMC '05.

[9]  Chuanyi Ji,et al.  Combinations of Weak Classifiers , 1996, NIPS.

[10]  Salvatore J. Stolfo,et al.  Data Mining Approaches for Intrusion Detection , 1998, USENIX Security Symposium.

[11]  Hervé Debar,et al.  A serial combination of anomaly and misuse IDSes applied to HTTP traffic , 2004, 20th Annual Computer Security Applications Conference.

[12]  Adwait Ratnaparkhi,et al.  A Maximum Entropy Model for Part-Of-Speech Tagging , 1996, EMNLP.

[13]  Wei Wang,et al.  Modeling program behaviors by hidden Markov models for intrusion detection , 2004, Proceedings of 2004 International Conference on Machine Learning and Cybernetics (IEEE Cat. No.04EX826).

[14]  Andrew McCallum,et al.  Conditional Random Fields: Probabilistic Models for Segmenting and Labeling Sequence Data , 2001, ICML.

[15]  Kotagiri Ramamohanarao,et al.  Attacking Confidentiality: An Agent Based Approach , 2006, ISI.

[16]  Andrew McCallum,et al.  An Introduction to Conditional Random Fields for Relational Learning , 2007 .

[17]  Anupam Joshi,et al.  Fuzzy clustering for intrusion detection , 2003, The 12th IEEE International Conference on Fuzzy Systems, 2003. FUZZ '03..

[18]  Jaideep Srivastava,et al.  Protecting against cyber threats in networked information systems , 2003, SPIE Defense + Commercial Sensing.

[19]  Habiba Drias,et al.  Distributed Intrusion Detection Framework based on Autonomous and Mobile Agents , 2006, 2006 International Conference on Dependability of Computer Systems.

[20]  Sylvain Gombault,et al.  Eigenconnections to Intrusion Detection , 2004, SEC.

[21]  Bernard Zenko,et al.  Is Combining Classifiers Better than Selecting the Best One , 2002, ICML.

[22]  Salvatore J. Stolfo,et al.  Mining Audit Data to Build Intrusion Detection Models , 1998, KDD.

[23]  Saurabh Bagchi,et al.  Collaborative intrusion detection system (CIDS): a framework for accurate and efficient IDS , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[24]  Jaideep Srivastava,et al.  Data Mining for Network Intrusion Detection , 2002 .

[25]  Gürsel Serpen,et al.  Application of Machine Learning Algorithms to KDD Intrusion Detection Dataset within Misuse Detection Context , 2003, MLMTA.

[26]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[27]  Salvatore J. Stolfo,et al.  A data mining framework for building intrusion detection models , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[28]  Tomasz Imielinski,et al.  Mining association rules between sets of items in large databases , 1993, SIGMOD Conference.

[29]  Christopher Krügel,et al.  Bayesian event classification for intrusion detection , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[30]  Barak A. Pearlmutter,et al.  Detecting intrusions using system calls: alternative data models , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[31]  Andrew McCallum,et al.  Efficiently Inducing Features of Conditional Random Fields , 2002, UAI.

[32]  Zied Elouedi,et al.  Naive Bayes vs decision trees in intrusion detection systems , 2004, SAC '04.

[33]  Dong Seong Kim,et al.  Network-Based Intrusion Detection with Support Vector Machines , 2003, ICOIN.

[34]  Hervé Debar,et al.  A neural network component for an intrusion detection system , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[35]  Thomas G. Dietterich Machine Learning for Sequential Data: A Review , 2002, SSPR/SPR.

[36]  Tamas Abraham IDDM: Intrusion Detection Using Data Mining Techniques , 2001 .

[37]  Kotagiri Ramamohanarao,et al.  Network Security Framework , 2006 .