INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET)
ISSN 0976 – 6367(Print)
ISSN 0976 – 6375(Online)
Volume 4, Issue 1, January- February (2013), pp. 383-391
© IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2012): 3.9580 (Calculated by GISI)
www.jifactor.com




       AN EFFICIENT INTRUSION DETECTION USING RELEVANCE VECTOR MACHINE

                      V. Jaiganesh (1), Dr. P. Sumathi (2)

   (1) Doctoral Research Scholar, Department of Computer Science, Manonmaniam Sundaranar
       University, Tirunelveli, Tamilnadu, India.
   (2) Doctoral Research Supervisor, Assistant Professor, PG & Research Department of Computer
       Science, Government Arts College, Coimbatore, Tamilnadu, India.


  ABSTRACT

          The Internet has become a globally used public network and has brought tremendous
  growth in the ability of businesses to reach end users. On the other hand, the usage of
  networks has paved the way for intruders to attack the communication path and to steal the
  valuable asset (data) of any organization. Hence, in order to protect the organization's data,
  an Intrusion Detection System (IDS) offers protection from external users and internal
  attackers. Intrusion detection is the process of examining the events which happen in a
  computer system or network and evaluating them for signs of possible events, which are
  imminent threats of violation of computer security policies, standard security practices and
  acceptable use policies. In the proposed method, an effective intrusion detection system is
  built using unity-based normalization to standardize data and a Relevance Vector Machine
  (RVM) for classification. The experiment is carried out with the help of WEKA using the KDD
  Cup 1999 dataset, and the results indicate that the proposed technique can achieve a higher
  detection rate and a very low false alarm rate compared with the regular SVM algorithms.

  Keywords: Cascade forwards back propagation, Intrusion Detection System (IDS),
  Relevance Vector Machine (RVM)

  I.     INTRODUCTION

         The Internet has created several ways to compromise the stability and security of the
  systems connected to it. Even though static defense mechanisms such as firewalls and software
  updates can afford a reasonable level of security, new dynamic mechanisms should also be
  employed. Examples of such dynamic mechanisms are intrusion detection systems and
  network analyzers. Intrusion detection aims to achieve the specific goal of detecting attacks,
  whereas network analysis determines the changing trends in computer networks and
  connected systems. [1] Hence network analysis is a generic tool that helps system
  administrators to discover what happens on their networks.
        An Intrusion Detection System is a software or hardware system that automates the
process of monitoring and inspecting the events that take place in a computer network to
reveal malicious activity. Because of the drastic increase in the severity of attacks occurring
in the network, intrusion detection plays an additional necessary role in providing a security
infrastructure for most organizations. Intrusion detection permits organizations to guard their
systems from the threats that come with increasing network connectivity and reliance on
information systems. [2] Attacks are segmented into two groups:
      • Host-based attacks [3-5] and
      • Network-based attacks [6, 7].
      In the case of host-based attacks, the intruders aim at a particular machine and attempt
to get access to privileged services or resources on that specific machine. Recognition of this
kind of attack typically uses routines that acquire system call data from an audit process
which monitors all system calls made on behalf of each user. In the case of network-based
attacks, intruders make it extremely difficult for legitimate users to use various network
services by purposely occupying or disrupting network resources and services. Intruders attack
these systems by transmitting huge amounts of network traffic, exploiting known faults in
networking services, overloading network hosts, etc. Recognition of this kind of attack
uses network traffic data (i.e., tcpdump) to look at traffic addressed to the machines being
monitored.
      Several intrusion detection systems are available, but they do not meet the challenges of
a vulnerable Internet environment [8, 9]. In the current scenario, an IDS is essential for a
modern computer system. IDS can be categorized into two major groups:
      • Misuse detection and
      • Anomaly detection.
      A misuse detection system traces intrusion activities that follow recognized patterns.
These patterns describe a suspect collection of sequences of activities or operations that can
possibly be dangerous. The major drawback of this detection is that it does not have the
capability to trace or detect new kinds of intrusions (events that have never occurred in
the past). An anomaly detection system examines event data and identifies patterns of
activities that appear to be ordinary. An event which lies outside of these patterns is regarded
as a possible intrusion [10].
      The Relevance Vector Machine (RVM) is a Bayesian learning model for regression and
classification with a functional form identical to that of the Support Vector Machine (SVM).
RVM generalizes well and provides inferences at low computational cost. The proposed method
employs RVM classification.
       The paper is arranged as follows: Section II reviews related work on intrusion
detection systems and the techniques used in them. Section III presents the proposed
methodology and Section IV gives the experimental results of the proposed work.



II.    RELATED WORKS

        Security is considered a major issue in networks, since networks have expanded
dramatically. Internet attacks are increasing nowadays. Intrusion detection systems
have been used along with data mining techniques to detect intrusions. Ektefa et al. [11]
used data mining techniques including classification trees and support vector machines
for intrusion detection. The results of this approach indicate that the C4.5 algorithm is better
than SVM in detecting network intrusions and in false alarm rate on the KDD CUP 99 dataset.

        The success of any Intrusion Detection System (IDS) is a major problem due to its
nonlinearity and the quantitative or qualitative network traffic data stream with irrelevant and
redundant features. Selecting the effective, key features for an IDS is a major topic in
information security. SVM has been employed to provide potential solutions for the IDS
problem. However, the practicability of SVM is affected by the difficulty of selecting
appropriate SVM parameters. Particle swarm optimization (PSO) is an optimization method
which has strong global search capability and is easy to implement. Wang et al. [12]
proposed a PSO–SVM model which is applied to an intrusion detection problem using the
KDD Cup 99 data set. The standard PSO is used to find the free parameters of SVM and the
binary PSO is used to obtain the optimum feature subset when building the intrusion detection
system. The observed results reveal that the PSO–SVM method can achieve a higher detection
rate than regular SVM algorithms in the same time.

III.    METHODOLOGY

       The proposed methodology for the intrusion detection system is explained in this
section. Figure 1 shows the steps involved in the proposed methodology.

                         Data Collection and Pre-Processing
                                        |
                                        v
                   Normalization Process (unity-based Normalization)
                                        |
                                        v
                              Classification using RVM



                        Fig 1. Steps involved in the proposed method





1. Data collection and Preprocessing
        The proposed IDS is evaluated using the Waikato Environment for Knowledge
Analysis (WEKA), and the dataset used is the KDD Cup99 dataset. WEKA is a complete set of
Java class libraries that implement several state-of-the-art machine learning and data mining
approaches [13]. The KDD Cup99 dataset comes from the DARPA 98 Intrusion Detection
Evaluation handled by Lincoln Laboratory at MIT [14].
        Both training and testing data are divided into three protocol types, TCP, UDP and
ICMP, in order to train and test the data separately. Repeated records in the remaining
data have been deleted. The number of training records for TCP and UDP is still large, so
some records have to be deleted randomly. The data to be deleted were chosen mostly from
“normal” labeled data from the dataset. [15] Still, there were some attacks remaining in the
testing data set that were not in the training data set. These can be tested using RVM
classification.

2. Normalization
        Normalizing data means bringing the data values within unity (1), so that all the data
values range from 0 to 1. However, some models have difficulty with a value of zero, which is
why an arbitrary range of 0.1 to 0.9 is chosen instead. To overcome this limitation, a unity-
based normalization technique is employed in the proposed method. [16] The following
equation is used to implement a unity-based normalization:

$$X_{i,\,-1\ \text{to}\ 1} = \frac{X_i - \left(\frac{X_{max} + X_{min}}{2}\right)}{\left(\frac{X_{max} + X_{min}}{2}\right)} \tag{1}$$

       Where $X_i$ indicates each data point i, $X_{min}$ represents the minimum among all the
 data points, $X_{max}$ represents the maximum among all the data points, and
 $X_{i,\,-1\ \text{to}\ 1}$ represents the data point i normalized between 0 and 1.
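
Steps 1 and 2 above as one pipeline, in an added Python example that is not the authors' WEKA code: repeated records are dropped, the rest are grouped by protocol type, surplus "normal" rows are deleted at random, and each feature is scaled with parameters taken from the training rows only. It assumes the scaling divides by the half-range (X_max - X_min)/2 so that values land on [-1, 1], deletes only "normal" rows, and clips test values that fall outside the training range; the record layout and the sample rows are constructed.

```python
import random
from collections import defaultdict

# Constructed sample records (not KDD Cup 99 rows): protocol, [duration, src_bytes], label.
RECORDS = [
    {"protocol": "tcp", "features": [0, 200], "label": "normal"},
    {"protocol": "tcp", "features": [0, 200], "label": "normal"},    # exact repeat
    {"protocol": "tcp", "features": [2, 1000], "label": "normal"},
    {"protocol": "tcp", "features": [0, 0], "label": "neptune"},
    {"protocol": "tcp", "features": [5, 600], "label": "normal"},
    {"protocol": "tcp", "features": [1, 400], "label": "normal"},
    {"protocol": "udp", "features": [0, 100], "label": "normal"},
    {"protocol": "udp", "features": [0, 50], "label": "normal"},
    {"protocol": "icmp", "features": [0, 1000], "label": "smurf"},
    {"protocol": "icmp", "features": [0, 1000], "label": "smurf"},   # exact repeat
    {"protocol": "icmp", "features": [0, 30], "label": "normal"},
]


def split_by_protocol(records):
    """Drop repeated records, then group what is left by protocol type."""
    groups, seen = defaultdict(list), set()
    for rec in records:
        key = (rec["protocol"], tuple(rec["features"]), rec["label"])
        if key not in seen:
            seen.add(key)
            groups[rec["protocol"]].append(rec)
    return dict(groups)


def downsample_normal(group, limit, rng):
    """Randomly delete "normal" records until at most `limit` records remain.

    Assumption of this example: only "normal" rows are deleted, so attack rows survive.
    """
    normal_idx = [i for i, rec in enumerate(group) if rec["label"] == "normal"]
    excess = max(len(group) - limit, 0)
    drop = set(rng.sample(normal_idx, min(excess, len(normal_idx))))
    return [rec for i, rec in enumerate(group) if i not in drop]


def fit_unity(rows):
    """Per-feature (midpoint, half-range), computed from training rows only."""
    return [((max(col) + min(col)) / 2.0, (max(col) - min(col)) / 2.0)
            for col in zip(*rows)]


def apply_unity(row, params):
    """Scale one record onto [-1, 1] with the training-set parameters."""
    scaled = []
    for x, (mid, half) in zip(row, params):
        # Assumed denominator: half-range. A constant feature (half == 0) maps to 0.
        value = 0.0 if half == 0 else (x - mid) / half
        # Test data can hold attacks absent from training; clip their extremes.
        scaled.append(max(-1.0, min(1.0, value)))
    return scaled


if __name__ == "__main__":
    groups = split_by_protocol(RECORDS)
    tcp = downsample_normal(groups["tcp"], limit=3, rng=random.Random(7))
    params = fit_unity([rec["features"] for rec in tcp])
    for rec in tcp:
        print(rec["label"], apply_unity(rec["features"], params))
    # A test-set record whose duration exceeds anything seen in training.
    print("unseen", apply_unity([10, 500], params))
```
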

3. Relevance Vector Machine
        The Relevance Vector Machine (RVM), introduced by [17] as a Bayesian
counterpart to the SVM, has seen tremendous growth in the machine learning community
due to its simplicity and applicability. The RVM presents an empirical Bayes treatment of
function approximation by kernel basis expansion. RVM attains a sparse representation of
the approximating function by structuring a Gaussian prior distribution in a way that
implicitly creates a sparsity pressure on the coefficients appearing in the expansion. The use
of independent Gamma hyperpriors yields a product of independent marginal priors for the
coefficients and hence achieves the desired sparsity.

        In order to reduce the dimensionality of the hyperparameter space, a prior structure
is specified which reflects the possibility of correlation between the hyperparameters of the
coefficient distribution, and hence it is possible to segregate a unique solution.

      RVM has been used for classification in the proposed method. The relevance vector
machine (RVM) is a special case of a sparse linear model in which the basis functions are
formed by a kernel function $\varphi$ centred at the different training points:

$$y(x) = \sum_{i=1}^{N} w_i\, \varphi(x - x_i) \tag{2}$$

        Although this model is similar in form to the support vector machine (SVM), the kernel
function in the above equation need not satisfy Mercer's condition, which requires $\varphi$
to be a continuous symmetric kernel of a positive integral operator. [18]

       Multi-kernel RVM is an extension of the RVM model. It consists of different types of
kernels $\varphi_m$ and it is expressed as:

$$y(x) = \sum_{m=1}^{M} \sum_{i=1}^{N} w_i\, \varphi_m(x - x_i) \tag{3}$$

        The sparseness property enables the proper kernel to be chosen automatically at each
location by pruning all irrelevant kernels; hence it is possible that two different kernels
remain at the same location.
Assume a two-class problem with training points $X = \{X_1, \ldots, X_N\}$ and corresponding
class labels $t = \{t_1, \ldots, t_N\}$ with $t_i \in \{0, 1\}$. Applying the Bernoulli
distribution, the likelihood (the target conditional distribution) can be expressed as:

$$p(t \mid w) = \prod_{i=1}^{N} \sigma\{y(x_i)\}^{t_i} \left[1 - \sigma\{y(x_i)\}\right]^{1 - t_i} \tag{4}$$

where $\sigma(y)$ is the logistic sigmoid function

$$\sigma(y(x)) = \frac{1}{1 + \exp(-y(x))} \tag{5}$$

       Let $\alpha_i^*$ denote the maximum a posteriori (MAP) estimate of the
hyperparameter $\alpha_i$. The MAP estimate for the weights is denoted by $w_{MAP}$ and it can
be obtained by maximizing the posterior distribution of the class labels given the input
vectors. This is equivalent to maximizing the objective function given by:

$$J(w_1, w_2, \ldots, w_N) = \sum_{i=1}^{N} \log p(t_i \mid w_i) + \sum_{i=1}^{N} \log p(w_i \mid \alpha_i^*) \tag{6}$$

        where the first term indicates the likelihood of the class labels and the second term
indicates the prior on the parameters $w_i$. Only those samples associated with nonzero
coefficients $w_i$, which are called relevance vectors, contribute to the decision function.

       The gradient of the objective function J with respect to w is given by:

$$\nabla J = -A^{*} w - \varphi^{T}(f - t) \tag{7}$$

where $f = [\sigma(y(x_1)), \ldots, \sigma(y(x_N))]^{T}$ and the matrix $\varphi$ has elements
$\varphi_{i,j} = K(x_i, x_j)$. The Hessian of J is

$$H = \nabla^{2}(J) = -\left(\varphi^{T} B \varphi + A^{*}\right) \tag{8}$$

where $B = diag(\beta_1, \ldots, \beta_N)$ is a diagonal matrix with
$\beta_i = \sigma(y(x_i))\,[1 - \sigma(y(x_i))]$.

       The posterior is approximated around $w_{MAP}$ by a Gaussian approximation with
covariance

$$\Sigma = -\left(H|_{w_{MAP}}\right)^{-1} \tag{9}$$

and the mean is given by

$$\mu = \Sigma\, \varphi^{T} B\, t \tag{10}$$

        RVM has several advantages: the number of relevance vectors can be much smaller
than the number of support vectors, and RVM does not need the tuning of a regularization
parameter (C) during the training phase, as SVM does. Thus the proposed dataset can be
classified using the RVM classifier.
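
The training loop behind eqs. (2)-(10), as an added Python example that is not the paper's WEKA code: Newton ascent to w_MAP using the gradient (7) and Hessian (8), the Laplace covariance (9), then re-estimation of each hyperparameter and pruning of basis functions whose weight is driven to zero. The Gaussian kernel and its width, the hyperparameter update (taken from Tipping [17]; the text above does not state it), the step damping, the numerical guards and the sample points are assumptions of this example.

```python
import math

# Constructed training set (not KDD Cup 99 data): two normalized features per
# connection; label 0 = normal, 1 = attack, matching t_i in {0, 1}.
X_TRAIN = [(0.10, 0.05), (0.15, 0.10), (0.20, 0.08), (0.12, 0.20), (0.25, 0.15),
           (0.18, 0.02), (0.30, 0.25), (0.85, 0.90), (0.90, 0.80), (0.80, 0.95),
           (0.95, 0.85), (0.75, 0.80), (0.88, 0.70), (0.70, 0.75)]
T_TRAIN = [0] * 7 + [1] * 7

def kernel(a, b, width):
    """Basis function phi(x - x_i) of eq. (2); the Gaussian form is an assumption."""
    return math.exp(-sum((p - q) ** 2 for p, q in zip(a, b)) / (2.0 * width ** 2))

def sigmoid(y):
    """Logistic sigmoid of eq. (5), arranged so exp() cannot overflow."""
    if y >= 0:
        return 1.0 / (1.0 + math.exp(-y))
    return math.exp(y) / (1.0 + math.exp(y))

def invert(m):
    """Gauss-Jordan inverse with partial pivoting for the small positive-definite -H."""
    n = len(m)
    a = [row[:] + [float(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(a[r][c]))
        a[c], a[p] = a[p], a[c]
        d = a[c][c]
        a[c] = [v / d for v in a[c]]
        for r in range(n):
            if r != c:
                f = a[r][c]
                a[r] = [v - f * u for v, u in zip(a[r], a[c])]
    return [row[n:] for row in a]

def objective(Phi, t, w, alpha):
    """J of eq. (6): log of eq. (4) plus the Gaussian log-prior, constants dropped."""
    total = -0.5 * sum(a * wi * wi for a, wi in zip(alpha, w))
    for row, ti in zip(Phi, t):
        y = sum(wi * p for wi, p in zip(w, row))
        z = y if ti == 1 else -y                 # log sigma(z) covers both labels
        total += min(z, 0.0) - math.log1p(math.exp(-abs(z)))
    return total

def laplace(Phi, t, w, alpha):
    """Gradient of eq. (7) and covariance Sigma = -H^-1 of eqs. (8)-(9) at w."""
    f = [sigmoid(sum(wi * p for wi, p in zip(w, row))) for row in Phi]
    m = range(len(w))
    grad = [sum(row[i] * (ti - fi) for row, ti, fi in zip(Phi, t, f)) - alpha[i] * w[i]
            for i in m]
    neg_h = [[sum(row[i] * fi * (1.0 - fi) * row[j] for row, fi in zip(Phi, f))
              + (alpha[i] if i == j else 0.0) for j in m] for i in m]
    return grad, invert(neg_h)

def fit_rvm(X, t, width=0.3, rounds=60, prune_at=1e6):
    """Alternate Newton ascent to w_MAP with re-estimation of every alpha_i."""
    keep, alpha, w = list(range(len(X))), [1.0] * len(X), [0.0] * len(X)
    for _ in range(rounds):
        Phi = [[kernel(x, X[j], width) for j in keep] for x in X]
        for _ in range(20):
            grad, sigma = laplace(Phi, t, w, alpha)
            step = [sum(s * g for s, g in zip(row, grad)) for row in sigma]
            base, scale = objective(Phi, t, w, alpha), 1.0
            trial = [wi + si for wi, si in zip(w, step)]
            while scale > 1e-4 and objective(Phi, t, trial, alpha) < base:
                scale *= 0.5                     # damp the step until J stops falling
                trial = [wi + scale * si for wi, si in zip(w, step)]
            if scale <= 1e-4:
                break
            w = trial
            if scale * max(abs(si) for si in step) < 1e-6:
                break
        sigma = laplace(Phi, t, w, alpha)[1]
        # gamma_i = 1 - alpha_i * Sigma_ii and alpha_i <- gamma_i / w_i^2 (Tipping [17]);
        # the floor and ceiling are numerical guards assumed for this example.
        alpha = [min(max((1.0 - a * sigma[i][i]) / max(wi * wi, 1e-12), 1e-3), 1e12)
                 for i, (a, wi) in enumerate(zip(alpha, w))]
        live = [i for i, a in enumerate(alpha) if a < prune_at] or [alpha.index(min(alpha))]
        keep, alpha, w = [keep[i] for i in live], [alpha[i] for i in live], [w[i] for i in live]
    return {"vectors": [X[j] for j in keep], "weights": w, "width": width}

def attack_probability(model, x):
    """sigma(y(x)) with y(x) from eq. (2), summed over the surviving relevance vectors."""
    pairs = zip(model["weights"], model["vectors"])
    return sigmoid(sum(wi * kernel(x, v, model["width"]) for wi, v in pairs))

if __name__ == "__main__":
    model = fit_rvm(X_TRAIN, T_TRAIN)
    print(len(model["vectors"]), "relevance vectors out of", len(X_TRAIN))
    print(attack_probability(model, (0.9, 0.9)), attack_probability(model, (0.1, 0.1)))
```
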

IV.          EXPERIMENTAL RESULTS

        KDD Cup99 is an audited standard dataset which includes training and testing
sets. The data contain the following four major groups of attacks:
        i.     Denial-of-Service (DoS) like apache2, smurf, pod, etc.
       ii.     Remote-to-Local (R2L) like worm, phf, imap, etc.
      iii.     User to Root (U2R) like rootkit, perl and so on.
       iv.     Probing like portsweep, nmap, etc.
Attack detection can be measured using the following metrics:
        i.     False Positive (FP): the number of instances detected as attacks that are
               actually normal.
       ii.     False Negative (FN): the number of instances detected as normal that are
               really attacks. These attacks are the major target of intrusion detection
               systems.
      iii.     True Positive (TP): the number of instances detected as attacks that are in
               fact attacks.
       iv.     True Negative (TN): the number of instances detected as normal that are
               actually normal.

1. Performance Measures
       The performance measures used to evaluate the proposed KSVM with LM against
SVM are
       • Detection rate and
       • False-alarm rate
The accuracy of the intrusion detection system is computed based on the detection rate and
false alarm rate.



2. Detection Rate Comparison
         Detection rate indicates the percentage of detected attacks among all the attack data,
and it is given as

$$\text{Detection Rate} = \frac{TP}{TP + TN} \times 100 \tag{11}$$

[Figure: bar chart of Detection Rate (%), axis 0 to 100, for KSVM with LM and RVM over the attacks DoS, Probe, U2R and R2L]

                                   Fig 2. Comparison of Detection Rate on Four Attacks

         The detection rates for the different types of attacks are shown in Fig 2. From the
results it is observed that in case of DoS attacks, detection rate for RVM obtains better results
in all other attacks.

3. False Alarm Rate Comparison
        False alarm rate indicates the percentage of normal data which is wrongly considered
as attack, and it is defined as follows:

$$\text{False Alarm Rate} = \frac{FP}{FP + TN} \times 100 \tag{12}$$

[Figure: bar chart of False Alarm Rate (%), axis 0 to 2, for KSVM with LM and RVM over the attacks DoS, Probe, U2R and R2L]

                   Fig 3. Comparison of False Alarm Rate on Four Attacks




        The false alarm rates for the different types of attacks are shown in Fig 3. From the
figure it is observed that for DoS attacks, false alarm rate for RVM is lower in all other
attacks. Thus the experimental results proved that the proposed RVM obtains better results.

V.     CONCLUSION

         At present, security of network communication is of great importance. Since data
is considered one of the valuable assets of an organization, providing security against
intruders is essential. An intrusion detection system tries to identify security attacks by
intruders by investigating the data records observed in processes on the network. In this
paper, unity-based normalization is proposed to standardize data and the Relevance Vector
Machine (RVM) is proposed for efficient classification. The experiment is carried out in WEKA
using the KDD Cup 1999 dataset and the results indicate that the proposed system can provide
a better detection rate and a lower false alarm rate than the KSVM with LM. As future work,
various training algorithms will be employed to improve its performance.

REFERENCES

[1]  H. Gunes Kayacik, Nur Zincir-Heywood, “Analysis of Three Intrusion Detection
     System Benchmark Datasets Using Machine Learning Algorithms”, Proceedings of the
     IEEE International Conference on Intelligence and Security Informatics, Pp. 362-367, 2005.
     ISBN: 3-540-25999-6 978-3-540-25999-2
[2]  Vipin Das, Vijaya Pathak, Sattvik Sharma, Sreevathsan, MVVNS. Srikanth, T.
     Gireesh Kumar, “Network Intrusion Detection System based On Machine Learning
     Algorithms”, International Journal of Computer Science & Information Technology
     (IJCSIT), Vol. 2, No. 6, December 2010.
[3]  D. Anderson, T. Frivold and A. Valdes, “Next-generation intrusion detection expert
     system (NIDES): a summary”, Technical Report SRI-CSL-95-07. Computer Science
     Laboratory, SRI International, Menlo Park, CA, 1995.
[4]  S. Axelsson, “Research in intrusion detection systems: a survey”, Technical Report
     TR 98-17 (Revised in 1999). Chalmers University of Technology, Goteborg, Sweden, 1999.
[5]  S. Freeman, A. Bivens, J. Branch and B. Szymanski, “Host-based intrusion detection
     using user Signatures”, Proceedings of the Research Conference. RPI, Troy, NY, 2002.
[6]  K. Ilgun, R.A. Kemmerer and P.A. Porras, “State transition analysis: A rule-based
     intrusion detection approach”, IEEE Trans. Software Eng, Vol. 21, No. 3, Pp. 181–199, 1995.
[7]  D. Marchette, “A statistical method for profiling network traffic”, Proceedings of
     the First USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara,
     CA, Pp. 119–128, 1999.
[8]  R.G. Bace, “Intrusion Detection”, Macmillan Technical Publishing, 2000.
[9]  B.V. Dasarathy, “Intrusion detection, Information Fusion”, Vol. 4, No. 4, Pp. 243-
     245, 2003.
[10] Kyaw Thet Khaing, “Enhanced Features Ranking and Selection using Recursive
     Feature Elimination (RFE) and k-Nearest Neighbor Algorithms in Support Vector Machine
     for Intrusion Detection System”, International Journal of Network and Mobile Technologies,
     Vol. 1, No. 1, Pp. 8-14, 2010.
[11] Mohammadreza Ektefa, Sara Memar, Fatimah Sidi and Lilly Suriani Affendey,
     “Intrusion Detection Using Data Mining Techniques”, IEEE, 2010. ISBN: 978-1-4244-5651-2/10
[12] Jun Wang, Xu Hong, Rong-rong Ren and Tai-hang Li, “A Real-time Intrusion Detection
     System Based on PSO-SVM”, Proceedings of the 2009 International Workshop on Information
     Security and Application (IWISA 2009), November 2009. ISBN 978-952-5726-06-0
[13] Witten, I. H., and Frank E. (1999) Data Mining: Practical Machine Learning Tools
     and Techniques with Java Implementations, Morgan Kaufmann, San Francisco.
[14] KDD Cup network intrusion dataset,
     http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
[15] Aslıhan Özkaya and Bekir Karlık, “Protocol Type Based Intrusion Detection Using RBF
     Neural Network”, International Journal of Artificial Intelligence and Expert Systems (IJAE),
     Vol. 3, No. 4, 2012.
[16] Ben Etzkorn, “Data Normalization and Standardization”, Pp 1-3, 2012.
[17] Tipping, M. E., “Sparse Bayesian Learning and the Relevance Vector Machine”,
     Journal of Machine Learning Research, Vol. 1, Pp. 211-244, 2001.
[18] Dimitris G. Tzikas, Liyang Wei, Aristidis Likas, Yongyi Yang and Nikolas P.
     Galatsanos, “A Tutorial on Relevance Vector Machines For Regression and Classification
     with Applications”.
[19] B. Venkateswara Reddy, Dr. P. Satish Kumar, Dr. P. Bhaskar Reddy and B. Naresh Kumar
     Reddy, “Identifying Brain Tumour From MRI Image Using Modified FCM and Support
     Vector Machine”, International Journal of Computer Engineering & Technology (IJCET),
     Volume 4, Issue 1, 2013, pp. 244 - 262, Published by IAEME.
[20] Syeda Gauhar Fatima, Dr. Syed Abdul Sattar and Dr. K. Anita Sheela, “Energy Efficient
     Intrusion Detection System for WSN”, International Journal of Electronics and Communication
     Engineering & Technology (IJECET), Volume 3, Issue 3, 2012, pp. 246 - 250, Published by
     IAEME.

AUTHOR BIOGRAPHIES

   V. JAIGANESH is working as an Assistant Professor in the Department of Computer
   Science, Dr. N.G.P. Arts and Science College, Coimbatore, Tamilnadu, India, and is doing
   his Ph.D. at Manonmaniam Sundaranar University, Tirunelveli, Tamilnadu, India. He has
   done his M.Phil in the area of Data Mining in Periyar University. He has done his post
   graduate degrees MCA and MBA in Periyar University, Salem. He has presented and
   published a number of papers in reputed conferences and journals. He has about twelve
   years of teaching and research experience and his research interests include Data Mining
   and Networking.

   Dr. P. SUMATHI is working as an Assistant Professor, PG & Research Department of
   Computer Science, Government Arts College, Coimbatore, Tamilnadu, India. She received
   her Ph.D. in the area of Grid Computing in Bharathiar University. She has done her M.Phil
   in the area of Software Engineering in Mother Teresa Women’s University and received her
   MCA degree at Kongu Engineering College, Perundurai. She has published a number of
   papers in reputed journals and conferences. She has about sixteen years of teaching and
   research experience. Her research interests include Data Mining, Grid Computing and
   Software Engineering.



Intrusion Detection Model using Machine Learning Algorithms on NSL-KDD Dataset
Intrusion Detection Model using Machine Learning Algorithms on NSL-KDD Dataset

More from IAEME Publication (20)

PDF
IAEME_Publication_Call_for_Paper_September_2022.pdf
PDF
MODELING AND ANALYSIS OF SURFACE ROUGHNESS AND WHITE LATER THICKNESS IN WIRE-...
PDF
A STUDY ON THE REASONS FOR TRANSGENDER TO BECOME ENTREPRENEURS
PDF
BROAD UNEXPOSED SKILLS OF TRANSGENDER ENTREPRENEURS
PDF
DETERMINANTS AFFECTING THE USER'S INTENTION TO USE MOBILE BANKING APPLICATIONS
PDF
ANALYSE THE USER PREDILECTION ON GPAY AND PHONEPE FOR DIGITAL TRANSACTIONS
PDF
VOICE BASED ATM FOR VISUALLY IMPAIRED USING ARDUINO
PDF
IMPACT OF EMOTIONAL INTELLIGENCE ON HUMAN RESOURCE MANAGEMENT PRACTICES AMONG...
PDF
VISUALISING AGING PARENTS & THEIR CLOSE CARERS LIFE JOURNEY IN AGING ECONOMY
PDF
A STUDY ON THE IMPACT OF ORGANIZATIONAL CULTURE ON THE EFFECTIVENESS OF PERFO...
PDF
GANDHI ON NON-VIOLENT POLICE
PDF
A STUDY ON TALENT MANAGEMENT AND ITS IMPACT ON EMPLOYEE RETENTION IN SELECTED...
PDF
ATTRITION IN THE IT INDUSTRY DURING COVID-19 PANDEMIC: LINKING EMOTIONAL INTE...
PDF
INFLUENCE OF TALENT MANAGEMENT PRACTICES ON ORGANIZATIONAL PERFORMANCE A STUD...
PDF
A STUDY OF VARIOUS TYPES OF LOANS OF SELECTED PUBLIC AND PRIVATE SECTOR BANKS...
PDF
EXPERIMENTAL STUDY OF MECHANICAL AND TRIBOLOGICAL RELATION OF NYLON/BaSO4 POL...
PDF
ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...
PDF
OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...
PDF
APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...
PDF
A MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENT
IAEME_Publication_Call_for_Paper_September_2022.pdf
MODELING AND ANALYSIS OF SURFACE ROUGHNESS AND WHITE LATER THICKNESS IN WIRE-...
A STUDY ON THE REASONS FOR TRANSGENDER TO BECOME ENTREPRENEURS
BROAD UNEXPOSED SKILLS OF TRANSGENDER ENTREPRENEURS
DETERMINANTS AFFECTING THE USER'S INTENTION TO USE MOBILE BANKING APPLICATIONS
ANALYSE THE USER PREDILECTION ON GPAY AND PHONEPE FOR DIGITAL TRANSACTIONS
VOICE BASED ATM FOR VISUALLY IMPAIRED USING ARDUINO
IMPACT OF EMOTIONAL INTELLIGENCE ON HUMAN RESOURCE MANAGEMENT PRACTICES AMONG...
VISUALISING AGING PARENTS & THEIR CLOSE CARERS LIFE JOURNEY IN AGING ECONOMY
A STUDY ON THE IMPACT OF ORGANIZATIONAL CULTURE ON THE EFFECTIVENESS OF PERFO...
GANDHI ON NON-VIOLENT POLICE
A STUDY ON TALENT MANAGEMENT AND ITS IMPACT ON EMPLOYEE RETENTION IN SELECTED...
ATTRITION IN THE IT INDUSTRY DURING COVID-19 PANDEMIC: LINKING EMOTIONAL INTE...
INFLUENCE OF TALENT MANAGEMENT PRACTICES ON ORGANIZATIONAL PERFORMANCE A STUD...
A STUDY OF VARIOUS TYPES OF LOANS OF SELECTED PUBLIC AND PRIVATE SECTOR BANKS...
EXPERIMENTAL STUDY OF MECHANICAL AND TRIBOLOGICAL RELATION OF NYLON/BaSO4 POL...
ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...
OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...
APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...
A MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENT

An efficient intrusion detection using relevance vector machine

International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367 (Print), ISSN 0976-6375 (Online), Volume 4, Issue 1, January-February (2013), pp. 383-391, © IAEME: www.iaeme.com/ijcet.asp, Journal Impact Factor (2012): 3.9580 (Calculated by GISI), www.jifactor.com

AN EFFICIENT INTRUSION DETECTION USING RELEVANCE VECTOR MACHINE

V. Jaiganesh (1), Dr. P. Sumathi (2)

(1) Doctoral Research Scholar, Department of Computer Science, Manonmaniam Sundaranar University, Tirunelveli, Tamilnadu, India.
(2) Doctoral Research Supervisor, Assistant Professor, PG & Research Department of Computer Science, Government Arts College, Coimbatore, Tamilnadu, India.

ABSTRACT

The Internet has become a globally used public network and has brought tremendous growth to businesses in reaching end users. On the other hand, the use of networks has paved the way for intruders to attack the communication path and to steal the valuable asset (data) of any organization. Hence, in order to protect an organization's data, an Intrusion Detection System (IDS) offers protection from external users and internal attackers. Intrusion detection is the process of examining the events which happen in a computer system or network and evaluating them for signs of possible events which are imminent threats of violation of computer security policies, standard security practices and acceptable use policies. In the proposed method, an effective intrusion detection system is built using unity-based normalization to standardize the data and a Relevance Vector Machine (RVM) for classification. The experiment is carried out in WEKA using the KDD Cup 1999 dataset, and the results indicate that the proposed technique can achieve a higher detection rate and a very low false alarm rate compared with regular SVM algorithms.

Keywords: Cascade forwards back propagation, Intrusion Detection System (IDS), Relevance Vector Machine (RVM)

I. INTRODUCTION

The Internet has created several ways to compromise the stability and security of the systems connected to it. Even though static defense mechanisms such as firewalls and software updates can afford a reasonable level of security, new dynamic mechanisms should also be employed. Examples of such dynamic mechanisms are intrusion detection systems and
network analyzers. Intrusion detection aims to achieve the specific goal of detecting attacks, whereas network analysis determines the changing trends in computer networks and connected systems [1]. Hence network analysis is a generic tool that helps system administrators to discover what happens on their networks.

An Intrusion Detection System is a software or hardware system that automates the process of monitoring and inspecting the events that take place in a computer network in order to reveal malicious activity. Because of the drastic increase in the severity of attacks occurring in networks, intrusion detection plays an additional, necessary role in providing a security infrastructure for most organizations. Intrusion detection permits organizations to guard their systems from the threats that come with increasing network connectivity and reliance on information systems [2].

The attacks addressed by intrusion detection are divided into two groups:
• Host-based attacks [3-5] and
• Network-based attacks [6, 7].

In host-based attacks, the intruders aim at a particular machine and attempt to get access to privileged services or resources on that specific machine. Recognition of this kind of attack typically uses routines that acquire system call data from an audit process which monitors all system calls made on behalf of each user.

In network-based attacks, intruders purposely occupy or disrupt network resources and services, which makes it extremely complicated for legitimate users to use various network services. Intruders attack these systems by transmitting huge amounts of network traffic, exploiting familiar faults and overloading network hosts and networking services, etc. Recognition of this kind of attack uses network traffic data (i.e., tcpdump) to look at traffic addressed to the machines being monitored.

Several intrusion detection systems are available, but they do not meet the challenges of a vulnerable Internet environment [8, 9]. In the current scenario, an IDS is essential for a modern computer system. IDSs can be categorized into two major groups:
• Misuse detection and
• Anomaly detection.

A misuse detection system traces intrusion activities that follow recognized patterns. These patterns describe a suspect collection of sequences of activities or operations that can possibly be dangerous. The major drawback of this kind of detection is that it cannot trace or detect new kinds of intrusions (events that have never occurred in the past). An anomaly detection system examines event data and identifies patterns of activity that appear to be ordinary. An event which lies outside these patterns is regarded as a possible intrusion [10].

The Relevance Vector Machine (RVM) is a Bayesian learning model for regression and classification with a functional form identical to that of the Support Vector Machine (SVM). RVM generalizes well and provides inferences at low computational cost. The proposed method employs RVM classification.

The paper is arranged as follows: Section II reviews the related work on intrusion detection systems and the techniques used in them. Section III presents the proposed methodology and Section IV gives the experimental results of the proposed work.

II. RELATED WORKS

Security is considered a major issue in networks, since networks have been dramatically extended and Internet attacks are increasing. Intrusion detection systems have been used along with data mining techniques to detect intrusions. Ektefa et al. [11] used data mining techniques, including classification trees and support vector machines, for intrusion detection. The results of this approach indicate that the C4.5 algorithm is better than SVM in terms of detecting network intrusions and false alarm rate on the KDD CUP 99 dataset.

The success of any Intrusion Detection System (IDS) is a major problem due to its nonlinearity and the quantitative or qualitative network traffic data stream with irrelevant and redundant features. Selecting the effective, key features for an IDS is a major topic in information security. SVM has been employed to provide potential solutions for the IDS problem. However, the practicability of SVM is affected by the difficulty of selecting appropriate SVM parameters. Particle swarm optimization (PSO) is an optimization method which has strong global search capability and is easy to implement. Wang et al. [12] proposed a PSO–SVM model which is applied to an intrusion detection problem using the KDD Cup 99 data set. The standard PSO is used to find the free parameters of the SVM, and the binary PSO is used to obtain the optimum feature subset when building the intrusion detection system. The observed results reveal that the PSO–SVM method can achieve a higher detection rate than regular SVM algorithms in the same time.

III. METHODOLOGY

The proposed methodology for the intrusion detection system is explained in this section. Figure 1 shows the steps involved in the proposed methodology.

[Figure: flow chart with the steps Data Collection and Pre-Processing; Normalization Process (unity-based normalization); Classification using RVM]
Fig 1. Steps involved in the proposed method

1. Data collection and Preprocessing

The proposed IDS is evaluated using the Waikato Environment for Knowledge Analysis (WEKA), and the dataset used is the KDD Cup99 dataset. WEKA is a complete set of Java class libraries that implement several state-of-the-art machine learning and data mining approaches [13]. The KDD Cup99 dataset comes from the DARPA 98 Intrusion Detection Evaluation handled by Lincoln Laboratory at MIT [14].

Both training and testing data are divided by the three protocol types, TCP, UDP and ICMP, in order to train and test the data separately. The remaining records that are repeated have been deleted. The number of training records for TCP and UDP is still large, so some records have to be deleted randomly. The records to be deleted were chosen mostly from the "normal" labeled data in the dataset [15]. There were still some attacks remaining in the testing data set that were not in the training data set. These can be tested using RVM classification.

2. Normalization

Normalizing data means bringing the data values within unity (1), so that all the data values range from 0 to 1. However, some models are confused by a value of zero, which is why an arbitrary range of 0.1 to 0.9 is chosen instead. To overcome this limitation, a unity-based normalization technique is employed in the proposed method [16]. The following equation is used to implement unity-based normalization:

$$X_{i,\,-1\ \mathrm{to}\ 1} = \frac{X_i - \left(\dfrac{X_{max} + X_{min}}{2}\right)}{\left(\dfrac{X_{max} + X_{min}}{2}\right)} \qquad (1)$$

where $X_i$ indicates each data point $i$, $X_{min}$ represents the minimum among all the data points, $X_{max}$ represents the maximum among all the data points, and $X_{i,\,-1\ \mathrm{to}\ 1}$ represents the data point $i$ normalized between 0 and 1.

3. Relevance Vector Machine

The Relevance Vector Machine (RVM), introduced by [17] as a Bayesian counterpart to the SVM, has seen tremendous growth in the machine learning community due to its simplicity and applicability. The RVM presents an empirical Bayes treatment of function approximation by kernel basis expansion. It attains a sparse representation of the approximating function by structuring a Gaussian prior distribution in a way that implicitly creates a sparsity pressure on the coefficients appearing in the expansion. The use of independent Gamma hyperpriors yields a product of independent marginal priors for the coefficients and hence achieves the desired sparsity. In order to reduce the dimensionality of the hyperparameter space, a prior structure is specified which reflects the possibility of correlation between the hyperparameters of the coefficient distribution, and hence it is possible to segregate a unique solution. RVM is used for classification in the proposed method.

The relevance vector machine (RVM) is a special case of a sparse linear model in which the basis functions are formed by a kernel function $\varphi$ centred at the different training points:

$$y(x) = \sum_{i=1}^{N} w_i\, \varphi(x - x_i) \qquad (2)$$

Although this model is similar in form to the support vector machine (SVM), the kernel function in the above equation does not satisfy Mercer's condition, which requires $\varphi$ to be a continuous symmetric kernel of a positive integral operator [18].

Multi-kernel RVM is an extension of the RVM model. It consists of different types of kernels $\varphi_m$ and is expressed as:

$$y(x) = \sum_{i=1}^{m} \sum_{i=1}^{N} w_i\, \varphi_m(x - x_i) \qquad (3)$$

The sparseness property enables the proper kernel to be chosen automatically at each location by pruning all irrelevant kernels; hence it is possible that two different kernels remain at the same location.

Assume a two-class problem with training points $X = \{X_1, \ldots, X_N\}$ and corresponding class labels $t = \{t_1, \ldots, t_N\}$ with $t_i \in \{0, 1\}$. Applying the Bernoulli distribution, the likelihood (the target conditional distribution) can be expressed as:

$$p(t \mid w) = \prod_{i=1}^{N} \sigma\{y(x_i)\}^{t_i}\,\left[1 - \sigma\{y(x_i)\}\right]^{1 - t_i} \qquad (4)$$

where $\sigma(y)$ is the logistic sigmoid function

$$\sigma(y(x)) = \frac{1}{1 + \exp(-y(x))} \qquad (5)$$

Let $\alpha_i^*$ denote the maximum a posteriori (MAP) estimate of the hyperparameter $\alpha_i$. The MAP estimate for the weights is denoted by $w_{MAP}$ and can be obtained by maximizing the posterior distribution of the class labels given the input vectors. This is equivalent to maximizing the objective function given by:

$$J(w_1, w_2, \ldots, w_N) = \sum_{i=1}^{N} \log p(t_i \mid w_i) + \sum_{i=1}^{N} \log p(w_i \mid \alpha_i^*) \qquad (6)$$

where the first term is the likelihood of the class labels and the second term is the prior on the parameters $w_i$. Those samples associated with nonzero coefficients $w_i$, which are called relevance vectors, contribute to the decision function.

The gradient of the function $J$ with respect to $w$ is given by:

$$\nabla J = -A^* w - \varphi^T (f - t) \qquad (7)$$

where $f = [\sigma(y(x_1)) \ldots \sigma(y(x_N))]^T$ and the matrix $\varphi$ has elements $\varphi_{i,j} = K(x_i, x_j)$. The Hessian of $J$ is

$$H = \nabla^2(J) = -(\varphi^T B \varphi + A^*) \qquad (8)$$

where $B = \mathrm{diag}(\beta_1, \ldots, \beta_N)$ is a diagonal matrix with $\beta_i = \sigma(y(x_i))\,[1 - \sigma(y(x_i))]$. The posterior is approximated around $w_{MAP}$ by a Gaussian approximation with covariance

$$\Sigma = -\left(H|_{w_{MAP}}\right)^{-1} \qquad (9)$$

and mean given by

$$\mu = \Sigma\, \varphi^T B\, t \qquad (10)$$

RVM has several advantages: the number of relevance vectors can be much smaller than the number of support vectors, and RVM does not need the tuning of a regularization parameter (C), as SVM does, during the training phase. Thus the proposed dataset can be classified using the RVM classifier.

IV. EXPERIMENTAL RESULTS

KDD Cup99 is an audited standard dataset which includes a training set and a testing set. The data contain the following four major groups of attacks:

i. Denial-of-Service (DoS), like apache2, smurf, pod, etc.
ii. Remote-to-Local (R2L), like worm, phf, imap, etc.
iii. User to Root (U2R), like rootkit, perl and so on.
iv. Probing, like portsweep, nmap, etc.

Attack detection can be measured using the following metrics:

i. False Positive (FP): the number of instances detected as attacks that are actually normal.
ii. False Negative (FN): the number of instances detected as normal that are really attacks. These attacks are the major target of intrusion detection systems.
iii. True Positive (TP): the number of instances detected as attacks that are in fact attacks.
iv. True Negative (TN): the number of instances detected as normal that are actually normal.

1. Performance Measures

The performance measures used to evaluate the proposed KSVM with LM against SVM are:

• Detection rate and
• False-alarm rate

The accuracy of the intrusion detection system is computed based on the detection rate and false alarm rate.
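The RVM training loop of Section III.3, as an added example that is not code from the paper (the authors worked in WEKA): Newton steps built from the gradient (7) and Hessian (8) find w_MAP, equation (9) gives the covariance, and each hyperparameter is then re-estimated and pruned. The re-estimation rule alpha_i = gamma_i / w_i^2 with gamma_i = 1 - alpha_i * Sigma_ii comes from Tipping [17] because the page does not write it out; the Gaussian kernel width, the pruning threshold, the alpha floor and the sample points are assumptions constructed for the illustration.

```python
import math

def kernel(a, b, width=0.3):
    """Gaussian kernel phi(x - x_i); the width 0.3 is an assumed value."""
    return math.exp(-sum((p - q) ** 2 for p, q in zip(a, b)) / (2 * width ** 2))

def sigmoid(y):
    """Logistic sigmoid of equation (5), arranged so exp() cannot overflow."""
    if y >= 0:
        return 1.0 / (1.0 + math.exp(-y))
    return math.exp(y) / (1.0 + math.exp(y))

def inverse(M):
    """Gauss-Jordan inverse with partial pivoting (M is positive definite here)."""
    n = len(M)
    A = [row[:] + [float(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(A[r][c]))
        A[c], A[p] = A[p], A[c]
        d = A[c][c]
        A[c] = [v / d for v in A[c]]
        for r in range(n):
            if r != c:
                f = A[r][c]
                A[r] = [v - f * u for v, u in zip(A[r], A[c])]
    return [row[n:] for row in A]

def objective(Phi, t, w, alpha, act):
    """J(w) of equation (6): Bernoulli log-likelihood plus Gaussian log-prior."""
    J = -0.5 * sum(alpha[j] * w[j] ** 2 for j in act)
    for row, ti in zip(Phi, t):
        y = sum(w[j] * row[j] for j in act)
        z = y if ti == 1 else -y                  # this sample contributes log sigma(z)
        J += -math.log1p(math.exp(-z)) if z >= 0 else z - math.log1p(math.exp(z))
    return J

def train_rvm(X, t, outer=100, prune_at=1e5, floor=1e-4):
    """Return (weights, indices of the retained relevance vectors)."""
    N = len(X)
    Phi = [[kernel(xi, xj) for xj in X] for xi in X]       # phi_ij = K(x_i, x_j)
    alpha, w, act = [1.0] * N, [0.0] * N, list(range(N))
    for _ in range(outer):
        for _ in range(20):                                # Newton search for w_MAP
            f = [sigmoid(sum(w[j] * row[j] for j in act)) for row in Phi]
            grad = [-alpha[j] * w[j] - sum(Phi[i][j] * (f[i] - t[i]) for i in range(N))
                    for j in act]                          # equation (7)
            negH = [[sum(Phi[i][a] * f[i] * (1 - f[i]) * Phi[i][b] for i in range(N))
                     + (alpha[a] if a == b else 0.0) for b in act] for a in act]  # -H, eq. (8)
            Sigma = inverse(negH)                          # equation (9)
            step = [sum(s * g for s, g in zip(row, grad)) for row in Sigma]
            J0, lam = objective(Phi, t, w, alpha, act), 1.0
            for _ in range(30):                            # halve the step until J does not drop
                trial = w[:]
                for k, j in enumerate(act):
                    trial[j] = w[j] + lam * step[k]
                if objective(Phi, t, trial, alpha, act) >= J0:
                    break
                lam /= 2
            w = trial
            if max(abs(lam * s) for s in step) < 1e-7:
                break
        # Re-estimate alpha_j = gamma_j / w_j^2 with gamma_j = 1 - alpha_j * Sigma_jj
        # (rule from Tipping [17]; assumed here, not written out on the page).
        new = {j: max((1.0 - alpha[j] * Sigma[k][k]) / max(w[j] ** 2, 1e-300), floor)
               for k, j in enumerate(act)}
        keep = [j for j in act if new[j] < prune_at]
        if not keep:
            break
        for j in act:
            alpha[j] = new[j]
            if j not in keep:
                w[j] = 0.0                                 # pruned: no longer a relevance vector
        act = keep
    return w, act

def predict_proba(x, X, w, act):
    """P(attack | x) computed from the retained relevance vectors only."""
    return sigmoid(sum(w[j] * kernel(x, X[j]) for j in act))

# Constructed sample: two features already scaled to [0, 1]; label 1 = attack, 0 = normal.
X_TRAIN = [(0.10, 0.15), (0.20, 0.10), (0.15, 0.25), (0.25, 0.20), (0.05, 0.05),
           (0.80, 0.90), (0.90, 0.80), (0.85, 0.75), (0.75, 0.85), (0.95, 0.95)]
T_TRAIN = [0, 0, 0, 0, 0, 1, 1, 1, 1, 1]

if __name__ == "__main__":
    w, rv = train_rvm(X_TRAIN, T_TRAIN)
    print("relevance vectors:", [X_TRAIN[j] for j in rv])
    print([round(predict_proba(x, X_TRAIN, w, rv), 3) for x in [(0.12, 0.18), (0.88, 0.82)]])
```

How many relevance vectors survive depends on the kernel width and the number of re-estimation rounds; strongly overlapping kernels are pruned slowly.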

2. Detection Rate Comparison

Detection rate indicates the percentage of detected attacks among all the attack data, and it is given as

$$\text{Detection Rate} = \frac{TP}{TP + TN} \times 100 \qquad (11)$$

[Figure: bar chart of Detection Rate (%) for KSVM with LM and RVM on the DoS, Probe, U2R and R2L attacks]
Fig 2. Comparison of Detection Rate on Four Attacks

The detection rates for the different types of attacks are shown in Fig 2. From the results it is observed that RVM obtains a better detection rate for DoS attacks as well as for all the other attacks.

3. False Alarm Rate Comparison

False alarm rate indicates the percentage of normal data which is wrongly considered as attack, and it is defined as follows:

$$\text{False Alarm Rate} = \frac{FP}{FP + TN} \times 100 \qquad (12)$$

[Figure: bar chart of False Alarm Rate (%) for KSVM with LM and RVM on the DoS, Probe, U2R and R2L attacks]
Fig 3. Comparison of False Alarm Rate on Four Attacks
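An added example (not from the paper) that turns the TP/FP/TN/FN definitions into per-category rates for the four attack groups named on this page. Detection rate is computed as detected attacks over all attack records of a category (TP over TP + FN), which is the quantity the prose describes, and false alarm rate follows equation (12); the sample records, the `other` bucket for attack names absent from the table, and charging each false alarm to the category that was raised are assumptions of this example.

```python
from collections import Counter

# Attack names listed on this page, mapped to their attack group.
CATEGORY = {"apache2": "DoS", "smurf": "DoS", "pod": "DoS",
            "worm": "R2L", "phf": "R2L", "imap": "R2L",
            "rootkit": "U2R", "perl": "U2R",
            "portsweep": "Probe", "nmap": "Probe"}

def group(label):
    """Map a record label to 'normal', one of the four groups, or 'other'."""
    if label == "normal":
        return "normal"
    # Test data can contain attacks never seen in training; keep them visible.
    return CATEGORY.get(label, "other")

def rates(records):
    """records: (true_label, predicted_label) pairs.
    Returns {group: (detection_rate_pct, false_alarm_rate_pct)}; a rate is
    None when its denominator is zero."""
    attacks, detected, false_alarms = Counter(), Counter(), Counter()
    normals = 0
    for true, pred in records:
        true_g, pred_g = group(true), group(pred)
        if true_g == "normal":
            normals += 1                        # FP + TN
            if pred_g != "normal":
                false_alarms[pred_g] += 1       # FP, charged to the group raised
        else:
            attacks[true_g] += 1                # TP + FN
            if pred_g != "normal":
                detected[true_g] += 1           # TP: flagged as an attack of any group
    out = {}
    for g in sorted(set(attacks) | set(false_alarms)):
        dr = 100.0 * detected[g] / attacks[g] if attacks[g] else None
        far = 100.0 * false_alarms[g] / normals if normals else None
        out[g] = (dr, far)
    return out

# Constructed sample of classifier output (true label, predicted label).
RECORDS = (
    [("smurf", "smurf"), ("smurf", "smurf"), ("pod", "normal"), ("apache2", "pod"),
     ("nmap", "portsweep"), ("portsweep", "normal"),
     ("rootkit", "normal"), ("perl", "normal"),
     ("phf", "imap"),
     ("unseen_attack", "normal"),               # placeholder name not in CATEGORY
     ("normal", "smurf")]
    + [("normal", "normal")] * 7
)

if __name__ == "__main__":
    for g, (dr, far) in rates(RECORDS).items():
        print(g, "detection rate:", dr, "false alarm rate:", far)
```

In this sample the U2R row is the one to watch: both U2R records are missed while the overall false alarm rate stays low, which is why the rates are reported per attack group.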

The false alarm rates for the different types of attacks are shown in Fig 3. From the figure it is observed that the false alarm rate for RVM is lower for DoS attacks as well as for all the other attacks. Thus the experimental results show that the proposed RVM obtains better results.

V. CONCLUSION

At present, security within network communication is of great importance. Since data is considered one of the valuable assets of an organization, providing security against intruders is essential. An intrusion detection system tries to identify security attacks by intruders by investigating data records observed in processes on the network. In this paper, unity-based normalization is proposed to standardize data and a Relevance Vector Machine (RVM) is proposed for efficient classification. The experiment is carried out in WEKA using the KDD Cup 1999 dataset, and the results indicate that the proposed system can provide a better detection rate and a lower false alarm rate than KSVM with LM. As future work, various training algorithms can be employed to improve its performance.

REFERENCES

[1] H. Gunes Kayacik, Nur Zincir-Heywood, “Analysis of Three Intrusion Detection System Benchmark Datasets Using Machine Learning Algorithms”, Proceedings of the IEEE International Conference on Intelligence and Security Informatics, Pp. 362-367, 2005. ISBN: 3-540-25999-6 978-3-540-25999-2
[2] Vipin Das, Vijaya Pathak, Sattvik Sharma, Sreevathsan, MVVNS. Srikanth, T. Gireesh Kumar, “Network Intrusion Detection System based On Machine Learning Algorithms”, International Journal of Computer Science & Information Technology (IJCSIT), Vol. 2, No. 6, December 2010.
[3] D. Anderson, T. Frivold and A. Valdes, “Next-generation intrusion detection expert system (NIDES): a summary”, Technical Report SRI-CSL-95-07, Computer Science Laboratory, SRI International, Menlo Park, CA, 1995.
[4] S. Axelsson, “Research in intrusion detection systems: a survey”, Technical Report TR 98-17 (Revised in 1999), Chalmers University of Technology, Goteborg, Sweden, 1999.
[5] S. Freeman, A. Bivens, J. Branch and B. Szymanski, “Host-based intrusion detection using user Signatures”, Proceedings of the Research Conference, RPI, Troy, NY, 2002.
[6] K. Ilgun, R.A. Kemmerer and P.A. Porras, “State transition analysis: A rule-based intrusion detection approach”, IEEE Trans. Software Eng, Vol. 21, No. 3, Pp. 181–199, 1995.
[7] D. Marchette, “A statistical method for profiling network traffic”, Proceedings of the First USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, CA, Pp. 119–128, 1999.
[8] R.G. Bace, “Intrusion Detection”, Macmillan Technical Publishing, 2000.
[9] B.V. Dasarathy, “Intrusion detection, Information Fusion”, Vol. 4, No. 4, Pp. 243-245, 2003.
[10] Kyaw Thet Khaing, “Enhanced Features Ranking and Selection using Recursive Feature Elimination (RFE) and k-Nearest Neighbor Algorithms in Support Vector Machine for Intrusion Detection System”, International Journal of Network and Mobile Technologies, Vol. 1, No. 1, Pp. 8-14, 2010.
[11] Mohammadreza Ektefa, Sara Memar, Fatimah Sidi and Lilly Suriani Affendey, “Intrusion Detection Using Data Mining Techniques”, IEEE, 2010. ISBN: 978-1-4244-5651-2/10
[12] Jun Wang, Xu Hong, Rong-rong Ren and Tai-hang Li, “A Real-time Intrusion Detection System Based on PSO-SVM”, Proceedings of the 2009 International Workshop on Information Security and Application (IWISA 2009), November 2009. ISBN 978-952-5726-06-0
[13] Witten, I. H., and Frank E. (1999) Data Mining: Practical Machine Learning Tools and Techniques with Java Implementations, Morgan Kaufmann, San Francisco.
[14] KDD Cup network intrusion dataset, http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
[15] Aslıhan Özkaya and Bekir Karlık, “Protocol Type Based Intrusion Detection Using RBF Neural Network”, International Journal of Artificial Intelligence and Expert Systems (IJAE), Vol. 3, No. 4, 2012.
[16] Ben Etzkorn, “Data Normalization and Standardization”, Pp. 1-3, 2012.
[17] Tipping, M. E., “Sparse Bayesian Learning and the Relevance Vector Machine”, Journal of Machine Learning Research, Vol. 1, Pp. 211-244, 2001.
[18] Dimitris G. Tzikas, Liyang Wei, Aristidis Likas, Yongyi Yang and Nikolas P. Galatsanos, “A Tutorial on Relevance Vector Machines For Regression and Classification with Applications”.
[19] B. Venkateswara Reddy, Dr. P. Satish Kumar, Dr. P. Bhaskar Reddy and B. Naresh Kumar Reddy, “Identifying Brain Tumour From MRI Image Using Modified FCM and Support VECTOR MACHINE”, International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 1, 2013, pp. 244-262, Published by IAEME.
[20] Syeda Gauhar Fatima, Dr. Syed Abdul Sattar and Dr. K. Anita Sheela, “Energy Efficient Intrusion Detection System for WSN”, International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 3, Issue 3, 2012, pp. 246-250, Published by IAEME.

AUTHOR BIOGRAPHIES

V. JAIGANESH is working as an Assistant Professor in the Department of Computer Science, Dr. N.G.P. Arts and Science College, Coimbatore, Tamilnadu, India, and is doing his Ph.D. at Manonmaniam Sundaranar University, Tirunelveli, Tamilnadu, India. He did his M.Phil in the area of Data Mining at Periyar University. He did his postgraduate degrees, MCA and MBA, at Periyar University, Salem. He has presented and published a number of papers in reputed conferences and journals. He has about twelve years of teaching and research experience, and his research interests include Data Mining and Networking.

Dr. P. SUMATHI is working as an Assistant Professor in the PG & Research Department of Computer Science, Government Arts College, Coimbatore, Tamilnadu, India. She received her Ph.D. in the area of Grid Computing from Bharathiar University. She did her M.Phil in the area of Software Engineering at Mother Teresa Women’s University and received her MCA degree at Kongu Engineering College, Perundurai. She has published a number of papers in reputed journals and conferences. She has about sixteen years of teaching and research experience. Her research interests include Data Mining, Grid Computing and Software Engineering.