Entropy Based Fuzzy Rule Weighting for Hierarchical Intrusion Detection

Document Type: Research Paper


Department of Computer Science and Eng. and IT, School of Electrical and Computer Engineering, Shiraz University, Shiraz, Iran


Predicting different behaviors in computer networks is the subject of many data mining researches. Providing a balanced Intrusion Detection System (IDS) that directly addresses the trade-off between the ability to detect new attack types and providing low false detection rate is a fundamental challenge. Many of the proposed methods perform well in one of the two aspects, and concentrate on a subset of system requirements. There are many non-functional requirements for an applicable and practical IDS. The process should be online, incremental and adaptive to ever changing behaviors of normal users and attackers. Moreover providing comprehensive and interactive IDS could both, enhance the performance of the system and extend the knowledge of domain experts.
In this paper, we propose a fuzzy rule-based classification system using a hierarchical rule learning method. In each stage of the hierarchy, a set of rules with certain length of antecedent are investigated. A novel rule weighting method, based on the entropy measure, determines the appropriateness of each rule. The experimental results on KDD99 intrusion detection dataset show the effectiveness of the proposed method in tackling the tradeoff between accuracy and comprehensibility of fuzzy rule-based systems. Although the dimension of antecedents is not limited, the resultant rule-base contains a small number of complex rules, which are essential to reach the desired accuracy.


bibitem{ref55}    R. Agarwal and M. V. Joshi, {it PNrule: a new framework for learning classifier models in data mining (a case-study in network intrusion detection}, 2000.

bibitem{ref46}    A. Ahmad and L. Dey, {it A k-means type clustering algorithm for subspace clustering of mixed numeric and categorical datasets}, Pattern Recognition Letters, {bf 32(7)} (2011), 1062-1069.

bibitem{ref2}    R. Bace and P. Mell, {it Intrusion detection systems. US Dept. of Commerce, Technology Administration}, National Institute of Standards and Technology, 2001.

bibitem{ref27}    M. Behdad, L. Barone, T. French and M. Bennamoun, {it On XCSR for electronic fraud detection}, (2012), 139-150.

bibitem{ref7}    E. Biermann, E. Cloete and L. M. Venter, {it A comparison of Intrusion detection systems}, Computers $&$ Security, {bf 20}textbf{(8)} (2001), 676-683.

bibitem{ref24}    S. M. Bridges and R. B. Vaughn, {it Fuzzy data mining and genetic algorithms applied to intrusion detection}, The 23rd National Information Systems Security Conference, Baltimore, MA, (2000), 13-31.

bibitem{ref3}    D. J. Brown, B. Suckow and T. Wang, {it A survey of intrusion detection systems}, Department of Computer Science, University of California, San Diego, 2002.

bibitem{ref5}    V. Chandola, A. Banerjee and V. Kumar, {it Anomaly detection for discrete sequences: a survey}, IEEE Transactions on Knowledge and Data Engineering, {bf 24}textbf{(5)} (2012), 823-839.

bibitem{ref48}    C. H. Cheng, A. W. Fu, Y. Zhang and Y. Chen {it Entropy-based subspace clustering for mining numerical data}, The fifth ACM SIGKDD international conference on Knowledge discovery and data mining, {bf 1(4)} (1999), 84-93.

bibitem{ref41}    T. S. Chou, K. K. Yen and J. Luo, {it Network intrusion detection design using feature selection of soft computing paradigms}, International Journal of Computational Intelligence, {bf 4(3)} (2008), 196-208.

bibitem{ref32}    O. Cord'{o}n, M. J. del Jesus and F. Herrera, {it A proposal on reasoning methods in fuzzy rule-based classification systems}, International Journal of Approximate Reasoning, {bf 20 (1)} (1999), 21-45.

bibitem{ref56}    H. Dam, K. Shafi and H. Abbass, {it Can evolutionary computation handle large datasets? A study into network intrusion detection}, AI 2005: Advances in Artificial Intelligence, Springer Berlin Heidelberg, (2005), 1092-1095.

bibitem{ref26}    P. Dixon, D. Corne and M. Oates, {it A rule set reduction algorithm for the XCS learning classifier system}, Springer Berlin Heidelberg, (2003), 20-29.

bibitem{ref38}    C. Elkan, {it Results of the KDD$'$99 classifier learning}, ACM SIGKDD Explorations Newsletter, {bf 1(2)} (2000), 63-64.

bibitem{ref59}    S. Ghodratnama, M. R. Moosavi, M. Taheri and M. Zolghadri Jahromi, {it A cost sensitive learning algorithm for intrusion detection}, The 18th Iranian Conference on Electrical Engineering (ICEE), (2010), 559-565.

bibitem{ref1}    G. Giacinto, F. Roli and L. Didaci, {it A modular multiple classifier system for the detection of intrusions in computer networks}, Multiple Classifier Systems, (2003), 346-355.

bibitem{ref29}    A. Gonzalez, R. Perez and J. L. Verdegay, {it Learning the structure of a fuzzy rule: a genetic approach}, Fuzzy Systems and Artificial Intelligence, {bf 3(1)} (1994), 57-70.

bibitem{ref30}    A. Gonzalez and R. Perez, {it SLAVE: a genetic learning system based on an iterative approach}, Fuzzy Systems, IEEE Transactions on, {bf 7(2)} (1999), 176-191.

bibitem{newref54}    A. Gonzalez and R. Perez, {it Completeness and consistency conditions for learning fuzzy rules}, Fuzzy Sets and Systems, {bf 96(1)} (1998), 37-51.

bibitem{ref13}    S. J. Han and S. B. Cho, {it Detecting intrusion with rule-based integration of multiple models}, Computers $&$ Security, {bf22(7)} (2003), 613-623.

bibitem{ref52}    J. Han, M. Kamber and J. Pei, {it Data mining: concepts and techniques, second edition (The Morgan Kaufmann series in data management systems)}, Morgan Kaufmann, (2005), 800.

bibitem{ref37}    S. J. Horng, M. Y. Su, Y. H. Chen, T. W. Kao, R. J. Chen, J. L. Lai and C. D. Perkasa, {it A novel intrusion detection system based on hierarchical clustering and support vector machines}, Expert Systems with Applications, {bf 38(1)} (2011).

bibitem{ref21}    H. H. Hosmer, {it Security is fuzzy!: applying the fuzzy logic paradigm to the multipolicy paradigm}, In Proceedings of the 1992-1993 workshop on New security paradigms, (1993), 175-184.

bibitem{ref20}    K. Hwang, M. Cai, Y. Chen and M. Qin, {it Hybrid intrusion detection with weighted signature generation over anomalous internet episodes}, IEEE Transactions on Dependable and Secure Computing, {bf 4} (2007), 41-55.

bibitem{ref34}    H. Ishibuchi and T. Nakashima, {it Effect of rule weights in fuzzy rule-based}, IEEE Transactions on Fuzzy Systems, {bf 9(4)} (2001), 506-515.

bibitem{ref35}    H. Ishibuchi, T. Nakashima and T. Murata, {it Performance evaluation of fuzzy classifier systems for multidimensional pattern classification problems}, IEEE Transactions on Systems, Man and Cybernetics, Part B: Cybernetics, {bf 29(5)} (1999), 601-618.

bibitem{ref36}    H. Ishibuchi and T. Yamamoto, {it Fuzzy rule selection by multi-objective genetic local search algorithms and rule evaluation measures in data mining}, Fuzzy Sets and Systems, {bf 141} (2004), 59 - 88.

bibitem{newref53}    H. Ishibuchi and T. Yamamoto, {it Comparison of heuristic criteria for fuzzy rule selection in classification problems}, Fuzzy Optimization and Decision Making, {bf 3(2)} (2004), 119-139.

bibitem{ref31}    M. Z. Jahromi and M. R. Moosavi, {it Designing cost-sensitive fuzzy classification systems using rule-weight}, The First International Conference on Advances in Information Mining and Management (IMMM), (2011), 168-173.

bibitem{newref39_1}    H. G. Kayacik, A. Nur Zincir-Heywood and M. I. Heywood, {it Selecting features for intrusion detection: a feature relevance analysis on KDD 99 intrusion detection datasets}, The Third Annual Conference on Privacy, Security and Trust, 2005.

bibitem{ref40}    KDD Cup 1999 Intrusion detection dataset, http://kdd.ics.uci.edu / databases / kddcup99 / kddcup99.html, 2007.

bibitem{ref4}    T. D. Lane, {it Machine learning techniques for the computer security domain of anomaly detection}, Department of Electrical and Computer Engineering, Purdue University, 2000.

bibitem{ref12}    H. Lee, J. Song and D. Park, {it Intrusion Detection System Based on Multi-class SVM}, Springer-Verlag Berlin Heidelberg, (2005), 511-519.

bibitem{ref22}    K. C. Lee and L. Mikhailov, {it Intelligent Intrusion Detection System}, Intelligent Systems, 2nd International IEEE Conference, {bf 2} (2004), 497-502.

bibitem{ref54}    I. Levin and H. marganit Street, {it KDD-99 classifier learning contest: LLSoft$'$s results overview},  SIGKDD explorations, {bf 1(2)} (2000), 67-75.

bibitem{ref39}    R. P. Lippmann, J. W. Haines, D. J. Fried, J. Korba and K. Das, {it The 1999 DARPA off-line intrusion detection evaluation}, Computer Networks, {bf 34(4)} (2000), 579-595.

bibitem{ref42}    R. P. Lippmann, D. J. Fried, I. Graf, J. W. Haines, K. R. Kendall, D. McClung, D. Weber, S. E. Webster, D. Wyschogrod, R. K. Cunningham, others and M. A. Zissman, {it Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation}, DARPA Information Survivability Conference and Exposition (DISCEX  $'$00), {bf 2} (2000), 12-26.

bibitem{ref10}    A. Mitrokotsa and C. Dimitrakakis, {it Ad Hoc Networks Intrusion detection in MANET using classification algorithms : the effects of cost and model selection}, AD HOC Networks, 2012.

bibitem{ref8}    M. R. Moosavi, M. Zolghadri Jahromi, S. Ghodratnama, M. Taheri and M. H. Sadreddini, {it A Cost sensitive learning method to tune the nearest neighbour for intrusion detection}, The Iranian Journal of Science and Technology, Transaction of Electrical $&$ Computer Engineering, {bf 36(E2)} (2012).

bibitem{ref50}    M. R. Moosavi, M. Fazaeli Javan, M. Zolghadri Jahromi and M. H. Sadreddini, {it An adaptive nearest neighbor classifier for noisy environments}, The 18th Iranian Conference on Electrical Engineering, (2010), 576-580.

bibitem{ref11}    T. Ozyer, R. Alhajj and K. Barker, {it Intrusion detection by integrating boosting genetic fuzzy classifier and data mining criteria for rule pre-screening}, Journal of Network and Computer Applications, {bf 30} (2007), 99-113.

bibitem{ref19}    Z. S. Pan, S. Chen, G. B. Hu and D. Q. Zhang, {it Hybrid neural network and C4. 5 for misuse detection}, Machine Learning and Cybernetics, International Conference on, {bf 4} (2003), 2463-2467.

bibitem{ref6}    M. Panda, A. Abraham, S. Das and M. R. Patra, {it Network intrusion detection system: a machine learning approach}, Intelligent Decision Technologies, {bf 5}textbf{(4)} (2011), 347-356.

bibitem{ref14}    A. Patcha and J. min Park, {it An overview of anomaly detection techniques : existing solutions and latest technological trends}, Computer Networks, {bf 51} (2007), 3448-3470.

bibitem{ref47}    L. Peng and J. Zhang, {it An entropy weighting mixture model for subspace clustering of high-dimensional data}, Pattern Recognition Letters, {bf32(8)} (2011), 1154-1161.

bibitem{ref18}    B. Pfahringer, {it Winning the KDD99 classification cup: bagged boosting}, ACM SIGKDD Explorations Newsletter, {bf 1(2)} (2000),65-66.

bibitem{ref9}    P. E. Proctor,{it Practical intrusion detection handbook}, Prentice Hall PTR, (2001), 392.

bibitem{ref44}    J. R. Quinlan, {it C4.5: programs for machine learning}, Morgan Kaufmann, (1993), 280.

bibitem{ref43}    M. Sabhnani and G. Serpen, {it Why machine learning algorithms fail in misuse detection on KDD intrusion detection data set}, Intelligent Data Analysis, {bf 8(4)} (2004), 403-415.

bibitem{ref23}    H. Schumacher and S. Ghosh, {it A fundamental framework for network security}, Journal of Network and Computer Applications, {bf 20(3)} (1997), 305-322.

bibitem{ref25}    K. Shafi and H. A. Abbass, {it An adaptive genetic-based signature learning system for intrusion detection}, Expert Systems with Applications, {bf 36(10)} (2009),12036-12043.

bibitem{ref57}    K. Shafi, T. Kovacs, H. Abbass and W. Zhu, {it Intrusion detection with evolutionary learning classifier systems}, Natural Computing, {bf 8(1)} (2009), 3-27.

bibitem{ref51}    C. E. Shannon and W. Weaver, {it The mathematical theory of communication}, Urbana, IL: Univ. of Illinois Press, 1949.

bibitem{ref45}    S. S. Sivatha Sindhu, S. Geetha and A. Kannan, {it Decision tree based light weight intrusion detection using a wrapper approach}, Expert Systems with Applications, {bf 39(1)} (2012), 129-141.

bibitem{ref53}    M. Tavallaee, E. Bagheri, W. Lu and A. A. Ghorbani, {it A detailed analysis of the KDD CUP 99 data set}, The Second IEEE International Conference on Computational intelligence for Security and Defense Applications, (2009), 53-58.

bibitem{ref28}    A. N. Toosi and M. Kahani, {it A new approach to intrusion detection based on an evolutionary soft computing model using neuro-fuzzy classifiers}, Computer Communications, {bf 30(10)} (2007), 2201-2212.

bibitem{ref15}    C. H. Tsang, S. Kwong and H. Wang, {it Genetic-fuzzy rule mining approach and evaluation of feature selection techniques for anomaly intrusion detection}, Pattern Recognition, {bf40(9)} (2007), 2373-2391.

bibitem{ref58}    S. X. Wu and W. Banzhaf, {it The use of computational intelligence in intrusion detection systems: A review}, Applied Soft Computing, {bf 10(1)} (2010), 1-35.

bibitem{ref16}    C. Xiang, M. Y. Chong and H. L. Zhu, {it Design of mnitiple-level tree classifiers for intrusion detection system}, IEEE Conference on Cybernetics and Intelligent Systems 2004, {bf 2 } (2004), 873-878.

bibitem{ref17}    C. Xiang, P. C. P. C. Yong and L. S. L. S. Meng, {it Design of multiple-level hybrid classifier for intrusion detection system using Bayesian clustering and decision trees}, Pattern Recognition Letters, {bf 29(7)} (2008),918-924.

bibitem{ref49}    J. Yao, M. Dash, S. S. Tan and H. Liu, {it Entropy-based fuzzy clustering and fuzzy modeling}, Fuzzy Sets and Systems, {bf 113(3)} (2000), 381-388.

bibitem{ref33}    M. J. Zolghadri and E. G. Mansoori, {it Weighting fuzzy classification rules using receiver operating characteristics (ROC) analysis}, Information Sciences, {bf 177(11)} (2007), 2296-2307.