• Proceedings of the Korean Institute of Intelligent Systems Conference
• /
• 2002.12a
• /
• pp.243-248
• /
• 2002

빠르게 변해 가는 정보화사회에서 침입 탐지 시스템은 정밀성과 적웅성, 그리고 확장성을 필요로 한다. 또한 복잡한 Network 환경에서 중요하고 기밀성이 유지되어야 할 리소스를 보호하기 위해, 더욱 구조적이고 지능적인 IDS(Intrusion Detection System)개발의 필요성이 요구되고 있다. 본 연구는 이를 위한, 지능적인 IDS를 위해 침입패턴을 생성하기 위한 모델을 도출함에 목적이 있다. 침입 패턴은 방대한 양의 데이터를 갖게 되고, 이를 정확하고 효율적으로 관리하기 위해서 데이터마이닝의 주요 2분야인 Link analysis와 Sequence analysis를 이용하여 정확하고 신뢰성 있는 침입규칙을 생성하기 위한 모델을 도출해낸다 이 모델은 "Time Based Traffic Model", "Host Based Traffic Model", "Content Model"로 각각 상이한 침입 패턴을 생성하게 된다. 이 모델을 이용하면 좀더 효율적이고 안정적으로 패턴을 생성 할 수 있다, 즉 지능형 시스템기반의 침입 탐지 모델을 구현할 수 있다. 이러한 모델로 생성한 규칙은 침입데이터를 대표하는 규칙이 되고, 이는 비정상 사용자와 정상 사용자를 분류하게 된다 모델에 사용된 데이터는 KDD컨테스트의 데이터를 이용하였다. 사용된 데이터는 KDD컨테스트의 데이터를 이용하였다.

• Journal of Intelligence and Information Systems
• /
• v.17 no.4
• /
• pp.157-173
• /
• 2011

As the Internet use explodes recently, the malicious attacks and hacking for a system connected to network occur frequently. This means the fatal damage can be caused by these intrusions in the government agency, public office, and company operating various systems. For such reasons, there are growing interests and demand about the intrusion detection systems (IDS)-the security systems for detecting, identifying and responding to unauthorized or abnormal activities appropriately. The intrusion detection models that have been applied in conventional IDS are generally designed by modeling the experts' implicit knowledge on the network intrusions or the hackers' abnormal behaviors. These kinds of intrusion detection models perform well under the normal situations. However, they show poor performance when they meet a new or unknown pattern of the network attacks. For this reason, several recent studies try to adopt various artificial intelligence techniques, which can proactively respond to the unknown threats. Especially, artificial neural networks (ANNs) have popularly been applied in the prior studies because of its superior prediction accuracy. However, ANNs have some intrinsic limitations such as the risk of overfitting, the requirement of the large sample size, and the lack of understanding the prediction process (i.e. black box theory). As a result, the most recent studies on IDS have started to adopt support vector machine (SVM), the classification technique that is more stable and powerful compared to ANNs. SVM is known as a relatively high predictive power and generalization capability. Under this background, this study proposes a novel intelligent intrusion detection model that uses SVM as the classification model in order to improve the predictive ability of IDS. Also, our model is designed to consider the asymmetric error cost by optimizing the classification threshold. Generally, there are two common forms of errors in intrusion detection. The first error type is the False-Positive Error (FPE). In the case of FPE, the wrong judgment on it may result in the unnecessary fixation. The second error type is the False-Negative Error (FNE) that mainly misjudges the malware of the program as normal. Compared to FPE, FNE is more fatal. Thus, when considering total cost of misclassification in IDS, it is more reasonable to assign heavier weights on FNE rather than FPE. Therefore, we designed our proposed intrusion detection model to optimize the classification threshold in order to minimize the total misclassification cost. In this case, conventional SVM cannot be applied because it is designed to generate discrete output (i.e. a class). To resolve this problem, we used the revised SVM technique proposed by Platt(2000), which is able to generate the probability estimate. To validate the practical applicability of our model, we applied it to the real-world dataset for network intrusion detection. The experimental dataset was collected from the IDS sensor of an official institution in Korea from January to June 2010. We collected 15,000 log data in total, and selected 1,000 samples from them by using random sampling method. In addition, the SVM model was compared with the logistic regression (LOGIT), decision trees (DT), and ANN to confirm the superiority of the proposed model. LOGIT and DT was experimented using PASW Statistics v18.0, and ANN was experimented using Neuroshell 4.0. For SVM, LIBSVM v2.90-a freeware for training SVM classifier-was used. Empirical results showed that our proposed model based on SVM outperformed all the other comparative models in detecting network intrusions from the accuracy perspective. They also showed that our model reduced the total misclassification cost compared to the ANN-based intrusion detection model. As a result, it is expected that the intrusion detection model proposed in this paper would not only enhance the performance of IDS, but also lead to better management of FNE.

• Journal of the Korean Institute of Intelligent Systems
• /
• v.13 no.2
• /
• pp.237-242
• /
• 2003

In this paper, we propose a new adaptive intrusion detection algorithm based on clustering: Kernel-ART, which is composed of the on-line clustering algorithm, ART (adaptive resonance theory), combining with mercer-kernel and concept vector. Kernel-ART is not only satisfying all desirable characteristics in the context of clustering-based IDS but also alleviating drawbacks associated with the supervised learning IDS. It is able to detect various types of intrusions in real-time by means of generating clusters incrementally.

• Journal of Intelligence and Information Systems
• /
• v.15 no.4
• /
• pp.23-36
• /
• 2009

Network intrusion detection have been continuously improved by using data mining techniques. There are two kinds of methods in intrusion detection using data mining-supervised learning with class label and unsupervised learning without class label. In this paper we have studied the way of improving network intrusion detection accuracy by using LBG clustering algorithm which is one of unsupervised learning methods. The K-means method, that starts with random initial centroids and performs clustering based on the Euclidean distance, is vulnerable to noisy data and outliers. The nonuniform binary split algorithm uses binary decomposition without assigning initial values, and it is relatively fast. In this paper we applied the EM(Expectation Maximization) based LBG algorithm that incorporates the strength of two algorithms to intrusion detection. The experimental results using the KDD cup dataset showed that the accuracy of detection can be improved by using the LBG algorithm.

• The Transactions of the Korea Information Processing Society
• /
• v.6 no.12
• /
• pp.3622-3633
• /
• 1999

Computer security is considered important due to tile side effect generated from the expansion of computer network and rapid increase of the use of computers. Intrusion Detection System(IDS) has been an active research area to reduce the risk from intruders. This paper discusses IDS of detecting anomaly behaviors and proposes a new intelligent IDS model, which consists of several computers with intelligent IDS, based on computer immune system. The intelligent IDSs are distributed and if any of distributed IDSs detect anomaly system call among system call sequences generated by a privilege process, the anomaly system call can be dynamically shared with other IDSs. This makes the intelligent IDSs improve the ability of immunity for new intruders.

• Proceedings of the Korea Inteligent Information System Society Conference
• /
• 1999.03a
• /
• pp.373-379
• /
• 1999

This pqer investigates the subject of intrusion detection over networks. Existing network-based IDS's are categorised into three groups and the overall architecture of each group is summarised and assessed. A new methodology to this problem is then presented, which is inspired by the human immune system and based on a novel artificial immune model. The architecture of the model is presented and its characteristics are compared with the requirements of network-based IDS's. The paper concludes that this new approach shows considerable promise for future network-based IDS's.

• Proceedings of the KIEE Conference
• /
• 2006.04a
• /
• pp.147-149
• /
• 2006

We designed an intelligent intrusion detection scheme that works based on target system's operational states and doesn't depend on humans' analysis. As a prior work, we presents a scheme to describe computer system's operational states. For this, Hidden Markov Model is used. As input to modeling, huge amount of system audit trail including data on events occurred in target system connected to network and target system's resource usage monitoring data is used. We can predict system's future state based on current events' sequence using developed model and determine whether it would be in daniel or not.

• International Journal of Fuzzy Logic and Intelligent Systems
• /
• v.8 no.4
• /
• pp.316-321
• /
• 2008

Advanced computer network technology enables computers to be connected in an open network environment. Despite the growing numbers of security threats to networks, most intrusion detection identifies security attacks mainly by detecting misuse using a set of rules based on past hacking patterns. This pattern matching has a high rate of false positives and can not detect new hacking patterns, which makes it vulnerable to previously unidentified attack patterns and variations in attack and increases false negatives. Intrusion detection and analysis technologies are thus required. This paper investigates the asymmetric costs of false errors to enhance the performances the detection systems. The proposed method utilizes the network model to consider the cost ratio of false errors. By comparing false positive errors with false negative errors, this scheme achieved better performance on the view point of both security and system performance objectives. The results of our empirical experiment show that the network model provides high accuracy in detection. In addition, the simulation results show that effectiveness of anomaly traffic detection is enhanced by considering the costs of false errors.

• KIPS Transactions on Software and Data Engineering
• /
• v.10 no.2
• /
• pp.65-72
• /
• 2021

Recently, attacks on the network environment have been rapidly escalating and intelligent. Thus, the signature-based network intrusion detection system is becoming clear about its limitations. To solve these problems, research on machine learning-based intrusion detection systems is being conducted in many ways, but two problems are encountered to use machine learning for intrusion detection. The first is to find important features associated with learning for real-time detection, and the second is the imbalance of data used in learning. This problem is fatal because the performance of machine learning algorithms is data-dependent. In this paper, we propose the HSF-DNN, a network intrusion detection model based on a deep neural network to solve the problems presented above. The proposed HFS-DNN was learned through the NSL-KDD data set and performs performance comparisons with existing classification models. Experiments have confirmed that the proposed Hybrid Feature Selection algorithm does not degrade performance, and in an experiment between learning models that solved the imbalance problem, the model proposed in this paper showed the best performance.

• Journal of the Korean Institute of Intelligent Systems
• /
• v.12 no.5
• /
• pp.411-416
• /
• 2002

Recently, the trial and success of malicious cyber attacks has been increased rapidly with spreading of Internet and the activation of a internet shopping mall and the supply of an online internet, so it is expected to make a problem more and more. Currently, the general security system based on Internet couldn't cope with the attack properly, if ever, other regular systems have depended on common softwares to cope with the attack. In this paper, we propose the positive selection mechanism and negative selection mechanism of T-cell, which is the biological distributed autonomous system, to develop the self/non-self recognition algorithm, the anomalous behavior detection algorithm, and AIS (Artificial Immune System) that is easy to be concrete on the artificial system. The proposed algorithm can cope with new intrusion as well as existing one to intrusion detection system in the network environment.