
IDS Model using Improved Bayesian Network to improve the Intrusion Detection Rate

An IDS Model with an Improved Detection Rate through Bayesian Network Improvement

  • Choi, Bomin (Department of Security Technology Team, Korea Internet & Security Agency) ;
  • Lee, Jungsik (Agency for Defense Development) ;
  • Han, Myung-Mook (Department of Computer Engineering, Gachon University)
  • Received : 2014.01.14
  • Accepted : 2014.09.13
  • Published : 2014.10.25

Abstract

In recent years, research on intrusion detection systems that collect and analyze network data, such as packets or logs, has been actively pursued in computer security to respond to network threats. In particular, a Bayesian network has the advantage of an inference capability that can draw conclusions from only part of the provided data, so intrusion detection systems based on Bayesian networks have been studied before. However, those studies were limited in the detection performance they could achieve because they did not address problems such as the complexity of the relations among network packets or the processing of continuous input data. Therefore, in this paper we propose two methodologies based on K-means clustering that improve the detection rate by correcting the problems of the prior models. First, detection can be improved by setting the interval ranges of the nodes precisely on the basis of K-means clustering. Second, it can be improved by calculating a more robust CPT (conditional probability table) through weighted learning, also based on K-means clustering. We conducted experiments to demonstrate the performance of the proposed methodologies by comparing K_WTAN_EM, which applies both of them, with the prior models. The experimental results show that the detection rate of the proposed model is about 7.78% higher than that of the existing NBN (Naive Bayesian Network) IDS model and about 5.24% higher than that of the TAN (Tree Augmented Naive Bayesian Network) IDS model, which demonstrates the merit of the proposed ideas.

Recently in the security field, research has been actively pursued on intrusion detection systems that can respond to network threats by collecting and analyzing network information such as network packets or logs. In particular, a Bayesian network has the advantage of being able to infer intrusions with high accuracy from only a few given pieces of data, so modeling techniques for intrusion detection systems using it have been pursued before. However, because earlier studies did not reflect the problem of the complexity among network packets or the problem of the continuity of the packet data used, there was a limit to the detection accuracy they could produce. Therefore, in this paper we propose two K-means clustering-based methodologies to improve the detection rate by correcting the problems of the earlier models. First, by proposing a K-means clustering-based method of setting precise node interval ranges, the continuous-data processing problem can be improved. Second, by applying weights derived from K-means clustering to learning, a more robust CPT can be produced and detection performance improved. To demonstrate the performance of the proposed methodologies, we compared the detection rate of K_WTAN_EM, which applies both methodologies, with the earlier models. The experimental results show an improvement of about 7.78% in the detection rate of the proposed model over the earlier naive Bayesian network (NBN) model and about 5.24% over the tree-augmented naive Bayesian network (TAN) model, demonstrating the superiority of the proposed method.
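The two K-means steps the abstract describes (cutting a continuous node into intervals at cluster boundaries, then learning a weighted CPT for that node) as an added Python illustration; this is not the paper's code, the sample data is constructed, and the weighting scheme (weight falls off with distance from the nearest centroid) is an assumption standing in for the paper's unspecified weights.

```python
from collections import defaultdict

# Constructed sample: one continuous node (connection duration in seconds) with a
# class label (0 = normal, 1 = attack). Made up for this example, not the paper's data.
SAMPLES = [
    (0.1, 0), (0.2, 0), (0.3, 0), (0.4, 0), (0.5, 0),
    (5.0, 0), (5.2, 0), (5.5, 0), (6.0, 1), (6.1, 1),
    (29.0, 1), (30.0, 1), (31.0, 1), (32.5, 1), (33.0, 1),
]

def nearest(v, centroids):
    """Index of the centroid closest to v."""
    return min(range(len(centroids)), key=lambda i: abs(v - centroids[i]))

def kmeans_1d(values, k, iters=100):
    """Plain 1-D K-means; centroids seeded from evenly spaced order statistics."""
    s = sorted(values)
    centroids = [s[int(len(s) * (i + 0.5) / k)] for i in range(k)]
    for _ in range(iters):
        buckets = [[] for _ in range(k)]
        for v in values:
            buckets[nearest(v, centroids)].append(v)
        new = [sum(b) / len(b) if b else centroids[i] for i, b in enumerate(buckets)]
        if new == centroids:          # converged
            break
        centroids = new
    return sorted(centroids)

def interval_bounds(centroids):
    """Cut points for the node's intervals: midpoints between adjacent centroids."""
    return [(a + b) / 2 for a, b in zip(centroids, centroids[1:])]

def discretize(v, bounds):
    """Index of the interval v falls into (0 .. len(bounds))."""
    return sum(v > b for b in bounds)

def weighted_cpt(samples, centroids, alpha=1.0):
    """P(interval | class) from weighted counts with Laplace smoothing. The weight
    1 / (1 + distance to nearest centroid) is an assumed scheme, not the paper's."""
    bounds, k = interval_bounds(centroids), len(centroids)
    mass = defaultdict(lambda: [0.0] * k)
    for v, cls in samples:
        w = 1.0 / (1.0 + abs(v - centroids[nearest(v, centroids)]))
        mass[cls][discretize(v, bounds)] += w
    return {cls: [(m + alpha) / (sum(row) + alpha * k) for m in row]
            for cls, row in mass.items()}

CENTROIDS = kmeans_1d([v for v, _ in SAMPLES], k=3)   # three intervals for the node
BOUNDS = interval_bounds(CENTROIDS)
CPT = weighted_cpt(SAMPLES, CENTROIDS)                  # {class: [P(interval 0..2 | class)]}
```

Samples far from any centroid contribute less to the CPT, so a handful of outliers shifts the learned probabilities less than it would under plain counting.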



Cited by

  1. Learning and Propagation Framework of Bayesian Network using Meta-Heuristics and EM algorithm considering Dynamic Environments vol.26, pp.5, 2016, https://doi.org/10.5391/JKIIS.2016.26.5.335