Network intrusion detection model using FDR feature selection and SOM training and classification

  • Emiro De la Hoz Franco, Corporación Universidad de la Costa - CUC. Barranquilla, Colombia.
  • Eduardo Miguel De la Hoz Correa
  • Andrés Ortiz, Universidad de Málaga. Málaga, Spain
  • Julio Ortega, Universidad de Granada. Granada, Spain

Abstract

Current commercial Intrusion Detection Systems (IDS) classify network traffic into normal connections and intrusions by applying signature-based methods. This approach has two problems: only previously known intrusions are detected, and the signature database goes out of date between updates. This article evaluates the efficiency of a proposed network intrusion detection model, using sensitivity and specificity as metrics, through a simulation on the NSL-KDD DARPA dataset: the most relevant features are selected with the Fisher Discriminant Ratio (FDR), and a neural network is trained with an unsupervised learning algorithm based on Self-Organizing Maps (SOM) so that it classifies network traffic into normal connections and attacks automatically. The simulation yielded a sensitivity of 99.69% and a specificity of 56.15%, using 20 and 15 features respectively. A specificity of 56.15% means that roughly 44% of the normal connections in the 15-feature configuration were flagged as attacks, which is the false-positive cost a deployment of such a model would have to absorb.

Keywords: IDS (Intrusion Detection System), FDR (Fisher Discriminant Ratio), SOM (Self-Organizing Maps), NSL-KDD DARPA dataset.
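The pipeline the abstract describes, as an added worked example that is not the paper's code: rank features by FDR, keep the top k, train a SOM on the reduced vectors, label each neuron by majority vote of the training connections it wins, and score the result with sensitivity (attacks detected) and specificity (normal connections accepted). A constructed five-feature dataset stands in for NSL-KDD (two features separate the classes, three are noise); the two-class FDR formula, the 4x4 grid, the learning-rate and neighbourhood schedules, the majority-vote labelling and the fallback to the nearest labelled neuron are this example's assumptions, not parameters reported in the article.

```python
import math
import random


def make_dataset(n, seed=0):
    """Constructed stand-in for NSL-KDD (not real traffic): 5 features per connection,
    label 0 = normal, 1 = attack. Features 0 and 1 separate the classes; 2-4 are
    noise. Values are clipped to [0, 1], i.e. already min-max scaled for the SOM."""
    rng = random.Random(seed)
    X, y = [], []
    for i in range(n):
        label = i % 2
        f0 = rng.gauss(0.8 if label else 0.2, 0.05)
        f1 = rng.gauss(0.7 if label else 0.3, 0.05)
        noise = [rng.random() for _ in range(3)]
        X.append([min(1.0, max(0.0, v)) for v in (f0, f1, *noise)])
        y.append(label)
    return X, y


def fdr_scores(X, y):
    """Two-class Fisher Discriminant Ratio per feature (assumed form):
    FDR_j = (mu_j,normal - mu_j,attack)^2 / (var_j,normal + var_j,attack)."""
    scores = []
    for j in range(len(X[0])):
        per_class = []
        for cls in (0, 1):
            vals = [row[j] for row, lab in zip(X, y) if lab == cls]
            mu = sum(vals) / len(vals)
            per_class.append((mu, sum((v - mu) ** 2 for v in vals) / len(vals)))
        (m0, v0), (m1, v1) = per_class
        scores.append((m0 - m1) ** 2 / (v0 + v1 + 1e-12))  # epsilon guards constant features
    return scores


def select_features(X, scores, k):
    """Keep the k highest-FDR feature indices and project X onto them."""
    keep = sorted(range(len(scores)), key=lambda j: -scores[j])[:k]
    return [[row[j] for j in keep] for row in X], keep


class SOM:
    """Minimal rectangular Kohonen map with a Gaussian neighbourhood."""

    def __init__(self, rows, cols, dim, seed=0):
        rng = random.Random(seed)
        self.rows, self.cols = rows, cols
        self.w = [[rng.random() for _ in range(dim)] for _ in range(rows * cols)]
        self.labels = [None] * (rows * cols)

    def _bmu(self, x):
        """Index of the best matching unit (closest weight vector)."""
        return min(range(len(self.w)),
                   key=lambda i: sum((a - b) ** 2 for a, b in zip(self.w[i], x)))

    def train(self, X, epochs=20, alpha0=0.5, sigma0=None):
        sigma0 = sigma0 or max(self.rows, self.cols) / 2
        total, t = epochs * len(X), 0
        for _ in range(epochs):
            for x in X:
                frac = t / total
                alpha = alpha0 * (1 - frac)          # learning rate decays linearly
                sigma = sigma0 * (1 - frac) + 0.5    # neighbourhood shrinks, never to 0
                br, bc = divmod(self._bmu(x), self.cols)
                for i, w in enumerate(self.w):
                    r, c = divmod(i, self.cols)
                    h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2 * sigma * sigma))
                    for d in range(len(w)):
                        w[d] += alpha * h * (x[d] - w[d])
                t += 1

    def label_neurons(self, X, y):
        """Majority vote of the labelled training connections each neuron wins."""
        votes = [[0, 0] for _ in self.w]
        for x, lab in zip(X, y):
            votes[self._bmu(x)][lab] += 1
        self.labels = [None if n0 == n1 == 0 else int(n1 > n0) for n0, n1 in votes]

    def predict(self, x):
        b = self._bmu(x)
        if self.labels[b] is not None:
            return self.labels[b]
        # Neuron never won a training sample: borrow the nearest labelled neuron's label.
        br, bc = divmod(b, self.cols)
        labelled = [i for i, lab in enumerate(self.labels) if lab is not None]
        nearest = min(labelled, key=lambda i: (divmod(i, self.cols)[0] - br) ** 2
                      + (divmod(i, self.cols)[1] - bc) ** 2)
        return self.labels[nearest]


def sensitivity_specificity(y_true, y_pred):
    """Sensitivity = TP/(TP+FN) over attacks; specificity = TN/(TN+FP) over normals."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    return tp / (tp + fn), tn / (tn + fp)


def run_pipeline(k=2, grid=(4, 4), seed=0):
    X_train, y_train = make_dataset(200, seed=seed)
    X_test, y_test = make_dataset(200, seed=seed + 1)
    scores = fdr_scores(X_train, y_train)
    Xk_train, keep = select_features(X_train, scores, k)
    Xk_test = [[row[j] for j in keep] for row in X_test]
    som = SOM(grid[0], grid[1], dim=k, seed=seed)
    som.train(Xk_train)
    som.label_neurons(Xk_train, y_train)
    sens, spec = sensitivity_specificity(y_test, [som.predict(x) for x in Xk_test])
    return {"fdr": scores, "selected": keep, "sensitivity": sens, "specificity": spec}


if __name__ == "__main__":
    r = run_pipeline()
    print("FDR per feature:", [round(s, 3) for s in r["fdr"]])
    print("selected:", r["selected"],
          "sensitivity: %.4f  specificity: %.4f" % (r["sensitivity"], r["specificity"]))
```

The noise features score FDR values orders of magnitude below the two informative ones and are dropped before the SOM sees them, which is the point of the selection step: a distance-based map trained on all 41 NSL-KDD features would let uninformative dimensions dilute the BMU search. Neurons that never win a training connection carry no label, so the predictor has to decide what to do with them; borrowing the nearest labelled neuron is one choice, treating them as attacks (fail closed) is the other, and the choice shifts specificity.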

About the Authors

Emiro De la Hoz Franco, Corporación Universidad de la Costa - CUC. Barranquilla, Colombia.

Master's in Computer and Network Engineering, Corporación Universidad de la Costa - CUC. Barranquilla, Colombia, edelahoz@cuc.edu.co

Eduardo Miguel De la Hoz Correa

Master's in Computer and Network Engineering, Corporación Universidad de la Costa - CUC. Barranquilla, Colombia, edelahoz6@cuc.edu.co

Andrés Ortiz, Universidad de Málaga. Málaga, Spain

PhD in Information and Communication Technologies, Universidad de Málaga. Málaga, Spain, aortiz@ic.uma.es

Julio Ortega, Universidad de Granada. Granada, Spain

PhD in Information and Communication Technologies, Universidad de Granada. Granada, Spain, julio@atc.ugr.es

Published
2012-10-31
How to cite
De la Hoz Franco, E., De la Hoz Correa, E. M., Ortiz, A., & Ortega, J. (2012). Modelo de detección de intrusiones en sistemas de red, realizando selección de características con FDR y entrenamiento y clasificación con SOM. INGE CUC, 8(1), 85-116. Retrieved from https://revistascientificas.cuc.edu.co/ingecuc/article/view/225