Use of K-Nearest Neighbor classifier for intrusion detection
Yihua Liao, V. Rao Vemuri
Mingxing Gong
CISC850 Cyber Analytics

Outline
• Introduction
• Methodology
• Experiments
• Discussion & Conclusion
Introduction
▪ High false alarm probability or low attack detection accuracy
▪ Two general approaches:
  • Misuse detection
  • Anomaly detection
▪ Local ordering vs. frequency of system calls

Nearest Neighbour Rule
Consider a two-class problem where each sample consists of two measurements (x, y).
Compute the k nearest neighbours and assign the class by majority vote.
[Figure: two panels showing the decision for k = 1 and for k = 3]
Reference: www.robots.ox.ac.uk/~dclaus/cameraloc/samples/nearestneighbour.ppt
Methodology
• Apply text categorization methods to intrusion detection

Methodology
• Each document is represented by a vector of words
• Weighting approach: tf·idf (term frequency – inverse document frequency)
• The cosine similarity is defined as follows:
Experiments
• DARPA data
• Cross validation and 50 distinct system calls
KNN classifier algorithm for anomaly detection
KNN classifier performance
Anomaly Detection
• The overall running time of the kNN method is O(N)
• Integrate with signature verification
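The pipeline the Methodology and Anomaly Detection slides describe, as an added worked example (not the authors' code): each process trace is turned into a vector of system-call frequencies (raw frequency weighting or tf·idf, the two schemes the deck compares), cosine similarity is computed against every normal training process, and the process is flagged as abnormal when the average similarity to its k nearest normal neighbors falls below a threshold. The sample traces, the k and threshold values, the smoothed idf formula and the handling of calls never seen in training are all constructed assumptions for illustration; the DARPA data and the paper's actual parameters are not reproduced here.

```python
"""kNN anomaly detector over system-call frequency vectors.

Added illustration, not the paper's code. Assumes the training set holds
only normal processes and that ordering of calls is ignored (frequency
representation, as in the deck's "frequency of system calls" choice).
"""
import math
from collections import Counter

# Constructed sample traces (not DARPA data): the system calls issued by
# four normal processes and by one suspicious process.
NORMAL_TRACES = [
    ["open", "read", "read", "close", "mmap", "write"],
    ["open", "read", "close", "mmap", "mmap", "write"],
    ["open", "read", "read", "read", "close", "write"],
    ["open", "mmap", "read", "close", "write", "write"],
]
SUSPICIOUS_TRACE = ["execve", "setuid", "socket", "connect", "execve", "open"]
UNSEEN = "__unseen__"  # key for the idf weight given to calls absent from training


def inverse_document_frequency(traces):
    """Smoothed idf per call: log((1 + N) / (1 + df)) + 1.

    Smoothing is an assumption made here so that a call present in every
    training process does not get weight 0. Calls never seen in training
    are treated as df = 0, i.e. the rarest possible (also an assumption).
    """
    n = len(traces)
    df = Counter()
    for trace in traces:
        df.update(set(trace))
    idf = {call: math.log((1 + n) / (1 + df[call])) + 1 for call in df}
    idf[UNSEEN] = math.log(1 + n) + 1
    return idf


def process_vector(trace, idf, weighting="tfidf"):
    """Sparse vector (dict) for one process.

    weighting="frequency" uses raw call counts; "tfidf" multiplies each
    count by the call's idf weight.
    """
    tf = Counter(trace)
    if weighting == "frequency":
        return {call: float(count) for call, count in tf.items()}
    return {call: count * idf.get(call, idf[UNSEEN]) for call, count in tf.items()}


def cosine_similarity(a, b):
    """Cosine of the angle between two sparse vectors; 0.0 if either is empty."""
    dot = sum(a[c] * b[c] for c in a if c in b)
    norm_a = math.sqrt(sum(w * w for w in a.values()))
    norm_b = math.sqrt(sum(w * w for w in b.values()))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def knn_score(test_trace, training_traces, k=3, weighting="tfidf"):
    """Average similarity to the k most similar normal training processes.

    One pass over the N training vectors, which is the O(N) cost the deck
    cites for the kNN method.
    """
    idf = inverse_document_frequency(training_traces)
    test_vec = process_vector(test_trace, idf, weighting)
    sims = sorted(
        (cosine_similarity(test_vec, process_vector(t, idf, weighting))
         for t in training_traces),
        reverse=True,
    )
    nearest = sims[:k]
    return sum(nearest) / len(nearest)


def classify(test_trace, training_traces, k=3, threshold=0.8, weighting="tfidf"):
    """Return ("normal" | "abnormal", score). k and threshold are constructed
    values for this example, not the paper's settings."""
    score = knn_score(test_trace, training_traces, k, weighting)
    return ("normal" if score >= threshold else "abnormal"), score


if __name__ == "__main__":
    benign = ["open", "read", "read", "close", "write"]
    for name, trace in (("benign", benign), ("suspicious", SUSPICIOUS_TRACE)):
        for w in ("frequency", "tfidf"):
            label, score = classify(trace, NORMAL_TRACES, weighting=w)
            print(f"{name:10s} {w:9s} score={score:.3f} -> {label}")
```

Because a system call absent from every normal profile is given the largest idf weight, a process dominated by such calls ends up nearly orthogonal to all normal vectors and scores close to zero; a process that reuses the common calls in familiar proportions scores near one under either weighting scheme.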
Frequency Weighting vs. tf·idf Weighting
Discussion
• kNN Classifier advantages
• Compared tf·idf weighting with the frequency weighting
• Classification cost can be further reduced by only using the most influential system calls

Conclusion
• kNN Classifier is able to effectively detect intrusive program behavior with a low false positive rate
• Further research is in process to investigate the reliability and scaling properties of the kNN classifier method

References
[1] www.robots.ox.ac.uk/~dclaus/cameraloc/samples/nearestneighbour.ppt
[2] Yihua Liao, V. Rao Vemuri, 'Use of K-Nearest Neighbor classifier for intrusion detection', Computers & Security, Volume 21, Issue 5, 1 October 2002, Pages 439-448