JOURNAL OF COMPUTING, VOLUME 4, ISSUE 12, DECEMBER 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.

ORG

17

PRIORITIZATION OF DETECTED INTRUSION IN BIOMETRIC TEMPLATE STORAGE FOR PREVENTION USING NEURO-FUZZY APPROACH
Prof. Maithili Arjunwadkar , Prof. Dr. R. V. Kulkarni
Abstract The biometric authentication process is vulnerable to attacks, which can decline its security. To enhance the security of biometric process, Intrusion detection and prevention techniques are significantly useful. In this paper, a Neuro-Fuzzy approach is used to decide priorities for detected intrusions in biometric template storage to implement preventive actions. A Neuro-Fuzzy approach is used. We used FuzzyJess and Java to achieve this prioritization. Priority table is produced as output which is useful to security administrator to implement preventive actions for detected intrusion in biometric template storage. Keywords: Biometric template, intelligent agent, Java Expert System Shell(JESS), FuzzyJess, fuzzy logic

1 INTRODUCTION
Biometric process or biometric encryption process is divided into two processes namely enrollment & authentication process. During the enrollment process, the users physiological & behavioral characteristics are captured by the sensor. The different feature extractor or key binding algorithms are used to create biometric template. The template is stored during enrollment process to be compared in the future to the one produced during an authenticate process. The stored template & the one produced during authentication process is compared by matching algorithm that produces matching result (response Yes/NO). The match response then sends to the application, on which a decision algorithm is implemented for granting access or not to the user. Ratha et al. [1] analyzed these attacks and grouped them into eight classes. Dimitriadis [2] also suggests different attacks on biometric process. The biometric template stores in smart card, central repository, sensing device. Attacks on the biometric template storage can lead to the vulnerabilities like insertion of a fake template, modification of an existing template, removal of an existing template, and replicate the template which can be replayed to the matcher to gain unauthorized access. Maithili et al [3] proposed an intelligent tool which assists in detection of intrusions in biometric template storage. In this paper authors propose an intelligent agent which assists to decide the priority for prevention of intrusion in the biometric template storage using Neuro-Fuzzy. Neural Network (NN) can be learn from data but cannot be interpreted. They are black boxes to the user. A fuzzy system consists of interpretable linguistic rules but they cannot learn. A fuzzy rule-based model constructed using NN to construct its fuzzy partition of the input space. We use learning algorithm from the domain of neural networks to create fuzzy system from data. The learning algorithm can learn both fuzzy sets and fuzzy rules and can also use prior knowledge. A Neuro-Fuzzy system is a fuzzy system that uses a learning algorithm derived from or inspired by neural network theory to determine its parameters (fuzzy sets and fuzzy rules) by processing data samples. A Neuro-Fuzzy system can be viewed as a 3-layer feedforward neural network. The first layer represents input variables, the middle (hidden) layer represents fuzzy rules and the third layer represents output variables. Fuzzy sets are encoded as (fuzzy) connection weights. It is not necessary to represent a fuzzy system like this to apply a learning algorithm to it. However, it can be convenient, because it represents the data flow of input processing and learning within the model. Neural networks can learn from data, but cannot be interpreted; they are black boxes to the user. Fuzzy Systems consist of

2012 Journal of Computing Press, NY, USA, ISSN 2151-9617

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 12, DECEMBER 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

18

interpretable linguistic rules, but they cannot learn. The learning algorithms can learn both fuzzy sets, and fuzzy rules, and can also use prior knowledge. Membership functions can either be chosen by the user arbitrarily, based on the users experience (MF chosen by two users could be different depending upon their experiences, perspectives, etc.) Or be designed using machine learning methods (e.g., artificial neural networks, genetic algorithms, etc.) There are different shapes of membership functions; triangular, trapezoidal, piecewise-linear, Gaussian, bell-shaped, etc.

2 PROPOSED SYSTEM
The proposed Neuro-Fuzzy model used is feedforward architecture with five layers of neurons. A feedforward neural network is an artificial neural network where connections between the units do not form a directed cycle. It maps a fuzzy system to a neural network that will simulate the inference process executed in the fuzzy system. Maithili et al3 developed intelligent agent as Biometric Template Storage Intrusion Detection Assistant which shown in fig.1. The screen of the Biometric Template Storage Intrusion Detection Assistant which displays two tables namely User Intrusion which contains suspicious activities of normal users and DBA intrusion which contains suspicious activities of DBA. Three tables which are used as suspicious user frequency, suspicious host frequency and suspicious host frequency used by DBA login. These tables are used to find out most suspicious user or host and that knowledge is used for taking any preventive actions. One bar graph shows which transaction is done repeatedly as suspicious activity by normal user while another one that of DBA. We use the first layer of the fuzzy neural system receives input values and feeds them to the second level, so it has four inputs namely type of user, suspicious host frequency, suspicious user frequency and transaction type. The second layer determines the degree of membership of each variable to the fuzzy sets to which it belongs. The third layer represents the fuzzy rules that will combine the input variables using rules of the type if-then. In the next layer, each node will represent one fuzzy set from the consequent elements of the rules, the output variables. The architecture of proposed model is shown in fig.2. Fuzzy concepts are represented using fuzzy variables, fuzzy sets and fuzzy values. A FuzzyVariable is used to describe a general fuzzy concept. It consists of a name (for example,

Suspicious Host Frequency, Suspicious User Frequency, a range (for example, from 0 to Max value), and a set of fuzzy terms that can be used to describe specific fuzzy concepts for this variable. The fuzzy terms are defined using a term name such as Very High, High, Low, and Very Low together with a Fuzzy Set that identifies the degree of membership of the term over the range of the fuzzy variable. Jess, the Java Expert System Shell, provides a rich and flexible environment for creating rule-based Expert systems. The rules of jess allow one to build systems. However these facts and rules cannot capture any uncertainty or ambiguity which is present in the domain. But extension of Jess that allows some form of uncertainty to be captured and represented using fuzzy sets and fuzzy reasoning. The NRC FuzzyJ Toolkit can be used to create Java programs that encode fuzzy operations and fuzzy reasoning. However, a rule based expert system shell (Jess) provides a convenient and suitable way to encode many types of applications. Fuzzy logic programs fit nicely into the rule based paradigm. An integration of the FuzzyJ Toolkit and Jess is FuzzyJess [4]-[5]. FuzzyJess provides a great deal more flexibility in the fuzzy patterns and does not require internal changes to any Jess parsing technique. When fuzzy facts are asserted in the rules, FuzzyJess automatically takes care of the global contribution issue. As identical fuzzy facts are asserted from different rules the contribution from each rule is accumulated. A fuzzy rule fires in Jess when the fuzzy (and crisp) patterns on the left hand side of the rule match. The fuzzy matching is controlled by the use of the fuzzy-match function. However when the right hand side of the rule is executed it is often necessary to know what fuzzy values matched the fuzzy patterns specified in the fuzzy match function calls. In particular, this information is required when a fuzzy fact is being asserted since the shape of the fuzzy value being asserted depends on the degree of matching of the fuzzy patterns on the right hand side.

2.1 Fuzzy Inference Engine The inference engine makes use of FuzzyJess to evaluate fuzzy logic rules. The inputs to the Fuzzy Inference Engine are Fuzzification of the input Variables i.e. FuzzyVariable in FuzzyJess, The fuzzy rules fired within the FuzzyJess environment and the records, which are asserted as facts in FuzzyJess. FuzzyJess can be configured to use Mamdani or Larsen inference mechanisms to compute the firing strength of each rule applied to each fact. Mamdani

2012 Journal of Computing Press, NY, USA, ISSN 2151-9617

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 12, DECEMBER 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

19

Method uses the minimum operation as fuzzy implications and the max-min operator for the composition. Larsen method uses the product operation as a fuzzy implication and the maxproduct operator for the composition. The evaluation of rules begins with the analysis of the antecedent. Rules fire until no more rules match the facts in working memory. Only one rule fires per cycle. The inference engine will match the facts against fuzzy rules, fire rules and execute the associated actions shown in fig 3.

2.2 Our approach A simple implementation of knowledge based Biometric Template storage Intrusion Detection assistant is portrayed3. This intelligent agent is located on the Biometric Template storage database. The intrusion detection is executed in back-ground. When it detects suspicious or illegal activities, it notifies the security administrator. For detecting intrusive activities, IDS can use audit file data. We consider Distributed HOST-based IDS which are in-charge of monitoring several hosts. It performs intrusion detection using Operating Systems audit trail, RDBMS audit trail or information from multiple monitored hosts. Using this intelligent assistant tool we got user role either DBA or normal user, suspicious user name and number of times that user tried for intrusion, suspicious host machine name and number of times that host machine used for intrusion and data about how many times any user tried transactions like modify existing biometric template, Insert a fake biometric template, delete existing biometric template and copy the biometric template for another use. All these values are already stored in facts. We retrieve these values from fact to decide priorities of detected intrusions in biometric template storage for preventive actions. (i) Identity the four parameters or features of the problem statement. a. Type of user which decides intrusion made by DBA or other normal user. b. Suspicious Host frequency which determines number of times intrusion made from suspicious host machine. c. Suspicious User frequency which determines number of times intrusion made by suspicious user. d. Type of transaction which suggest intrusion made by using Update, Delete, Insert or Copy Biometric Template.

(ii) Classify the parameters or features depending on their uncertainty or crisp nature. a. USERTYPE and TRANSACTION both are crisp variables because values are crisp nature. b. SUSPICIOUS HOST FREQ and SUSPICIOUS USER FREQ are the fuzzy variables because of uncertainty. (iii) Once the parameters are classified use fuzzy logic for modeling the uncertain parameters or features referred as fuzzification. a. We classified fuzzy variables in VeryLow, Low, High, VeryHigh fuzzy values as linguistic expressions to describe fuzzy concepts in an English-like manner. b. SUSPICIOUS HOST FREQ and SUSPICIOUS USER FREQ ; fuzzy variables ranges are decided by automated learning method. We use RFuzzySet for VeryLow, two TriangularFuzzySet for Low and High and LFuzzySet for VeryHigh (corresponding to names defined in the Fuzzy Jess Library). Here we show example of SUSPICIOUS HOST FREQ FuzzyVariable. Similarly we define SUSPICIOUS USER FREQ FuzzyVariable. c. Logic used for fuzzification of the input variables (shown in fig. 3) 1. Collect SUSPICIOUS HOST FREQ and SUSPICIOUS USER FREQ into array 2. Find out minimum number (min) and maximum number(max) of array 3. Assume X1 as 0.0. 4. Calculate difference between max and min. 5. Store X2 as difference between max and min. 6. Store X3 as twice the difference between max and min. 7. Store X4 as thrice the difference between max and min. 8. Store X5 as max. 9. Calculate X23 as (X2+X3)/2 and X34 as (X3+X4)/2

(Fig 4: membership functions and linguistic expression)

2012 Journal of Computing Press, NY, USA, ISSN 2151-9617

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 12, DECEMBER 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

20

(defrule pr1 ?a1<-(crispval2 ?ut &:(eq ?ut \"DBA\")) ?b1<-(crispval3 ?an&:(eq ?an \"UPDATE\")) ?c1<-(shostf ?t&:(fuzzy-match ?t "VeryHigh")) ?d1<-(suserf ?t1&:(fuzzy-match ?t1 "VeryHigh")) => (modify ?*pl*(priority "VeryHigh")) (retract ?a1 ?b1 ?c1 ?d1))

(Fig 4: membership functions and linguistic expression)

(defglobal ?*shostfrqFvar* = (new nrc.fuzzy.FuzzyVariable "shostfrq" 0.0 )) (?*shostfrqFvar* addTerm "VeryLow" (new nrc.fuzzy.RFuzzySet (?*shostfrqFvar* addTerm "Low"(new nrc.fuzzy.TriangleFuzzySet (?*shostfrqFvar* addTerm "High"(new nrc.fuzzy.TriangleFuzzySet (?*shostfrqFvar* addTerm "VeryHigh" (new nrc.fuzzy.LFuzzySet

(iv) Encode FuzzyRules after fuzzification of uncertain variables. The FuzzyRule holds three sets of FuzzyValues representing the antecedents, conclusions and input values of the rule. a. As per literature survey we developed more than 128 fuzzy rules to deicide priorities for preventive actions. Some of the rules are shown in Table 1. b. We develop control rule using salience property. By setting salience property to 100 it will fire only after the other rules have fired. It is necessary to perform special processing of fuzzy facts being asserted. A rule might perform the following assert on its right hand side:
(assert(shostf(new nrc.fuzzy.FuzzyValue ?*shostfrqFvar* (new nrc.fuzzy.TriangleFuzzySet ?t ?t ?t ))))

The fuzzy-match function compares a fuzzy value in the fact (slot ?t) to a fuzzy value defined in the second parameter of the fuzzy match function. The fuzzy-match function takes two arguments: either both FuzzyValue objects or a FuzzyValue object and a string that represents a valid fuzzy expression. If one of the arguments is a string then it will be converted to a FuzzyValue using the FuzzyVariable associated with the other FuzzyValue argument. When fuzzy facts are asserted in the rules, FuzzyJess automatically takes care of the global contribution issue. As identical fuzzy facts are asserted from different rules the contribution from each rule is accumulated. Because of this it is necessary to allow all of these rules to fire before the final global conclusion is used. This is done using the salience property in the control rule. Salience is an intrinsic rule property that specifies a rule's priority relative to all other rules. The default salience for all rules is zero. Setting a rule's salience to a large positive value will give that rule a higher priority above all rules of lesser salience. Likewise, giving a rule a large negative value will demote it in priority below all rules of greater salience. By setting it to a value of 100 it will fire only after the other rules have fired.
(defrule result (declare (salience -100)) ?p<- (Priority(usertype ?ut)(userfrq ?uf) (hostfrq ?hf)(action_name ?an)) => (bind ?t ?hf) (bind ?t1 ?uf) (assert(crispval2 ?ut))(assert(crispval1 ?t1 )) (assert(suserf(new nrc.fuzzy.FuzzyValue ?*suserfrqFvar* (new nrc.fuzzy.TriangleFuzzySet ?t1 ?t1 ?t1 )))) (assert(crispval ?t ) (assert(shostf(new nrc.fuzzy.FuzzyValue ?*shostfrqFvar* 2.3 (new nrc.fuzzy.TriangleFuzzySet ?t ?t ?t )))) Result Screen (assert(crispval3 ?an)) (bind ?*pl* ?p) )

These rules are converted into FuzzyJess. example Rule 1 is as follows.

For

Resultant output screen shown in fig 5.

2012 Journal of Computing Press, NY, USA, ISSN 2151-9617

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 12, DECEMBER 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

21

In the output screen shows table which contains column like Priority, type of User, Username, Suspicious User Frequency, Host Name, Suspicious Host Frequency and Transaction type. Here this table will display as intelligent agent which can be notifies by security administrator to implement preventive actions. The priority column shows values like VeryLow, Low, Medium High and VeryHigh. The User Type column shows user is DBA or other normal user. User Name column shows user name of both type of user. The suspicious User Frequency column shows number of times that user performs suspicious transaction; name of suspicious transaction is also display in the column User Action. Similarly Suspicious User frequency shows number of times host machine used for suspicious activity; machine-id is also display in the column Host Name. Table can be sort on any column. As per organization policy security administrator can implement preventive action either using triggers for transactions, block suspicious user or suspicious host.

Neuro-Fuzzy approach. In future the authors would like to expand research to detect other intelligent agents to detect intrusions in biometric system.

5 REFERENCES
[1] [2] [3] Ratha, N.K., J.H. Connell, and R..M.. Bolle, Enhancing security and privacy in biometrics-based authentication systems, IBM Systems Journal, vol. 40, no. 3 Biometric risk and controls by Christos K. Dimitriadis in Information Systems control Journal Vol 4 2004 Maithili Arjunwadkar and Dr. R.V. Kulkarni The Intelligent Intrusion Detection Tool For Biometric Template Storage published in Journal of Artificial Intelligence ISSN: 22293965 & E-ISSN: 22293973, Volume 3, Issue 1, 2012, pp.-42-48 L. A. Zadeh, Fuzzy sets, Information and Control, pp. 338-353, 1965. Orchard, R. Fuzzy Reasoning in Jess: The FuzzuJ Toolkit and FuzzyJess Proceedings of the ICEIS 2001, Third International Conference on Enterprise Information Systems, Setubal, Portugal. Jully 7-10,2001. Pp 533-542. NRC 44882.

[4] [5]

3 CONCLUSION
In this paper, a Neuro-Fuzzy approach is used to prioritization for detected intrusion to implement preventive actions. A Neuro-Fuzzy approach is used for automatic learning to decide ranges of fuzzy variables and fuzzifications. We achieved this using FuzzyJess and Java. Priority table is produced as output which is useful to security administrator to implement preventive actions.

Ms. Maithili Arjunwadkar B.Sc. (Electronics) , MCA, Pursuing PhD. from Symbiosis International University under faculty of Computer Studies. She is working as Assistant Professor in P.E.Ss Modern College of Engineering, Pune-5 , Maharashtra , India Dr. R.V. Kulkarni PhD. , working as professor in SIBER, Kolhapur, Maharashtra , India , Registered guide in various Universities of India

4 FUTURE WORK
In this paper we develop prioritization for detected intrusion to implement preventive actions using

2012 Journal of Computing Press, NY, USA, ISSN 2151-9617

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 12, DECEMBER 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

22

(Fiq. 1 shows screen of intelligent agent)

2012 Journal of Computing Press, NY, USA, ISSN 2151-9617

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 12, DECEMBER 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

23

(Fig. 2 Proposed neuro-fuzzy approach)

Knowledgebase Inference Engine Rules 1. Match Facts against Fuzzy rules. 2. Recognize rules that can fire 3. Act: Fire top rank rule. Working Memory

Facts

(Fig. 3 Fuzzy Production System)

2012 Journal of Computing Press, NY, USA, ISSN 2151-9617

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 12, DECEMBER 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

24

TABLE 1 Few Examples of Fuzzy Rules

RULE - 1: IF USERTYPE IS DBA AND SUSPICIOUS HOST FREQ IS VeryHigh AND SUSPICIOUS USER FREQ IS VeryHigh TRANSCATION IS Modification THEN PRIORITY IS VeryHigh RULE -41: IF USERTYPE IS NormalUser AND SUSPICIOUS HOST FREQ IS VeryHigh AND SUSPICIOUS USER FREQ IS VeryHigh AND TRANSCATION IS Insertion THEN PRIORITY IS High RULE -50: IF USERTYPE IS NormalUser AND SUSPICIOUS HOST FREQ IS VeryHigh AND SUSPICIOUS USER FREQ IS Low AND TRANSCATION IS Deletion THEN PRIORITY IS Medium RULE -102: IF USERTYPE IS NormalUser AND SUSPICIOUS HOST FREQ IS Low AND SUSPICIOUS USER FREQ IS VeryHigh AND TRANSCATION IS Copy THEN PRIORITY IS Low RULE -108: IF USERTYPE IS DBA AND SUSPICIOUS HOST FREQ IS VeryLow AND SUSPICIOUS USER FREQ IS VeryLow AND TRANSCATION IS Copy THEN PRIORITY IS VeryLow RULE -128: IF USERTYPE IS NormalUser AND SUSPICIOUS HOST FREQ IS VeryLow AND SUSPICIOUS USER FREQ IS VeryLow AND TRANSCATION IS Copy THEN PRIORITY IS VeryLow

AND

2012 Journal of Computing Press, NY, USA, ISSN 2151-9617

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 12, DECEMBER 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

25

(Fig 5 : Output screen)

2012 Journal of Computing Press, NY, USA, ISSN 2151-9617