
ISSN: 2277 9043 International Journal of Advanced Research in Computer Science and Electronics Engineering Volume 1, Issue 2, April 2012

Attack Detection By Clustering And Classification Approach

Ms. Priyanka J. Pathak, Asst. Prof. Snehlata S. Dongre
Abstract: Intrusion detection is a software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. Security is becoming a big issue for all networks. Hackers and intruders have made many successful attempts to bring down high-profile company networks and web services. An Intrusion Detection System (IDS) is an important detection mechanism used as a countermeasure to preserve data integrity and system availability against attacks. The work is implemented in two phases: in the first phase clustering is done by K-means, and in the next step classification is done with k-nearest neighbours and decision trees. The objects are clustered or grouped on the principle of maximizing the intra-class similarity and minimizing the inter-class similarity. This paper proposes an approach which makes clusters of similar attacks and then, in the classification step with K-nearest neighbours and decision trees, detects the attack types. This method is advantageous over a single classifier, as it detects classes better than a single-classifier system.

Index Terms: Data mining, Decision Trees, K-Means, K-Nearest Neighbours,

streams for intrusion detection. Clustering is done by the K-means algorithm, which generates clusters of similar attack types that fall into the same category. The centroids generated by this algorithm are used in the next step, classification. In the classification step, the K-nearest neighbours and decision tree algorithms are used, which detect the different types of attacks.

II. CLUSTERING

A cluster [Han & Kamber] is a collection of data objects that are similar to one another within the same cluster and are dissimilar to the objects in other clusters. A cluster of data objects can be treated collectively as one group and so may be considered as a form of data compression. Although classification is an effective means for distinguishing groups or classes of objects, it requires the often costly collection and labeling of a large set of training tuples or patterns, which the classifier uses to model each group. It is often more desirable to proceed in the reverse direction: first partition the set of data into groups based on data similarity (e.g., using clustering), and then assign labels to the relatively small number of groups. Additional advantages of such a clustering-based process are that it is adaptable to changes and helps single out useful features that distinguish different groups.

Clustering [8],[10] is an unsupervised learning technique which divides the dataset into subparts that share common properties. For clustering data points, there should be high intra-cluster similarity and low inter-cluster similarity. A clustering method which results in such clusters is considered a good clustering algorithm.

A. K-Means Algorithm

K-means [Han & Kamber] is one of the simplest unsupervised learning algorithms that solve the well-known clustering problem. The procedure follows a simple and easy way to classify a given data set through a certain number of clusters (assume k clusters) fixed a priori. The main idea is to define k centroids, one for each cluster. These centroids should be placed carefully, because different locations cause different results. So the better choice is to place them as far away from each other as possible. The next step is to take each point belonging to the given data set and associate it with the nearest centroid. When no point is pending, the first step is completed and an early grouping is done. At this point we need to re-calculate k new centroids as

I. INTRODUCTION

Nowadays everyone is connected to networked systems, but there are many issues in the network environment. So there is a need to secure information, because many security threats are present in the network environment. Intrusion detection [9] is a software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. Intrusion detection systems are usually classified as host based or network based in terms of target domain. A number of techniques are available for intrusion detection [8],[11]. Data mining is one of the efficient techniques available for intrusion detection. Data mining refers to extracting or mining knowledge from large amounts of data. Data mining techniques may be supervised or unsupervised. Clustering [10] and classification are the two important techniques used in data mining for extracting valuable information. This paper proposes a combination of clustering and classification. Classification is the process of finding a set of models which describe and distinguish data classes or concepts, for the purpose of being able to use the model to predict the class of objects whose class label is unknown. The paper is organized as follows. Section 2 gives the details of clustering algorithms. Sections 3 and 4 give details about strategies for classification for novel class detection in data

115 All Rights Reserved 2012 IJARCSEE


barycenters of the clusters resulting from the previous step. After we have these k new centroids, a new binding has to be done between the same data set points and the nearest new centroid. A loop has been generated. As a result of this loop we may notice that the k centroids change their location step by step until no more changes are made. The algorithm is composed of the following steps:

Algorithm: k-means. The k-means algorithm for partitioning, where each cluster's center is represented by the mean value of the objects in the cluster.

Input: k: the number of clusters; D: a data set containing n objects.
Output: A set of k clusters.
Method:
(1) Arbitrarily choose k objects from D as the initial cluster centers;
(2) Repeat
(3) (Re)assign each object to the cluster to which the object is the most similar, based on the mean value of the objects in the cluster;
(4) Update the cluster means, i.e., calculate the mean value of the objects for each cluster;
(5) Until no change;
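As an added illustration of steps (1) to (5) above (example code written for this edition, not code from the paper or its authors), the following pure-Python routine partitions a constructed set of two-feature connection records; the feature names (duration, bytes), the values and the choice of the first k objects as initial centers are assumptions made for the example.

```python
# Added example, not from the paper: the k-means steps (1)-(5) above in pure
# Python. The records are a constructed sample of (duration, bytes) pairs;
# the feature names and values are assumptions for illustration only.
import math
from typing import List, Tuple

Point = Tuple[float, ...]


def euclidean(a: Point, b: Point) -> float:
    """Euclidean distance between two feature vectors of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean_point(points: List[Point]) -> Point:
    """Mean (barycenter) of a non-empty list of points, computed per feature."""
    dim = len(points[0])
    return tuple(sum(p[i] for p in points) / len(points) for i in range(dim))


def kmeans(data: List[Point], k: int, max_iter: int = 100) -> Tuple[List[Point], List[int]]:
    """Partition `data` into k clusters and return (centroids, labels).

    Step (1): the paper says to choose the k initial centers arbitrarily; this
    example takes the first k objects so that the run is deterministic.
    Steps (2)-(5): reassign every object to its nearest center, recompute the
    cluster means, and stop as soon as no assignment changes.
    labels[i] is the index of the cluster that data[i] ends up in.
    """
    if not 0 < k <= len(data):
        raise ValueError("k must be between 1 and the number of objects")
    centroids = [data[i] for i in range(k)]
    labels = [-1] * len(data)
    for _ in range(max_iter):
        # Step (3): each object goes to the most similar (nearest) centroid.
        new_labels = [min(range(k), key=lambda c: euclidean(p, centroids[c]))
                      for p in data]
        if new_labels == labels:  # Step (5): nothing moved, so we are done.
            break
        labels = new_labels
        # Step (4): update each cluster mean. A cluster that lost all its
        # members keeps its previous center rather than dividing by zero.
        for c in range(k):
            members = [p for p, lab in zip(data, labels) if lab == c]
            if members:
                centroids[c] = mean_point(members)
    return centroids, labels


def cluster_sizes(labels: List[int], k: int) -> List[int]:
    """Number of objects per cluster (the 'total nodes per cluster' figure)."""
    return [labels.count(c) for c in range(k)]


# Constructed sample: short/small connections and long/large ones.
SAMPLE: List[Point] = [(0.0, 100.0), (1.0, 120.0), (0.5, 90.0),
                       (50.0, 5000.0), (52.0, 5100.0), (48.0, 4900.0)]

if __name__ == "__main__":
    cents, labs = kmeans(SAMPLE, 2)
    print("centroids:", cents)
    print("labels:", labs, "sizes:", cluster_sizes(labs, 2))
```

On this sample the loop converges after two updates, the three small connections form one cluster and the three large ones the other, and the returned centroids are the per-feature means that the paper's output figure reports as updated centroids.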

figure shows the overall system architecture. Clustering and classification are the two parts of the system. The input to the system is the KDD data set. The first step is to preprocess the input, and this preprocessed input is applied to the K-Means clustering algorithm. The preprocessing step includes data cleaning, feature selection, data transformation, etc.

Fig. 3: System Architecture

Fig. 1: Clustering of a set of objects based on the k-means method

This produces a separation of the objects into groups from which the metric to be minimized can be calculated.

K-Means creates the clusters of similar attacks based on a similarity measure. Each record of the data set contains 42 different features. The values of these features are already pre-processed in the training data. The calculated centroid values are used in the next step, K-Nearest Neighbours classification.

Fig. 4: Preprocessed Data

Fig. 2: Output of K-means algorithm



Classification [4],[13] is a process of finding a model that describes and distinguishes data classes or concepts, for the purpose of being able to use the model to predict the class of objects whose class label is unknown. The derived model is based on the analysis of a set of training data. This paper introduces a method combining clustering and classification. The clustering is done by the K-Means algorithm, which is explained in the earlier section. The classification method is proposed through which a novel class can be detected. The following

A. K-Nearest Neighbour Classification

In this method, one simply finds in the N-dimensional feature space the closest object from the training set to the object being classified. Since the neighbour is nearby, it is likely to be similar to the object being classified and so is likely to be of the same class as that object. Nearest neighbour methods have the advantage that they are easy to implement. They can also give quite good results if the features are chosen carefully. A new sample is classified by calculating the distance to the nearest training case; the sign of that point then determines the classification of the sample. "Closeness"


is defined in terms of Euclidean distance, where the Euclidean distance between two points,

2. Choose the attribute for which entropy is minimum (or, equivalently, information gain is maximum)
3. Make a node containing that attribute

Fig. 5: Flow Chart of K-Nearest Neighbour algorithm

The unknown sample is assigned the most common class among its k nearest neighbours. The following figure shows the attack types and the number of nodes detected by the K-Nearest Neighbour algorithm.
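The k-nearest-neighbour step just described, as an added example (code written for this edition, not the authors' implementation): Euclidean distance to every training record, then the most common class among the k nearest. The training records, the three feature names (duration, src_bytes, count), the class labels and the min-max scaling applied before measuring distance are all assumptions made for the example, not the paper's KDD data.

```python
# Added example, not the paper's code: k-nearest-neighbour classification as
# described above, with Euclidean distance and a majority vote among the k
# nearest training records. The training records, the three feature names
# (duration, src_bytes, count) and the class labels are a constructed sample,
# not the KDD data used in the paper.
import math
from collections import Counter
from typing import Callable, List, Sequence, Tuple

Record = Tuple[Sequence[float], str]  # (feature vector, class label)

TRAIN: List[Record] = [
    ((0, 200, 2), "normal"), ((1, 300, 3), "normal"), ((0, 250, 1), "normal"),
    ((0, 0, 500), "dos"),    ((0, 0, 480), "dos"),    ((0, 0, 510), "dos"),
    ((0, 0, 40), "probe"),   ((0, 0, 45), "probe"),   ((0, 0, 50), "probe"),
]


def euclidean(a: Sequence[float], b: Sequence[float]) -> float:
    """Euclidean distance between two feature vectors of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fit_min_max(train: List[Record]) -> Callable[[Sequence[float]], Tuple[float, ...]]:
    """Return a scaler mapping each feature onto [0, 1] using the training
    range. This is the 'data transformation' preprocessing the paper lists:
    without it a raw byte-count feature would swamp the distance and the vote."""
    dims = len(train[0][0])
    lo = [min(rec[0][i] for rec in train) for i in range(dims)]
    hi = [max(rec[0][i] for rec in train) for i in range(dims)]

    def scale(vec: Sequence[float]) -> Tuple[float, ...]:
        return tuple((v - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0
                     for i, v in enumerate(vec))
    return scale


def knn_classify(train: List[Record], sample: Sequence[float], k: int,
                 scale: Callable[[Sequence[float]], Tuple[float, ...]]) -> str:
    """Assign `sample` the most common class among its k nearest neighbours.
    A tie in the vote is broken in favour of the class that owns the nearest
    of the tied neighbours (an assumption; the paper does not specify ties)."""
    if not 1 <= k <= len(train):
        raise ValueError("k must be between 1 and the number of training records")
    target = scale(sample)
    ranked = sorted(train, key=lambda rec: euclidean(scale(rec[0]), target))
    nearest = ranked[:k]
    votes = Counter(label for _, label in nearest)
    top = max(votes.values())
    for _, label in nearest:          # nearest-first order breaks ties
        if votes[label] == top:
            return label
    raise AssertionError("unreachable: nearest is non-empty")


SCALE = fit_min_max(TRAIN)


def predict(sample: Sequence[float], k: int = 3) -> str:
    """Classify one record against the constructed training set."""
    return knn_classify(TRAIN, sample, k, SCALE)


if __name__ == "__main__":
    for s in [(0, 0, 495), (0, 260, 2), (0, 0, 47)]:
        print(s, "->", predict(s))
```

With k = 3 the three probes classify as expected; with an even k a vote can tie, which is why the function states its tie-breaking rule instead of leaving the outcome to dictionary order.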

The algorithm is as follows:

Input: A data set, S
Output: A decision tree
1. If all the instances have the same value for the target attribute, then return a decision tree that is simply this value.
2. Else compute Gain values for all attributes, select the attribute with the highest value and create a node for that attribute.
3. Make a branch from this node for every value of the attribute; assign all possible values of the attribute to branches.
4. Follow each branch by partitioning the dataset to only those instances in which the value of the branch is present, and then go back to 1.

This algorithm usually produces small trees, but it does not always produce the smallest possible tree. The optimization step makes use of information entropy:

Entropy:

Fig. 6: Output of K-Nearest-Neighbour algorithm

B. Decision Trees

Decision tree learning [5],[6] is a method commonly used in data mining. The goal is to create a model that predicts the value of a target variable based on several input variables. Each interior node corresponds to one of the input variables; there are edges to children for each of the possible values of that input variable. Each leaf represents a value of the target variable given the values of the input variables represented by the path from the root to the leaf. A tree can be "learned" by splitting the source set into subsets based on an attribute value test. This process is repeated on each derived subset in a recursive manner called recursive partitioning. The recursion is completed when the subset at a node all has the same value of the target variable, or when splitting no longer adds value to the predictions.

C. ID3 Algorithm

In decision tree learning, ID3 (Iterative Dichotomiser 3) [6] is an algorithm used to generate a decision tree. The ID3 algorithm can be summarized as follows:
1. Take all unused attributes and count their entropy concerning test samples

where:
E(S) is the information entropy of the set S;
n is the number of different values of the attribute in S (entropy is computed for one chosen attribute);
fS(j) is the frequency (proportion) of the value j in the set S;
log2 is the binary logarithm.

An entropy of 0 identifies a perfectly classified set. Entropy is used to determine which node to split next in the algorithm. The higher the entropy, the higher the potential to improve the classification.

Gain: Gain is computed to estimate the gain produced by a split over an attribute:

where:
G(S,A) is the gain of the set S after a split over the attribute A;
E(S) is the information entropy of the set S;
m is the number of different values of the attribute A in S;
Fs(Ai) is the frequency (proportion) of the items possessing Ai as value for A in S;
Ai is the ith possible value of A;


SAi is the subset of S containing all items where the value of A is Ai.

Gain quantifies the entropy improvement by splitting over an attribute.
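As an added worked example (written for this edition, not the authors' code), the following Python computes E(S) and G(S,A) exactly as defined above and then runs the ID3 procedure of Section C over a constructed set of eight connection records. The records, their three attributes (protocol, flag, service), the classes normal/attack, and the fallback to a node's majority class for an unseen attribute value are all assumptions made for the example.

```python
# Added example, not the paper's code: the ID3 entropy and gain formulas
# defined above, and the recursive tree-building procedure, in pure Python.
# Symbols follow the paper: E(S), fS(j), G(S,A), Fs(Ai), S_Ai. The records,
# their attributes (protocol, flag, service) and the classes normal/attack
# are a constructed sample.
import math
from collections import Counter
from typing import Dict, List, Tuple, Union

Record = Tuple[Dict[str, str], str]   # (attribute -> value, class label)
Tree = Union[str, Dict]               # leaf label or internal node

SAMPLE: List[Record] = [
    ({"protocol": "tcp",  "flag": "SF",  "service": "http"}, "normal"),
    ({"protocol": "tcp",  "flag": "SF",  "service": "smtp"}, "normal"),
    ({"protocol": "udp",  "flag": "SF",  "service": "dns"},  "normal"),
    ({"protocol": "tcp",  "flag": "S0",  "service": "smtp"}, "attack"),
    ({"protocol": "tcp",  "flag": "S0",  "service": "ftp"},  "attack"),
    ({"protocol": "icmp", "flag": "SF",  "service": "ecr"},  "attack"),
    ({"protocol": "tcp",  "flag": "REJ", "service": "dns"},  "attack"),
    ({"protocol": "udp",  "flag": "SF",  "service": "dns"},  "normal"),
]
ATTRIBUTES = ["protocol", "flag", "service"]


def entropy(records: List[Record]) -> float:
    """E(S) = -sum_j fS(j) * log2 fS(j), over the class labels j present in S."""
    n = len(records)
    counts = Counter(label for _, label in records)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def gain(records: List[Record], attribute: str) -> float:
    """G(S,A) = E(S) - sum_i Fs(Ai) * E(S_Ai), S_Ai being the items with A = Ai."""
    n = len(records)
    subsets: Dict[str, List[Record]] = {}
    for rec in records:
        subsets.setdefault(rec[0][attribute], []).append(rec)
    weighted = sum(len(sub) / n * entropy(sub) for sub in subsets.values())
    return entropy(records) - weighted


def majority(records: List[Record]) -> str:
    """Most frequent class label in the set."""
    return Counter(label for _, label in records).most_common(1)[0][0]


def id3(records: List[Record], attributes: List[str]) -> Tree:
    """Build the tree: stop on a pure set, otherwise split on the attribute
    with the highest gain and recurse on each value's partition."""
    labels = {label for _, label in records}
    if len(labels) == 1:
        return labels.pop()
    if not attributes:               # nothing left to split on (assumption)
        return majority(records)
    best = max(attributes, key=lambda a: gain(records, a))
    node = {"attribute": best, "default": majority(records), "branches": {}}
    remaining = [a for a in attributes if a != best]
    for value in sorted({rec[0][best] for rec in records}):
        subset = [rec for rec in records if rec[0][best] == value]
        node["branches"][value] = id3(subset, remaining)
    return node


def predict(tree: Tree, item: Dict[str, str]) -> str:
    """Walk the tree; a value never seen at a node falls back to that node's
    majority class (our assumption; the paper does not cover this case)."""
    while isinstance(tree, dict):
        tree = tree["branches"].get(item[tree["attribute"]], tree["default"])
    return tree


if __name__ == "__main__":
    for a in ATTRIBUTES:
        print(f"G(S,{a}) = {gain(SAMPLE, a):.4f}")
    tree = id3(SAMPLE, ATTRIBUTES)
    print(tree)
    print(predict(tree, {"protocol": "tcp", "flag": "S0", "service": "http"}))
```

On this sample E(S) = 1 (four records of each class), the flag attribute has the largest gain and becomes the root, and the S0 and REJ branches are pure leaves; the SF branch is split once more, which shows the "go back to 1" recursion of the algorithm.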

[12] Srilatha Chebrolu, Ajith Abraham, Johnson P. Thomas, Feature deduction and ensemble design of intrusion detection systems, 2004 Elsevier Ltd.
[13] Sandhya Peddabachigari, Ajith Abraham, Crina Grosan, Johnson Thomas, Modeling intrusion detection system using hybrid intelligent systems, 2005 Elsevier Ltd.

First Author: Priyanka J. Pathak, IV sem MTech [CSE], G.H. Raisoni College of Engineering, Nagpur, R.T.M.N.U, Nagpur
Second Author: Asst. Prof. Snehlata Dongre, CSE Department, G.H. Raisoni College of Engineering, Nagpur, R.T.M.N.U, Nagpur

Fig. 7: Output of ID3 algorithm

IV. CONCLUSION

In this paper, work is presented through which the novel class is detected. The system uses the K-Means clustering algorithm, which produces different clusters of similar types of attacks and the total number of nodes per cluster in the input dataset. It also shows the updated centroids of each parameter in the input dataset. The classification stage gives details about the detection of different types of attacks and the number of nodes in the dataset.

REFERENCES
[1] Kapil K. Wankhade, Snehlata S. Dongre, Prakash S. Prasad, Mrudula M. Gudadhe, Kalpana A. Mankar, Intrusion Detection System Using New Ensemble Boosting Approach, 2011 3rd International Conference on Computer Modeling and Simulation (ICCMS 2011).
[2] Kapil K. Wankhade, Snehlata S. Dongre, Kalpana A. Mankar, Prashant K. Adakane, A New Adaptive Ensemble Boosting Classifier for Concept Drifting Stream Data, 2011 3rd International Conference on Computer Modeling and Simulation (ICCMS 2011).
[3] Hongbo Zhu, Yaqiang Wang, Zhonghua Yu, Clustering of Evolving Data Stream with Multiple Adaptive Sliding Window, International Conference on Data Storage and Data Engineering, 2010.
[4] Peng Zhang, Xingquan Zhu, Jianlong Tan, Li Guo, Classifier and Cluster Ensembles for Mining Concept Drifting Data Streams, IEEE International Conference on Data Mining, 2010.
[5] T. Jyothirmayi, Suresh Reddy, An Algorithm for Better Decision Tree, (IJCSE) International Journal on Computer Science and Engineering, 2010.
[6] Yongjin Liu, Na Li, Leina Shi, Fangping Li, An Intrusion Detection Method Based on Decision Tree, International Conference on E-Health Networking, Digital Ecosystems and Technologies, 2010.
[7] A. Bifet, G. Holmes, B. Pfahringer, R. Kirkby and R. Gavalda, New ensemble methods for evolving data streams, In KDD09, ACM, Paris, 2009, pp. 139-148.
[8] LID Li-xiong, KANG Jing, GUO Yun-fei, HUANG Hai, A Three-Step Clustering Algorithm over an Evolving Data Stream, sponsored by The National High Technology Research and Development Program ("863" Program) of China, Fund 2008 AAOII002.
[9] Mrutyunjaya Panda, Manas Ranjan Patra, A Comparative Study of Data Mining Algorithms for Network Intrusion Detection, First International Conference on Emerging Trends in Engineering and Technology, 2008.
[10] Shuang Wu, Chunyu Yang and Jie Zhou, Clustering-training for Data Stream Mining, Sixth IEEE International Conference on Data Mining Workshops (ICDMW'06).
[11] Sang-Hyun Oh, Jin-Suk Kang, Yung-Cheol Byun, Gyung-Leen Park and Sang-Yong Byun, Intrusion Detection based on Clustering a Data Stream, Third ACIS Int'l Conference on Software Engineering Research, Management and Applications (SERA05).

