Apply Prefix-based Matching and Fuzzy ART to IDS
Outline
• Introduction (The Proposed Two-Stage PC Algorithm)
• Our Method
• ANN – ART (Adaptive Resonance Theory)
Introduction: The Proposed Two-Stage PC Algorithm (2003, IEEE 17th International Conference Advanced Information Networking and Applications)
[Figure labels: network1, network2, network3, Router, Routing Table (Policy); label (0**, 0**, TCP, 7,6)]
The Proposed Two-Stage PC Algorithm: Stage 1
[Figure: the Prefix-matching-tree (PMT); labels 10 00 01 00 TCP UDP TCP, UDP]
The Proposed Two-Stage PC Algorithm: Stage 2
[Figure: Stage 2 diagram; nodes labelled with range pairs such as 4-5,4-6 and 2-3,1-3, each annotated with rule sets drawn from R7, R8 and R9]
Our method
[Figure labels, Two-Stage PC Algorithm: Log; Packet; Routing table (policy)]
[Figure labels, Our method: Prefix-based matching; Log; Assemble Policy; Compare; Routing table (policy)]
Our method
[Figure labels: Transfer; 1. 38 records, 2. 233 records; FireWall Log; Prefix-based FireWall Log; 1. 10,000 records, 2. 10,000 records; Clustering (Neural Network: ART); Correct FireWall Policy; Reduce FireWall Rules; 7 categories]
Our method
• Step 1: Prefix-based Matching (build prefix matching tree)
• Step 2: Fuzzy ART Clustering
• Step 3: Compare to Routing table (Policy)
Our method: FireWall Log, Prefix-based FireWall Log
• Key = Rule + Protocol + SA + DA
[Figure labels: R2; R0tcp, 192.168.*202.12.27.33; R3; R5]
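Our method: Prefix-based FireWall Log, Fuzzy ART (Clustering)
• Attribute transfer to 0~1
• Because Fuzzy ART can only process values between 0 and 1, the data must be normalized. The formula is as follows:
• Semantic conversion
Our method
[Figure labels: Routing Table Policy; FireWall Log (Prefix-based matching and Fuzzy ART Clustering); Compare]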
ANN – ART (Adaptive Resonance Theory)
• Proposed by Grossberg in 1976
• ART has many models, e.g. ART1 (input: 0, 1), ART2 (input: real number), and Fuzzy ART.
• The network features
  • Uses bottom-up competitive learning and top-down outstar pattern learning
  • It is an unsupervised learning network
  • Messages are fed forward and back between layers until the network resonates.
  • When an unfamiliar input is fed in, a new output node is generated to learn the input.
[Figure: Competitive Learning; labels Y1, Y2, X2]
ANN – ART (Adaptive Resonance Theory)
• The network structure
[Figure: Output layer with node Y1; Input layer with X1, X2, …, Xn]
• Input layer: each input must have a value of 0 or 1.
• Output layer: it is a cluster layer. The network starts from only one node and grows until all the input patterns are learned.
• Connections: every input node has one bottom-up link to each output node and one top-down link from each output node back to the input node.
ANN – ART (Adaptive Resonance Theory)
• The network structure
[Figure: output node Y1 in the Output layer; Input layer with X1 = 1, X2 = 0, X3 = 1; link labels 1, 1, 1 and 1/4, 1/4, 1/4]
1. Initial: = {1, 1, 1} = = {1/4, 1/4, 1/4}
2. Calculate: = 1 * 1/4 + 0 * 1/4 + 1 * 1/4 = 0.5
ANN – ART (Adaptive Resonance Theory)
• The network structure
[Figure: output nodes Y1 (Net1 = 0.5) and Y2 (Net2 = 0.2); inputs X1 = 1, X2 = 0, X3 = 1; link labels 1, 1, 1]
3. Find the winning node: Net1 = 0.5
4. Calculate "Similar value": = (1*1+0*1+1*1) / (1+1+1) = 0.7
5. Vigilance Test for winning node (X1 = 1, X2 = 0, X3 = 1; V1 = 0.7):
• Case 1. Vj < ρ (ρ = 0.9; figure shows Y1 and Y3): 1. set new node Y3 2. = {1, 0, 1} 3. = {1/2.5, 0/2.5, 1/2.5}
• Case 2. Vj > ρ (ρ = 0.6; figure shows Y1): 1. = {1*1, 1*0, 0*1} = {1, 0, 0} • = {1/1.5, 0/1.5, 0/1.5}
ANN – ART (Adaptive Resonance Theory)
[Figure: output nodes Y1 … Ym; input nodes X1, X2, …, Xn]
• Method
1. Set up network
2. Let = 1 and =
3. Input the pattern x
4. Calculate "matching value" for every output
5. Find the winning node j* ,
6. Calculate "Similar value" ,
7. Vigilance Test for winning node
Case 1: if Vj < ρ (Vigilance Value) => Input pattern is not similar. Set up output node: If j = j*, then Yj = 1
ANN – ART (Adaptive Resonance Theory)
• Method
Case 2: if Vj ≧ ρ (Vigilance Value) => Input pattern matches output node j*. Update weights:
8. Repeat 3~8 until all the input patterns are learned and there are no more output nodes generated.
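ANN – ART (Example)
Let ρ = 0.5
[Figure: pattern 1 0 1 0 1 0; weights {1,1,1,1,1,1}; callouts 1 to 5 including "Set Weights" and "Update weights"]
ANN – ART (Example)
[Figure: nodes Y1 and Y2; pattern 0 1 0 1 0 1; callouts 1 to 5 including "Weights" and "Set new node Y2 and set new weights for Y2"]
ANN –
[Figure: nodes Y1 and Y2; pattern 1 1 1 0 0 0; callouts 1 to 5 including "Weights", a ">" comparison and "Update weights (Y1)"]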
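The ART method steps above, as an added Python example (not code from the original slides), run on the bit patterns that appear on the example slides. Assumptions: the initial bottom-up weight is 1/(1+n) and the similar value divides by the sum of the top-down weights, both read off the slides' worked arithmetic; all function and variable names are this example's own.

```python
# Added example: ART1-style clustering following the slides' method steps.
# Assumption: similarity divides by the sum of the top-down weights, which is
# how the slide's arithmetic (1*1+0*1+1*1)/(1+1+1) reads.

# Bit patterns as they appear on the example slides (rho = 0.5 there).
SLIDE_PATTERNS = [[1, 0, 1, 0, 1, 0], [0, 1, 0, 1, 0, 1], [1, 1, 1, 0, 0, 0]]

def net_value(b, x):
    """Matching value of one output node: sum of b_i * x_i."""
    return sum(bi * xi for bi, xi in zip(b, x))

def similarity(t, x):
    """Similar value V_j of the winning node against input x."""
    return sum(ti * xi for ti, xi in zip(t, x)) / sum(t)

def scale(t):
    """Bottom-up weights from top-down weights: t_i / (0.5 + sum(t))."""
    return [ti / (0.5 + sum(t)) for ti in t]

def art1(patterns, rho, max_epochs=10):
    """Return (assignments, top_down, bottom_up) for binary patterns."""
    if not 0 < rho <= 1 or not all(any(x) for x in patterns):
        raise ValueError("need 0 < rho <= 1 and no all-zero pattern")
    n = len(patterns[0])
    top_down = [[1] * n]               # initial node Y1: t = 1
    bottom_up = [[1 / (1 + n)] * n]    # assumed b = 1/(1+n), 1/4 when n = 3
    for _ in range(max_epochs):        # repeat until no new node appears
        nodes_before, assignments = len(top_down), []
        for x in patterns:
            nets = [net_value(b, x) for b in bottom_up]
            j = nets.index(max(nets))  # winning node j*
            if similarity(top_down[j], x) < rho:
                # Case 1: vigilance fails, a new node stores the pattern.
                top_down.append(list(x))
                j = len(top_down) - 1
                bottom_up.append(scale(top_down[j]))
            else:
                # Case 2: resonance, keep only the bits shared with x.
                top_down[j] = [ti * xi for ti, xi in zip(top_down[j], x)]
                bottom_up[j] = scale(top_down[j])
            assignments.append(j)
        if len(top_down) == nodes_before:
            break
    return assignments, top_down, bottom_up

if __name__ == "__main__":
    print(art1(SLIDE_PATTERNS, 0.5))
```

With ρ = 0.5 the first and third patterns share node Y1 and the second gets Y2, matching the "Set new node Y2" and "Update weights (Y1)" callouts on the example slides.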