Article title

On the Use of Naive Bayesian Classifiers for Detecting Elementary and Coordinated Attacks

Publication languages
EN
Abstracts
EN
Bayesian networks are very powerful tools for knowledge representation and reasoning under uncertainty. This paper shows the applicability of naive Bayesian classifiers to two major problems in intrusion detection: the detection of elementary attacks and the detection of coordinated ones. We propose two models, starting by stating the problems and defining the variables necessary for model building using naive Bayesian networks. In addition to the fact that the construction of such models is simple and efficient, the performance of naive Bayesian networks on representative data is competitive with the most efficient state-of-the-art classification tools. We show how the decision rules used in naive Bayesian classifiers can be improved to detect new attacks and new anomalous activities. We experimentally show the effectiveness of these improvements on recent Web-based traffic. Finally, we propose a naive Bayesian network-based approach especially designed to detect coordinated attacks and provide experimental results showing the effectiveness of this approach.
Publisher
Year
Pages
435--466
Physical description
Bibliography: 47 items, tables, charts.
Authors
author
author
author
  • Centre de Recherche en Informatique de Lens (CNRS-UMR 8188), Universite d'Artois rue Jean Souvraz, SP 18 F-62307, Lens Cedex, France, benferhat@cril.univ-artois.fr
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-article-BUS8-0011-0054