Intrusion Detection System using Hybrid Differential Evolution and Group Method of Data Handling Approach. Godfrey C. Onwubolu, Alok Sharma

Abstract. This paper proposes a new intrusion detection methodology based on a hybrid of differential evolution (DE) and the group method of data handling (GMDH). It focuses on intrusion detection based on system-call sequences, using text-processing techniques. The hybrid DE-GMDH classifier labels a process as either normal or abnormal. The work applies PCA and hybrid DE-GMDH to modeling the high-dimensional DARPA-1998 benchmark database: the data are modeled and classified with a combination of a two-stage PCA procedure and the hybrid DE-GMDH network. The presented technique gives significantly better results than other techniques available in the literature, achieving lower false-positive rates at a 100% detection rate.

Keywords. Forecast, heteroskedastic time series, sliding window, two-stage division.
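The pipeline shape the abstract describes (system-call traces treated as text, reduced with PCA, then classified and scored by detection rate and false-positive rate), as an added example that is not the authors' code or data: a pure-Python toy in which a nearest-centroid rule in PCA space stands in for the DE-GMDH network, PCA is computed by power iteration with deflation, and every trace is a constructed sample rather than a DARPA-1998 record. The function names (`train`, `classify`, `evaluate`) and the two-component reduction are this example's own assumptions.

```python
"""Toy host-based IDS with the pipeline shape the abstract describes: system-call traces
-> term-frequency vectors -> PCA -> two-class classifier, scored by detection rate and
false-positive rate.  Added illustration, not the authors' code or data.  Assumptions:
nearest-centroid in PCA space stands in for the DE-GMDH classifier, PCA is done by power
iteration with deflation, and every trace is a constructed sample, not a DARPA-1998 record.
"""
import math
import random

# Constructed sample traces: one list of system calls per process (not DARPA data).
NORMAL_TRACES = [t.split() for t in (
    "open read read write close", "open read write write close", "stat open read close",
    "open mmap read munmap close", "open read read read close", "stat open mmap read write close")]
ABNORMAL_TRACES = [t.split() for t in (
    "execve setuid chmod open write", "execve setuid socket connect write",
    "execve setuid socket connect chmod", "setuid execve chmod socket write")]
NORMAL_TEST = [t.split() for t in (
    "open read write close", "stat open read read close", "open mmap read read munmap close")]
ABNORMAL_TEST = [t.split() for t in ("execve setuid chmod socket connect", "setuid chmod execve write")]


def vocabulary(traces):
    """Sorted distinct system-call names seen in training: the 'term' set."""
    return sorted({call for trace in traces for call in trace})

def tf_vector(trace, vocab):
    """Term-frequency vector: share of the trace taken by each vocabulary call.
    Calls outside the vocabulary count toward the length but get no feature."""
    counts = {}
    for call in trace:
        counts[call] = counts.get(call, 0) + 1
    return [counts.get(v, 0) / max(len(trace), 1) for v in vocab]

def mean(rows):
    return [sum(r[i] for r in rows) / len(rows) for i in range(len(rows[0]))]

def covariance(rows, mu):
    n, d = len(rows), len(mu)
    cen = [[r[i] - mu[i] for i in range(d)] for r in rows]
    return [[sum(c[i] * c[j] for c in cen) / (n - 1) for j in range(d)] for i in range(d)]

def unit(v):
    norm = math.sqrt(sum(x * x for x in v))
    return [x / norm for x in v]

def pca(rows, k, iters=200, seed=0):
    """Top-k principal directions by power iteration with deflation
    (assumed here as a small pure-Python stand-in for a library PCA)."""
    mu = mean(rows)
    cov, d = covariance(rows, mu), len(mu)
    rng, comps = random.Random(seed), []
    for _ in range(k):
        v = unit([rng.random() + 0.5 for _ in range(d)])
        for _ in range(iters):
            w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
            if math.sqrt(sum(x * x for x in w)) < 1e-12:
                break  # remaining variance is numerically zero
            v = unit(w)
        lam = sum(v[i] * sum(cov[i][j] * v[j] for j in range(d)) for i in range(d))
        comps.append(v)
        # Deflate so the next pass converges to the next-largest direction.
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
    return mu, comps

def project(x, mu, comps):
    centered = [xi - mi for xi, mi in zip(x, mu)]
    return [sum(c * p for c, p in zip(centered, comp)) for comp in comps]

def train(normal, abnormal, k=2):
    vocab = vocabulary(normal + abnormal)
    rows = [tf_vector(t, vocab) for t in normal + abnormal]
    mu, comps = pca(rows, k)
    proj = [project(r, mu, comps) for r in rows]
    centroids = {"normal": mean(proj[:len(normal)]), "abnormal": mean(proj[len(normal):])}
    return {"vocab": vocab, "mu": mu, "comps": comps, "centroids": centroids}

def classify(model, trace):
    """Nearest centroid in PCA space (stand-in for the paper's DE-GMDH network)."""
    z = project(tf_vector(trace, model["vocab"]), model["mu"], model["comps"])
    dist = {label: math.dist(z, c) for label, c in model["centroids"].items()}
    return min(dist, key=dist.get)

def evaluate(model, normal_test, abnormal_test):
    """(detection rate, false-positive rate): the two figures the abstract reports."""
    detected = sum(classify(model, t) == "abnormal" for t in abnormal_test)
    false_pos = sum(classify(model, t) == "abnormal" for t in normal_test)
    return detected / len(abnormal_test), false_pos / len(normal_test)

if __name__ == "__main__":
    model = train(NORMAL_TRACES, ABNORMAL_TRACES)
    dr, fpr = evaluate(model, NORMAL_TEST, ABNORMAL_TEST)
    print(f"detection rate={dr:.2f}  false-positive rate={fpr:.2f}")
```

Run it directly to print the two rates on the constructed test set. One property worth noticing: the bag-of-calls representation used here discards call order, so a trace that merely reorders benign calls is indistinguishable from a benign one, which is the gap the sequence-based work in the reference list (Forrest et al., Warrender et al.) targets.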

References.
1. Denning, D.E.: An intrusion-detection model. In: Proceedings of the 1986 IEEE Symposium on Security and Privacy (SSP '86). IEEE Computer Society Press, 118-131, 1986.
2. Axelsson, S.: Research in Intrusion Detection Systems: A Survey. Technical Report No. 98-17, Department of Computer Engineering, Chalmers University of Technology, Göteborg, Sweden, 1999.
3. Lane, T., Brodley, C.E.: Temporal sequence learning and data reduction for anomaly detection. In: Proceedings of the 5th ACM Conference on Computer and Communications Security (CCS '98), 1998.
4. Lane, T., Brodley, C.E.: An application of machine learning to anomaly detection. In: Proceedings of the 20th National Information Systems Security Conference, Baltimore, MD, 366-377, 1997.
5. Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for Unix processes. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy, Los Alamitos, CA, 120-128, 1996.
6. Forrest, S., Hofmeyr, S.A., Somayaji, A.: Computer immunology. Communications of the ACM, 40(10), 88-96, 1997.
7. Lee, W., Stolfo, S., Chan, P.: Learning patterns from Unix process execution traces for intrusion detection. In: Proceedings of the AAAI-97 Workshop on AI Approaches to Fraud Detection and Risk Management. AAAI Press, 50-56, 1997.
8. Lee, W., Stolfo, S.: Data mining approaches for intrusion detection. In: Proceedings of the 7th USENIX Security Symposium, 79-94, January 1998.
9. Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: alternative data models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, 133-145, 1999.
10. Rawat, S., Gulati, V.P., Pujari, A.K.: A fast host-based intrusion detection system using rough set theory. Transactions on Rough Sets IV, LNCS vol. 3700, 144-161, 2005.
11. Wespi, A., Dacier, M., Debar, H.: Intrusion detection using variable-length audit trail patterns. In: Proceedings of the 3rd International Workshop on Recent Advances in Intrusion Detection (RAID 2000), LNCS vol. 1907, 2000.
12. Asaka, M., Onabuta, T., Inoue, T., Okazawa, S., Goto, S.: A new intrusion detection method based on discriminant analysis. IEICE Transactions on Information and Systems, E84-D(5), 570-577, 2001.
13. Wang, W., Guan, X., Zhang, X.: A novel intrusion detection method based on principal component analysis in computer security. In: Proceedings of the International Symposium on Neural Networks (ISNN 2004), Dalian, China, LNCS vol. 3174, 657-662, August 2004.
14. Liao, Y., Vemuri, V.R.: Use of k-nearest neighbor classifier for intrusion detection. Computers & Security, 21(5), 439-448, 2002.
15. Liao, Y., Vemuri, V.R.: Using text categorization techniques for intrusion detection. In: Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, 51-59, 2002.
16. Hu, W., Liao, Y., Vemuri, V.R.: Robust support vector machines for anomaly detection in computer security. In: Proceedings of the International Conference on Machine Learning and Applications (ICMLA 2003), Los Angeles, CA, 2003.
17. Rawat, S., Gulati, V.P., Pujari, A.K., Vemuri, V.R.: Intrusion detection using text processing techniques with a binary-weighted cosine metric. Journal of Information Assurance and Security, 1, 43-50, 2006.
18. Sharma, A., Pujari, A.K., Paliwal, K.K.: Intrusion detection using text processing techniques with a kernel based similarity measure. Computers & Security, 26(7-8), 488-495, 2007.
19. Fukunaga, K.: Introduction to Statistical Pattern Recognition, 2nd edn. Academic Press, Harcourt Brace Jovanovich, 1990.
20. Sharma, A., Paliwal, K.K., Onwubolu, G.C.: Class-dependent PCA, LDA and MDC: a combined classifier for pattern classification. Pattern Recognition, 39(7), 1215-1229, 2006.
21. Sharma, A., Paliwal, K.K.: Fast principal component analysis using fixed-point algorithm. Pattern Recognition Letters, 28, 1151-1155, 2007.
22. Sharma, A., Onwubolu, G.C.: A hybrid approach for modeling high dimensional medical data. In: Proceedings of the International Workshop on Inductive Modeling (IWIM 2007), Prague, Czech Republic, 2007.
23. Ivakhnenko, A.G.: The group method of data handling - a rival of the method of stochastic approximation. Soviet Automatic Control (cover-to-cover translation of Avtomatika), 13(3), 43-55, 1968.
24. Price, K.V., Storn, R.M., Lampinen, J.A.: Differential Evolution: A Practical Approach to Global Optimization. Springer-Verlag, Berlin, 2005.
25. Onwubolu, G.C.: Optimization using differential evolution. Institute of Applied Science Technical Report TR-2001/05, 2001.
26. Davendra, D., Onwubolu, G.C.: Scheduling flow shops using enhanced differential evolution algorithm. In: Proceedings of the European Conference on Modelling and Simulation (ECMS 2007), Prague, Czech Republic, 2007.
27. Lemke, F., Mueller, J.A.: Medical data analysis using self-organizing data mining technologies. Systems Analysis Modelling Simulation, 43(10), 1399-1408, 2003.
28. Onwubolu, G.C.: Design of hybrid differential evolution and group method of data handling for inductive modeling. In: Proceedings of the International Workshop on Inductive Modeling (IWIM 2007), Prague, Czech Republic, 87-95, 2007.
29. Onwubolu, G.C.: Design of hybrid differential evolution and group method of data handling networks for modeling and prediction. Information Sciences, 178, 3618-3634, 2008. doi:10.1016/j.ins.2008.05.013
30. MIT Lincoln Laboratory: DARPA 1998 Intrusion Detection Evaluation Data Set. http://www.ll.mit.edu/IST/ideval/data/dataindex.html, 1998.
