Mehran University Research Journal of Engineering and Technology (Oct 2010)

An Adaptive Fuzzy Framework based on Optimized Fuzzy Contexts for Detecting Network Intrusions

  • Habib Ullah Baig,
  • Mahmood Ahmad Sheikh,
  • Farrukh KAMRAN

Journal volume & issue
Vol. 29, no. 4
pp. 569 – 580

Abstract


An Anomaly-based Intrusion Detection System (AIDS) is one of the key components of a reliable security infrastructure. Working as a second line of defense, its key objective is detection accuracy, which depends largely on the precision of its normal profile. Because the boundary between the normal and anomalous classes is vague and network behavior is dynamic, building an accurate and generalized normal profile is very difficult. Based on the assumption that an intruder's behavior can be grouped into different phases that are active at different times, this article proposes to evolve and use "short-term fuzzy profiles/contexts" for each such intrusion phase, resulting in enhanced detection accuracy for low-level attacks. The result is a context-driven, adaptable implementation framework based on a double-layer hierarchy of fuzzy sensors. The framework adapts to network conditions by switching between contexts according to network traffic patterns, anomaly conditions and the organization's security policies. These contexts are evolved incrementally with a genetic algorithm using real-time network traces. The framework is tested on the DARPA 98/99 dataset and shows accurate detection of a low-level DoS attack.

Keywords