Learn about a cyber intrusion detection algorithm based on Bayes' Theorem. This method helps secure the Smart Grid by identifying unauthorized use and misuse of computer systems. Discover the process of pattern recognition and the application of the Maximum a-posterior probability (MAP) in intrusion detection. Detailed steps, code, and results are provided. Explore references for further insights.
Cyber Intrusion Detection Algorithm Based on Bayes' Theorem
Stephanie Steren-Ruta, West High School '12
Syeda Faiza Islam, Farragut High School '15
Young Scholars Program, July 17, 2012, Knoxville, Tennessee
The problem
• Securing the Smart Grid
• Effective ways

Terms
• Intrusion Detection
• Pattern recognition
• Bayes' Theorem
• Maximum a-posterior probability (MAP)

Intrusion Detection
• Identify unauthorized use, misuse and abuse of computer systems by both system insiders and external predators.

Types of Intrusions
• Denial of Service (DOS)
• Remote to Local (R2L)
• User to Root (U2R)
• Probing

Pattern Recognition
• Identifying the patterns in a set of data and classifying and categorizing it.

Bayes' Theorem
• A mathematical formula used for calculating conditional probabilities.
Maximum a-posterior probability (MAP)
• Assign the sample of interest to the class for which it has the highest a-posterior probability.
Discriminant Function
• g(x) = ln[p(x | B)] + ln[P(B)], where p(x | B) is the class-conditional density of sample x for class B and P(B) is the prior probability of class B.
• With a Gaussian class-conditional density (as in the code), this is g(x) = -½ (x - μ_B) Σ_B⁻¹ (x - μ_B)ᵀ - ½ ln|Σ_B| + ln[P(B)].
Analysis of Data
• Have training data and testing data with known results (labels).
• Take the training data and separate it into the different categories.
• Acquire the covariance and mean of each category.
• Make a loop that evaluates the discriminant function of every category for each test sample.
• Check for accuracy.
• Change the prior probabilities until the most accurate result is acquired.
Code

```matlab
% One Gaussian discriminant per class; mean_k and cov_k come from the training
% split, and the log() term is the prior P(class k). Class indices follow the
% confusion matrix: 1 DOS, 2 R2L, 3 U2R, 4 Probing, 5 Normal Connection.
n_test = size(test_data, 1);      % length() would return the larger dimension
Decision = zeros(n_test, 1);
for i = 1:n_test
    current_entry = test_data(i,:);
    Function_1 = (-.5*((current_entry-mean_1)*inv(cov_1)*(current_entry-mean_1)'))-(.5*(log(det(cov_1))))+(log(.7));    % 1 - DOS discriminant function
    Function_2 = (-.5*((current_entry-mean_2)*inv(cov_2)*(current_entry-mean_2)'))-(.5*(log(det(cov_2))))+(log(.0025)); % 2 - R2L discriminant function
    Function_3 = (-.5*((current_entry-mean_3)*inv(cov_3)*(current_entry-mean_3)'))-(.5*(log(det(cov_3))))+(log(.0025)); % 3 - U2R discriminant function
    Function_4 = (-.5*((current_entry-mean_4)*inv(cov_4)*(current_entry-mean_4)'))-(.5*(log(det(cov_4))))+(log(.05));   % 4 - Probing discriminant function
    Function_5 = (-.5*((current_entry-mean_5)*inv(cov_5)*(current_entry-mean_5)'))-(.5*(log(det(cov_5))))+(log(.2));    % 5 - Normal Connection discriminant function
    % MAP decision: the class with the largest discriminant value wins
    [C,I] = max([Function_1,Function_2,Function_3,Function_4,Function_5]);
    Decision(i,1) = I;
end
```
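The Analysis of Data steps and the MATLAB loop above, carried through end to end as an added example (not code from the slides): per-class mean and covariance are estimated from a constructed two-feature training set, the Gaussian discriminant is evaluated for each class, the MAP decision picks the largest, and accuracy plus a confusion matrix are computed. The class names, feature values and priors are hypothetical and stand in for the five intrusion categories.

```python
import math
from collections import defaultdict

# Constructed training set (hypothetical per-connection features: packets/s,
# distinct destination ports); not real DARPA/KDD data.
TRAIN = {
    "normal": [(10, 2), (12, 3), (9, 2), (11, 4), (13, 3)],
    "dos":    [(200, 1), (220, 2), (210, 1), (190, 1), (205, 2)],
    "probe":  [(30, 40), (28, 45), (35, 38), (32, 42), (29, 41)],
}
# Constructed, labelled test split ("testing data that have results").
TEST = [((11, 3), "normal"), ((215, 1), "dos"), ((31, 43), "probe")]

def mean_cov(samples):
    """Sample mean and 2x2 covariance for one class (the 'acquire the covariance and mean' step)."""
    n = len(samples)
    mx = sum(x for x, _ in samples) / n
    my = sum(y for _, y in samples) / n
    sxx = sum((x - mx) ** 2 for x, _ in samples) / (n - 1)
    syy = sum((y - my) ** 2 for _, y in samples) / (n - 1)
    sxy = sum((x - mx) * (y - my) for x, y in samples) / (n - 1)
    return (mx, my), ((sxx, sxy), (sxy, syy))

def discriminant(x, mean, cov, prior):
    """g(x) = -1/2 (x-mu) Sigma^-1 (x-mu)^T - 1/2 ln|Sigma| + ln P(class),
    i.e. ln p(x|class) + ln P(class) for a Gaussian class density."""
    (a, b), (c, d) = cov
    det = a * d - b * c
    inv = ((d / det, -b / det), (-c / det, a / det))     # closed-form 2x2 inverse
    dx, dy = x[0] - mean[0], x[1] - mean[1]
    maha = dx * (inv[0][0] * dx + inv[0][1] * dy) + dy * (inv[1][0] * dx + inv[1][1] * dy)
    return -0.5 * maha - 0.5 * math.log(det) + math.log(prior)

def fit(train):
    """Separate the training data by category and estimate each class model."""
    return {label: mean_cov(s) for label, s in train.items()}

def classify(x, model, priors):
    """MAP decision: the class whose discriminant value is largest."""
    return max(model, key=lambda c: discriminant(x, *model[c], priors[c]))

def evaluate(test, model, priors):
    """Accuracy and confusion matrix {true_label: {predicted_label: count}}."""
    confusion = defaultdict(lambda: defaultdict(int))
    correct = 0
    for x, label in test:
        pred = classify(x, model, priors)
        confusion[label][pred] += 1
        correct += pred == label
    return correct / len(test), {t: dict(p) for t, p in confusion.items()}
```

Re-running `evaluate` with different `priors` dictionaries is the "change prior-probability until acquiring most accurate result" step from the slides.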
Results
• Accuracy
• Prior Probability
Confusion Matrix (rows: true class, columns: predicted class; 1 - DOS, 2 - R2L, 3 - U2R, 4 - Probing, 5 - Normal Connection)
[matrix cell values not recoverable from the page]
Error
• Future Improvements