Anomaly detection in computer networks using hierarchically organized teams of learning automata

Abstract

With the increasing number of computer systems connected to the Internet, security becomes a critical issue. To combat this problem, several attack detection methods have emerged in the past years, such as the rule based Intrusion Detection System (IDS) Snort - or anomaly based alternatives that are able to detect novel attacks without any prior knowledge about them. Most current anomaly based IDS require labeled attacks or extensively filtered training data, such that certain attack types, which generate large amounts of noise in terms of false positives, are effectively removed. This thesis describes a novel anomaly based scheme for detecting attacks, using frequent itemset mining, without performing extensive filtering of the input data. In brief, the scheme, which is named the Grimstad Data Classifier (GRIDAC), uses teams of hierarchically organized Learning Automata to generate a rule tree with a set of linked nodes – where the granularity of each node increases along with the current level in the tree. In turn, GRIDAC was implemented as an anomaly based IDS called Inspectobot, and evaluated using the 1999 DARPA IDS Evaluation Sets. At best, the prototype was able to detect 51 out of 62 attacks in the 1999 DARPA IDS Evaluation Sets with 56 false alarms, giving a detection rate of 82 %, after training on one week of attack-free traffic, and classifying another full week of data containing attacks. The empirical results are quite conclusive, demonstrating that the prototype shows an excellent ability to mine frequent itemsets from network packets, such that normal behavior can be modeled. With an average detection rate of 73 % of all attacks in the DARPA set, and a fairly low amount of false positives, it is also shown that Inspectobot can be used for IDS purposes. In its current state, Inspectobot requires a high processing capacity to perform the rule matching. When compared to the popular IDS Snort, it is currently not as useful outside of a testbed environment. Nonetheless, the scheme has the potential of serving as a complementary anomaly based IDS alongside Snort for detecting novel attacks, given a more optimized implementation.