TELKOMNIKA Indonesian Journal of Electrical Engineering
Vol. 12, No. 4, April 2014, pp. 2816 ~ 2825
DOI: http://dx.doi.org/10.11591/telkomnika.v12i4.4288
Received August 10, 2013; Revised October 23, 2013; Accepted November 20, 2013
Network Intrusion Detection System Based on Optimized Fuzzy Rules Algorithm

Liang Lei
QingDao Hotel Management College, QingDao ShanDong 266100, China
email: lei_liang0102@163.com
Abstract
As computer networks and distributed applications become more complex, diverse and intelligent, network behavior anomaly detection has gradually become an effective monitoring and system control technology. This paper establishes a network intrusion detection system and, to investigate the data rules, sensors and automatic identification of abnormal behavior in this system, introduces an algorithm based on fuzzy rules for describing abnormal network behavior. The algorithm describes the misclassified intrusion rules effectively and then converts the misclassified intrusion rules into the problem of seeking an optimal separating hyperplane. Subsequently, the double hypersphere membership function is introduced into the system to restrict the intrusion features and to establish an intrusion rule set; the rule set is then optimized to describe the intrusion rules compactly and complete intrusion detection. The experimental results showed that, in the context of different network attacks, the system can detect a variety of attacks efficiently. The detection error was not more than 1%, which basically met the requirements of reliability, high precision and anti-interference ability in automatic network intrusion detection, and provides a reference for future research on network intrusion detection.

Keywords: computer network, integrated intrusion detection system, fuzzy rule description

Copyright © 2014 Institute of Advanced Engineering and Science. All rights reserved.
1. Introduction
With the rapid development of computer and network technology, computer networking technology has penetrated into the social, political, cultural, economic and military areas and other aspects of people's working life, and its impact is still growing. Meanwhile, because of the openness and sharing characteristics of computer networks, network security issues such as hacking incidents appear frequently, which pose a great threat to national security, the economy and social life. Therefore, how to protect the security of the system and develop appropriate computer network security technology and corresponding measures has become the focus of researchers [1-3].

In order to overcome the defects of current systems, it is necessary to establish an intrusion detection system with good adaptability, scalability, flexibility and intelligence, a low false positive rate and a low false negative rate. Researchers have used a variety of methods to build mathematical models and intrusion detection systems. Fuzzy intrusion detection is one such modeling approach, which uses fuzzy mathematics and fuzzy data mining to build a fuzzy analysis engine that performs intrusion detection. At present, research and development of fuzzy intrusion detection is still at a preliminary stage [4]. The existing intrusion detection systems based on fuzzy rules often use expert knowledge to prepare detection rules. Such artificial rules obviously have great subjectivity and uncertainty, and they do not keep up with changes in the network environment, so their adaptability is poor [5, 6]. To solve this problem, we propose an optimized fuzzy rule to describe the intrusion detection system. The experimental results show that this is an effective fuzzy intrusion detection attempt. It not only provides a reference for future in-depth study of intrusion detection technology, but also provides theoretical and technical support for establishing an information security system.
2. The Detection System
2.1. Composition of the System
Normally the intrusion detection system is composed of eleven components: data source, sensor, behavior, analysis, events, alert, manager, alarm, response, admin and operator. For a host (such as a Web server) in the system that is easy for hackers to attack, host-based intrusion detection technology can be used: the installed IDS component can inspect the decrypted data to protect the machine from intrusion [7-9]. Network-based intrusion detection technology can also be applied on the host, so that only the host-related data transmission is inspected to prevent hacker attacks; the cost of detection is relatively small in this way. Additionally, this detection method can benefit other application-based intrusion detection and is very effective for some hosts in switched networks [10-12].

Figure 1. Detection System Components

In a network with shared transmission media, multiple intrusion detection systems can be set in the key network sections, and some hosts need to install a HIDS component to ensure that their data will not be processed by the NIDS component. The purpose is to avoid duplication of data processing and relieve the NIDS component's workload. For a high-speed network section, several NIDS in the same network section can be load-balanced to avoid "flooding" denial of service attacks (DDoS) and to process the captured data packets in that section. When the host has some faults and the HIDS component can't work properly, the NIDS in the same section can replace the HIDS to capture and inspect the data from the host and, at the same time, alert on the likely intrusion immediately, which can greatly increase the stability of the intrusion detection system. If the NIDS component has some faults, the HIDS component in the same network section can be used to detect by changing the range of capture. When a system control component is set in the system, the encrypted one can communicate with the IDS components safely. The encryption is for effective management of the IDS and for avoiding cooperative attacks.

The main functions of the system are:
(1) Manage, control and configure the IDS components;
(2) Collect, analyze and evaluate the detection results from different components in order to make the components respond accurately.
2.2. The System
The detection system work flow chart is described in Figure 2. In order to adapt to the current complex network environment, we designed a security defense system for multiple attack modes. The operation characteristics and methods of the safe integrated intrusion detection system are as follows.
(1) Embedded operating mode. It can defend against attacks, discard suspicious packets in real time and stop the following data communication.
(2) Availability and reliability. When there are some faults, it can be replaced by the other system detector to maintain the system.
(3) Low latency. The data packets can be processed rapidly, and the delays among the link layer, the network layer and the overall equipment are close.
(4) High performance. The rate required by the practical environment equipment is the same as the data processing capability. When all of the rules are open, fps could meet all of the above requirements.
(5) High intrusion detection accuracy rate. There is no need to restart to apply the characteristic rules rapidly. When some operation in the control center is applied, the corresponding rules are effective in the detectors.
(6) Fine-grained control to stop malicious communication.
(7) Alert processing and forensic analysis capabilities. When the sensors alert, the surveillance center can provide real-time and previous records to find whether there are some correlations and determine how to respond.

Figure 2. Detection System Work Flow Chart
Figure 3 is the scheme of the network intrusion detection system. The operation modules are classified by system logic based on the operation stage and tasks. There are two stages for the detection system: training and testing. The training stage is to analyze the training data and store the model rules into SQL. The testing stage is to analyze the captured data with SQL and further process the analyzed results by the response module. All of the above tasks are finished by the central control module.

Figure 3. Scheme of the Network Intrusion Detection System
The system control center is the core of the whole model. The control logic of the whole system is generated by this module. The control center distributes and dispatches the separated function logic to increase the operation efficiency and to benefit further update and maintenance. The control center defines multiple functions in the system, such as normal functions in the control interface, interior functions in the control module, and the operation functions among modules. The control center pre-defines several classes: capture class, pre-process class, analysis class, and response class. The above classes can be dispatched and managed by the visible management interface. The main functions are: ① test unit management; ② receive alert information and display; ③ log data management; ④ user management; ⑤ rules definition.
3. Fuzzy Invasion Characteristics Rules
3.1. Fuzzy Rules of Training Set
Assume the training set of the intrusion detection system is
$S = \{(x_1, y_1, u(x_1)), \ldots, (x_l, y_l, u(x_l))\}$,
in which $x_j \in R^n$, $y_j \in \{1, -1\}$, and $u(x_j)$ lies between a fixed real number greater than 0 and 1. $u(x_j)$ is the fuzzy membership of the training point: the output is $(x_j, y_j, u(x_j))$, with $y_j = 1$ (positive) or $y_j = -1$ (negative) and fuzzy membership $u(x_j)$, $j = 1, \ldots, l$. The fuzzy membership $u(x_j)$ is the degree of training point $(x_j, y_j, u(x_j))$ belonging to a certain kind, and the parameter $\xi_j$ is the measurement of the misclassification degree, so $u(x_j)\xi_j$ becomes the measure of misclassification for variables of different importance. For linear problems, finding the optimal separating hyperplane is changed into solving the quadratic programming problem as follows:

$$\min_{w,b,\xi} \ \frac{1}{2}\|w\|^2 + C\sum_{j=1}^{l} u(x_j)\,\xi_j$$
$$\text{s.t.} \ \ y_j\big((w \cdot x_j) + b\big) \ge 1 - \xi_j, \quad \xi_j \ge 0, \quad j = 1, 2, \ldots, l \qquad (1)$$

In which $C > 0$ is the punishment parameter, $\xi = (\xi_1, \ldots, \xi_l)^T$, and $u(x_j)$ is the degree of training point $(x_j, y_j, u(x_j))$ belonging to a certain class. We solve the dual programming of quadratic programming (1). According to the Wolfe dual definition, the minimum of the Lagrange function with respect to $w$, $b$, $\xi_j$ is obtained as follows:

$$\frac{\partial L(w,b,\xi,\alpha,\beta)}{\partial w} = w - \sum_{j=1}^{l}\alpha_j y_j x_j = 0$$
$$\frac{\partial L(w,b,\xi,\alpha,\beta)}{\partial b} = -\sum_{j=1}^{l}\alpha_j y_j = 0$$
$$\frac{\partial L(w,b,\xi,\alpha,\beta)}{\partial \xi_j} = u(x_j)C - \alpha_j - \beta_j = 0 \qquad (2)$$

Substituting Equation (2) back into the Lagrange function and seeking its maximum with respect to $\alpha$ gives the dual quadratic programming.
$$\max_{\alpha} \ \sum_{j=1}^{l}\alpha_j - \frac{1}{2}\sum_{i=1}^{l}\sum_{j=1}^{l} y_i y_j \alpha_i \alpha_j (x_i \cdot x_j)$$
$$\text{s.t.} \ \ \sum_{j=1}^{l} y_j \alpha_j = 0, \quad 0 \le \alpha_j \le u(x_j)C, \quad j = 1, 2, \ldots, l \qquad (3)$$

The problem of seeking the optimal hyperplane is transformed into solving the dual programming (3) of quadratic programming (1). Programming (3) is a convex quadratic programming problem; its optimal solution is $\alpha^* = (\alpha_1^*, \ldots, \alpha_l^*)^T$, so the fuzzy optimal classification function is as follows:

$$f(x) = \mathrm{sgn}\{(w^* \cdot x) + b^*\}, \quad x \in R^n \qquad (4)$$

In which $w^* = \sum_{j=1}^{l}\alpha_j^* y_j x_j$, $b^* = y_i - \sum_{j=1}^{l} y_j \alpha_j^* (x_j \cdot x_i)$, $i \in \{i \mid 0 < \alpha_i^* < u(x_i)C\}$.

In $\alpha^* = (\alpha_1^*, \ldots, \alpha_l^*)^T$, only part of the $\alpha_j^*$ are nonzero; the input $x_j$ of the corresponding training point is a support vector. There are usually two kinds of support vector sets. One is the support vectors corresponding to $0 < \alpha_j^* < u(x_j)C$, which are distributed at the edge of the hyperplane; the other corresponds to $\alpha_j^* = u(x_j)C$, and these support vectors are misclassified samples. The biggest difference between the fuzzy support vector machine and the traditional support vector machine is the existence of $u(x_j)$: in the fuzzy support vector machine, the support vectors corresponding to $\alpha_j^*$ are different from those in the traditional support vector machine.

For nonlinear problems, the kernel function $K(x_i, x_j)$ is used, and the classification can be expressed as the following quadratic programming:

$$\min_{\alpha} \ \frac{1}{2}\sum_{i=1}^{l}\sum_{j=1}^{l} y_i y_j \alpha_i \alpha_j K(x_i, x_j) - \sum_{j=1}^{l}\alpha_j$$
$$\text{s.t.} \ \ \sum_{j=1}^{l} y_j \alpha_j = 0, \quad 0 \le \alpha_j \le u(x_j)C, \quad j = 1, 2, \ldots, l \qquad (5)$$

Programming (5) is a convex quadratic programming problem. Its optimal solution is $\alpha^* = (\alpha_1^*, \ldots, \alpha_l^*)^T$, so the fuzzy optimal classification function is as follows:

$$f(x) = \mathrm{sgn}\Big\{\sum_{j=1}^{l}\alpha_j^* y_j K(x_j, x) + b^*\Big\}, \quad x \in R^n \qquad (6)$$
Where $b^* = y_i - \sum_{j=1}^{l} y_j \alpha_j^* K(x_j, x_i)$, $i \in \{i \mid 0 < \alpha_i^* < u(x_i)C\}$.
3.2. Double Hypersphere Membership Function
A double hypersphere membership function is introduced into the system. The relationship between each sample and the class center, and the relationship between the samples within a class, are both considered when determining the degree of membership. In addition, the sample membership is seen as a non-linear function of the distance between the sample and the center of the class. The traditional SVM makes an appropriate division of valid samples, noises and outliers: most of the samples located on one side of the classification surface are valid samples, while those on the other side are noises and outliers. The center $x_0$ of the sample data is regarded as the center of a sphere, and a cutting ball is built with radius $R$, which is the distance between the classification surface $H$ and the center point; it is denoted as sphere A. Then $x_0$ is taken as the sphere center to build a new sphere with radius $2R$, which is sphere B. The samples in sphere A are taken as valid samples and are given a large membership; the samples located outside sphere B are regarded as noises and outliers, and their membership degree is zero; the samples between the two spheres are given a smaller degree of membership to indicate the degree to which they are valid samples.

After the SVM classifier is trained, according to the classification function, the samples $\{x_j, j = 1, 2, 3, \ldots, n\}$ on one side can be obtained. The center vector is $x_0 = \frac{1}{n}\sum_{j=1}^{n} x_j$, the linear discriminant function is $g(x) = (w \cdot x) + b$, the distance from an arbitrary point $x$ to the classification surface can be expressed as $|g(x)| / \|w\|$, and the radius is $R = |g(x_0)| / \|w\|$. The S-shaped function is combined to define the fuzzy membership $u(x_j)$ as:

$$u(x_j) = \begin{cases} 1, & d(x_j) \le R \\ S(d(x_j)), & R < d(x_j) \le 2R \\ 0, & d(x_j) > 2R \end{cases} \qquad (7)$$

where $S(\cdot)$ is the S-shaped function decreasing from 1 at $d(x_j) = R$ to 0 at $d(x_j) = 2R$, and $d(x_j) = \|x_j - x_0\|$ is the distance between $x_j$ and $x_0$.
3.3. Algorithm Description
The Fuzzy Support Vector Machine (FSVM) algorithm makes use of the above principles and formulas to design the intrusion detection classifier. It takes the training data and testing data as input and outputs the type of the detection data (normal, intrusion or abnormal). The algorithm is described as follows.
1) Train a traditional SVM classifier, obtain the initial support vectors, and use them to constitute the decision classification surface $(w \cdot x) + b = 0$.
2) Calculate the center vector $x_0$.
3) Calculate the radii $R$ and $2R$ according to the decision classification surface and $x_0$.
4) Calculate the membership function $u(x_j)$ according to equation (10).
5) Get the fuzzy training set $\{(x_1, y_1, u(x_1)), (x_2, y_2, u(x_2)), \ldots, (x_l, y_l, u(x_l))\}$.
6) Train on the fuzzy training points, build the optimal structure of the classification function, and obtain the fuzzy support vector machine classifier.
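As an added example (not code from the paper), the following Python works steps 2 to 5 of the algorithm above on a constructed 2-D training set, assuming the linear decision surface w·x + b = 0 of step 1 is already known; the exact S-shaped middle branch of the membership function is an assumption (a quadratic decay from 1 at R to 0 at 2R), as are the function names.

```python
"""Double-hypersphere fuzzy membership for FSVM training points (steps 2-5).

Added example, not code from the paper. It assumes the decision surface
(w, b) of a traditional SVM is already known (step 1) and that the
S-shaped middle branch is a quadratic decay from 1 at R to 0 at 2R;
the paper only states that the branch is S-shaped.
"""
import math


def dot(a, b):
    return sum(ai * bi for ai, bi in zip(a, b))


def norm(a):
    return math.sqrt(dot(a, a))


def discriminant(w, b, x):
    """g(x) = (w . x) + b, the linear discriminant function."""
    return dot(w, x) + b


def distance_to_surface(w, b, x):
    """Distance from x to the classification surface: |g(x)| / ||w||."""
    return abs(discriminant(w, b, x)) / norm(w)


def class_center(points):
    """x0 = (1/n) * sum of the class's samples (step 2)."""
    n = len(points)
    return tuple(sum(p[k] for p in points) / n for k in range(len(points[0])))


def s_shape(d, R):
    """Assumed S-shaped decay: 1 at d = R, 0.5 at d = 1.5R, 0 at d = 2R."""
    t = (d - R) / R            # 0 at the edge of sphere A, 1 at sphere B
    if t <= 0.5:
        return 1.0 - 2.0 * t * t
    return 2.0 * (1.0 - t) ** 2


def membership(d, R):
    """u(x_j) from the double hypersphere: 1 inside sphere A (radius R),
    0 outside sphere B (radius 2R), S-shaped in between (step 4)."""
    if d <= R:
        return 1.0
    if d > 2.0 * R:
        return 0.0
    return s_shape(d, R)


def fuzzy_training_set(points, labels, w, b):
    """Build {(x_j, y_j, u(x_j))} (step 5). Each class uses its own center
    and radius R = |g(x0)| / ||w|| (step 3), so samples far from their
    class center are the ones pushed towards zero membership."""
    result = []
    for cls in sorted(set(labels)):
        members = [x for x, y in zip(points, labels) if y == cls]
        x0 = class_center(members)
        R = distance_to_surface(w, b, x0)
        for x in members:
            d = norm([xi - ci for xi, ci in zip(x, x0)])   # d(x_j) = ||x_j - x0||
            result.append((x, cls, membership(d, R)))
    return result


# Constructed sample: surface x + 1 = 0, i.e. w = (1, 0), b = 1.
W, B = (1.0, 0.0), 1.0
POINTS = [(0, 0), (1, 1), (1, -1), (2, 0), (1, 0), (2, 0), (1, 0), (0, 0),
          (10, 0), (12, 0),                       # far from the +1 center
          (-3, 0), (-4, 1), (-4, -1), (-5, 0), (-2, 0), (-2, 0), (-3, 0),
          (-9, 0)]                                # far from the -1 center
LABELS = [1] * 10 + [-1] * 8


def memberships_by_point(points=POINTS, labels=LABELS, w=W, b=B):
    """Convenience lookup: point -> u(x_j)."""
    return {x: u for x, _, u in fuzzy_training_set(points, labels, w, b)}


if __name__ == "__main__":
    for x, y, u in fuzzy_training_set(POINTS, LABELS, W, B):
        print(f"x={x!s:>9} y={y:>2} u(x)={u:.4f}")
```

For the +1 class the center is (3, 0) and R = 4, so (10, 0) at distance 7 falls between the spheres and (12, 0) at distance 9 lies outside sphere B and gets zero membership.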
4. Optimal Detection Process of the Rules
Fuzzy rules can be obtained by the above methods, but the detection speed of the system is limited by the number of rules; in order to improve the processing speed, the rule set needs to be optimized. During the optimization process, the rule set must be constructed and selected.
4.1. Construction of the Rule Set
It is necessary for the rule set detection method to structure the rule set by using the rule optimizer. There are two requirements for the rule optimizer. (1) The rule optimizer must be set to achieve the purpose of constructing the smallest and most efficient rule set. (2) Discrete rule sets should be structured, so that each data packet only needs to search one rule set.

In the initialization process, the rule set is structured by the rule optimizer using the most independent Snort rule parameters. The different parameters for each type of transmission protocol are independent, so the selected rule parameters for each type of transmission protocol are different. For example, the TCP rule sets can be distinguished from each other by the source and destination ports, and the ICMP rule sets can be distinguished from each other according to the ICMP type. A subset is structured with the independent parameters, which allows the detection engine of multiple rules to detect against the smaller rule set. More importantly, it allows the data to pass through the corresponding subset of the rules according to the characteristics of the data packets.
4.2. Choosing the Rule Set
When Snort is running, a rule set for each data packet is selected by the rule optimizer. Some of the parameters and the rule set are selected depending on the matching results of the received packet's lumped parameter. Thus, only those rules which match the packet are selected. From then on, multiple rule search engines can detect the content by the detection method based on the rule set of the rule set testing methods. For some abnormal packets, maybe two sets of rules will be selected; this is a condition called "independent conflict".
4.3. Actual Application of the Rule Optimizer
According to the independent parameters of the transmission protocol, the rules are divided into definable rules and small rule sets by the rule optimizer to improve the speed of Snort detection. By analysis, the source port and destination port can be used as independent parameters of the TCP/UDP packet, and the ICMP type can be used as an independent parameter of the ICMP packets. A set of rules with the optimized overall structure is constructed, which is more detailed. When a packet is received, first of all determine whether the IP protocol field exists; if not, treat it with the common IP rules. If yes, judge which rule type it is: TCP/UDP, ICMP or others. If it is a TCP/UDP rule, it should be processed according to the appropriate rule set of independent parameters. At last, according to the detection result, judge whether it is a malicious packet or an invasion.
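As an added example (not code from the paper or from Snort), the following Python implements the dispatch described in Sections 4.1 to 4.3 on constructed rules and packets: rules are filed into subsets keyed by protocol and independent parameter (ports for TCP/UDP, type for ICMP, a common IP subset otherwise), each packet searches only the subset(s) its parameters select, and the "independent conflict" case where two subsets are selected is reported. The rule tuple layout, packet fields and payload patterns are constructed placeholders.

```python
"""Rule-optimizer dispatch by independent parameters (Sections 4.1-4.3).

Added example, not code from the paper or from Snort. The rule tuple
format, packet dict fields and the sample rules are constructed for
illustration only.
"""
from collections import defaultdict

# (name, protocol, independent parameter, payload pattern).
# Constructed placeholder rules: the parameter is a port for tcp/udp,
# an ICMP type for icmp, and None for the common IP rule set.
RULES = [
    ("http-traversal", "tcp", 80, b"../"),
    ("ssh-banner-probe", "tcp", 22, b"SSH-probe"),
    ("dns-nul-flood", "udp", 53, b"\x00" * 8),
    ("icmp-echo-oversize", "icmp", 8, b"A" * 16),
    ("ip-common-marker", "ip", None, b"EVIL"),
]


def build_rule_sets(rules):
    """Initialization (4.1): file every rule into the discrete subset for
    its (protocol, independent parameter), so a packet searches one subset."""
    sets = defaultdict(list)
    for rule in rules:
        _, proto, param, _ = rule
        sets[(proto, param)].append(rule)
    return dict(sets)


def select_rule_sets(packet, rule_sets):
    """Choosing the rule set (4.2/4.3): returns the subset keys a packet
    must be searched against, following the order given in Section 4.3."""
    proto = packet.get("proto")
    if proto is None:                     # no IP protocol field: common IP rules
        return [("ip", None)]
    if proto in ("tcp", "udp"):           # ports are the independent parameters
        candidates = [(proto, packet.get("sport")), (proto, packet.get("dport"))]
    elif proto == "icmp":                 # ICMP type is the independent parameter
        candidates = [("icmp", packet.get("icmp_type"))]
    else:                                 # other protocols: common IP rules
        candidates = []
    chosen = [c for c in candidates if c in rule_sets]
    return chosen if chosen else [("ip", None)]


def detect(packet, rule_sets):
    """Search only the selected subset(s) and judge the packet.
    Returns (verdict, matched rule names, independent_conflict)."""
    selected = select_rule_sets(packet, rule_sets)
    conflict = len(selected) > 1          # two subsets selected (4.2)
    payload = packet.get("payload", b"")
    hits = [name for key in selected
            for name, _, _, pattern in rule_sets.get(key, [])
            if pattern in payload]
    verdict = "malicious" if hits else "normal"
    return verdict, hits, conflict


# Constructed packets.
PACKETS = {
    "web":  {"proto": "tcp", "sport": 40000, "dport": 80,
             "payload": b"GET /images/../../private HTTP/1.0"},
    "ssh":  {"proto": "tcp", "sport": 22, "dport": 80, "payload": b"hello"},
    "ping": {"proto": "icmp", "icmp_type": 8, "payload": b"A" * 32},
    "raw":  {"payload": b"xxEVILxx"},
    "gre":  {"proto": "gre", "payload": b"tunnel"},
}


def run_all(packets=PACKETS, rules=RULES):
    """Dispatch every constructed packet and collect the verdicts."""
    sets = build_rule_sets(rules)
    return {name: detect(pkt, sets) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (verdict, hits, conflict) in run_all().items():
        print(f"{name:5} {verdict:9} hits={hits} conflict={conflict}")
```

The "ssh" packet shows the independent conflict: its source port and destination port each index a different TCP subset, so two subsets are selected and both are searched.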
5. Simulation
5.1. Data Source and Test Environment
The experimental data is from the standard data set KDD 1999. There are four kinds of attacks in the data set: scanning and probing (Probe), denial of service attacks (DoS), unauthorized remote access (R2L) and local super user illegal access (U2R); the other data are normal. The 4 types of intrusion data set are selected randomly from the data set as shown in Table 1.
Table 1. Sample Data
Intrusion type | Training normal | Training intrusion | Test normal | Test intrusion
Probe | 731 | 711 | 576 | 970
DoS | 150 | 904 | 640 | 287
U2R | 84 | 3 | 57 | 80
R2L | 72 | 89 | 24 | 18
Figure 4 shows an intrusion detection environment with Gigabit speed. All of the machines are PC computers with the Windows XP operating system; the processor is a P4 dual-core 1.8G, the DDR memory is 1G, the hard disk is 160 GB, and the Ethernet card is 1 Gigabit.

Figure 4. Test Environment
The test card sends Ethernet frames directly to the user level without any treatment; the packet capture performance for different IP packet sizes is shown in Table 2.

Table 2. IP Package Capture
IP package size (bytes) | Speed of sending package (pps) | Flow of sending package (bps) | Receiving package speed (pps) | Flow of receiving package (bps) | Receive rate
64 | 585968 | 200M | 585968 | 200M | 100%
64 | 645875 | 280M | 645875 | 280M | 100%
64 | 786550 | 350M | 663061 | 295M | 84%
256 | 244141 | 500M | 244141 | 500M | 100%
256 | 400000 | 600M | 324000 | 486M | 81%
1024 | 97656 | 800M | 97656 | 800M | 100%
1024 | 110000 | 900M | 100100 | 819M | 91%
As seen from the data capture results with WinPcap, the packet capture platform with WinPcap has better performance than the traditional packet capture platform. It can adapt to a large-flow network environment with a high-speed packet reception rate.
5.2. Comparative Models and Evaluation of Model Performance
In order to make the network intrusion detection system more convincing, the support vector machine model using all features (SVM) and the support vector machine parameter model with features selected individually by particle swarm optimization (PSO-SVM) are taken as comparison models to evaluate the performance in terms of detection rate and run time.
5.3. Test of Feature Selection
The compared results of the PSO-SVM algorithm and the algorithm in this paper, used to select the features of network intrusion detection, are shown in Table 3.
Table 3. Feature Selection Results of Different Models
Type of intrusion | Num before choose | PSO-SVM | Algorithm in this paper
Probe | 41 | 17 | 15
DoS | 41 | 18 | 17
U2R | 41 | 12 | 10
R2L | 41 | 14 | 11
As seen from Table 3, after the feature selection algorithm, the number of features processed with the algorithm in this paper is less than that of PSO-SVM, and the number of characteristics is less than the number of pre-selected features. So it is necessary to select the number of network intrusion features, with which the number of input variables for the support vector machine can be reduced greatly and the learning speed of network intrusion detection can be accelerated.
5.4. Comparison of the Detection Results
The selected characteristics are input to the support vector machine to learn with the optimal support vector machine model, the test samples are checked with the optimal detection model, and the detection results are shown in Table 4. As seen from the comparison results in the table, the model with feature selection has a higher detection rate than the model with all the original features, and the detection rate of the proposed algorithm is higher than that of PSO-SVM. The comparison result shows that the combined model of characteristic selection and support vector machine parameters can take advantage of each algorithm and dig out the network status information.
Table 4. Detection Rate Comparison of Different Models
Type | SVM (%) | PSO-SVM (%) | Algorithm in this paper (%)
Probe | 99.51 | 98.31 | 99.56
DoS | 98.38 | 97.60 | 99.51
U2R | 98.14 | 98.16 | 99.71
R2L | 98.00 | 97.64 | 99.17
6. Conclusion
A characteristics description algorithm for abnormal network behavior detection based on fuzzy representation rules was proposed in this paper. The details of the misclassification of invasion rules were described and converted into the problem of seeking the optimal separating hyperplane. Furthermore, the double hypersphere membership degree function was introduced into the system to restrict the intrusion characteristics, and the set of invasion rules was established. At last, the set of rules was optimized to complete intrusion detection. The results showed that the design in this paper was effective and feasible. It not only provides a reference for future in-depth study of intrusion detection technology, but also provides theoretical and technical support for establishing a secure network system.
References
[1] Mohammad Saniee Abadeh, Jafar Habibi, Zeynab Barzegar, Muna Sergi. A parallel genetic local search algorithm for intrusion detection in computer networks. Engineering Applications of Artificial Intelligence. 2007; 20(8): 1058-1069.
[2] Roberto Perdisci, Giorgio Giacinto, Fabio Roli. Alarm clustering for intrusion detection systems in computer networks. Engineering Applications of Artificial Intelligence. 2006; 19(4): 429-438.
[3] GUO Rong-yan, HU Xue-hui. Study about License Plate Recognition Based on Back Propagation Neural Network. Computer Simulation. 2010; 27(9): 299-301.
[4] Ivan Goethals, Kristiaan Pelckmans, Johan AK Suykens, Bart De Moor. Identification of MIMO Hammerstein models using least squares support vector machines. Automatica. 2005; 41(7): 1263-1272.
[5] Youping Zhao, Lizdabel Morales-Tirado. Cognitive Radio: Forging ahead from Concept, Testbed to Large-Scale Deployment. Journal of Communications. 2012; 7(7): 514-523.
[6] Xue Hua, Li Xue-ying, Chen Yu. Research on the intrusion detection and its implementation through Data streaming. Computer Applications. 2004; 4(1): 112-114.
[7] Zhu Hong. Fault Diagnosis for Analog Circuits Based on D-S Evidence Theory and PSO Neural Network. Computer Measurement & Control. 2013; 21(4): 868-870.
[8] Xiaojian Wu, AL Narasimha Reddy. A Novel Approach to Manage A Hybrid Storage System. Journal of Communications. 2012; 7(7): 473-483.
[9] Forrest S, Hofmeyr SA, Somayaji. Computer Immunology. Communications of the ACM. 1997; 40(10): 88-96.
[10] Sharief MA Oteafy, Hossam S Hassanein. Resource Re-use in Wireless Sensor Networks: Realizing a Synergetic Internet of Things. Journal of Communications. 2012; 7(7): 484-493.
[11] Hammad M, Conor RA. Less Destructive Context-aware Crossover Operator for GP. Berlin/Heidelberg: Springer-Verlag. 2006; 45(5): 36-48.
[12] Saeid Asgari Taghanaki, Behzad Zamani Dehkordi, Ahmad Hatam, Behzad Bahraminejad. Synthetic Feature Transformation with RBF neural network to improve the Intrusion Detection System Accuracy and Decrease Computational Costs. International Journal of Electrical and Computer Engineering. 2012; 1(1): 28-36.