Application of Bayesian belief networks and fuzzy cognitive maps in intrusion analysis

Abstract

Bayesian belief networks (BBN) and fuzzy cognitive maps (FCM) are two major causal knowledge frameworks that are frequently used in various domains for cause and effect analysis. However, most researchers use these as separate approaches to analyse the cause(s) and effect(s) of an event. In practice, both methods have their own strengths and weaknesses in both causal modelling and causal analysis. In this paper, a combination of BBN and FCM is used in order to model and analyse network intrusions. First, the BBN is learnt from network intrusion data; following this, an FCM is generated from the BBN, using a migration method. A data-mining approach is suitable for use in the construction of a BBN for network intrusion since this is a data-rich domain, while an FCM is appropriate for the intuitive representation of complex domains. The proposed method of network intrusion analysis using both BBN and FCM consists of several stages, in order to leverage the capabilities of each approach in building the causal model and performing causal analysis. Both the intuitive representation of the causal model in FCM and the wide variety of reasoning methods supported by BBN are exploited in this research to facilitate network intrusion analysis.

Keywords

Root cause analysis fuzzy cognitive map Bayesian belief network causal reasoning intrusion analysis

1 Introduction

A causal model is a representation of the cause and effect relationships between two events. Automated reasoning about a causal model is particularly useful in decision making, since this emulates human thinking in terms of a cause-and-effect analysis. Bayesian belief networks (BBN) and fuzzy cognitive maps (FCM) are the two most frequently used frameworks for constructing causal models and reasoning about causal knowledge [1]. However, the majority of researchers use these approaches separately to analyse the cause(s) and effect(s) of an event. BBNs are more widely used in data mining, and there are a number of commercial tools available for learning the causal model from the data. BBNs support a variety of reasoning methods and can perform diagnostic analysis, which FCM cannot. However, BBN lacks intuitiveness in terms of representation and suffers from complexity problems in inference [2]. FCM, on the other hand, is well known as a simple, intuitive and high-level approach to causal modelling, and the inference mechanism in FCM is simpler and more time-efficient than that of BBN. However, FCM is weaker in terms of its inference capability, since it does not support backward diagnostic reasoning. Both BBN and FCM have certain strengths and weaknesses in terms of modelling and reasoning processes, and can complement each other when applied in combination in the same domain.

A network intrusion is any unauthorised activity that attempts to compromise the confidentiality, integrity or availability of computer systems or networks. An intrusion detection system (IDS) gathers and analyses network information in order to identify unauthorised accesses and abuses of authority within computer networks. Intrusion analysis is the first line of defence for deriving intrusion information and assumptions from network traffic data, and for improving the performance of the IDS. Information on the ways in which an intrusion can take place and its impact can be garnered from the results of the analysis. Causal reasoning is useful in network intrusion analysis, since it is able to identify the root cause(s) and to predict the effect(s) of an intrusion event. Although the causal analysis approach is more intuitive and effective, the main challenges involve ways of modelling the network intrusion domain and, subsequently, ways of performing causal analysis based on the model [3].

Hence, the objective of this research work is the collaborative application of both BBN and FCM in representing the network intrusion domain and in reasoning about causal models. Intrusion analysis can be carried out using a series of reasoning processes which leverage the strengths of both BBN and FCM. The KDD Cup 1999 network intrusion dataset [4] is used to test the correctness of the resultant causal models and the accuracy of the intrusion analysis. This is a benchmark dataset which is widely used in the network intrusion domain. Although this dataset does not contain the latest network intrusion data, it is well structured and sufficient for use in the verification of the proposed method. The BBN and FCM are not constructed separately in this work; instead, the BBN is first constructed automatically from the intrusion data. The reliability of the data mining approach relies heavily on the availability of a huge set of data. Since network intrusion is a data-rich domain, it is appropriate for the BBN to be learnt from the data. Following this, a migration method is used to construct the FCM from the previously constructed BBN. This migration method is useful in minimising the effort required for the construction of the FCM. Before the FCM is used to perform causal analysis, it is verified through a comparison of the reasoning results from both the FCM and the BBN from which it is derived.

This work makes two main contributions to the existing research. The first is the joint application of both BBN and FCM, so that intrusion analysis can be carried out based on the causal relationships between domain variables. This is the first attempt to utilise a combination of BBN and FCM in carrying out network intrusion analysis. A more thorough analysis can be achieved by leveraging the strengths of both of these causal frameworks. There is very little prior research work on the application of a causal knowledge-driven approach in the analysis of network intrusions; although some researchers have applied both BBN and FCM in the domain of network intrusions, these have been used separately with no integration, and usually for classification, in order to increase the detection rate and reduce false alarms [5 –9]. The second contribution of this research is the application of a method of migration from BBN to FCM, in order to minimise the human effort involved in the construction of the FCM. The collaboration of both frameworks is accomplished using this migration method and the complementary nature of their reasoning abilities.

The superiority of the proposed method is highlighted in terms of knowledge acquisition, representation and reasoning. In the method proposed here, the detection process is made transparent by means of the cause-and-effect relationships between the domain variables. Classification algorithms such as artificial neural networks and support vector machines are often used to predict the class of an intrusion due to their remarkable performance [10]. However, although these “black-box” operations can achieve high accuracy in terms of classification results, their inner workings are very hard to understand, and they do not generally provide a clear explanation of the reasons for a particular prediction [11]. A causal analysis yielding an explanation of a particular outcome in terms of the cause-and-effect relationships involved is presented in this research work. A decision made with a rationale based on causality information is more convincing and acceptable than one made using a black-box operation.

Although there are several research works which adopt causal frameworks such as BBN and FCM in the field of network intrusion, these are mainly used for classification purposes [6 , 12–14]. The relationships between domain variables are established implicitly, and the rationale for the classification process is not apparent. In the method proposed here, BBN and FCM are used, beyond the limits of classification, to incorporate a causal analysis that is more transparent and visible. The transparency and visibility of the causal reasoning process are important, since these make explicit the information on the causal relationships between the domain’s attributes, enabling the inherent characteristics of a particular type of intrusion to be studied. The proposed method is also superior in that it supports a wider range of reasoning processes, such as effect analysis, cause analysis, hybrid analysis, direct causal effect analysis and indirect causal effect analysis.

Another superiority of the proposed method is the formulation of a migration method from BBN to FCM. BBN is chosen in order to learn the causal model from network intrusion data, due to the availability of commercial BBN learners such as BayesiaLab [15], Hugin [16] and Netica [17]. In contrast, FCM is less mature than BBN in terms of learning a causal model from data. In addition, network intrusion is a data-rich domain, and it is therefore appropriate to learn the causal model from data rather than to construct it manually using a knowledge engineering approach. Moreover, the availability of a very large set of network intrusion data ensures the reliability of the analysis results. Furthermore, in the proposed method FCM is automatically generated from the BBN which was previously learnt from data. This minimises the effort required for causal knowledge acquisition and causal model construction in both BBN and FCM.

2 Method of network intrusion modelling and analysis

In this study, BBN and FCM are used jointly in order to carry out causal analysis for network intrusion. Before the BBN is constructed, a feature selection technique is used to remove insignificant attributes from the dataset. Following this, a complete dataset with all variables and a partial dataset with selected variables are used in a classification task; the results show that the partial dataset offers a better prediction capability. The dataset with selected variables is therefore used in learning the BBN causal model. In addition, various analysis methods supported by BBN are applied in the domain of network intrusion. An FCM is then generated from the BBN using a migration method based on a probability-possibility transformation [18]. The validity of the FCM generated in this way is verified by experiment, before intrusion analysis is carried out on the causal model. In this experiment, the consistency of the reasoning results from BBN and FCM are compared. Following this, an analysis of the causal relationships is conducted in FCM in a simple and intuitive way. Each process is described in more detail in the subsections below.

2.1 Pre-processing of network intrusion data

The KDD Cup 1999 dataset [4] is used in this experiment to evaluate the reliability of the causal model and the soundness of the analysis process. This is a current benchmark dataset which is widely used for comparing the performance of different IDS methods due to the lack of appropriate public network datasets. This dataset is provided by the UCI Machine Learning Repository and was collected at MIT’s Lincoln Labs by simulating a typical U.S. Air Force local area network (LAN) environment. Each connection record consists of 41 attributes and is classified as either ‘normal’ or ‘attack’; the latter is divided into four main categories, as follows:

Denial of service (DoS): the intruder attempts to flood the network traffic to cause the system to be unavailable to its intended request or user, e.g. using a SYN flood.

User to root (U2R): the intruder attempts to obtain access rights from a legitimate user account, e.g. using password guessing.

Remote to local (R2L): the intruder attempts to exploit the system weaknesses in the remote machine as a local user, e.g. using a buffer overflow.

Probing: the intruder attempts to collect useful network information for intrusion, e.g. using port scanning.

A randomly selected set of 25,000 records from a 10% subset of the KDD Cup 1999 dataset is used in this experiment. Only 25,000 records are used here due to limitations on the hardware and restrictions arising from the classification algorithms on the Weka [19] platform. The 41 attributes in the dataset are shown in Table 1.

Table 1
Attribute labels for the KDD Cup 1999 dataset

Label Feature Label Feature Label Feature

X1 duration X15 su_attempted X29 same_srv_rate

X2 Protocol_type X16 num_root X30 diff_srv_rate

X3 service X17 num_file_creations X31 srv_diff_host_rate

X4 flag X18 num_shells X32 dst_host_count

X5 src_bytes X19 num_access_files X33 dst_host_src_count

X6 dst_bytes X20 num_outbound_cmds X34 dst_host_same_srv_rate

X7 land X21 is_host_login X35 dst_host_diff_srv_rate

X8 wrong_fragment X22 is_guest_login X36 dst_host_same_src_port_rate

X9 urgent X23 count X37 dst_host_srv_diff_host_rate

X10 hot X24 srv_count X38 dst_host_serror_rate

X11 num_failed_logins X25 serror_rate X39 dst_host_srv_serror_rate

X12 logged_in X26 srv_serror_rate X40 dst_host_rerror_rate

X13 num_compromised X27 rerror_rate X41 dst_host_srv_rerror_rate

X14 root_shell X28 srv_rerror_rate

Label	Feature	Label	Feature	Label	Feature
X1	duration	X15	su_attempted	X29	same_srv_rate
X2	Protocol_type	X16	num_root	X30	diff_srv_rate
X3	service	X17	num_file_creations	X31	srv_diff_host_rate
X4	flag	X18	num_shells	X32	dst_host_count
X5	src_bytes	X19	num_access_files	X33	dst_host_src_count
X6	dst_bytes	X20	num_outbound_cmds	X34	dst_host_same_srv_rate
X7	land	X21	is_host_login	X35	dst_host_diff_srv_rate
X8	wrong_fragment	X22	is_guest_login	X36	dst_host_same_src_port_rate
X9	urgent	X23	count	X37	dst_host_srv_diff_host_rate
X10	hot	X24	srv_count	X38	dst_host_serror_rate
X11	num_failed_logins	X25	serror_rate	X39	dst_host_srv_serror_rate
X12	logged_in	X26	srv_serror_rate	X40	dst_host_rerror_rate
X13	num_compromised	X27	rerror_rate	X41	dst_host_srv_rerror_rate
X14	root_shell	X28	srv_rerror_rate

2.2 Discovery of BBN causal model from data

The discovery of a causal model from data involves identifying and quantifying the causal relationships between the domain’s attributes. In essence, BBN learning involves the two stages of structure and parameter learning. In this experiment, the structure of the BBN is automatically learnt using structural learning algorithms in BayesiaLab [15]. After the structure of the BBN has been constructed, the parameters are learnt to determine the probabilistic relationships between attributes, and the probability values are recorded in a conditional probability table (CPT) attached to each node.

Due to the large number of features in the KDD Cup 1999 dataset, it is likely that a focus on the most important of these will improve the time performance of the detection mechanism. The elimination of less significant or valueless features enhances the accuracy of detection while speeding up the computation, thus improving the overall performance of the IDS. To reduce the complexity of the causal model, a feature selection method is used to obtain a smaller BBN without compromising the accuracy of the causal network. An unsupervised structural learning algorithm in BayesiaLab is used to discover the probabilistic relationships between a large number of variables, using five of the unsupervised structural learning algorithms in BayesiaLab: Maximum Spanning Tree, Taboo, EQ, SopLEQ, and Taboo Order. Attributes are selected using various structural learning algorithms, and are then combined and adopted into an accuracy test, which uses several classification algorithms. The accuracy of the classification of these reduced datasets is then compared to that of the original dataset. The classification accuracy does not vary significantly, and this forms the basis for verification of the BBN learning. In this experiment, the complete original dataset with 41 attributes (the original dataset), five datasets with various attributes selected using different structural learning algorithms in BayesiaLab (datasets A, B, C, D, and E), and one dataset that combines all the attributes selected using the five learning algorithms (dataset F) are used to perform the accuracy tests. The accuracy tests use various classification algorithms such as the J48 Decision Tree [20], voting feature intervals (VFI) [21], instance-based learning with parameter K (IBK) [22], ClassificationViaClustering [23], decision table [24], a radial basis function (RBF) network [25], naïve Bayes [26] and sequential minimal optimisation (SMO) [27], and are conducted using Weka. A list of datasets and the percentage of correctly classified instances for each are listed in Tables 2 and 3 respectively.

Table 2
List of selected attributes using various structural learning algorithms

Structural learning algorithm Attributes selected by the structural learning algorithm Name of dataset with selected attributes

Maximum Spanning Tree X23 Dataset A

Taboo X3, X34 Dataset B

EQ X4, X30, X33, X34 Dataset C

SopLEQ X4, X34 Dataset D

Taboo Order X32, X33, X36 Dataset E

Combination of five algorithms X3, X4, X23, X30, X32, X33, X34, X36 Dataset F

Structural learning algorithm	Attributes selected by the structural learning algorithm	Name of dataset with selected attributes
Maximum Spanning Tree	X23	Dataset A
Taboo	X3, X34	Dataset B
EQ	X4, X30, X33, X34	Dataset C
SopLEQ	X4, X34	Dataset D
Taboo Order	X32, X33, X36	Dataset E
Combination of five algorithms	X3, X4, X23, X30, X32, X33, X34, X36	Dataset F

It can be seen from the experimental results in Table 3 that the percentages of the correctly classified instances in the various datasets with a significantly smaller number of selected features do not vary a great deal from the results of the original dataset with 41 features. In fact, in some of the datasets with selected features the classification accuracy is better in that of the original dataset. Thus, the experimental results verify the reliability of the BBN learning capability. As compared to the original dataset with 42 attributes, the number of attributes in dataset F has been reduced significantly, although the classification accuracy of these two datasets is almost the same. Moreover, some of the classification results are even better than the classification results obtained from the original dataset. Dataset F, which allows better classification results, is therefore used in the experiment for BBN learning and analysis.

Table 3

Percentage of correctly classified instances in various datasets

Classification algorithm	Original dataset	Dataset with selected attributes
		A	B	C	D	E	F
J48	99.7952	86.1944	98.0566	78.4088	75.7628	96.6528	99.6288
VFI	87.7856	55.3532	66.4992	42.0868	21.5920	92.0436	91.2108
IBK	99.8412	86.1944	98.0566	78.4064	75.7620	96.6528	99.6560
ClassificationVia Clustering	57.3444	77.8644	53.1728	53.0636	55.3376	64.2364	52.6048
Decision table	99.6244	86.1944	98.0496	78.3968	75.7604	96.6528	99.5168
RBF network	97.7404	86.1944	97.6644	80.2119	75.7612	96.6368	99.2824
Naïve Bayes	89.9180	86.1944	93.1000	51.5960	65.5484	82.5248	96.2268
SMO	99.8048	86.1944	97.9856	76.7180	73.6012	94.9020	99.5560

2.3 Generating the FCM causal model from BBN

FCM is another well-known causal knowledge representation framework, which is applied in various domains and is usually constructed using a knowledge engineering approach. A knowledge engineer acquires causal knowledge from domain experts through a series of interview sessions and constructs the causal model manually. However, the network intrusion domain is complicated and data-rich, and is not suitable for the manual construction of a causal model. The automatic generation of an FCM from data is another option, although this is not well-established compared to BBN. Hence, a migration method has been proposed from BBN to FCM [18]. This method is adopted in this experiment to generate the FCM from the BBN for the network intrusion domain. There are several differences between FCM and BBN in terms of causal knowledge representation, with FCM offering a more intuitive representation than BBN.

The same set of data (the original dataset) from Section 3.1 is used here; however, the data is discretised into two states. We refine our area of interest to two types of protocols (ICMP and TCP) in attribute X2; two types of services (ecr _ i and private) in attribute X3; and two types of flags (SF and S0) in attribute X4. These two types of services and flags are selected since they have the highest frequency among the various types in the dataset. In addition, the focus is on whether the activity in the class attribute X42 is normal or constitutes an attack. The restriction to only two states in each node arises from the limitations of the migration method used in this research. The same steps used in the discovery of the BBN causal model from the data are applied to the two-state dataset to construct another BBN causal model. The CPTs of the BBN learnt from data and the BBN causal model are shown in Figs. 1 and 2 respectively.

Fig.1

CPTs of the generated BBN.

After the BBN has been constructed, the next step is to quantify the causal effect of each relationship, i.e. to compute the causal strength/weight between each pair of nodes. The BBN approach quantifies a combination of the causal effects on a particular node and represents the causal strength as a CPT attached to the node. FCM, on the other hand, represents the strength of a causal effect by attaching a value (i.e. a causal weight) directly to the causal relationship. The absolute value of the Pearson correlation coefficient (PCC), as shown in Equation (1) below, is used to extract the strength/weight of individual causal effects from a CPT: $| r | = \frac{cov (X, Y)}{σ X σ Y}$ (1) where r is the value of the PCC between two random variables X and Y.

The covariance between X and Y is shown in Equation (2):

$\begin{matrix} cov (X, Y) \\ = \sum_{x, y} P (X, Y) \times (V_{x} - v_{X}) \times (V_{y} - v_{Y}) \end{matrix}$ (2) where P(X, Y) is the joint probability of X and Y; V_x and V_y are the values associated with states x and y respectively; and v_x and v_y are the expected values of nodes x and y respectively.

The standard deviation of X is given as: $σ X = \sqrt{\sum_{x} p_{x} \times (V_{x} - v_{X})^{2}}$ (3) where p_x is the marginal probability of state x.

The absolute PCC value for each causal relationship is stored in a table, and these values are sorted in descending order of probability before the probability-to-possibility transformation process is carried out. This transformation process is needed since BBN is fundamentally based on probability theory, while FCM is based on possibility theory. The log-interval-scale transformation method proposed by Klir [28] is used in this transformation process. Normalisation is then carried out by converting the largest possibility value, representing the causal strength, to 1; the other values are then converted proportionally. The set of possibility values for all the causal relationships in Fig. 2 are shown in Table 4.

Fig.2

Another BBN generated from a two-state dataset.

Table 4

Possibility for each causal relationship

i	Relationship	Probability	Possibility
1	X38 ⟶ X2	0.9989	1.0000
2	X2 ⟶ X5	0.9950	0.9965
3	X5 ⟶ X24	0.8635	0.8777
4	X2 ⟶ X24	0.8573	0.8721
5	X8 ⟶ X32	0.4108	0.4513
6	X42 ⟶ X5	0.0690	0.0914
7	X8 ⟶ X24	0.0559	0.0757
8	X5 ⟶ X24	0.0512	0.0699
9	X38 ⟶ X42	0.0295	0.0427
10	X2 ⟶ X42	0.0292	0.0423
11	X8 ⟶ X2	0.0218	0.0326
12	X38 ⟶ X32	0.0149	0.0232

After the possibility value of each causal relationship has been found, the next step is to determine the causality sign of each of these. The causality sign is determined by whether there is an increase (‘+’) or a decrease (‘– ’) in the state of interest in the effect node after the evidence is set in the state of interest of the cause node.

Lastly, when the causality sign for each relationship has been determined, the corresponding FCM is generated, as shown in Fig. 3. Network intrusion analysis can then be performed based on the FCM generated.

Fig.3

FCM for a network intrusion domain with selected attributes.

2.4 Verification of the generated FCM

The FCM generated in the previous section is a representation of the domain knowledge, and can be used as a tool to analyse the causal relationships between domain variables. The validity of the FCM generated from the BBN must therefore be confirmed in order to avoid any misinformation. An experiment was therefore conducted to verify the FCM before it was used to carry out causal analysis, to ensure the soundness of the analysis process and the reliability of the analysis results.

2.4.1 Experimental setup

The experiment was carried out by comparing the consistency of the reasoning results obtained from both BBN and FCM in terms of their causality sign, ‘+’ or ‘– ’, which represents an increase or decrease respectively. In BBN, when evidence is found for a particular variable (that is, the variable state is set to 0 or 100), the changes in the probability values of all other nodes are recorded, as shown in Table 5, to determine whether an increase or decrease is expected at each node. For verification purposes, a simple inference method is adopted to simulate the BBN reasoning in FCM. To retain the original characteristics of FCM, the main focus is on forward prognostic reasoning, since backward diagnostic reasoning is not inherently supported in the original FCM. The results obtained from the simulated BBN reasoning in FCM are then compared to the actual reasoning results of BBN.

Table 5
BBN reasoning results in probability values

X2 X5 X8 X24 X32 X38 X42

X2 0 ⟶ 100 99.7 ⟶ 0 0.16 ⟶ 0 99.5 ⟶ 18.9 99.6 ⟶ 99.99 0.1 ⟶ 100 99.7 ⟶ 100

X5 99.3 ⟶ 0 0 ⟶ 100 0 ⟶ 0.16 18.8 ⟶ 99.8 99.2 ⟶ 99.9 99.3 ⟶ 0.1 99.3 ⟶ 100

X8 30 ⟶ 0 69.8 ⟶ 99.3 0 ⟶ 100 75.4 ⟶ 2.87 99.7 ⟶ 27.1 30 ⟶ 30 99.8 ⟶ 99.3

X24 98.7 ⟶ 7.52 0.48 ⟶ 92.5 0.43 ⟶ 0 0 ⟶ 100 98.7 ⟶ 100 98.8 ⟶ 7.54 99.2 ⟶ 100

X32 11.6 ⟶ 30 29.8 ⟶ 69.9 23.2 ⟶ 0 9.75 ⟶ 75.6 0 ⟶ 100 18.4 ⟶ 30.1 42.4 ⟶ 100

X38 0 ⟶ 99.9 99.7 ⟶ 0.15 0.1 ⟶ 0.1 99.6 ⟶ 18.9 99.6 ⟶ 99.8 0 ⟶ 100 99.7 ⟶ 100

X42 0.67 ⟶ 30 0.34 ⟶ 70 0.39 ⟶ 0.11 0.59 ⟶ 75.5 4.23 ⟶ 99.9 0.38 ⟶ 30.1 0 ⟶ 100

	X2	X5	X8	X24	X32	X38	X42
X2	0 ⟶ 100	99.7 ⟶ 0	0.16 ⟶ 0	99.5 ⟶ 18.9	99.6 ⟶ 99.99	0.1 ⟶ 100	99.7 ⟶ 100
X5	99.3 ⟶ 0	0 ⟶ 100	0 ⟶ 0.16	18.8 ⟶ 99.8	99.2 ⟶ 99.9	99.3 ⟶ 0.1	99.3 ⟶ 100
X8	30 ⟶ 0	69.8 ⟶ 99.3	0 ⟶ 100	75.4 ⟶ 2.87	99.7 ⟶ 27.1	30 ⟶ 30	99.8 ⟶ 99.3
X24	98.7 ⟶ 7.52	0.48 ⟶ 92.5	0.43 ⟶ 0	0 ⟶ 100	98.7 ⟶ 100	98.8 ⟶ 7.54	99.2 ⟶ 100
X32	11.6 ⟶ 30	29.8 ⟶ 69.9	23.2 ⟶ 0	9.75 ⟶ 75.6	0 ⟶ 100	18.4 ⟶ 30.1	42.4 ⟶ 100
X38	0 ⟶ 99.9	99.7 ⟶ 0.15	0.1 ⟶ 0.1	99.6 ⟶ 18.9	99.6 ⟶ 99.8	0 ⟶ 100	99.7 ⟶ 100
X42	0.67 ⟶ 30	0.34 ⟶ 70	0.39 ⟶ 0.11	0.59 ⟶ 75.5	4.23 ⟶ 99.9	0.38 ⟶ 30.1	0 ⟶ 100

The simple inference method adopted in this experiment was carried out in three different ways, depending on the type of causal relationship between two nodes. For direct causal relationships, the sign of the causality (i.e. an increase or decrease) is obtained directly from the sign of the causal weight. For example, in FCM, the causality sign of the direct causal relationship between X8 and X32 is a decrease, since the sign of the causal weight attached to link X8 ⟶ X32 is negative. For indirect causal relationships which include the link with the strongest effect to the target node, the sign of causality is obtained using a simple calculation. For example, an indirect causal relationship representing an effect from X8 on X5 can be traced using the route X8 ⟶ X2 ⟶ X5. The causality sign is obtained by multiplying the sign of the causal weight attached to link X8 ⟶ X2 with the sign of the causal weight attached to link X2 ⟶ X5. Hence, the final outcome for the causality sign from X8 to X5 is an increase. For indirect causal relationships which do not include the link that has the strongest effect on the target node, the calculation of the total causal impact involves both forward and backward chaining. For example, the impact of the indirect causal relationship from node X2 to node X32 can be traced using the routes X2 ⟶ X5 ⟶ X32 and X2 ⟶ X42 ⟶ X5 ⟶ X32. However, the causal effect of X5 on X32, which is involved in both routes, has a weaker effect than that of X8 on X32. To simulate the reasoning process of the BBN, the strongest effect on X32 needs to be considered. This is because the effect propagates throughout the network, using either backward or forward chaining in BBN reasoning; the strongest effect nullifies the weaker effects from the other links, resulting in the net effect having the sign of the strongest effect. Thus, backward chaining is performed on the link X8 ⟶ X2 to obtain the causal effect of X8 on X32. The net effect of X2 on X32 is an increase, since the stronger effect from X8 nullifies the effect from X5.

2.4.2 Experimental results

The results for the reasoning of the BBN are acquired using Netica [6] and are used as the criteria for deciding whether the reasoning results obtained from FCM are consistent. Each of the BBN nodes in turn is set with evidence, and its effects on all other nodes (i.e. an increase or decrease) are recorded, as shown in Table 5. The 0 ⟶ 100 sign indicates that the state of interest in the evidence node changes from 0% to 100%. In Table 6, an increase or decrease of the probability value in a state is represented using the signs ‘+’ or ‘– ’, and ‘0’ indicates no change in the probability value. These routes are marked as ‘N/A’ (not available) in Table 6, since FCM does not support backward diagnostic reasoning. From Table 6, it is obvious that the reasoning results obtained from FCM are consistent with the corresponding reasoning results obtained from BBN. Hence, the validity of the FCM is verified.

Table 6
Comparison of reasoning results between BBN and the generated FCM

X2 X5 X8 X24 X32 X38 X42

BBN X2 0 ⟶ 100 – – – + + +

X5 – 0 ⟶ 100 + + + – +

X8 – + 0 ⟶ 100 – – 0 –

X24 – + – 0 ⟶ 100 + – +

X32 + + – + 0 ⟶ 100 + +

X38 + – 0 – + 0 ⟶ 100 +

X42 + + – + + + 0 ⟶ 100

FCM X2 0 ⟶ 100 – N/A – + N/A +

X5 N/A 0 ⟶ 100 N/A + + N/A N/A

X8 – + 0 ⟶ 100 – – N/A –

X24 N/A N/A N/A 0 ⟶ 100 N/A N/A N/A

X32 N/A N/A N/A N/A 0 ⟶ 100 N/A N/A

X38 + – N/A – + 0 ⟶ 100 +

X42 N/A + N/A + + N/A 0 ⟶ 100

		X2	X5	X8	X24	X32	X38	X42
BBN	X2	0 ⟶ 100	–	–	–	+	+	+
X5	–	0 ⟶ 100	+	+	+	–	+
X8	–	+	0 ⟶ 100	–	–	0	–
X24	–	+	–	0 ⟶ 100	+	–	+
X32	+	+	–	+	0 ⟶ 100	+	+
X38	+	–	0	–	+	0 ⟶ 100	+
X42	+	+	–	+	+	+	0 ⟶ 100
FCM	X2	0 ⟶ 100	–	N/A	–	+	N/A	+
X5	N/A	0 ⟶ 100	N/A	+	+	N/A	N/A
X8	–	+	0 ⟶ 100	–	–	N/A	–
X24	N/A	N/A	N/A	0 ⟶ 100	N/A	N/A	N/A
X32	N/A	N/A	N/A	N/A	0 ⟶ 100	N/A	N/A
X38	+	–	N/A	–	+	0 ⟶ 100	+
X42	N/A	+	N/A	+	+	N/A	0 ⟶ 100

3 Network intrusion analysis

3.1 Network intrusion analysis using a BBN causal model

The BBN causal model, which is learnt from data, is a representation of the domain of the network intrusion, and is used to analyse the causal relationships between the domain variables. It supports a variety of causal analysis methods such as effect analysis, cause analysis and hybrid analysis; each type of analysis is explained in more detail below. The initial BBN, learnt from Dataset F before setting any evidence, is shown in Fig. 4.

Fig.4

The initial BBN causal model before evidence is found.

3.1.1 Effect analysis

Effect analysis allows the future outcome to be forecast when evidence is found for a particular variable. The evidence will propagate within the network to update the probabilities of certain other nodes. For example, in Fig. 5, the probabilities of the states in each node are automatically updated after evidence is found for state ecr_i of node X3. One noticeable change is that there is an increase in the probability of state DoS of X42 from 65.7% to 99.6%. The prediction is convincing, since in this dataset, the majority of the DoS attacks are simulated by targeting the ICMP vulnerability. For instance, to initiate a smurf attack, a simulated DoS attack is created by sending an ICMP echo request packet to IP broadcast addresses from multiple remote locations, resulting in a significant number of echo reply packets (ecr_i) which flood the victim machine, exploiting its DoS vulnerability. In addition, the state SF in X4 increases to 100% when the evidence is set. This is because ICMP is a connectionless protocol, and all connections are deemed to be normally established and terminated once they are sent.

Fig.5

Effect analysis in the BBN causal model by setting evidence for X3.

3.1.2 Cause analysis

Cause analysis is another type of analysis used to diagnose the root cause of the occurrence of an event; finding the factor(s) of or reason(s) for an intrusion is often paramount. For example, in Fig. 6, a BBN is used to diagnose the possible cause(s) for a DoS attack by setting evidence for a particular target node (X42). It can be observed that the probability values of ecr_i and private for node X3 have increased to 61.7% and 36%, respectively. It is likely that this situation occurred because the DoS attacks were simulated by targeting ICMP vulnerability (i.e. smurf attack, self ping), which contribute to the value of ecr_i. In addition, vulnerabilities are exploited in a particular network daemon and service (Apache 2, ARP poisoning, back, CrashIIS, DoSNuke, syslogd, SSH Processtable), which use their own private ports and services, contributing to the values of private and other services.

Fig.6

Cause analysis in the BBN causal model by setting evidence for X42.

3.1.3 Hybrid analysis

Hybrid analysis allows both effect analysis and cause analysis to be carried out simultaneously, in order to observe the change(s) in the probability values of the other nodes when there is evidence at both the target and cause nodes. This combination provides either a cumulative or cancellation effect on the probability of certain states of the other nodes. The probability of a state is increased to a higher value or reduced to a lower value, in comparison to the effect of analysis carried out separately. For example, it can be seen in Fig. 7 that the probability of state S170.333 (>170.333) in X33 increases to 99.8% when both analyses are carried out simultaneously (i.e. when evidence is set for ecr_i and DOS in X3 and X42 respectively). As another example, when evidence is found only for state DoS of node X42, the probabilities of states REJ (connection attempt rejected), S0 (connection attempt seen with no reply) and SF (normal establishment and termination) in X4 are 11.4%, 26.1% and 62.1% respectively, as shown in Fig. 6. However, when there is evidence for state DoS of X42 and state ecr_i of X3, as shown in Fig. 7, the probability value of state SF in X4 is increased to 100%, and the probability values of states REJ and S0 are reduced to 0%. This is because when DoS attacks are performed, they may be either successful or unsuccessful. The victim machine may be able to block or filter an attack, resulting in an REJ value when the attack is unsuccessful. However, if the attack is successful, the value of S0 is triggered by abusing the three-way handshake mechanism in the TCP protocol in a specific way, and the value of SF is triggered by using a connectionless protocol (ICMP) to cause all connections to appear as normal establishment and termination. When a DoS attack is carried out, and all packets are ICMP (ecr_i), the flag status can be predicted, and is shown as SF due to the connectionless mechanism of ICMP.

Fig.7

Hybrid analysis of the BBN causal model by setting evidence for X3 and X42.

3.2 Network intrusion analysis using an FCM causal model

FCM provides an intuitive understanding of the causal influences between domain variables. Observations can be easily made with FCM, and these facilitate the cause-and-effect analysis of the domain through both direct and indirect causal relationships. Although BBN offers a variety of reasoning methods, the computation of the evidence propagation is complex and time-consuming. Unlike BBN, the simplicity of FCM allows a quick and approximate analysis to be carried out manually, in order to learn certain implicit pieces of information about the domain. This is particularly useful in many applications in which only a rough estimation is required to support immediate decision making. All the analyses are performed according to Fig. 3.

3.2.1 Analysis of the direct causal effects

A direct causal relationship between nodes means that the cause node affects the effect node directly, without involving any intermediate node(s). For example, an immediate observation can be made since there is a positive effect on the relationship between nodes X2 and X42. This indicates that when the connection protocol changes from ICMP to TCP, it will cause the attack activities to increase. TCP/IP protocols, which serve as the backbone of the internet transmission structure, are always a prime target for exploitive attacks. Both TCP and ICMP protocols may be used as the vector of an attack. Tools such as Nmap and Saint can be used to abuse TCP connections in probing attacks, in place of ICMP. SYN flood attacks also target TCP connections rather than ICMP. However, a greater number of attacks are simulated using TCP connections than ICMP, since TCP is one of the main transport protocols used in network communications due to its reliability. ICMP, on the other hand, is not a transport protocol used for exchanging data; instead, it is normally used for troubleshooting or error-reporting.

Another example is the direct causal relationship between nodes X2 and X42. X2 has a strong negative influence on X24. This indicates that the type of connection protocol will cause a large change in the number of connections with the same service type as the current connection within the previous two seconds. An immediate observation can be made from the FCM, where ICMP will cause an increase in the number of connections to the same service. This is as expected, since most of the attacks using ICMP use a large number of connections to overwhelm the victim machine. For example, in a ‘smurf’ attack (a simulated DoS attack), ICMP echo request packets are sent from various remote locations (hackers) to IP broadcast addresses, in order to flood the victim machine using a large and continuous stream of ‘ECHO’ reply packets. There is another causal relationship between X2 and X5, in which X2 has a strong negative impact on X5. This indicates that the type of connection protocol will cause a large change in the number of data bytes sent from the source IP address. It can be immediately derived from FCM that ICMP will cause a large increase in the number of data bytes sent from the source IP address. This is as expected, since the ‘Ping of Death’, a type of DoS attack which causes an increase in the number of data bytes sent from source to destination, can only be performed using the ICMP protocol.

The negative influence of node X8 on node X32 is another example of a direct causal relationship that can be observed in the FCM. This causal relationship indicates that wrong fragments often arise when the ICMP connection protocol is used. This is as expected, since an ICMP error message is normally used to notify the sender when a wrong fragment is received. The increase in the number of wrong fragments indicates a high possibility of the ‘Ping of Death’ and ‘Teardrop’ attacks, which both target the ICMP protocol. A further observation can be made in that node X38 has the strongest influence on node X2 in this FCM. This indicates that connections to the current host that contain SYN errors generally use the TCP connection protocol. This result is also as expected, since a SYN flood targets a TCP connection. A SYN flood abuses the TCP three-way handshake mechanism by continuously sending SYN packets with spoofed IP addresses to generate half-open connections. Node X38 has a positive influence on node X42, indicating that an increase in the percentage of connections to the current host that contain SYN errors will cause an attack on the network. This is because an increase in the percentage of connections containing SYN errors may cause a SYN flooding attack.

3.2.2 Analysis of the indirect causal effects

The propagation of a causal effect can be observed easily using the FCM. For example, two routes are available for tracing the propagation of the causal effect of node X8 on node X5; these are X8 ⟶ X2 ⟶ X5, and X8 ⟶ X2 ⟶ X42 ⟶ X5. It is obvious that an increase in X8 indirectly causes a decrease in X5. However, the ICMP protocol of X2 and the attack activities of X42 exert contradictory effects on X5 (X2 exerts a positive effect and X42 exerts a negative effect). X5 will eventually increase, since the causal effect of X2 on X5 is stronger than the causal effect of X42 on X5. Using a simple analysis of the propagation of a causal effect, it can be shown that an increase in the number of wrong fragments indirectly causes an increase in the number of data bytes sent from the source. This is as expected, since fragmentation exploits typically send an excessive number of incomplete fragmented packets; this will cause failure of the datagram to reassemble at the destination, due to the presence of wrong fragmentation packets.

Another example of the propagation of a causal effect can be observed from nodes X38 to X24. In FCM, the propagation of a causal effect from X38 to X24 can be traced by four routes, which are X38 ⟶ X2 ⟶ X24, X38 ⟶ X2 ⟶ X42 ⟶ X5 ⟶ X24, X38 ⟶ X2 ⟶ X5 ⟶ X24, and X38 ⟶ X42 ⟶ X5 ⟶ X24. It is noticeable that an increase in X38 indirectly causes a significant decrease in X24; this is because the TCP protocol of X2, combined with a decrease in the number of data bytes in X5, will cause a decrease in X24. The impact of X2 on X24 is almost the same as the impact of X5 on X24, meaning that X24 is affected by X2 as much as by X5. Through a simple analysis, it can be shown that an increase in the percentage of connections to the current host that contain SYN errors will cause a decrease in the number of connections with the same service type as the current connection. This is as expected, since SYN flood attacks will overwhelm the victim machine by consuming its resources; this will then prohibit the establishment of a TCP three-way handshake connection. This attack will paralyze both the ability of the victim machine to handle other connections to the same service and its ability to process new TCP connection requests, when its memory buffer is full.

It can be observed that the negative impact of node X8 on node X2 is weaker than the positive impact of node X38 on node X2. This means that X2 will eventually change to TCP if both X8 and X38 increase at the same time. This is because a change in X2 is mostly affected by X38 rather than X8. This indicates that a wrong fragment has a weaker causal effect on the connection protocols in comparison with the percentage of connections to the current host containing a SYN error. This is as expected, since packets containing wrong fragments may be used in attacks using both the ICMP and TCP connection protocols. However, connections to the current host containing SYN errors can only arise in TCP. Therefore, an increase in the number of wrong fragments causes a weaker change in the connection protocols compared to the percentage of the connections to the current host that contain a SYN error.

4 Conclusions and future work

This study has carried out a cause-and-effect analysis of the intrusion detection domain based on two major causal frameworks constructed using a novel migration method. It explores the roles of BBN and FCM in the modelling and analysis of network intrusions. It is found that the combined use of these two frameworks can leverage their respective strengths in modelling and analysing domain knowledge. The migration method adopted in this paper is able to eliminate the effort required to construct an FCM from scratch. Instead, an FCM causal model can be generated directly from a BBN which been learnt from network intrusion data. The experiments conducted in this research demonstrate the soundness and reliability of the analysis capability of BBN and the intuitiveness of the modelling capability of FCM. BBN is able to provide more implicit information, since it has the ability to perform various types of analysis. However, the representation of the causal model in FCM offers an intuitive understanding for human users, and the interpretation or gathering of information can be carried out more easily using FCM than BBN. The use of both the BBN and FCM causal models provides a more thorough analysis of the network intrusion domain. Future work includes the application of both the BBN and FCM approaches to real-time network intrusion data in order to take account of the temporal issues in real-time intrusion detection. This is important in identifying the cause(s) and effect(s) of new intrusion types, which are updated in real time.

Footnotes

Acknowledgments

This research work was supported by the Fundamental Research Grant Scheme (FRGS) from the Ministry of Higher Education and Multimedia University, Malaysia (Project ID: MMUE/130121).

References

Cheah

W.P.

, Kim

Y.S.

, Kim

K.Y.

and Yang

H.J.

, Systematic causal knowledge acquisition using FCM constructor for product design decision support, Expert Systems with Applications38(12) (2011), 15316–15331.

Cooper

G.F.

, The computational complexity of probabilistic inference using Bayesian belief networks, Artificial Intelligence42(2–3) (1990), 393–405.

Lee

, Stolfo

S.J.

and Mok

K.W.

, A data mining framework for building intrusion detection models, Proceedings of the 1999 IEEE Symposium on Security and Privacy (1999)pp. 120–132.

KDD Cup 1999. Available at:.http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html Accessed 02.10.17.

Siraj

, Bridges

S.M.

and Vaughn

R.B.

, Fuzzy cognitive maps for decision support in an intelligent intrusion detection system, Joint 9th IFSA World Congress and 20th NAFIPS International Conference4, (2001)pp 2165–2170.

Jazzar

and Jantan

A.B.

, Using fuzzy cognitive maps to reduce false alerts in SOM-based intrusion detection sensors, IEEE Second Asia International Conference on Modelling & Simulation (AMS) (2008) pp 1054–1060.

Goeschel

, Reducing false positives in intrusion detection systems using data-mining techniques utilizing support vector machines decision trees and naive Bayes for off-line analysis, SoutheastCon, Norfolk (2016), 1–6.

Wen

and He

, Network security situation abnormal detection method based on hypothesis test, Journal of Computational Methods in Sciences and Engineering16(3) (2016), 505–518.

Kabir

M.R.

, Onik

A.R.

and Samad

, A network intrusion detection framework based on Bayesian network using wrapper approach, International Journal of Computer Applications166(4) (2017), 13–17.

10.

Baig

M.M.

, Awais

M.M.

and El-Alfy

E.-S.M.

, A multiclass cascade of artificial neural network for network intrusion detection, Journal of Intelligent & Fuzzy Systems (JIFS)32 (2017), 2875–2883.

11.

Turner

A model explanation system, Black Box Learning and Inference NIS Workshop,(2015) Available at http://www.blackboxworkshop.org/pdf/Turner_MES.pdf.

12.

Wang

and Wang

, Application of improved fuzzy cognitive map based on fuzzy neural network in intrusion detection, Journal of Information & Computational Science10(1) (2013), 271–278.

13.

Muda

, Yassin

, Sulaiman

and Udzir

, K-means clustering and naïve Bayes classification forintrusion detection, Journal of IT in Asia4(1) (2016), 3–25.

14.

Xiao

, Chen

and Chang

C.K.

, Bayesian model averaging of Bayesian network classifiers for intrusiondetection, IEEE 38th International Computer Software and Applications ConferenceWorkshops (COMPSACW) (2014) pp. 128–133.

15.

BayesiaLab, retrieved from <http://www.bayesialab.com/> Accessed 02.10.17.

16.

Hugin Expert Software, retrieved from <http://www.hugin.com/> Accessed05.10.17.

17.

Netica, retrieved from <http://www.norsys.com/netica.html> Accessed 02.10.17

18.

Wee

Y.Y.

, Cheah

W.P.

, Tan

S.C.

and Wee

, A method for root cause analysis with a Bayesian belief network and fuzzy cognitive map, Expert Systems with Applications42(1) (2015), 468–487.

19.

Weka, retrieved from <http://www.cs.waikato.ac.nz/ml/weka/> Accessed 02.10.17

20.

Quinlan

J.R.

C4.5: Programs for machine learning, Morgan Kaufmann Publishers

San Mateo, CA

2014

21.

Demiröz

, Güvenir

H.A.

Classification by voting feature intervals, in, Machine Learning: ECML-97Sringer, Berlin Heidelberg, (1997) pp. 85–92

22.

Aha

D.W.

, Kibler

and Albert

M.K.

, Instance-based learning algorithms, Machine Learning6(1) (1991), 37–66.

23.

Krakovsky

and Forgac

, Neural network approach to multidimensional data classification via clustering, IEEE 9th International Symposium on Intelligent Systems and Informatics (SISY) (2011)pp 169–174.

24.

Kohavi

, The power of decision tables,, Proceedings of the 8th European Conference on Machine Learning (1995) pp. 174–189.

25.

Chen

, Cowan

C.F.

and Grant

P.M.

, Orthogonal least squares learning algorithm for radial basis function networks, IEEE Transactions on Neural Networks2(2) (1991), 302–309.

26.

Murphy

K.P.

Naive Bayes classifiers, University of British Columbia, (2006) pp. 1–8. Available at https://datajobs.com/data-science-repo/Naive-Bayes-[Kevin-Murphy].pdf.

27.

Platt

12 fast training of support vector machines using sequential minimal optimization, in: Schőlkof

, Burges

C.J.C.

and Smola

A.J.

Advances in Kernel Methods - Support Vector LearningCambridge, MAMA, MIT Press, 1999, pp. 185–208.

28.

Klir

G.J.

, Uncertainty and information: Foundations of generalized information theory, Wiley-IEEE Press, 2005