Model design artificial intelligence and research of adaptive network intrusion detection and defense system using fuzzy logic

Abstract

Along with improvement of technology in network and continuous expansion of network economy and network applications, the Internet has gradually become an indispensable part of the modern society. However, an endless stream of hacker attacks and network virus events make network security issues stand out. Therefore, network security has become a hot spot in computer network research and development. This paper aims at establishing a real-time detection and dynamic defense security system and makes an in-depth study of intrusion detection technology and defense decision-making technology. The strategy involved in finding the intrusion behavior since the fuzzy base contains the better group of rules. We have utilized an automated fuzzy rule generation strategy. An adaptive network intrusion detection and defense system model is established, and the architecture of the model is discussed in detail. The platform independence, good self-adaptability, expansibility, multi-level data analysis and dynamic defense decision-making are expounded. The experiment proves that the model proposed in this article has a good self-adaptability and open construction, and effectively combines the functions of intrusion detection and defense decision-making.

Keywords

Artificial intelligence adaptive network defense system fuzzy rule

1 Introduction

Today, with the rapid development of science and technology, computer network theaters an important position in human society. Life style of people has undergone tremendous changes. Through the Internet, people can search, acquire, store and exchange information conveniently and quickly, which is the primary tool to accomplish various tasks and solve various problems [1, 2]. China Internet Information Center published “The 27th China Internet development statistics report” in January 2011. The “report” shows that as of the end of December 2010, China’s Internet users exceeded 450 million marks, reaching 457 million. More and more government departments and large enterprises have established information management systems built on the network, such as e-government, enterprise resource management, online banking, e-commerce and so on. These web-centric applications have a huge and far-reaching impact on many industries in society. Because of its advantages of open sharing and real-time shortcut, the Internet has fully brought about common development in other fields. But from a security point of view, the highly free Internet also brings serious security risks in providing simple and convenient services [3 –5]. The obtained frequent items from the internet source about intrusion are useful to determine the important attribute of the dataset which is provided as input and mentioning the effective number of attributes to find a group of indefinite and definite rules using certain deviation strategy. Then, we formally obtain fuzzy rules in accordance with certain set of fuzzy rules for obtaining the set of if-then rules included with constant portion that mentions the normal or abnormal data.

2 Related research based on intrusion detection and defense system

2.1 Technical features of system involving intrusion detection

Intrusion detection is to discover intrusion behavior, analyze information from several key nodes in computer model that judge if there exist any sort of security threat and attack sign in system. Intrusion Detection System (IDS) is a collection of hardware and software that can perform intrusion detection behavior. It works at the key nodes in the network. As an active protection network security technology, IDS effectively expands the security management capabilities of system maintenance personnel, such as network monitoring, security auditing, attack identification and response capabilities. By using model involving intrusion finding, we can significantly avoid network threats. It became another barrier in threat According to the different data sources, the intrusion detection system can be divided into host-based intrusion detection system (HIDS) and network-based intrusion detection system (NIDS). HIDS is installed on the protected host, looking for information sources in the audit log or system operation of the host system for intelligent analysis and judgment; NIDS uses a monitor to find packets that conform to network intrusion templates in the original packet of network communication [6 –9].

2.2 Technical features of the intrusion prevention system

IPS was born because the firewall can’t filter the information of the application layer and IDS can’t prevent the intrusion. IPS organically combines firewall and intrusion detection technology, through direct serial access networks can realize the function of active defense. That is, through a network card to receive the data traffic from an external network and undergo regular matching checks to confirm no intrusion or suspicious behavior Content, then through another piece of network card to send data traffic to the internal network. If a problem packet is encountered, and all the packets that belong to the same connection session will be blocked and discarded in real time. IPS can also be divided into two categories: host-based intrusion defense system (HIPS) and network-based intrusion defense system (NIPS) [10 –12]. HIPS is usually installed on servers, workstations or important hosts that need to be protected, preventing attacks from external networks from invading the operating system or some applications. NIPS adopts a series access network to provide security protection for the internal network by detecting the network data packets flowing through. IPS is the organic combination of firewall and intrusion detection technology. It is a new type of security protection device developed on the basis of firewall technology and intrusion detection technology highly developed. The general network application mode shown in Fig. 1 can illustrate the differences between firewalls, IDS, and PS [12 –15].

Fig. 1

The differences between firewalls, IDS, and IPS.

3 Design and research of adaptive network intrusion detection system model

The architecture diagram of this adaptive intrusion detection and defense system (AID & DS) is illustrated in Fig. 2. The architecture model mainly includes two parts: control point and monitoring point. The monitoring point is responsible for managing and protecting individual hosts, subnets and other resources of the network system and coordinating the communication between the management points and the security components. The control point is responsible for the management of each monitoring point and the analysis of the global data within the managed network segment, as well as the formulation of the global security policy, which is equivalent to the whole brain of AID & DS. The control point and several monitoring points constitute an adaptive system, which can complete the distributed detection, response and global defense strategy analysis of the security system.

Fig. 2

The architecture diagram of this adaptive intrusion detection and defense system.

3.1 Network misuse detection based on Snort

Snort is a insubstantial network intrusion finding model, through the libepap software package to obtain network data packets, and then intrusion detection and analysis of data packets. The analysis method is adopted based on the intrusion rules audit analysis of expert system and can search or match the data content of the package. If the match is successful, the intrusion behavior is considered to be established and the log and alarm systems are activated. At present, Snort can detect many types of attacks, such as buffer overflow, port scanning, CGI attack, denial of service attack and so on, and its rule base can be upgraded or changed according to the actual situation. In the adaptive intrusion detection and prevention system, Snort-based detection process shown in Fig. 3. The methodology is as given below:

The manager of the handle point sends messages to the monitoring point and starts the Snort detection engine.

The monitoring point opens the new process to start the Snort and transmits the test result to the local event filter. Then the local agent sends the alarm event to the manager of the control point according to the specified format.

The control point can send the end message to the monitoring point agent and terminate the Snort process according to the need.

Fig. 3

Snort-based detection process.

3.2 Abnormal detection of program based on neural network

Figure 4 is the flow chart of the BP network algorithm. The normal model of algorithm involving BP is that the process of learning includes two phases, which includes the propagation of the error involving the signal of propagation. During propagation of algorithm the sample input is processed into the final layer and after every layer is gathered by the subsequent input layer. If the actual output of the output layer does not correspond to the desired output, it is transmitted to phase of back propagation for analyzing the error. The samples propagation error is the initial output forming the error in certain form using hidden layer to initial layer by using back propagation and analyzing the rate of error which is allocated to all of every layer, so as to finalize the error obtained in signal of each layer unit, this error signal is the basis for correcting the weights of each unit. This signal forward propagation and error backpropagation layer weight adjustment process is carried out in a circular way. The process of constant weight adjustment, that is, the learning and process of training in network, the method involving the output of network is utilized for reducing the error rate to an level of acceptance or existing total of learning. In this study, three layers of neural network is introduced as an example.

Fig. 4

BP algorithm flow.

In the three layer BP network, the input vector is X = (x₁, x₂, . . . , x_n) ^T, such as adding x₀ = -1, the threshold can be introduced to the hidden layer neuron; The hidden layer output vector is Y = (y₁, y₂, . . . , y_m) ^T; If y₀ = -1 is added to the output layer neuron to introduce threshold; The vector representing the output is O = (o₁, o₂, . . . , o_l) ^T; The expected output course is d = (d₁, d₂ . . . , . . . d_l) ^T. The matrix weight between the input course and the hidden layer is expressed by V, V = (v₁, v₂, . . . , v_m) ^T, in which the vector in column V_j is the vector weight corresponding to the j neuron of the hidden layer. The weight matrix between the hidden course and the output layer is expressed by W, W = (W₁, W₂ . . . , W_K, . . . V_l) ^T, in which the column vector W_K is vector weight representing the k neuron of output course. The following analysis of the mathematical relations between the signals of each layer. The mathematical relationships between each layer of signals are analyzed below.

For the output layer: $o_{k} = f ({net}_{k}), (k = 1, 2, . . ., l)$ (1) ${net}_{k} = \sum_{j = 0}^{m} w_{jk} y_{j}, (k = 1, 2, . . ., l)$ (2)

For the hidden layer: $y_{j} = f ({net}_{j}), (j = 1, 2, . . ., m)$ (3) ${net}_{j} = \sum_{i = 0}^{n} v_{ij} x_{i}, (j = 1, 2, . . ., m)$ (4)

The flow chart of abnormal detection of program based on BP network is shown in Fig. 5. First, data acquisition and preprocessing. Abnormal detection of program is mainly on the privileged process in the system. and in the Linux system, it provides the Strace program that directly gets the system call. This paper refers to the Strace program directly in the data acquisition module, and obtains the system call original data set of the process by specifying the process number of the privileged process.

Fig. 5

The flow chart of abnormal detection of program based on BP network.

Second, the structure design and training of neural network. The neural network includes three phases, the initial phase, input course and layer of hidden and output course. Total layer number in input is the same as the length of the short sequence determined by the sliding window. The number of the hidden layer neurons needs to be determined for the different privileged processes in the training process. Third, use the well-trained network for abnormal detection. BP neural network training process list is shown in Table 1.

Table 1

BP neural network training process list

ID	Training period	Learning rate	Hidden layer number	Error rate of training data	Error rate of test data
1	500	0.3	20	12.23	17.2858
2	750	0.4	20	9.88	12.71
3	750	0.2	80	6.9	11.55
4	750	0.15	80	2.55	5.87
5	750	0.15	120	5.2	10.81
6	750	0.1	180	15.92	11.14
7	1000	0.15	80	1.21	7.52

4 Fuzzy rule generation strategy

This portion of the article illustrates the designing strategy for fuzzy rule regeneration automatically to provide learning effectively. In normal concept, fuzzy rules provides the fuzzy system which is formed manually or by certain experts, who are provided with rules by intrusion behavior analysis. But, in some cases it finds to be very problematic to produce manual rules using fuzzy that basically the model with huge input along with varieties of attributes. Since, some researchers are made provided for finding the rules obtained through fuzzy, automatically in recent past. Interested by fact, we utilize certain mining models for finding a significant good rules from the provided input. Moreover, constant rules formed from the frequent single length items are utilized to provide the proper system learning based on fuzzy.

4.1 Suitable attributes for rule generation

In this process, we find only the significant attributes which are suitable for finding the classification if it is found normal or attack. The purpose for utilizing this process. For identifying the attributes which are found to be suitable, we have utilized method of deviation, where attracted item of frequent length l. At initial phases, the items mined from every attribute are stored in form of vector sorted for every class (class 1 and 2), signified as, B₁ = [W₁, W₂, W₃, W_n] where i = 1, 2. Every vector (W_n) includes frequent items, whose frequency is higher than minimal support. W_n = {l_n ; 1 ⩽ n}, then for every attribute deviation value of frequent items is mentioned by associating the relevant item exist within a vector such a way, the provided deviation value is obtained for each vector. $\begin{matrix} D_{Wn} = {f_{max}, f_{min}}; Where, f_{max} \\ = Max (f_{n}), f_{min} = Min (f_{n}) . \end{matrix}$

Then, one to one association is performed in amongst every class of respective identified vectors for each attributes. The attributes that does not contain the range (max, min) identity is chosen as attribute which is has significant rate of detection than using every attribute for finding the classification. The attribute effectively chosen for rule forming process is formed as, C_n = [W¹, W², …, Wⁿ, W^q].

5 Design and research of adaptive network defense system model

The structure of adaptive network defense decision-making model in this study is the same as that of the Waltz model, that is, it includes three levels of data extraction, from information to data to knowledge. As shown in Fig. 6.

Fig. 6

Design of defense system.

5.1 Global event analysis

In this paper, the global event analysis mainly refers to: using models of data mining to simulate every data monitoring point in AID & DS system from many aspects such as time, protocol, monitoring point and so on, and finally complex attack patterns such as the time interval characteristics of the attack events, multi-step attack events and multi-step cooperative attack events are extracted after a huge number of data. The removal algorithm used in the global event association analysis of this topic is the Aprioir association rule. The Aprioir algorithm is a basic algorithm for finding frequent item sets, which uses an iterative method called layer by layer search, that is, the K item set is used for the search (k + 1) item set. Association rule algorithm is a common algorithm in data mining, which has two kinds of metrics: support and confidence. When the association rules satisfy both the minconf (minimum confidence) and the minsup (minimum support), the association rules are considered to be interesting. I = {I₁, I₂, I₃ . . . I_m} Is a gathering of components, and D is gathering of every transmission in database and every T communications is gathering of items that is, A ⊆ T, T ⊆ I, which is the classic TID mode.

Association rule expression: $A \Rightarrow B, A \subset I, B \subset I$ (5)

Support degree expression: $Support (A \to B) = P (AUB)$ (6)

Confidence expression: $Confidence (A \to B) = P (B | A)$ (7)

Confidence level simplification:

$\begin{matrix} confidence (A \Rightarrow B) = P (B | A) \\ = \frac{sup port - count (A \cup B)}{sup port - count (A)} \end{matrix}$ (8)

The partial code screenshot of the algorithm is shown in Fig. 7.

Fig. 7

Apriori algorithm code partial screenshot.

5.2 Defense decision-making

The function of defense decision module is to analyze the harm of security events to network based on defense knowledge base and attack decision-making knowledge base, and ultimately decide what measures the system should take through cost analysis function. This section focuses on the problem of how the cost functions in the decision-making analysis are defined and the general description of the defense behavior. Before making decision analysis, this paper divides all attacks according to their different degrees of harm into four categories: denial of service attack (DOS), remote access to local authority attack (ZRL), local user illegally obtaining root user authority (UZR) and port scan attack (Probe). The final result of a defensive decision is determined by the crisis and can be expressed as:

$\begin{matrix} Decision = \\ {\begin{matrix} update security policy and record; crisis ⩾ 0 \\ ignore; crisis < 0 \end{matrix} \end{matrix}$ (9)

When the crisis is positive, it shows that such attacks have harmed the system more than the response and risk costs, and the defense strategy of the system needs to be adjusted. And when crisis is negative, it shows that the degree of the attack is not enough to change the system’s defense strategy.

5.3 Experimental results and analysis

This experiment mainly detects the cooperative analysis ability of the defense decision-making subsystem to the data of multiple monitoring points, and the recognition and decision-making ability of the complex attack behavior. The system has opened two network monitoring points on two Linux hosts in 192.168.1.16 and 192.168.1.129 respectively, which monitor the security of all hosts in their respective area. Attacker A and attacker B used the SuPerscan scanning tool to detect the running status of 192.168.1.100–192.168.1.150 and 192.168.1.10 –192.168.1.50 two network segments at the same time interval and get the general information of the host. Then selected two attacked 119 and 10 sent a large number of Syn-flood attacks. The global event analysis results are shown in Fig. 8. The experimental defense decision-making results are shown in Table 2. Through the above experiments, the analysis and decision-making ability of the system for complex attack behavior is basically proved.

Fig. 8

Global event analysis results.

Table 2

System defense decision-making result table

Event analysis output	Hazard coefficient	Type cost
<192.168.1.69, 192.168.166, 192.168.1.119, 192.168.1.10,> > >ICMP _superscan _echo> > >SN_MP_trap_tcp> > >SNMP_trap_tcp> > >Syn_flood> > >SNMP_ request _ tcp> > >Syn_flood>	1.4	crisisP<0 crisisD < 0
<192.168.1.69, 192.168.166, 192.168.1.119, 192.168.1.10,> > >ICMP _superscan _echo> > >Syn_flood> > >Syn_flood> > >SNMP_ request _ tcp> > >SNMP_ trap _ tcp> > >Syn_flood>	1.53	crisisP<0 crisisD > 0
<192.168.1.69, 192.168.166, 192.168.1.119, 192.168.1.10,> > >ICMP _superscan _echo> > >SNMP_ request _ tcp> > >SNMP_ request _ tcp> > >SNMP_ request _ tcp> > >SNMP_ trap _ tcp> > >Syn_flood>	1.40	crisisP<0 crisisD < 0
<192.168.1.69, 192.168.166, 192.168.1.119, 192.168.1.10,> > >ICMP _superscan _echo> > >SNMP_ request _ tcp> > >Syn_flood> > >Syn_flood> > >Syn_flood> > >Syn_flood>	1.68	crisisP<0 crisisD > 0
<192.168.1.69, 192.168.166, 192.168.1.119, 192.168.1.10,> > >ICMP _superscan _echo> > >SNMP_ trap _ tcp> > >Syn_flood> > >SNMP_ request _ tcp> > >Syn_flood>	1.33	crisisP<0 crisisD < 0
<192.168.1.69, 192.168.166, 192.168.1.119, 192.168.1.10,> > >ICMP _superscan _echo> > >SNMP_ request _ tcp> > >Syn_flood> > >Syn_flood> > >SNMP_ request _ tcp> > >Syn_flood>	1.53	crisisP<0 crisisD > 0
<192.168.1.69, 192.168.166, 192.168.1.119, 192.168.1.10,> > >Syn_flood> > >Syn_flood> > >Syn_flood> > >Syn_flood>	1.33	crisisD<0
<192.168.1.69, 192.168.166, 192.168.1.119, 192.168.1.10,> > >SNMP_ request _ tcp> > >SNMP_ request _ tcp> > >SNMP_ trap _ tcp> > >Syn_flood> > >Syn_flood> > >ICMP _superscan _echo>	1.40	crisisP<0 crisisD < 0
<192.168.1.69, 192.168.166, 192.168.1.119, 192.168.1.10,> > >SNMP_ request _ tcp> > >SNMP_ request _ tcp> > >SNMP_ trap _ tcp> > >SNMP_ request _ tcp>	1.16	crisisP<0 crisisD < 0

This Fig. 9 illustrates the various number of IDs in which the training and testing data rate are showed with the percentage of error caused during the intrusion detection.

Fig. 9

Error Rate of Dataset for Various IDs.

6 Conclusion

With the continuous integration of network security products, how to coordinate the relationship between detection and defense becomes the key issue in the process of product integration. In order to realize the goal of dynamic security defense and the intrusion detection in large-scale network environment, this paper uses the distributed technology, data mining technology combined with adaptive thought to solve some key problems in network security detection and defense, and ultimately achieve a system prototype of adaptive network intrusion detection and defense decision-making system in distributed environment. In this paper, some key technologies of intrusion detection and security defense decision-making have been achieved. Therefore, the research in this paper is of great significance to the research of network security in our country.

References

Ahrari

, Deb

and Preuss

, Multimodal Optimization by Covariance Matrix Self-Adaptation Evolution Strategy with Repelling Subpopulations [J], Evolutionary Computation 25(3) (2017), 439–471.

Braberman

, D’Ippolito

, Kramer

, et al., An Extended Description of MORPH: A Reference Architecture for Configuration and Behaviour Self-Adaptation [J], 2017.

Raj

E.D.

, Manogaran

, Srivastava

and Wu

, Information Granulation-Based Community Detection for Social Networks, IEEE Transactions on Computational Social Systems.

Niaz

, Khalid

, Ullah

, Aslam

, Raza

and Priyan

M.K.

, A bonded channel in cognitive wireless body area network based on IEEE 802.15.6 and internet of things, Computer Communications 150 (2020), 131–143.

Farokhnezhad

A.P.

, Foroughan

, Vedadhir

, et al., Psychometric properties of the Persian version of Social Adaptation Self-evaluation Scale in community-dwelling older adults [J], Clinical Interventions in Aging 2017(12) (2017), 579–584.

Fung

and Boutaba

, The Intrusion Detection Networks: A Key to Collaborative Security[J],954}, Crc Press 953{– (2017), 325–329.

Harang

and Kott

, Burstiness of Intrusion Detection Process: Empirical Evidence and a Modeling Approach [J], IEEE Transactions on Information Forensics & Security PP(99) (2017), 1–1.

Hartfield

, Bataillon

and Glémin

, The Evolutionary Interplay between Adaptation and Self-Fertilization [J], Trends in Genetics 33(6) (2017), 420–431.

Jiang

, Shi

C.L.

, Liu

, et al., Response of rice production to climate change based on self-adaptation in Fujian Province [J], Journal of Agricultural Science 2017:1–15.

10.

Kabir

, Hu

, Wang

, et al., A novel statistical technique for intrusion detection systems [J], Future Generation Computer Systems, 2017.

11.

Murugan

N.S.

and Devi

G.U.

, Detecting streaming of Twitter spam using hybrid method, Wireless Personal Communications 103(2) (2018), 1353–1374.

12.

Saleem

and Khattak

M.I.

, Deep Neural Networks for Speech Enhancement in Complex-Noisy Environments, International Journal of Interactive Multimedia and Artificial Intelligence 6(Special Issue on Soft Computing) (2020), 84–90.

13.

Wang

, Zhou

, Yang

, Sun

and Hsu

C.-H.

, Service Composition in Cyber-Physical-Social Systems, IEEE Transactions on Emerging Topics in Computing.

14.

, Study on the intrusion detection system in network security [J], Wireless Internet Technology, 2017.

15.

Zhang

and Su

X.U.

, Multi-Weight of MCU load balancing scheduling with traffic self-adaptation in cloud environment [J], Journal of Nanchang University, 2017.