Detection of abnormal traffic and network intrusions based on multiple fuzzy rules

Abstract

Fuzzy network intrusion detection systems use a set of fuzzy rules using symmetric Gaussian membership functions to determine the probability of specific or common network attacks. A fuzzy set can be formed to describe traffic on a particular network. Fuzzy association rule sets are used to describe normal and abnormal classes. The belonging of a record to a certain class is determined by using the appropriate metric. Fuzzy association rules are formed on the basis of normal training samples. A tested sample is classified as normal if the index generated by the set of rules will be higher than a certain threshold value. Samples with a lower score are considered abnormal. In addition, a method to speed up rule induction by reducing the number of items from the extracted rules is quite effective. In this article the task of identifying possible attacks on corporate network resources is considered. Analysis of approaches to the detection of violations of information security using the theory of fuzzy sets, including procedures for building Gaussian membership functions based on quantitative even comparison of degrees of individual values, which are formed on the basis of expert evaluations of decision makers. The use of symmetric Gaussian curve for membership functions is due to the fact that this function has a smooth top and smooth transitions and expert evaluations, which will form some statistical array of data, with a high probability will be described by the Normal Distribution. It is shown that in order to in-crease the efficiency of detection of situations of possible intrusion, it is necessary to use modern technologies of intellectual analysis with the use of rules and methods of fuzzy logic. The structural scheme of fuzzy system for detecting abnormal traffic in the network segment is proposed.