Transcript A Geometric Framework for Unsupervised Anomaly Detection

A Geometric Framework for
Unsupervised Anomaly Detection:
Detecting Intrusions in Unlabeled Data
Authors: Eleazar Eskin, Andrew Arnold, Michael Prerau, Leonid Portnoy, Sal Stolfo
Presenter: Marbin Pazos-Revilla
Cognitive Radio Group
TTU-2011
1
Motivation
• Machine Learning Algorithms
– Cluster
– K-Means
– SVM
• Datasets
– KDD Cup
• Intrusion Detection
• Among best ROC curves and overall IDS
performance
2
Contributions
• The authors proposed three improved
methods for clustering, K-NN and SVM to be
used in Unsupervised Intrusion Detection
• The methods show to have very good
performance (ROC curves)
3
Introduction
• Commercially available methods for intrusion
detection employ signature based detection
• The signature database has to be manually
revised for newly discovered signatures and
until a new update is applied systems are left
vulnerable to new attacks
4
IDS Types
• Misuse
– Each instance in a set of data is labeled as normal or
intrusion, and a machine learning algorithm is trained
over the labeled data
– Classification rules
– Manuel updates are needed
• Anomaly
– A given normal set data is given
– A new set of data is tested and system is supposed to
detect whether it is normal or not
– It can detect new types of attacks
5
Supervised Anomaly Detection
• Supervised Anomaly Detection require a set of
purely normal data from which they train their
model. If intrusions are present in “normal”
data, then these intrusions won’t be detected.
• It is hard in practice to have labeled or purely
normal data
• In the event of having labeled data by
simulating intrusions, we would be limited by
the set of known attacks in the simulation
6
Unsupervised Anomaly Detection
• Goal is to differentiate normal elements from
anomalous elements buried in the data
• Do not require a purely normal training set
• No need for labeled data
• Raw data is much easier to obtain
7
Geometric Framework
• Maps Data to a d-dimentional Feature Space
– Better capture intrusion in this feature space
– Represent and map different types of data
• Data-dependent normalization feature map
• Spectrum Kernel feature map
• Points can be classified as outliers (anomalies)
based on their position in this space
• In general anomalies tend to be distant from
other points (parallel with sparse)
8
Datasets and Algorithms
• Datasets
– KDD CUP 99 data (IDS dataset)
– Lincoln Labs DARPA intrusion detection evaluation
• Algorithms
– Clustering
– KNN
– SVM
9
Unsupervised Anomaly Detection
• Intrusions are buried in the data
• Can help in forensic analysis
• Assumptions
– Most (significant) of the elements are normal
– Anomalies are qualitatively different than normal
instances
• With the previous assumptions anomalies will
appear to be rare and different from normal
elements and show as outliers
10
Geometric Framework
for Unsupervised Anomaly Detection
• Mapping records from audit stream to a
feature space
• The distance between two elements in the
feature space then becomes
or
11
In many cases is difficult to map data instances to a
feature space and calculate distances
• High Dimentionality of the feature space (memory
considerations)
• Explicit map might be difficult to determine
We can define a kernel function to compute these dot
products in the feature space (Hilbert)
Then we could get distances by using Kernel functions
12
• Radial Basis Kernel Function
Defined over input spaces which are vector spaces
• Using Convolution kernels we can then use
arbitrary input spaces.
• The author suggests the use of convolution
kernels to avoid converting audit data into a
vector in
13
Detecting Outliers
• Detecting points that are distant from other
points or in relatively sparse regions of the
feature space
14
Cluster-based Estimation
• Count the number of points within a sphere of
radius w around the point
• Sort clusters based on size
• The points in the small clusters are labeled
anomalous
15
Cluster-based Estimation
• Any points x1,x2 are considered near if their
distance is less than or equal to
• Define N(x) to be the number of points that are
within w of point x
• Since we have to compute the pairwise distance
among points the computation of N(x) for all
points has complexity
• We are interested in the outliers
16
• To reduce computation, an approximation can
be done via fixed width clustering
– The first point is the center of the first cluster
– For every subsequent point, if it is within w of a
cluster center, it is added to that cluster
• Otherwise it becomes the center of a new
cluster
– Points may be added to several clusters
– Complexity
with c number of clusters
and n number of data points
– A threshold on n is used to find outliers
17
K-Nearest Neighbor
• Find points that lie in a sparse region of the
feature space by computing the distances to
the k-nearest neighbors of the point
• Dense regions will have many points near
them and will have a small k-NN score
• If k exceeds the frequency of any given attack
and the images of the attack elements are far
from the images of the normal elements, then
the k-NN score can be used to detect attacks
18
• K-NN is computationally expensive
• Since we’re interested in only the k-nearest
points to a given point we can reduce the
computational cost by using canopy clustering
– Canopy Clustering is used to reduce the space into
smaller subsets avoiding the need to check every
data point
19
Modified Canopy Clustering
• Cluster data with fixed-width approach with
the variation of placing each element in only
one cluster
• For each two points x1,x2 in a cluster
• And in all cases
20
• Let C be the set of clusters (initially containing
all clusters in the data)
• At any step, we have a set of points which are
potentially among the k-nearest neighbor
points. This set is denoted as P.
• We also have a set of points that are in fact
among the k-nearest points. This set is
denotes as K.
• Initially K and P are empty
21
• Pre-compute the distance from x to each
cluster.
• For the cluster with center closest to x we
remove it from C and add all its points to P.
Called Opening the Cluster
• We can use the lower bound on distance given
by
• For each point xi in P we compare distances
to other points in P
• If this distance is <dmin we can guarantee that
xi is closer to point x than all the points in the
clusters in C
22
• In this case we remove xi from P and add it to
K
• If distance is >dmin then we open the closest
cluster and add all the points to P and remove
that cluster from C
• Every time we remove a cluster from C dmin
will increase
• Once K has k elements we terminate
23
• Computation is spent checking distance
between points in D to the cluster centers,
which is more efficient than computing
pairwise distances among all points
• Choice of w effects only the efficiency, not the
K-NN score
• Intuitively we want to choose a w that splits
the data into reasonably sized clusters
24
One Class SVM
• Map feature space into a second feature space
with a radial basis kernel Standard SVM
requires supervised learning algorithms (it
requires labeled data)
25
• A newly modified SVM was adapted to
unsupervised learning algorithm
• Attempts to separate the entire set of data
from the origin with maximal margin
• Classes will be labeled as +1 and -1
26
• The hyperplane is estimated by the
hyperplane’s normal vector in the feature
space w and offset from the origin
Decision function
27
Optimization is solved with a variant of Sequential Minimal Optimization
28
Feature Space
• Data Sets
– Network Records with 41 features and 4,900,00
instances (KDD Cup 1999 Data)
– System Call Traces (process) from 5 weeks from
the Basic Security Module of the MIT Lincoln Labs
IDS Evaluation created on 1999
29
Experimental Results
30
ROC Curves
31
• Questions
32