According to the problems of current distributed architecture intrusion detection systems (DIDS), a new online distributed intrusion detection model based on cellular neural network (CNN) was proposed, in which discrete-time CNN (DTCNN) was used as weak classifier in each local node and state-controlled CNN (SCCNN) was used as global detection method, respectively. We further proposed a new method for design template parameters of SCCNN via solving Linear Matrix Inequality. Experimental results based on KDD CUP 99 dataset show its feasibility and effectiveness. Emerging evidence has indicated that this new approach is affordable to parallelism and analog very large scale integration (VLSI) implementation which allows the distributed intrusion detection to be performed better.
1. Introduction
Intrusion detection systems (IDS), which use classification algorithms, effectively discriminate normal behavior from abnormal behavior and play a major role in providing security to networks [1]. Traditional IDS can be divided into three categories [2]: integral structure, which integrates all functions but is weak on system prevention [3], and hierarchal structure, which is composed of detector and controller like a tree and shares information of all subsystems for intrusion detection, but the disadvantage of this structure is single-point failure [4]. Distributed structure IDS can be divided into several modules which distribute in the heterogeneous network environment, receive different information, and report the results to the higher function units. According to the increase of network size and complexity, the distributed structure IDS is matched with the characters of modern network environment and become one of the most important problems in network information security [5, 6]. The comparison of current IDS policy is shown as Table 1.
The comparison of current IDS policy.
Title
Type
Characteristics
Limitations
Integral structure
Integrates all functions
Weak on system prevention
IDS
Hierarchal structure
Shares information of all subsystems
Single-point failure
Distributed structure
Combination of individual sensors
Data communications are too large and complex
The model of distributed IDS (DIDS) can be defined either centralized or distributed. The centralized DIDS is a combination of individual sensors which collect the network data to the central analyzer component where the collected data is stored and processed. In [7], many artificial intelligence techniques are being used for threats detection, such as genetic algorithm, artificial immune and artificial neural network (ANN). Hosseinpour et al. [8] propose a multilayered framework based on Artificial Immune System (AIS) to enhance the detection performance; in their design, the genetic algorithm is used for enhancing the secondary immune response. The AIS-based IDS consists of two main components: IDS central engine and detection sensors. Each of these components is composed of some agents which correlate with each other in order to detect the anomalies and intrusions. Bartos et al. presents a distributed self-organized model for collaboration of multiple heterogeneous IDS sensors in [9]. In order to optimize behavior of each IDS sensor with respect to other sensors in highly dynamic environments, the distributed model is based on a Game-theoretical approach and introduces E-FIRE which is a solution concept suitable for solving the game. In the above centralized intrusion detection model, all the network data are sent to a central unit for processing; the raw data communications may occupy considerable network bandwidth and cause a computational burden in the central site. The privacy of the data obtained from the local nodes cannot be protected and is very sensitive to denial of service attack.
The distributed architecture DIDS includes one or more devices that cooperate in order to perform data gathering and processing reporting functions. Agent-based systems are widely used in distributed model, which is defined as a distinct software process that can be able to carry out activities in an intelligent manner to responsive changes in the environment and cooperate with other agents [11]. El Kadhi et al. [12] propose a global agent architecture using ANN as a major decision algorithm. Uddin et al. [13] propose a signature-based multilayer IDS model, which can detect imminent threats by automatically creating and using small multiple databases and provide mechanism to update these small signature databases at regular intervals using mobile agents. In [14], an agent based distributed adaptive IDS is put forward which employs joint detection mechanism for data mining algorithm and dynamic election algorithm for the recovery mechanism. In an agent-based DIDS, there is no central station and central point of failure, therefore overcoming the deficiency of centralized structure. But the limitation is that many raw network data still need to be shared among distributed nodes which make a large number of communications between local nodes. The comparison of current DIDS policy is shown as Table 2.
The comparison of current DIDS policy.
Title
Type
Characteristics
Limitations
DIDS
Centralized architecture DIDS
Artificial intelligence techniques [7]
(1) Data communications may occupy considerable network bandwidth. (2) The privacy of the data cannot be protected and is very sensitive to Denial of service attack.
Multilayered framework [8]
Self-organized model [9]
Distributed architecture DIDS
ANN [12]
There is a large number of communications between local nodes.
Signature-based multilayer IDS [13]
Dynamic Election Algorithm [14]
In each detection node of DIDS, there are various machine learning based anomaly detection algorithms proposed in the literature. These algorithms can be classified as statistics based, data mining based, and classification based [15]. Statistics based algorithms construct statistical models of network connections to determine whether a new connection is an attack. In [16], an adaptive blacklist-based packet filter using a statistic-based approach is proposed, the filter employs a blacklist technique to help filter out network packets based on IP confidence and the statistic-based approach allows the blacklist generation and update periodically in an adaptive way. Data mining based algorithm determines whether a new connection is an attack by using mine rules. For example, Mao et al. [17] propose two models based on data mining technology, respectively called frequency patterns (FP) and tree patterns (TP). FP based on frequency analysis and uses a short sequence model to find out frequent sequential patterns in the training system-call. TP make use of tree pattern mining and can get a quality profile from the training system-call sequences. Classification based IDS algorithm construct a classifier that is used to classify network connection as either attacks or normal connections. Pani and de Toro [18] propose an additive decision rules binary classifier which is optimized by a multiobjective evolutionary algorithm in order to maximize the classification accuracy and the coverage level. In [19], a solution for IDS based on the Coarse-to-refined Grid Search Support Vector Machine (GS-SVM) is presented to identify massive intrusive behaviors. In order to classify online traffic data efficiently, Mitra et al. [20] propose a rule based lazy classifier by using genetic algorithm. Sravani and Srinivasu classify the network traffic data by using Naïve Bayes and Neural network in [21]. Although there is much more work on anomaly detection algorithms, several issues still require further research, especially in the following areas: as new type of attack emerge, the size of intrusion training data increases rapidly over time. The intrusion detector must be retrained periodically in order to keep up with the changes in the network; in this way, it is time consuming. In addition, new attack data are used to update the detector and are then discarded. The key issue of detection algorithm in each node is to improve the processing time and maintain the accuracy of intrusion detector. The comparison of current machine learning based IDS policy in each detection node is shown as Table 3.
The comparison of current machine learning based IDS policy in each detection node.
Title
Type
Characteristics
Limitations
Statistics based
Adaptive blacklist-based packet filter [16]
Data mining based
Frequency patterns (FP) and tree patterns (TP) [17]
Machine learning based IDS in each detection node
An additive decision rules binary classifier [18]
Processing time should be improved and the accuracy of intrusion detector should be maintained
Classification based
Coarse-to-refined Grid Search Support Vector Machine (GS-SVM) [19]
Lazy classifier by using genetic algorithm [20]
Naïve Bayes and Neural network [21]
In this paper, we address the above challenges and propose a cellular neural network (CNN) based classification framework for the dynamic distributed network intrusion detection by using the discrete-time (DT) CNN [22] and state-controlled (SC) CNN algorithm [23]. These networks take most of their inspiration from the CNN paradigm but have some different peculiarities that make them preferable for some applications [10, 24, 25]. CNN is one of the most popular machine learning algorithms [26]. The key features of CNN are asynchronous parallel processing, continuous time dynamics, and local interactions among network elements which are called cells. The CNN system can be implemented as a mixed signal very large scale integration (VLSI) chip, the CNN universal machine (CNNUM). Taking advantage of these characteristics, CNN are widely used in research applications that are particularly demanding in terms of computational and time requirements, parallelization of sensing and processing, such as real-time image processing [27], pattern recognition [28], multisensory fusion, and control of complex systems [25, 29, 30].
In the proposed architecture, the system includes local nodes based on DTCNN and global model based on SCCNN. Each local node is responsible for detecting signs of intrusion independently, then exchanging their local information by sending an update message periodically to their neighboring nodes. On the other hand, the global model could be seen as a complete route picture of the whole network.
The rest of this paper is organized as follows. Section 2 introduces the theoretical foundation. In Section 3, the proposed algorithm of DTCNN-based local intrusion detection model is discussed. Section 4 presents the method for constructing the SCCNN-based global detection model and explains the details for designing SCCNN parameters via solving the Linear Matrix Inequality (LMI). After that, Section 5 presents the experimental results, followed by the conclusions in Section 6.
2. Theoretical Foundation
Consider a linear, time invariant system G described by state-space equations:
(1)G:x.=Ax+Bu,y=Cx,
where x∈Rn is the state vector, u∈Rm is the control input, and y∈Rr is the measured output. The pairs (A,B) and (A,C) are assumed to be, respectively, stabilization and measurable, and we assume that
m≤r and rank(CB)=m.
Lemma 1 (see [<xref ref-type="bibr" rid="B32">31</xref>]).
System G is asymptotically stable by a static output feedback if and only if there exist matrix P>0, σ1>0, and σ2>0 such that
(2)ATP+PA-σ1PBBTP<0,ATP+PA-σ2CTC<0.
Lemma 2 (see [<xref ref-type="bibr" rid="B33">32</xref>]).
For the system G satisfies (A1), there exist a liner transformation, which makes input matrix and output matrix have new structures as follows:
(3)B=0Im,C=C1C2,
where C2∈Rr×m is full rank. Rm*n represents real m×n matrices and Im is m×m identity matrix. M>0, where M is symmetric and positive definite, and A+(*)T=A+(A)T.
Formula (3) are definite as the specification style. Without any lose of generality, we regard the system have such specification style.
Lemma 3 (see [<xref ref-type="bibr" rid="B33">32</xref>]).
For the system G satisfies (A1), when μ tends to zero if there exist matrix Q1∈R(n-m)×(n-m), W∈Rr×r and Z∈Rm×(n-m) satisfy follow inequalities:
(4)Q1>0,(A11Q1-A12Z)+*TC1Q1-C2ZTC1Q1-C2Z-W<0,0<W<μI.
There must exist T and P^ satisfying formula (2), where N=ZQ1-1.
3. Local Detection Models Based on DTCNN
Intrusion detection problem can be viewed as a pattern classification problem. By building profiles of authorized behaviors, the computer behavior will be classified into authorized or intrusive behavior. DTCNN, as introduced in [22], is a combination from general linear threshold networks, where the local cell connectivity and translational invariance of the weights were transferred from CNN, represents an efficient architecture for pattern recognition. Because a cell in the DTCNN has a stable equilibrium point at the two saturation regions of the piece wise linear output function after the transient has decayed to zero. The output at the two saturation regions corresponds to 1 and −1. This significant characteristic of DTCNN shows a possibility as a classifier. In the following, we introduce the classifiers based on DTCNN for intrusion detection.
The circuit equations of a DTCNN cell which satisfies KCL and KVL are easily derived as follows.
State equation:
(5)Xn=∑d∈Nr(c)adyd(n)+∑d∈Nr(c)bdud+i=AYn+BU+I.
Output equation:
(6)Y(n)=F(X(n-1))=1,forX(n-1)>0,-1,forX(n-1)<0,
where U=u0u1⋯unT is the input numeric value and X=x0x1⋯xnT is the state. Y=y0y1⋯ynT is the output which is binary and is determined by the sign of X(n-1), Y=1 denotes an intrusive behavior, Y=-1 denotes an authorized behavior, and F=f(x0)f(x1)⋯f(xn)T contains the output functions. The value of I is constant and used for adjusting a bias, the matrices A and B contain the feedback and control parameters, respectively. A set of feedback, control coefficients, and the bias is called a template which is translational invariant. It means that each cell is influenced identically by its neighbors. This reduces the different weights to a small number that can be implemented by global bus lines in VLSI realizations.
The DARPA 1998 and 1999 ID evaluation data sets consist of comprehensive technical evaluation of research IDS. The network connection records fall into four main categories: the denial of service (DOS) includes pod, teardrop, neptune, and smurf. The surveillance and other probing (PRB) consist of satan, portsweep, nmap, and ipsweep. The unauthorized access to local super root privileges (U2R) includes loadmodule, perl, buffer-overflow, and rootkit. The unauthorized access from a remote machine (R2L) consists of spy, guess-passwd, multihop, and warezclient. Each of these data record has 41 unique features, including 34 numeric and 7 discrete features that its value can be converted to numeric value, and the last is the flag of attribute.
The structure of the proposed DTCNN model is shown in Figure 1. The first level is a DTCNN detector which is trained by using normal data, distinguishing abnormal attacks from normal ones. If the first level iteration result yfl(n) is equal to −1, the test data is reported as normal. When output value yfl(n) is reported as 1, the lower levels of the HDCNN model are joined in parallel ways which will give the particular type of attacks according to the lower level result yllmi(n), where m is the number of layers, i is the kind of attacks, such as DOS, R2L, and so forth.
The Hierarchical Intrusion Detection model based on DTCNN for local node [10].
If yfl(n)=1, but zll2(n)=yll2DOS(n)⊕yll2PRB(n)⊕yll2U2L(n)⊕yll2R2L(n)=-1, the test data will be determined as new category of attacks. Otherwise, yll2DOS(n)=1, but zDOS(n)=∑m=3iyllmDOS=-1, the data can be identified as the new type intrusion of DOS attacks. Finally, the new category of intrusions will be added to the database to train new detectors. The output type of intrusion is labeled as 1,2,… depending on attack samples, and the normal samples are labeled as −1.
The above design of classifiers for intrusion detection has the following advantages. There is only iteration operation in a detection processing, the computation complexity for constructing the decision stumps is very low and online updating of new type of intrusion database can be easily implemented when new intrusion samples are obtained. Furthermore, the output decision stumps fully take into account the type of each attack or the normal samples. Finally, a suitable choice of the template coefficients allows for determining the behavior of the whole system. The improved PSO algorithm carries out the training task and proved in our other paper [10].
4. Global Detection Models Based on SCCNN
In the distributed intrusion detection framework, each node constructs its own local IDS model independently according to its own data. By combining all the local models, a global model trained using a small number of detection results from each node, without sharing any of the original training data between nodes. The global intrusion detector is more accurate than the local detectors that may be only adequate for each node output, specific attack types, or normal samples, due to the limited training data available at each node. Once local nodes gain their own models, the global models are used to detect intrusions, for the SCCNN connection, the vector of the results from the local models is used as the input to the global whose result determines whether the current network connection is an attack.
Furthermore, DIDS refers to the processing of a large set of data in order to derive hacking information that cannot be obtained by using each node alone. Therefore, real-time processing, high computational capability, and a space distributed parallel structure are required to gather and manage the huge amount of information carried out from the local node IDS system efficiently. This is satisfied for SCCNN as introduced in [23], whose main advantage lies in the possibility to control each node on the basis of global information regardless of having only local connections among neighboring nodes. So, by combining the ability of the SCCNN for sample sets, a global detection model can be constructed effectively in each node.
SCCNN are arrays of locally interconnected analog cells arranged in a regular grid, and the processing is controlled by the values of the templates. The main difference between CNN and SCCNN is that each cell of SCCNN contains the sensing and the actuation part inside its structure. In the following, linear characteristics for DIDS will be considered and some sufficient conditions for the stability of the whole structure will be derived, together with a design methodology for the template coefficient selection. Figure 2 gives the framework that consists of the modules: local models and global model.
The DIDS architecture based on the SCCNN paradigm.
As Figure 2 shown, SCCNN-DIDS architectures allow implementing global functions on data obtained from distributed IDS node systems having only local connectivity. In particular, due to the intrinsic characteristics of SCCNN, each node as a cell which output is a function of all the SCCNN cells inputs without a direct global cell interconnection. Following Arena et al. [25, 30], the multilayer version of the SCCNN come in a straightforward way, the architecture proposed for one-dimensional DIDS is a circular, and each cell input ui represents the output for the node Ni, that is, a vector (y1,y2,y3,…,yj) is constructed, where yj is the result of the jth local detection model for the sample; each node is connected via the state template C and the control template B to the neighboring nodes. Symmetric templates are considered due to the circular topology adopted: A=[a1,a0,a1] and B=[b1,b0,b1]. The generalized linear circular SCCNN equations describing system dynamics can be written for N cells as follows:
(7)x1.=-x1+a1xN+a0x1+a1x2+b1uNxN.=+b0u1+b1u2,x2.=-x2+a1x1+a0x2+a1x3+b1uNxN.=+b0u1+b1u2,⋮xN.=-xN+a1xN-1+a0xN+a1x1xN.=+b1uN-1+b0uN+b1u1,yi=FN,a0,a1,b0,b1=∑j=-nnCj,nuj,hhhhhhhhhhhhhhhhhhhhhli=1,…,N,
where N=2n+1, with the following periodic boundary conditions: u0=uN and uN+1=u1. It should be remarked that the considered SCCNN is linear, and F(*) represents the state value of the generic cell. The weighting function C(j,n) has the following form:
(8)Cj,n=Xj,na0+2a1-1Yn,
where j(j=0,…,n) represents the distance between the cell considered and the cell whose considered input is connected. Moreover, the function C(j,n) is symmetric with respect to j. In order to ensure a control law for the structure, the desired coefficient parameter vector C*=[C*(0,n)] is imposed to be the same for all the nodes, which is the same quantity, is available at each node regardless of the network dimension. Furthermore, in order to ensure the asymptotic stability of the system, the formula (9) must be satisfied [25], this result ensures that the multinode system will converge to an asymptotically stable state:
(9)a0+2a1-1<0.
It is clear that a suitable choice of the template coefficients which determine the behavior of the system must be satisfied, in order to obtain the asymptotic stability of the system. The design problem consists in determining the template coefficients which is still an open issue in current literature [10, 33]. In the following, we introduce a new methodology for the design of the template coefficients based on LMI.
For the DIDS architecture shown as Figure 2 with N cells, the asymptotic behavior can be written in matrix form as follows:
(10)X˙=AX+BU,Y=CU,
where X, U are vectors of dimension equal to the number N of nodes, while A, B are square real matrices N×N.
Without any loss of generality, let
(11)P=PT∈Rn×n,P=P1+NTP2NNTP2P2NP2
with P1∈R(n-m)×(n-m), P2∈Rm×m, and N∈Rm×(n-m). Define
(12)T=In-m0NIm,P^=P100P2;
then, we get
(13)P=TTP^T.
Through (11) and (12), inequality group (2) can be written as
(14)P^A^+A^TP^-σ1P^B^B^TP^<0,P^A^+A^TP^-σ2C^TC^<0,
where
(15)A^=TAT-1=TA11A12A21A22T-1,(16)B^=TB=0Im,(17)C^=CT-1=C1-C2NC2.
Theorem 4.
System G is asymptotically stable by a static output feedback if and only if there exist matrix P^>0, Y∈Rm×m, and N∈Rm×(n-m) such that
(18)P^A^+B^YC^+*T<0,
with K=P2-1Y.
Proof.
In order to compute a static output feedback law u=Ky that ensures the stability of the system, there exists a matrix P>0, which makes
(19)P(A+BKC)+A+BKCTP<0.
Corresponding to (14), (19) can be written as
(20)TTP^TA+TTP^TBKC+*T<0.
Making congruent transformation for (20), we get
(21)P^TAT-1+BP2KT-1+*T<0.
Letting Y=P2K, we get
(22)P^A^+B^YC^+*T<0.
This completes the proof.
Corresponding to Theorem 4, it is clear that Lyapunov inequality (18) changes into two inequalities containing P^>0 and Y, when N is fixed. And our aim is to compute a static output feedback law u=Ky that ensures the stability of the system. There exists a matrix K makes (19) holds. Lemma 3 gives us a solution to determine matrix A,B,C, and K. According to this, in the following, we propose a method based on LMI to solve the template parameters.
Step 1. Corresponding to Lemma 2, change the system to specification style structured like (3).
Step 2. Solve inequalities (4) and get the solution matrix N when μ reach the minimum value.
Step 3. Corresponding to (12), we get the matrix T and the system matrix A^,B^,C^.
Step 4. Solve the inequalities P^A^+B^YC^+(*)T<0, where P^>0 and structured like (12).
Finally, we can get K=P2-1Y.
5. Experiments
Our algorithms are implemented on a Pentium IV computer with 2.6 GHZ CPU and 256 M RAM, using MATLAB7.0. The knowledge discovery KDD CUP 1999 dataset, which is still the most trustful and credible public benchmark dataset for evaluating network intrusion detection algorithms, are being used to test our algorithms. In the dataset, 41 features describe the basic information about the network packet, network traffic, host traffic, and content information, including nine categorical features, which is discrete type variables, and 32 continuous features are extracted for each network connection, and attacks in the dataset fall into four main categories: DOS, Probe, R2L and U2R. We take part of the kddcup.data_10_percent as the data resource, in which the test dataset includes some attack types that do not exist in the training dataset. The numbers of normal connections and each category of attacks in the training and test datasets are listed in Table 4.
Experimental data.
Categories
DOS
PRB
U2R
R2L
Normal
Others
Total
Training data
1596
980
52
470
1065
0
4163
Test data
1398
796
228
689
850
729
4690
In the following, we first introduce the performances of our local intrusion detection models based on DTCNN, including the ability to handle mixed features and the ability to learn new types of attacks. Then, the performance of our SCCNN-based distributed intrusion detection algorithm is evaluated, such as the effects of parameters on detection performance, the comparison results with other published existing algorithms.
5.1. Local Models
For the local models, the results of handle mixed features are shown as Table 4, when only continuous features or both continuous features and categorical features are used, test on the training and test datasets, respectively. And the percentage of detection rate (%DR) and false alarm rate (%FAR) are chosen to evaluate the performance for anomaly detection. It can be seen that the results obtain by using both continuous and categorical features are more accurate than the results obtained by only using continuous features, which shows the ability of our algorithms to handle mixed features in network connection data. Furthermore, the data set has high dimensionality and contains a lot of irrelevant attributes. After the analysis, we only need to extract the first 10 eigenvectors which can be converted to numeric value as the input principal component (Table 5).
The results of handle mixed features.
Features
Training data
Test data
DR (%)
FAR (%)
DR (%)
FAR (%)
Continuous
98.76
6.50
91.35
10.38
Continuous and categorical
99.31
3.78
94.7
7.67
The ability to detect the new types of attacks correctly is an attractive and important characteristic of our DTCNN-based intrusion detection algorithms. Figure 3 show the online processing of the classifier with respect to four types of attack, that is, “neptune,” “satan,” “buffer overflow,” and “multihop,” which belong to the four main categories, respectively. They all appeared before in the training data.
Online processing of the classifier for “neptune,” “satan,” “buffer overflow,” and “multihop” attack.
In Figures 3 and 4, the horizontal coordinate indicates the numbers of samples, and the vertical coordinate indicates the class label predicted by the detector for a sample, where y=1 means that it is correctly classified as a network attack. Corresponding to the four kind of attack, y=2,3,4,5 means that the sample is mistakenly classified as a normal connection or other type of attack, and y=-1 means that it is correctly classified as a normal connection. It is seen that at the part of processing for four types of attacks, the classifier classifies samples as attacks correctly, and the false alarm rate is low. But the performance of our DTCNN classifier for “buffer overflow” and “multihop” attack which belong to U2R and R2L achieves lower detection rate than other two types of intrusion. Corresponding to the four kind of sample attack, the detection rate are 99.63%, 98.89%, 72.73%, and 77.78%. This is mainly due to the few training data sets for “buffer overflow” and “multihop” attack. But this experiment still shows the effectiveness of the online processing of the algorithm for four type of attacks.
Online processing of the classifier for “mailbomb,” “mscan,” “ps,” and “snmpguess” attacks.
Figure 4 shows the online process of the classifier with respect to four new types of attack, “mailbomb,” “mscan,” “ps,” and “snmpguess” which have not appeared before in the training data. It is seen that for new types of attacks, the proposed DTCNN-based intrusion detection model also can detected the attack accurately. The false alarm rate is low and emerging experiment results have indicated that our DTCNN-based algorithms are also effective for new kinds of attacks.
5.2. Global Models
(a) According to LMI, the coefficients must be chosen as to minimize the quantity C*-C and imposing the stability constraint (17). Table 6 and Figure 5 give us the computation results for various template matrices coefficient values (n=4).
The results of various template matrices coefficient values.
Model
a0
a1
b0
b1
K
1
−10
7
10
10
1.0618
2
−10
7
1
0.5
0.7825
3
−2
1
1
0.5
0.4872
4
−0.3
0.7
0.2
0.1
No exit
C(j,n) for various template matrices coefficient values.
For different model, it can be derived that the closer the A template coefficients are to the stability condition (8), the smaller is c(j,n). And in some case, like model 4, K is not exit. Under that condition, it means the system is not stable. Finally, the cell parameters A and B are chosen based on both dynamic and stability considerations, while the C allows customizing the cell output. The desired weighting function was fixed to C=[1.1034,0.7945,1.1034,0.7945], and the template coefficients were determined as a0=-0.3187, a1=0.1496, b0=0.007, and b1=0.256.
(b) The proposed SCCNN-based distributed intrusion detection algorithm is tested with seven nodes. To simulate a distributed intrusion detection environment, neptune, satan, httptunnel, and warezmaster which belong to the four main kinds of attacks in the KDD CUP 99 dataset are used for constructing local detection nodes, and a global model is constructed using the seven local models. Table 7 shows the test datasets used for constructing the global models in the seven nodes. It is seen that the size of the test datasets are comparatively small. Node 1 has not the warezmaster attack samples; Node 2 has not the httptunnel samples; Node 3 has not the satan attack samples; and Node 4 has not the neptune samples. Table 8 show the comparison results by using our algorithm and other traditional methods though DR and FAR.
Test datasets in the seven nodes.
Attack
Node 1
Node 2
Node 3
Node 4
Node 5
Node 6
Node 7
Neptune
500
500
500
0
500
300
250
Satan
500
500
0
500
500
250
150
Httptunnel
150
0
150
150
150
100
50
Warezmaster
0
250
250
250
250
150
100
Normal
750
750
750
750
0
500
300
The comparison results about DIDS with different methods.
Algorithms
DR (%)
FAR (%)
Centralized architecture DIDS
Genetic algorithm, artificial immune, and ANN [7]
84.52–97.5
2.16–3.64
Artificial Immune System [8]
89.5–96.9
1.2–2.7
Game-theoretical approach [9]
92.3–97.67
0.77–2.9
Our DTCNN-based local detection method
87.83–98.16
0.71–2.94
Distributed architecture DIDS
ANN [12]
Average 96.24
None
Signature-based multilayer IDS [13]
Average 96.7
Average 1.83
Dynamic Election Algorithm [14]
96–97.5
0.93–1.97
Our SCCNN-based global detection method
96.19–97.76
0.795–1.845
Overall, it is seen that our DTCNN-based and SCCNN-based algorithm greatly increases the detection rate and decreases the false alarm rate for each model after the local node intrusion detection. Compared with centralized architecture DIDS algorithms, the distributed architecture DIDS algorithms not only gain high DR while keeping low FAR, but also adapt to the local models in online mode. This adaptability is very important for heterogeneous network environment. The detection accuracies of the SCCNN-based algorithms are comparable with the ANN-based algorithm in [12], Signature-based multilayer IDS in [13], and the Dynamic Election algorithm-based in [14]. In particular, lower FAR is obtained. The reason for this is that the design processing of SCCNN parameters is based on solving the LMI which come from the equations describing system dynamics that obtains more accurate weights for the global detection model. On the other hand, the computational complexity of our algorithm is relatively low, because the proposed detection approach only executes iterations to perform the local and global detection phase which reduces the time consumption and then achieves a better performance.
6. Conclusion
In this paper, we proposed a new DIDS algorithm, in which DTCNNs were used as weak classifiers in local nodes and SCCNN was used as global detection method, respectively. We further proposed a method for design SCCNN parameters based on LMI. And the global detection procedure can be emerged as locally connected, nonlinear processor arrays, while the circular equations describing system dynamics reach their steady state at an equilibrium point which represents a desirable feature in view of VLSI hardware implementations of real time networks. Experiments are carried out to demonstrate the performance of the proposed model, and the comparative results with other traditional centralized or distributed architecture DIDS methods show that the proposed model exhibit superior performance.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work is supported by the National Natural Science Foundation of China (nos. 61121061 and 61161140320) and the National Key Technology R&D Program (2012BAH37B05).
BhuyanM. H.BhattacharyyaD. K.KalitaJ. K.Network anomaly detection: methods, systems and toolsCoronaI.GiacintoG.RoliF.Adversarial attacks against intrusion detection systems: taxonomy, solutions and open issuesChenY.-B.FengC.ZhangQ.TangC.-J.Integrated artificial immune system for intrusion detectionLiL.LiY. H.FuD. Y.WanM.Intrusion detection model based on hierarchical structure in wireless sensor networksProceedings of the International Conference on Electrical and Control Engineering (ICECE '10)June 20102816281910.1109/icece.2010.6882-s2.0-79952219250ChoE. J.HongC. S.LeeS.JeonS.A partially distributed intrusion detection system for wireless sensor networksZhangD.YeoC. K.Distributed Court System for intrusion detection in mobile ad hoc networksAlrajehN. A.LloretJ.Intrusion detection systems based on artificial intelligence techniques in wireless sensor networksHosseinpourF.BakarK. A.HardoroudiA. H.DareshurA. F.Design of a new distributed model for intrusion detection system based on artificial immune systemProceedings of the 6th International Conference on Advanced Information Management and Service (IMS '10)December 2010Seoul, Republic of Korea3783832-s2.0-79952790202BartosK.RehakM.SvobodaM.Self-organized collaboration of distributed IDS sensorsXieK.YangY.ZhangL.LiW.XinY.Research of hierarchical intrusion detection model based on discrete cellular neural networksHouZ.YuZ.ZhengW.ZuoX.Research on distributed intrusion detection system based on mobile agentEl KadhiN.HadjarK.El ZantN.A mobile agents and artificial neural networks for intrusion detectionUddinM.RehmanA. A.UddinN.MemonJ.AlsaqourR.KaziS.Signature-based multi-layer distributed intrusion detection system using mobile agentsLiuY. B.ShiL.WangB. Z.WuY. Q.WangP. H.An new agent based distributed adaptive intrusion detection systemHuW.GaoJ.WangY.WuO.MaybankS.Online adaboost-based parameterized methods for dynamic distributed network intrusion detectionMengY.KwokL.-F.Adaptive blacklist-based packet filter with a statistic-based approach in network intrusion detectionMaoG.WuX.JiangX.Intrusion detection models based on data miningPaniT.de ToroF.An additive decision rules classifier for network intrusion detectionLeiX.ZhouP.An intrusion detection model based on GS-SVM classifierMitraR.MazumderS.SharmaT.SenguptaN.SilJ.Dynamic network traffic data classification for intrusion detection using genetic algorithmSravaniK.SrinivasuP.Comparative study of machine learning algorithm for intrusion detection systemYavuz OrucA.Designing cellular permutation networks through coset decompositions of symmetric groupsHalonenK.PorraV.RoskaT.ChuaL. O.Programmable analogue VLSI CNN chip with local digital logicCaponettoR.FortunaL.OcchipintiL.XibiliaM. G.Hyperchaotic dynamic generation via SC-CNNs for secure transmission applications1Proceedings of the IEEE International Joint Conference on Neural NetworksMay 19984924962-s2.0-0031643594ArenaP.BaglioS.FortunaL.GrazianiS.Analog cellular networks for multisensor fusion and controlChuaL. O.YangL.Cellular neural networks: applicationsParmaksizogluS.GunayE.AlciM.Determining clonning templates of CNN via moga: edge detectionProceedings of the IEEE 19th Conference on Signal Processing and Communications Applications (SIU '11)201175876110.1109/SIU.2011.5929761LiL.MaG.DuX.New method of horizon recognition in seismic dataBaglioS.GrazianiS.ManganaroG.PitroneN.Cellular neural networks: a new paradigm for multisensor data fusionProceedings of the 8th Mediterranean Electrotechnical Conference (MELECON '06)May 19965095122-s2.0-0030377263AndoB.BaglioS.GrazianiS.PitroneN.A novel analog modular sensor fusion architecture for developing ‘smart’ structures2Proceedings of the IEEE Instrumentation and Measurement Technology Conference (IMTC '97)May 1997Ottawa, Canada1221122410.1109/IMTC.1997.612393BentonJ.Jr.SmithD.Static output feedback stabilization with prescribed degree of stabilityXiangJ.ZhangX. Y.SuH. Y.ChuJ.Static output feedback stabilization based on structured Lyapunov MatrixMartínezJ. J.GarrigósJ.ToledoJ.Manuel FerrándezJ.An efficient and expandable hardware implementation of multilayer cellular neural networks