Cellular Neural Network-Based Methods for Distributed Network Intrusion Detection

. According to the problems of current distributed architecture intrusion detection systems (DIDS), a new online distributed intrusion detection model based on cellular neural network (CNN) was proposed, in which discrete-time CNN (DTCNN) was used as weak classifier in each local node and state-controlled CNN (SCCNN) was used as global detection method, respectively. We further proposed a new method for design template parameters of SCCNN via solving Linear Matrix Inequality. Experimental results based on KDD CUP 99 dataset show its feasibility and effectiveness. Emerging evidence has indicated that this new approach is affordable to parallelism and analog very large scale integration (VLSI) implementation which allows the distributed intrusion detection to be performed better.


Introduction
Intrusion detection systems (IDS), which use classification algorithms, effectively discriminate normal behavior from abnormal behavior and play a major role in providing security to networks [1].Traditional IDS can be divided into three categories [2]: integral structure, which integrates all functions but is weak on system prevention [3], and hierarchal structure, which is composed of detector and controller like a tree and shares information of all subsystems for intrusion detection, but the disadvantage of this structure is singlepoint failure [4].Distributed structure IDS can be divided into several modules which distribute in the heterogeneous network environment, receive different information, and report the results to the higher function units.According to the increase of network size and complexity, the distributed structure IDS is matched with the characters of modern network environment and become one of the most important problems in network information security [5,6].The comparison of current IDS policy is shown as Table 1.
The model of distributed IDS (DIDS) can be defined either centralized or distributed.The centralized DIDS is a combination of individual sensors which collect the network data to the central analyzer component where the collected data is stored and processed.In [7], many artificial intelligence techniques are being used for threats detection, such as genetic algorithm, artificial immune and artificial neural network (ANN).Hosseinpour et al. [8] propose a multilayered framework based on Artificial Immune System (AIS) to enhance the detection performance; in their design, the genetic algorithm is used for enhancing the secondary immune response.The AIS-based IDS consists of two main components: IDS central engine and detection sensors.Each of these components is composed of some agents which correlate with each other in order to detect the anomalies and intrusions.Bartos et al. presents a distributed selforganized model for collaboration of multiple heterogeneous IDS sensors in [9].In order to optimize behavior of each IDS sensor with respect to other sensors in highly dynamic environments, the distributed model is based on a Gametheoretical approach and introduces E-FIRE which is a solution concept suitable for solving the game.In the above centralized intrusion detection model, all the network data are sent to a central unit for processing; the raw data  [7] (1) Data communications may occupy considerable network bandwidth.
(2) The privacy of the data cannot be protected and is very sensitive to Denial of service attack.
Multilayered framework [8] Self-organized model [9] Distributed architecture DIDS ANN [12] There is a large number of communications between local nodes.Signature-based multilayer IDS [13] Dynamic Election Algorithm [14] communications may occupy considerable network bandwidth and cause a computational burden in the central site.The privacy of the data obtained from the local nodes cannot be protected and is very sensitive to denial of service attack.
The distributed architecture DIDS includes one or more devices that cooperate in order to perform data gathering and processing reporting functions.Agent-based systems are widely used in distributed model, which is defined as a distinct software process that can be able to carry out activities in an intelligent manner to responsive changes in the environment and cooperate with other agents [11].El Kadhi et al. [12] propose a global agent architecture using ANN as a major decision algorithm.Uddin et al. [13] propose a signature-based multilayer IDS model, which can detect imminent threats by automatically creating and using small multiple databases and provide mechanism to update these small signature databases at regular intervals using mobile agents.In [14], an agent based distributed adaptive IDS is put forward which employs joint detection mechanism for data mining algorithm and dynamic election algorithm for the recovery mechanism.In an agent-based DIDS, there is no central station and central point of failure, therefore overcoming the deficiency of centralized structure.But the limitation is that many raw network data still need to be shared among distributed nodes which make a large number of communications between local nodes.The comparison of current DIDS policy is shown as Table 2.
In each detection node of DIDS, there are various machine learning based anomaly detection algorithms proposed in the literature.These algorithms can be classified as statistics based, data mining based, and classification based [15].Statistics based algorithms construct statistical models of network connections to determine whether a new connection is an attack.In [16], an adaptive blacklist-based packet filter using a statistic-based approach is proposed, the filter employs a blacklist technique to help filter out network packets based on IP confidence and the statistic-based approach allows the blacklist generation and update periodically in an adaptive way.Data mining based algorithm determines whether a new connection is an attack by using mine rules.For example, Mao et al. [17] propose two models based on data mining technology, respectively called frequency patterns (FP) and tree patterns (TP).FP based on frequency analysis and uses a short sequence model to find out frequent sequential patterns in the training system-call.TP make use of tree pattern mining and can get a quality profile from the training system-call sequences.Classification based IDS algorithm construct a classifier that is used to classify network connection as either attacks or normal connections.Pani and de Toro [18] propose an additive decision rules binary classifier which is optimized by a multiobjective evolutionary algorithm in order to maximize the classification accuracy and the coverage level.In [19], a solution for IDS based on the Coarse-to-refined Grid Search Support Vector Machine (GS-SVM) is presented to identify massive intrusive behaviors.In order to classify online traffic data efficiently, Mitra et al. [20] propose a rule based lazy classifier by using genetic algorithm.Sravani and Srinivasu classify the network traffic data by using Naïve Bayes and Neural network in [21].Although there is much more work on anomaly detection algorithms, several issues still require further research, especially in the following areas: as new type of attack emerge, the size of intrusion training data increases rapidly over time.The intrusion detector must be retrained periodically in order to keep up with the changes in the network; in this way, it is time consuming.In addition, new attack data are used to update the detector and are then discarded.The key issue of detection algorithm in each node is to improve the processing time and maintain the accuracy of intrusion detector.The comparison of current machine learning based IDS policy in each detection node is shown as Table 3.
In this paper, we address the above challenges and propose a cellular neural network (CNN) based classification framework for the dynamic distributed network intrusion detection by using the discrete-time (DT) CNN [22] and state-controlled (SC) CNN algorithm [23].These networks take most of their inspiration from the CNN paradigm but have some different peculiarities that make them preferable An additive decision rules binary classifier [18] Processing time should be improved and the accuracy of intrusion detector should be maintained Classification based Coarse-to-refined Grid Search Support Vector Machine (GS-SVM) [19] Lazy classifier by using genetic algorithm [20] Naïve Bayes and Neural network [21] for some applications [10,24,25].CNN is one of the most popular machine learning algorithms [26].The key features of CNN are asynchronous parallel processing, continuous time dynamics, and local interactions among network elements which are called cells.The CNN system can be implemented as a mixed signal very large scale integration (VLSI) chip, the CNN universal machine (CNNUM).Taking advantage of these characteristics, CNN are widely used in research applications that are particularly demanding in terms of computational and time requirements, parallelization of sensing and processing, such as real-time image processing [27], pattern recognition [28], multisensory fusion, and control of complex systems [25,29,30].
In the proposed architecture, the system includes local nodes based on DTCNN and global model based on SCCNN.Each local node is responsible for detecting signs of intrusion independently, then exchanging their local information by sending an update message periodically to their neighboring nodes.On the other hand, the global model could be seen as a complete route picture of the whole network.
The rest of this paper is organized as follows.Section 2 introduces the theoretical foundation.In Section 3, the proposed algorithm of DTCNN-based local intrusion detection model is discussed.Section 4 presents the method for constructing the SCCNN-based global detection model and explains the details for designing SCCNN parameters via solving the Linear Matrix Inequality (LMI).After that, Section 5 presents the experimental results, followed by the conclusions in Section 6.

Theoretical Foundation
Consider a linear, time invariant system  described by statespace equations: where  ∈   is the state vector,  ∈   is the control input, and  ∈   is the measured output.The pairs (, ) and (, ) are assumed to be, respectively, stabilization and measurable, and we assume that (A1):  ≤  and rank() = .

Local Detection Models Based on DTCNN
Intrusion detection problem can be viewed as a pattern classification problem.By building profiles of authorized behaviors, the computer behavior will be classified into authorized or intrusive behavior.DTCNN, as introduced in [22], is a combination from general linear threshold networks, where Output type of R2L intrusion the local cell connectivity and translational invariance of the weights were transferred from CNN, represents an efficient architecture for pattern recognition.Because a cell in the DTCNN has a stable equilibrium point at the two saturation regions of the piece wise linear output function after the transient has decayed to zero.The output at the two saturation regions corresponds to 1 and −1.This significant characteristic of DTCNN shows a possibility as a classifier.In the following, we introduce the classifiers based on DTCNN for intrusion detection.
The circuit equations of a DTCNN cell which satisfies  and  are easily derived as follows.
State equation: Output equation: where is the output which is binary and is determined by the sign of ( − 1),  = 1 denotes an intrusive behavior,  = −1 denotes an authorized behavior, and  = [( 0 ) ( 1 ) ⋅ ⋅ ⋅ (  )]  contains the output functions.The value of  is constant and used for adjusting a bias, the matrices A and B contain the feedback and control parameters, respectively.A set of feedback, control coefficients, and the bias is called a template which is translational invariant.It means that each cell is influenced identically by its neighbors.This reduces the different weights to a small number that can be implemented by global bus lines in VLSI realizations.
The DARPA 1998 and 1999 ID evaluation data sets consist of comprehensive technical evaluation of research IDS.The network connection records fall into four main categories: the denial of service (DOS) includes pod, teardrop, neptune, and smurf.The surveillance and other probing (PRB) consist of satan, portsweep, nmap, and ipsweep.The unauthorized access to local super root privileges (U2R) includes loadmodule, perl, buffer-overflow, and rootkit.The unauthorized access from a remote machine (R2L) consists of spy, guess-passwd, multihop, and warezclient.Each of these data record has 41 unique features, including 34 numeric and 7 discrete features that its value can be converted to numeric value, and the last is the flag of attribute.
The structure of the proposed DTCNN model is shown in Figure 1.The first level is a DTCNN detector which is trained by using normal data, distinguishing abnormal attacks from normal ones.If the first level iteration result  fl () is equal to −1, the test data is reported as normal.When output value  fl () is reported as 1, the lower levels of the HDCNN model are joined in parallel ways which will give the particular type of attacks according to the lower level result   ll (), where  is the number of layers,  is the kind of attacks, such as DOS, R2L, and so forth. If ll2 () = −1, the test data will be determined as new category of attacks.Otherwise,  DOS ll2 () = 1, but  DOS () = ∑  =3  DOS ll = −1, the data can be identified as the new type intrusion of DOS attacks.Finally, the new category of intrusions will be added to the database to train new detectors.The output type of intrusion is labeled as 1, 2, . . .depending on attack samples, and the normal samples are labeled as −1.
The above design of classifiers for intrusion detection has the following advantages.There is only iteration operation in a detection processing, the computation complexity for constructing the decision stumps is very low and online updating of new type of intrusion database can be easily implemented when new intrusion samples are obtained.Furthermore, the output decision stumps fully take into account the type of each attack or the normal samples.Finally, a suitable choice of the template coefficients allows for determining the behavior of the whole system.The improved PSO algorithm carries out the training task and proved in our other paper [10].

Global Detection Models Based on SCCNN
In the distributed intrusion detection framework, each node constructs its own local IDS model independently according to its own data.By combining all the local models, a global model trained using a small number of detection results from each node, without sharing any of the original training data between nodes.The global intrusion detector is more accurate than the local detectors that may be only adequate for each node output, specific attack types, or normal samples, due to the limited training data available at each node.Once local nodes gain their own models, the global models are used to detect intrusions, for the SCCNN connection, the vector of the results from the local models is used as the input to the global whose result determines whether the current network connection is an attack.
Furthermore, DIDS refers to the processing of a large set of data in order to derive hacking information that cannot be obtained by using each node alone.Therefore, real-time processing, high computational capability, and a space distributed parallel structure are required to gather and manage the huge amount of information carried out from the local node IDS system efficiently.This is satisfied for SCCNN as introduced in [23], whose main advantage lies in the possibility to control each node on the basis of global information regardless of having only local connections among neighboring nodes.So, by combining the ability of the SCCNN for sample sets, a global detection model can be constructed effectively in each node.
SCCNN are arrays of locally interconnected analog cells arranged in a regular grid, and the processing is controlled by the values of the templates.The main difference between CNN and SCCNN is that each cell of SCCNN contains the sensing and the actuation part inside its structure.In the following, linear characteristics for DIDS will be considered and some sufficient conditions for the stability of the whole structure will be derived, together with a design methodology for the template coefficient selection.Figure 2 gives the framework that consists of the modules: local models and global model.
As Figure 2 shown, SCCNN-DIDS architectures allow implementing global functions on data obtained from distributed IDS node systems having only local connectivity.In particular, due to the intrinsic characteristics of SCCNN, each node as a cell which output is a function of all the SCCNN cells inputs without a direct global cell interconnection.Following Arena et al. [25,30], the multilayer version of the SCCNN come in a straightforward way, the architecture proposed for one-dimensional DIDS is a circular, and each cell input   represents the output for the node   , that is, a vector ( 1 ,  2 ,  3 , . . .,   ) is constructed, where   is the result of the th local detection model for the sample; each node is connected via the state template  and the control template  to the neighboring nodes.Symmetric templates are considered due to the circular topology adopted:  = [ 1 ,  0 ,  1 ] and  = [ 1 ,  0 ,  1 ].The generalized linear circular SCCNN equations describing system dynamics can be written for  cells as follows: where  = 2 + 1, with the following periodic boundary conditions:  0 =   and  +1 =  1 .It should be remarked that the considered SCCNN is linear, and ( * ) represents the state value of the generic cell.The weighting function (, ) has the following form: where  ( = 0, . . ., ) represents the distance between the cell considered and the cell whose considered input is connected.Moreover, the function (, ) is symmetric with respect to .In order to ensure a control law for the structure, the desired coefficient parameter vector  * = [ * (0, )] is imposed to be the same for all the nodes, which is the same quantity, is available at each node regardless of the network dimension.Furthermore, in order to ensure the asymptotic stability of the system, the formula ( 9) must be satisfied [25], this result ensures that the multinode system will converge to an asymptotically stable state: It is clear that a suitable choice of the template coefficients which determine the behavior of the system must be satisfied, in order to obtain the asymptotic stability of the system.The design problem consists in determining the template coefficients which is still an open issue in current literature [10,33].In the following, we introduce a new methodology for the design of the template coefficients based on LMI.
For the DIDS architecture shown as Figure 2 with  cells, the asymptotic behavior can be written in matrix form as follows: where X, U are vectors of dimension equal to the number  of nodes, while A, B are square real matrices  × .
Proof.In order to compute a static output feedback law  =  that ensures the stability of the system, there exists a matrix  > 0, which makes Corresponding to ( 14), ( 19) can be written as Making congruent transformation for (20), we get Letting  =  2 , we get This completes the proof.
Corresponding to Theorem 4, it is clear that Lyapunov inequality (18) changes into two inequalities containing P > 0 and , when  is fixed.And our aim is to compute a static output feedback law  =  that ensures the stability of the system.There exists a matrix  makes (19) holds.Lemma 3 gives us a solution to determine matrix , , , and .According to this, in the following, we propose a method based on LMI to solve the template parameters.
Step 1. Corresponding to Lemma 2, change the system to specification style structured like (3).
Step 2. Solve inequalities (4) and get the solution matrix  when  reach the minimum value.
Finally, we can get  =  −1 2 .In the following, we first introduce the performances of our local intrusion detection models based on DTCNN, including the ability to handle mixed features and the ability to learn new types of attacks.Then, the performance of our SCCNN-based distributed intrusion detection algorithm is evaluated, such as the effects of parameters on detection performance, the comparison results with other published existing algorithms.

Local Models.
For the local models, the results of handle mixed features are shown as Table 4, when only continuous features or both continuous features and categorical features are used, test on the training and test datasets, respectively.And the percentage of detection rate (%DR) and false alarm rate (%FAR) are chosen to evaluate the performance for anomaly detection.It can be seen that the results obtain by using both continuous and categorical features are more accurate than the results obtained by only using continuous features, which shows the ability of our algorithms to handle mixed features in network connection data.Furthermore, the data set has high dimensionality and contains a lot of irrelevant attributes.After the analysis, we only need to extract the first 10 eigenvectors which can be converted to numeric value as the input principal component (Table 5).
The ability to detect the new types of attacks correctly is an attractive and important characteristic of our DTCNN-based intrusion detection algorithms.Figure 3 show the online processing of the classifier with respect to four types of attack, that is, "neptune, " "satan, " "buffer overflow, " and "multihop, " which belong to the four main categories, respectively.They all appeared before in the training data.
In Figures 3 and 4, the horizontal coordinate indicates the numbers of samples, and the vertical coordinate indicates the class label predicted by the detector for a sample, where  = 1 means that it is correctly classified as a network attack.Corresponding to the four kind of attack,  = 2, 3, 4, 5 means that the sample is mistakenly classified as a normal connection or other type of attack, and  = −1 means that it is correctly classified as a normal connection.It is seen that at the part of processing for four types of attacks, the classifier classifies samples as attacks correctly, and the false alarm rate is low.But the performance of our DTCNN classifier for "buffer overflow" and "multihop" attack which belong to U2R and R2L achieves lower detection rate than other two types of intrusion.Corresponding to the four kind of sample attack, the detection rate are 99.63%,98.89%, 72.73%, and 77.78%.This is mainly due to the few training data sets for "buffer overflow" and "multihop" attack.But this experiment  still shows the effectiveness of the online processing of the algorithm for four type of attacks.
Figure 4 shows the online process of the classifier with respect to four new types of attack, "mailbomb, " "mscan, " "ps, " and "snmpguess" which have not appeared before in the training data.It is seen that for new types of attacks, the proposed DTCNN-based intrusion detection model also can detected the attack accurately.The false alarm rate is low and emerging experiment results have indicated that our DTCNN-based algorithms are also effective for new kinds of attacks.

Global Models. (a)
According to LMI, the coefficients must be chosen as to minimize the quantity | * − | and imposing the stability constraint (17).Table 6 and Figure 5 give us the computation results for various template matrices coefficient values ( = 4).
For different model, it can be derived that the closer the  template coefficients are to the stability condition (8), the smaller is (, ).And in some case, like model 4,  is not exit.Under that condition, it means the system is not stable.Finally, the cell parameters  and  are chosen based on both dynamic and stability considerations, while the  allows customizing the cell output.The desired weighting function was fixed to  = [1.1034,0.7945, 1.1034, 0.7945], and the template coefficients were determined as  0 = −0.3187, 1 = 0.1496,  0 = 0.007, and  1 = 0.256.
(b) The proposed SCCNN-based distributed intrusion detection algorithm is tested with seven nodes.To simulate a distributed intrusion detection environment, neptune, satan, httptunnel, and warezmaster which belong to the four main kinds of attacks in the KDD CUP 99 dataset are used for constructing local detection nodes, and a global model is constructed using the seven local models.Table 7 shows the test datasets used for constructing the global models in the seven nodes.It is seen that the size of the test datasets are comparatively small.Node 1 has not the warezmaster attack samples; Node 2 has not the httptunnel samples; Node 3 has not the satan attack samples; and Node 4 has not the neptune samples.Table 8 show the comparison results by using our algorithm and other traditional methods though DR and FAR.
Overall, it is seen that our DTCNN-based and SCCNNbased algorithm greatly increases the detection rate and decreases the false alarm rate for each model after the local node intrusion detection.Compared with centralized architecture DIDS algorithms, the distributed architecture DIDS algorithms not only gain high DR while keeping low FAR, but also adapt to the local models in online mode.This adaptability is very important for heterogeneous network environment.The detection accuracies of the SCCNN-based algorithms are comparable with the ANN-based algorithm in [12], Signature-based multilayer IDS in [13], and the Dynamic Election algorithm-based in [14].In particular, lower FAR is obtained.The reason for this is that the design processing of SCCNN parameters is based on solving the LMI which come from the equations describing system dynamics that obtains more accurate weights for the global detection model.On the other hand, the computational complexity of our algorithm is relatively low, because the proposed detection approach only

Figure 1 :
Figure 1: The Hierarchical Intrusion Detection model based on DTCNN for local node [10].

Figure 2 :
Figure 2: The DIDS architecture based on the SCCNN paradigm.

Table 1 :
The comparison of current IDS policy.

Table 2 :
The comparison of current DIDS policy.

Table 3 :
The comparison of current machine learning based IDS policy in each detection node.

Table 5 :
The results of handle mixed features.

Table 6 :
The results of various template matrices coefficient values.

Table 7 :
Test datasets in the seven nodes.