Jongsub Moon
Korea University
Publication
Featured research published by Jongsub Moon.
Information Sciences | 2007
Taeshik Shon; Jongsub Moon
Zero-day cyber attacks such as worms and spy-ware are becoming increasingly widespread and dangerous. The existing signature-based intrusion detection mechanisms are often not sufficient in detecting these types of attacks. As a result, anomaly intrusion detection methods have been developed to cope with such attacks. Among the variety of anomaly detection approaches, the Support Vector Machine (SVM) is known to be one of the best machine learning algorithms to classify abnormal behaviors. The soft-margin SVM is one of the well-known basic SVM methods using supervised learning. However, it is not appropriate to use the soft-margin SVM method for detecting novel attacks in Internet traffic since it requires pre-acquired learning information for the supervised learning procedure. Such pre-acquired learning information is divided into normal and attack traffic with labels separately. Furthermore, we apply the one-class SVM approach using unsupervised learning for detecting anomalies. This means one-class SVM does not require the labeled information. However, there is a downside to using one-class SVM: it is difficult to use the one-class SVM in the real world, due to its high false positive rate. In this paper, we propose a new SVM approach, named Enhanced SVM, which combines these two methods in order to provide unsupervised learning and low false alarm capability, similar to that of a supervised SVM approach. We use the following additional techniques to improve the performance of the proposed approach (referred to as Anomaly Detector using Enhanced SVM): First, we create a profile of normal packets using Self-Organized Feature Map (SOFM), for SVM learning without pre-existing knowledge. Second, we use a packet filtering scheme based on Passive TCP/IP Fingerprinting (PTF), in order to reject incomplete network traffic that either violates the TCP/IP standard or generation policy inside of well-known platforms. Third, a feature selection technique using a Genetic Algorithm (GA) is used for extracting optimized information from raw internet packets. Fourth, we use the flow of packets based on temporal relationships during data preprocessing, for considering the temporal relationships among the inputs used in SVM learning. Lastly, we demonstrate the effectiveness of the Enhanced SVM approach using the above-mentioned techniques, such as SOFM, PTF, and GA on MIT Lincoln Lab datasets, and a live dataset captured from a real network. The experimental results are verified by m-fold cross validation, and the proposed approach is compared with real world Network Intrusion Detection Systems (NIDS).
Systems, Man and Cybernetics | 2005
Taeshik Shon; Yongdae Kim; Cheolwon Lee; Jongsub Moon
In today's world of computer security, Internet attacks such as DoS/DDoS, worms, and spyware continue to evolve as detection techniques improve. It is not easy, however, to distinguish such new attacks using only knowledge of pre-existing attacks. In this paper the authors focused on machine learning techniques for detecting attacks from Internet anomalies. The machine learning framework consists of two major components: genetic algorithm (GA) for feature selection and support vector machine (SVM) for packet classification. By experiment it is also demonstrated that the proposed framework outperforms currently employed real-world NIDS.
Mathematical and Computer Modelling | 2012
Inyong Lee; Soonki Jeong; Sang-Soo Yeo; Jongsub Moon
SQL injection or SQL insertion attack is a code injection technique that exploits a security vulnerability occurring in the database layer of an application and a service. This is most often found within web pages with dynamic content. This paper proposes a very simple and effective detection method for SQL injection attacks. The method removes the value of an SQL query attribute of web pages when parameters are submitted and then compares it with a predetermined one. This method uses combined static and dynamic analysis. The experiments show that the proposed method is very effective and simpler than any other method.
International Conference on Information and Communication Security | 2003
Taeshik Sohn; Jungtaek Seo; Jongsub Moon
Nowadays, threats to information security have become a big issue in internet environments. Various security solutions are used as countermeasures to such problems: IDS, firewall and VPN. However, the TCP/IP protocol-based Internet basically has a great vulnerability in the protocol itself. It is especially possible to establish a covert channel using TCP/IP header fields such as identification, sequence number, acknowledgement number, timestamp and so on [3]. In this paper, we focus on the covert channels using the identification field of the IP header and the sequence number field of the TCP header. To detect such covert channels, our approach uses a Support Vector Machine, which has excellent performance in pattern classification problems. Our experiments showed that the proposed method could discern the abnormal cases (including covert channels) from normal TCP/IP traffic using a Support Vector Machine.
Dermatology | 2001
Jongsub Moon; Chil Hwan Oh
Background: The elastotic changes of the dermis are thought to be the primary indicator of the cumulative sun exposure of the dermis. The changes of elastotic material have been evaluated by several previous methods, but these did not quantitatively measure the amount of elastic tissue. Objective: The purpose of this study was to quantify dermal elastosis and to assess the significance of sun exposure in the pathogenesis of nonmelanomatous skin tumors such as basal cell carcinoma (BCC), squamous cell carcinoma (SCC) and Bowen’s disease (BD). Methods: Ninety-nine sections from biopsy specimens of histopathologically proven BCC, SCC and BD were stained with Verhoeff-van Gieson stains. We studied the amount of elastotic material adjacent to the tumor by image analysis. Results: There was a 3- to 4-fold increase in the amount of elastotic material in BCC and SCC compared to the sun-exposed skin of normal controls (p < 0.0001). The amount of elastotic material was increased 1.3 times in BD as compared with the nonexposed skins of normal controls (p < 0.01). Conclusion: We demonstrated a quantitative relationship between cumulative solar exposure and skin cancer such as SCC, BCC and BD.
International Symposium on Computer and Information Sciences | 2003
Taeshik Sohn; Jongsub Moon; Sangjin Lee; Dong Hoon Lee; Jongin Lim
ICMP traffic is ubiquitous to almost every TCP/IP-based network. As such, many network devices consider ICMP traffic to be benign and will allow it to pass through, unmolested. So, attackers can generate arbitrary information tunneling in the payload of ICMP packets. To detect an ICMP covert channel, we used SVM, which has excellent performance in pattern classification problems. Our experiments showed that the proposed method could detect the ICMP covert channel from normal ICMP traffic using SVM.
Neurocomputing | 2006
Taeshik Shon; Xeno Kovah; Jongsub Moon
We present a method for applying genetic algorithms to feature selection of TCP/IP packets. The proposed scheme creates an appropriate polynomial equation with weighted coefficients as an objective function for fitness evaluation. The coefficients of the proposed polynomial equation represent the anomaly score of each field. After the evolutionary process is complete, the selected features are used for preprocessing TCP/IP packets before applying TCP/IP packets directly into anomalous detection. To verify the efficiency of the proposed method, various machine learning algorithms were tested with and without a genetic algorithm selecting the optimal fields.
International Symposium on Computer and Information Sciences | 2005
Taeshik Shon; Jungtaek Seo; Jongsub Moon
Due to the increase in unauthorized access and stealing of internet resources, internet security has become a very significant issue. Network anomalies in particular can cause many potential problems, but it is difficult to discern these from normal traffic. In this paper, we focus on a Support Vector Machine (SVM) and a genetic algorithm to detect network anomalous attacks. We first use a genetic algorithm (GA) for choosing proper fields of traffic packets for analysis. Only the selected fields are used, and a time delay processing is applied to SVM for considering temporal relationships among packets. In order to verify our approach, we tested our proposal with the datasets of MIT Lincoln Lab, and then analyzed its performance. Our SVM approach with selected fields showed excellent performance.
International Symposium on Computer and Information Sciences | 2004
Jongsub Moon; Taeshik Shon; Jungtaek Seo; Jongho Kim; Jungwoo Seo
Many solutions have been deployed to prevent harmful effects from spam mail. Typical methods are either pattern matching using keywords or methods using probability, such as the naive Bayesian method. In this paper, we proposed a method for classifying spam mail from normal mail using a support vector machine, which has excellent performance in binary pattern classification problems. In particular, the proposed method efficiently performs a learning procedure with a word dictionary by the n-gram. In conclusion, we showed that our proposed method is superior to others in terms of performance.
Skin Research and Technology | 2009
Seunghan Ha; Minhee Lee; Onseok Lee; Gunwoo Lee; Jeayoung Kim; Jongsub Moon; Mingi Kim; Chil Hwan Oh
Background/aims: The objective and quantitative assessment of the skin is important in medical and cosmeceutical research. Assessment of color is an important element for analyzing the surface of the skin, which is usually determined subjectively by a doctor or using color analysis devices. These devices, however, cannot provide correct color information because color is construed from the mean value of the observation region, and analysis of color distribution is impossible. The purpose of this paper is to develop an objective analysis method to permit skin color measurement of each pixel unit of an image and analyze the distribution of skin surface color.