=Paper=
{{Paper
|id=Vol-2739/paper_4
|storemode=property
|title=Semantic Models for Network Intrusion Detection
|pdfUrl=https://ceur-ws.org/Vol-2739/paper_4.pdf
|volume=Vol-2739
|authors=Peter Bednár,Martin Sarnovsky,Pavol Halas
|dblpUrl=https://dblp.org/rec/conf/sam-iot/BednarSH20
}}
==Semantic Models for Network Intrusion Detection==
https://ceur-ws.org/Vol-2739/paper_4.pdf
Semantic Models for Network Intrusion Detection
Peter Bednar, Martin Sarnovsky, Pavol Halas
Department of Artificial Inteligence and Cybernetics
Technical University of Kosice
Kosice, Slovakia
{name.surname}@tuke.sk
Abstract—The presented paper describes the design and proposed combined approach. In this chapter we at first define
validation of the hierarchical intrusion detection system (IDS), quantitative evaluation metrics and then summarize the
which combines machine learning approach with the knowledge- performance of the system on the standard benchmark dataset
based methods. As the knowledge model, we have proposed the from the KDD Cup competition.
ontology of network attacks, which allow to us decompose
detection and classification of the existing types of attacks or
formalize detection rules for the new types. Designed IDS was
evaluated on a widely used KDD 99 dataset and compared to II. HIERARCHICAL KNOWLEDGE-BASED INTRUSION DETECTION
similar approaches. SYSTEM
Keywords—ontologies, network security incidents, machine A. Overall system architecture
learning The main objective of the proposed architecture is to
hierarchically decompose detection and classification of the
I. INTRODUCTION intrusions according to the types of the attacks. For the
With the extensive usage of the information and decomposition we have proposed the Network Intrusion
communication technologies the number and variety of the Ontology which main part is formalized as the taxonomy of
security attacks grow. This is also reflected in the growing of attack types. This ontology allows to capture all knowledge
budget invested by companies or public institutions into the related to the known types of the attacks, including the
security. In order to cope with the current situation, the new and description of rare cases which are difficult to detect using the
innovative techniques are applied in order to automatize the machine learning methods.
security management [1]. The main decomposition of the detection and classification
Recently, we can observe two main approaches to the process can be divided into the following phases:
security of the ICT: the first approach is data-oriented, and it is 1. Coarse attack/normal classification - this phase is
based on the application of machine learning techniques to implemented using the machine learning algorithm
proactively achieve the best possible prediction of the new which distinguish normal traffic and attacks. If a
attacks [2][3][4][5]. The second approach is more user-centric network connection is labelled as a normal one, then an
and it is based on the application of knowledge modelling alarm is not raised. Otherwise, the suspicious
techniques in order to model user behavior and ICT environment connection is processed by a set of models to determine
[8][9][10]. the class of attack during the phase 2.
The presented article tries to combine these two approaches 2. Attack class and type prediction—this phase is guided
into a single system, where the domain knowledge about the by the taxonomy of the attacks from the Network
types, effects and severity of the attacks is used to decompose Intrusion Ontology. The system hierarchically processes
intrusion detection task into the classification subtasks which the taxonomy and selects the appropriate model to
can be handled more efficiently with less training data. The classify the instance on a particular level of a class
design of the proposed intrusion detection system is symmetrical hierarchy. The model can be a machine learning model
in the sense that both approaches (machine learning and statistically inferred from the training data, or rule-based
knowledge based) are equal and mutually contribute to address model formalized using the classes and relations from
the challenges of the detection and prevention of the security the ontology.
threats.
3. When a class of attack is predicted, ontology is queried
The rest of this paper is organized as follows: in the for all relevant sub-types of the attack type and to
following chapter we will present hierarchical knowledge model retrieve the suitable model to predict the particular sub-
in the form of the ontology which will be used for the type. Knowledge model can also be used to extract
decomposition of the detection problem and which will provide specific domain-related information as a new attribute,
additional contextual information. Subsequent part describes which could be used either to improve the classifier’s
implemented machine learning models and how these models performance or to provide context, domain-specific
are combined with the knowledge in the ontology. Subsequent information which could complement the predictive
section then presents the experimental evaluation of the model.
Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
25
�The details about the predictive models and their evaluation will system. The main concepts and relations of the ontology are
be presented in the subsequent chapter. represented on the Figure 1.
B. Network Intrusion Ontology The central part of the proposed semantic model is the
The proposed knowledge model captures all essentials taxonomy of Attacks which are summarized in the following
concepts required to describe network intrusion systems. We figure. The taxonomy was extracted from the types of the attacks
have designed our semantic model according to the described in the KDD 99 datasets. Attacks are divided into the
methodology proposed by Grüninger and Fox and with some four main groups such as DOS, R2L, U2R and PROBE. The
extensions from Methodology. main types of the attacks are further specified on the additional
level of the hierarchy.
The designed ontology is formalized using the OWL 2 RL
profile, which allows to formalize common constructs such as
multiple hierarchies and at the same time provides compatibility
with the rule languages for automatic reasoning. As the objective
of the knowledge model was to use it in the data analytical tasks,
the concepts and properties map directly to the data used in the
process. Moreover, ontology was extended with the concepts
related to the classification models, to create the relation
between the particular classifier and its usability on the specific
level of target attribute hierarchy. The main classes of ontology
include:
• Connections - This class represents the status of each
connection record. It specifies Attack connection or
normal traffic. Attack connections are further
conceptualized using the Attack hierarchy described
below.
• Effects - This class contains subclasses that represent all
possible consequences of individual attacks (e.g., slows
down server response, execute commands as root, etc.). Fig. 1. The main concepts of the proposed sematnic model.
• Mechanisms - The subclasses represent all possible
causes of individual ontology attacks (poor environment
sanitation, misconfiguration, etc.).
• Flags - The subclasses represent normal or error states
of individual connections (Established, responder
aborted, Connection attempt was rejected, etc.). Each of
these subclasses has a 1 equivalent instance.
• Protocols - The class contains subclasses that represent
the types of the communication protocols on which the Fig. 2. The hierarchy of Attacks.
connection is running (TCP, UDP, and ICMP).
C. Machine learning models
• Services - The subclasses represent each type of
connection service (http, telnet, etc. ...). Each of these To evaluate the proposed approach, we used the KDD Cup
subclasses has a 1 equivalent instance. 1999 competition dataset, which is a commonly accepted
benchmark for the intrusion detection task. The dataset consists
• Severities - This class represents the severity of the of the records from the device logs in a LAN network collected
attack, its subclasses represent the severity level (weak, over nine weeks. For the evaluation, we have used 10% sample
medium, and high). with the 494,021 records in total. Each record is labeled as the
normal communication or it is assigned to the major attack class
• Targets - The subclasses represent possible targets of a
and specific attack types. There are 22 different attack types
given type of attack (user, network).
which corresponds to the classes in the proposed ontology.
• Models concept covers the classification models used to
The common problem with the diagnostic tasks such as
predict the given target attribute.
intrusion detection systems is that the target attribute (i.e. in our
The instances of the specified classes represent the network case type of the attack) is highly unbalanced with the majority
connections (e.g., connection records from the data set). Trained of normal communication. Table I presents the taxonomy of
and serialized classification models are instantiated as the attack types together with the number of cases in the dataset.
instances of the Model class. The models are represented as the Some attack classes such as Probe are more balanced but
web resources and they could be accessed by their URI property, generally for each attack class we can find some minor types
which points to the location where the model is serialized in the with only the few training examples. The lack of cases is
26
�problematic not only for the training of statistical models but for the classification which were identified in the work of [4].
also for the evaluation. On the other side, rare cases can be still The final list of features includes: service, src_bytes, dst_bytes,
very critical and can in overall a big impact on the security of the logged_in, num_file_creations, srv_diff_host_rate,
system. dst_host_count, dst_host_diff_srv_rate,
dst_host_srv_diff_host_rate, srv_count, serror_rate, rerror_rate,
TABLE I. ATTACK TYPES AND NUMBER OF SAMPLES
Since the data of diagnostic tasks are commonly highly
Attack Attack class # of samples unbalanced towards the normal cases, the proposed approach is
based on the decomposition of the diagnostic classification task
back 2203
into the hierarchy of classifiers. At the top level of the class
land 21 hierarchy, an attack detection model is used for the prediction to
distinguish between the attack connections and normal traffic.
neptune 107,201 The classifier on this level was trained on the whole dataset and
DoS
pod 264 target attribute was transformed to the binary indicator. The
main goal of this top-level classifier is to reliably separate
smurf 280,790 normal connections from the attack ones.
teardrop 979 If the top-level model detects an attack connection, the cases
are further classified by the ensemble models into the one of the
satan 1589
four types of the attack on the second level of the taxonomy
ipsweap 1247 (DoS, R2L, U2R, Probe). In this level, we use ensemble
Probe classifier with voting scheme trained on all attack instances (i.e.
nmap 231 without the normal communication cases). We found that the
portsweep 1040 proposed ensemble model is more efficient in the case of
unbalanced target classes. The standard machine learning
guess_passwd 53 models proposed in the previous works were able to gain good
accuracy, achieved mostly on the dominant class (in our case on
ftp_write 8
KDD 99 dataset, on the most common DoS attack). However,
imap 12 the simple models struggled to predict minor classes such as
U2R, which can be even more serious from the point of view of
phf 4 network security. For example, when training a decision tree
R2L
multihop 7 model, the model has very good performance for the DoS and
R2L classes but missed a significant amount of the Probe attacks
warezmaster 20 and was not able to detect the U2R class at all.
warezclient 1020 Proposed weighting schema is based on the idea of
complementing classifiers which is based on the performance of
spy 2
a particular model on the particular class. This weighting schema
buffer_overflow 30 is presented on the Table II. The wi,j terms represent the weight
associated with the i-th model and j-th class.
loadmodule 9
U2R TABLE II. WEIGHTING SCHEME OF THE ENSEMBLE MODEL
perl 3
rootkit 10 Model DoS R2L U2R Probe
normal Normal 97,227 model 1 w1,1 w2,1 w3,1 w4,1
model 2 w1,2 w2,2 w3,2 w4,2
The records for each connection are described by set of model 3 w1,3 w2,3 w3,3 w4,3
features, which are represented in the ontology as the data ... ... ... ... ...
attributes. The features can be divided into the basic features,
content features and traffic features. Overall there are 32
features. The first group describes the type of the communication After the binary classification and classification of the attack
protocol, duration of the connection, service on the destination class by ensemble weighted classifier, we have trained particular
network node and other standard attributes describing the TCP models to further classify specific type of the attack on the most
connection. Content features are attributes that can be linked to specific level of the taxonomy. Four different models were
the domain specific knowledge depending on the applications trained using only the records of particular attack classes (i.e.
and environment in which communication occurs. The last models for DoS, R2L, U2R and Probe). The most problematic
group of features (traffic) describe the communication attributes was minority U2R class, as the dataset contains very few records
captured during the 2 seconds time window, e.g. the number of of that type. The final implemented classification schema is
hosts communicating with the target host etc. For the data presented on the Figure 3. All models were implemented in the
preprocessing, we have selected only the most relevant features Python environment using the standard pandas and scikit-learn
27
�stack. Predictive models were then persistently stored and the was in fact an attack, etc. The entire system was also evaluated
models URIs (Uniform Resource Locators) were added as the with the number of missed attacks and raised false alarms as
data properties to the knowledge model. FAR metric (False Alarm Rate), which corresponds to the false
positive records divided by total number of normal traffic
records (true negative + false positive).
For the evaluation of the binary classification on the top level
of the taxonomy, we used directly precision and recall metrics.
In the subsequent stages on the more specific levels of taxonomy
we have computed precision and recall for each class and used
macro-averaging for overall evaluation. Additionally, we have
computed multi-class confusion matrix to further investigate the
types of the errors produced by the system.
A. Training and evaluation
Fig. 3. The implemented hierarchical classification schema.
For the binary classification for the attack detection, we used
The main role of the semantic model in the proposed the decision tree classifier. Dataset includes all records and
detection system is to navigate through the target class taxonomy target attribute was transformed to binary indicator
and decompose classification problem to the sub-problems attack/normal traffic. The classifier was trained without the limit
implemented by the particular models for the specific type of for maximum depth with default settings for pruning and gini
attack. The system is implemented using the Python language index as the splitting criterion. We split the dataset randomly to
and RDFlib package which provides integration with the 70/30 training/testing ration. The testing data were also used for
ontology using the SPARQL query interface. When predicting overall evaluation of the entire system. Model for the binary
the unknown connection, system query the ontology using the classification achieved the accuracy 0.9997. The detailed
SPARQL query and retrieve correspondent model for the confusion matrix is presented in the Table III.
particular class of the attacks according to the URL stored in the
TABLE III. PERFORMANCE OF THE BINARY ATTACK CLASSIFICATION
hasTargetAttribute property. Once the classification of the main
type is performed, the system checks in the ontology if there is a Normal Attack Precision Recall
classifier able to process the record further and to detect subtype
of the attack. Normal 29,095 11
0.999 0.999
Besides the hierarchical decomposition of the detection Attack 35 119,066
process, knowledge model provides also additional context
which can be leveraged during the classification and improve
detection of the minor classes. We have mainly extended the For the training of ensemble classifier, we have selected only
context with the potential effect of the attack. Additionally, if the the attack records from the training set. As the base classifiers
models are not reliable enough to predict the concrete attack sub- we have used various configuration of the Naive Bayes and
type, the system can be used to classify attacks at least according Decision Tree models. The experiments proved that the Decision
to the severity which is retrieved from the knowledge model for Tree classifier performed well on the Probe, DoS and R2L
the particular main class of the attack. This could serve as a attacks. On the other hand, for the U2R class model produces
supporting source of information, completing the attach type many false alarms or (depending on pruning) the model was not
classification. able to detect U2R attacks at all. For this reason, we have trained
one-vs-all model just to separate U2R class. We have then
III. EVALUATION combined both types of the models into the ensemble classifier.
For the evaluation, we used the most common metrics The weights of the base classifiers were computed according to
employed in the classification tasks such as recall and precision. the accuracies of the models on the training data. For the
We have also computed confusion matrix for the particular evaluation we have used the same 70/30 dataset split as for the
classes of attacks. The confusion matrices were especially binary classification, but we have further selected only the attack
informative since they record number of correctly and records (since the normal communication is filtered already by
incorrectly classified examples and also the types of the error. the binary classifier). In total, models were trained on 396743
For the binary classification on the top level of the taxonomy records. The confusion matrix of the ensemble classifier is
hierarchy we used standard evaluation metrics: presented on the Table IV.
• Precision: P = TP / (TP + FP) TABLE IV. PERFORMANCE OF THE ENSEMBLE ATTACK CLASSIFICATION
• Recall: R = TP / (TP + FN) Probe U2R DoS R2L Prec. Rec.
where TP, TN, FP, FN are numbers of true positive, true Probe 1279 0 1 0 0.992 0.992
negative, false positive and false negative records (e.g. for true
positive number of records when the predicted attack was in fact U2R 0 15 0 0 1 0.882
attack, false positive when the predicted attack was in fact a DoS 6 0 117,385 0 0.999 0.999
normal traffic, false negative when the predicted normal traffic
28
� R2L 4 2 0 331 0.982 1 model for the detection of the attack class. Overall achieved
performance was 0.999 precision and recall with very good
accuracy for the high and low severity. The Table VIII presents
On the most specific level of the taxonomy, each major the confusion matrix for the severity detection in comparison for
attack class has dedicated one model for the further classification each class of the attack.
of subtypes. The performance of each model was evaluated
using the precision and recall macro-averaged for each subtype. TABLE VIII. CONFUSION MATRIX FOR THE SEVERITY DETECTION
The overall performance of the models is summarized in Table High Low Medium Prec. Recall
V.
DoS 117695 0 0
TABLE V. PERFORMANCE OF THE SUBTYPE CLASSIFICATION
Probe 443 0 779
Probe U2R DoS R2L 0.999 0.999
R2L 0 346 6
Accuracy 0.991 0.937 0.999 0.989
U2R 0 0 20
Precision 0.989 0.927 0.999 0.879
Recall 0.989 0.875 0.999 0.833
Medium severity was biased by our model towards the high
severity which has the similar effect like the higher false positive
rate. Further details and information about the designed model
The overall system with the hierarchical classification was were published in [9].
evaluated using the standard precision, recall F-measure and
FAR (False Alarm Rate) metrics. Comparison of the proposed IV. CONCLUSION AND FUTURE WORK
system and models published in previous works [4][6][7][11] is
presented in Table VI. In this paper we have proposed an approach based on the
combination of knowledge based and machine learning methods
TABLE VI. OVERALL PREFORMANCE OF THE SYSTEM for intrusion detection. The proposed knowledge model in the
form of the ontology is used for the hierarchical decomposition
Classifier Acc. Prec. F1 FAR of the detection process according to the types of the attack. This
decomposition allows to overcome the problems with the
C4.5 0.969 0.947 0.970 0.005
unbalanced training data which are typical for the diagnostic
Random forests 0.964 0.998 0.986 0.025 machine learning tasks. By the leveraging of the domain
knowledge, our combined approach also provides an additional
Forest PA 0.975 0.998 0.998 0.002 context which includes for example the effects and severity of
Ensemble model 0.976 0.998 0.998 0.001 the attacks.
Our approach 0.998 0.998 0.998 0.001 The performance of the proposed IDS is 0.998 in terms of
precision as well as recall and 0.001 in terms of FAR metric,
which on the standard benchmark dataset outperforms other
state-of-the-art methods. Moreover, the proposed method has
Additionally, we have computed confusion matrix, which
also potential to partially detect new emerging types of attacks
summarizes the performance for each attack class. The
in terms of the contextual information stored in the knowledge
confusion matrix is presented in the Table VII.
model.
TABLE VII. CONFUSION MATRIX FOR THE OVERALL PREFORMANCE OF In the future work we plan to extend the role of the
THE SYSTEM
knowledge model by introducing a rule-based classifier which
Probe U2R DoS R2L Normal will be based on the declarative rules and application of
automatic reasoning technique and logical programming. We
Probe 1176 0 5 0 7 hope that this will allow to further improve accuracy for minor
U2R 0 15 0 0 5 classes with the low number of training examples. Additionally,
extended knowledge model will allow to create formalized
DoS 4 0 117547 0 1 knowledge base of the existing cases.
R2L 3 1 0 346 7 ACKNOWLEDGMENT
Normal 1 0 3 1 48454 This work was supported by Slovak Research and
Development Agency under the contract No. APVV-16-0213
and by the VEGA project under grant No. 1/0493/16.
Besides the classification of attack types, we have
implemented and also evaluated the classification of the attack
severity. To train the severity detector we have used 10 % of
KDD 99 dataset with the 70/30 training/testing ratio. The
severity classifier was applied complementary to the ensemble
29
� REFERENCES [6] Sharma, N.; Mukherjee, S. A Novel Multi-Classifier Layered Approach
to Improve Minority Attack Detection in IDS. Procedia Technol. 2012, 6,
913–921.
[1] Park, J. Advances in Future Internet and the Industrial Internet of Things. [7] Ahmim, A.; Ghoualmi Zine, N. A new hierarchical intrusion detection
Symmetry 2019, 11, 244. system based on a binary tree of classifiers. Inf. Comput. Secur. 2015, 23,
[2] Javaid, A.; Niyaz, Q.; Sun, W.; Alam, M. A Deep Learning Approach for 31–57.
Network Intrusion Detection System. In Proceedings of the 9th EAI [8] Abdoli, F.; Kahani, M. Ontology-based distributed intrusion detection
International Conference on Bio-inspired Information and system. In Proceedings of the 2009 14th International CSI Computer
Communications Technologies (formerly BIONETICS), New York, NY, Conference, Tehran, Iran, 20–21 October 2009; pp. 65–70.
USA, 3-5 December 2016.
[9] Sarnovsky, M.; Paralic, J. Hierarchical Intrusion Detection Using
[3] Khan, M.A.; Karim, M.d.R.; Kim, Y. A Scalable and Hybrid Intrusion Machine Learning and Knowledge Model. Symmetry 2020, 12, 203.
Detection System Based on the Convolutional-LSTM Network.
Symmetry 2019, 11, 583. [10] More, S.; Matthews, M.; Joshi, A.; Finin, T. A Knowledge-Based
Approach to Intrusion Detection Modeling. In Proceedings of the 2012
[4] Zhou, Y.; Cheng, G; Jiang, S.; dai, M. An efficient detection system based IEEE Symposium on Security and Privacy Workshops, San Francisco,
on feature selection and ensemble classifier. arXiv 2019, CA, USA, 24–25 May 2012; pp. 75–81.
arXiv:190401352
[11] Özgür, A.; Erdem, H. A review of KDD99 dataset usage in intrusion
[5] Aljawarneh, S.; Aldwairi, M.; Yassein, M.B. Anomaly-based intrusion detection and machine learning between 2010 and 2015. PeerJ Preprints
detection system through feature selection analysis and building hybrid 2016, 4, e1954v1.
efficient model. J. Comput. Sci. 2018, 25, 152–160.
30
�