Feature Selection in Mobile Ad-hoc Network Intrusion Detection System - PowerPoint PPT Presentation

1
Feature Selection in Mobile Ad-hoc Network
Intrusion Detection System
  • Xia Wang, Tu-liang Lin
  • Computer Science Department, Iowa State
    University, Ames, Iowa 50010

2
Contents
  • Motivation
  • Profile based neighbor monitoring intrusion
    detection technique
  • Markov Blanket Discovery
  • Experimental studies
  • Conclusion

3
Motivation
  • Mobile wireless ad-hoc networks (MANETs) are getting
    more popular
  • Securing MANETs is very important
    • Military field operations
  • A MANET is more vulnerable than a wired network
    • No fixed infrastructure
    • Shared open media
    • Dynamic topology

4
Intrusion detection system
  • An intrusion detection system analyzes network or
    system activities captured in audit data and uses
    patterns of well-known attacks or a normal profile
    to detect potential attacks
  • Two different analysis methods
    • Misuse detection uses signatures of well-known
      attacks to match activity as an attack instance
    • Anomaly detection filters out system
      behaviors that deviate from the profile

5
Profile based neighbor monitoring intrusion
detection technique (1)
  • Each node keeps a profile for its neighbors; for
    instance, node 6 keeps a profile for nodes 1, 2, 3, 4, 5 and 7
  • The profile is used as a threshold to detect
    intrusions

[Figure: example topology with nodes 1 to 8]

6
Profile based neighbor monitoring intrusion
detection technique (2)
Traffic Related Features

| Dimension | Values |
|---|---|
| Packet type | Data, route (all), ROUTE REQUEST, ROUTE REPLY, ROUTE ERROR and HELLO message |
| Flow direction | Received, sent, forwarded and dropped |
| Sampling periods | 5 seconds, 60 seconds and 900 seconds |
| Statistics measures | Count the average and standard deviation of the number of packets or the size of data packets |

  • Total number of features: $(7 \times 4 - 3) \times 3 = 75$
    /sampling period
  • Too many features could cause memory explosion.
  • Consider feature selection --- Markov Blanket
    Algorithm

7
D-Separation rule
  • Look at all paths between X and Y given E
  • (D1) $X \to Z \to Y$: if $Z \in E$, blocked.
  • (D2) $X \leftarrow Z \to Y$: if $Z \in E$, blocked.
  • (D3) $X \to Z \leftarrow Y$: if $Z \in E$ or any descendant $D \in E$, opened.
  • If all paths between X and Y are blocked, X and Y
    are independent given E

8
Markov Blanket
  • Three types of paths
    • Upward paths
      • Blocked by parents
      • D1, D2 (given X's parents)

9
Markov Blanket
  • Three types of paths
    • Upward paths
      • Blocked by parents
      • D1, D2 (given X's parents)
    • Downward paths
      • Blocked by children
      • D1, D2 (given X's children)

10
Markov Blanket
  • Three types of paths
    • Upward paths
      • Blocked by parents
      • D1, D2 (given X's parents)
    • Downward paths
      • Blocked by children
      • D1, D2 (given X's children)
    • Sideway paths
      • Blocked by spouses
      • D3 (given X's children)
      • D1, D2 (given X's children's parents)

11
Markov Blanket
  • $G(V, E)$
  • $P(X \mid V) = P(X \mid MB(X))$
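
The D-separation rule and the Markov blanket definition from the slides above, as an added example that is not part of the original presentation. The DAG and its node names (G, P, S, X, C, D, T) are constructed for illustration, and the d-separation test uses the standard moralized ancestral graph method, which is equivalent to checking D1 to D3 on every path.

```python
from itertools import combinations

# Constructed DAG as node -> parents; not the network learned in the slides.
DAG = {"G": [], "P": ["G"], "S": [], "X": ["P"],
       "C": ["X", "S"], "D": ["C"], "T": ["S"]}

def markov_blanket(dag, x):
    """Parents, children and the children's other parents (spouses) of x."""
    kids = {n for n, ps in dag.items() if x in ps}
    spouses = {p for k in kids for p in dag[k]} - {x}
    return set(dag[x]) | kids | spouses

def ancestral_set(dag, nodes):
    """The given nodes plus all of their ancestors."""
    seen, stack = set(), list(nodes)
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(dag[n])
    return seen

def d_separated(dag, x, y, given):
    """True when every path between x and y is blocked given `given`."""
    given = set(given)
    keep = ancestral_set(dag, {x, y} | given)
    # Moralize the ancestral graph: parent-child edges plus edges between
    # co-parents, all undirected.
    adj = {n: set() for n in keep}
    for n in keep:
        links = [(n, p) for p in dag[n]] + list(combinations(dag[n], 2))
        for u, v in links:
            adj[u].add(v)
            adj[v].add(u)
    # x and y are d-separated iff no route avoids the conditioned nodes.
    seen, stack = set(), [x]
    while stack:
        n = stack.pop()
        if n == y:
            return False
        if n not in seen and n not in given:
            seen.add(n)
            stack.extend(adj[n])
    return True

def blanket_shields(dag, x):
    """Check that x is d-separated from every other node given MB(x)."""
    mb = markov_blanket(dag, x)
    return all(d_separated(dag, x, y, mb) for y in set(dag) - mb - {x})
```

In this DAG, X and S are independent with nothing observed, but conditioning on their common child C or on C's descendant D opens the path (rule D3), which is why spouses belong in the blanket.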

12
Learn Bayesian Network Structure
  • Constraint-based approach
    • Infer dependence and independence relationships
      from data (Spirtes et al., 1993)
  • Score-based approach
    • Bayesian measure (Cooper and Herskovits, 1992)
      • Calculate the maximum likelihood of $P(B_s \mid D)$
    • Minimum description length (MDL)
      measure (Bouckaert, 1994)
      • Ockham's principle
      • Punish a network structure which is too complex.
      • $L(B_s, D) = \log P(B_s) - N\,H(B_s, D) - \tfrac{1}{2} K \log N$
      • where K
      • and $H(B_s, D)$

13
MDL Score (Example)
a b
0 0
0 0
0 0
0 1
1 0
1 0
1 1
1 1
  • $K = 2(2-1) + (2-1)$
  • Sum of the size of conditional probability tables
    of all nodes

14
MDL Score (Example)
a Count
0 4
1 4

a b Count
0 0 3
0 1 1
1 0 2
1 1 2

a b
0 0
0 0
0 0
0 1
1 0
1 0
1 1
1 1
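  • $H(B_s, D) = -\tfrac{3}{8}\log\tfrac{3}{4} - \tfrac{1}{8}\log\tfrac{1}{4} - \tfrac{2}{8}\log\tfrac{2}{4} - \tfrac{2}{8}\log\tfrac{2}{4} - \tfrac{4}{8}\log\tfrac{4}{8} - \tfrac{4}{8}\log\tfrac{4}{8}$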
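
The MDL score of the slides' two-variable example carried through in code, as an added example that is not part of the original presentation. It assumes natural logarithms and a uniform structure prior (log P(Bs) taken as 0), neither of which the slides state; the entropy term follows the arithmetic shown in the worked example, and the function and variable names are illustrative.

```python
from collections import Counter
from math import log

# The eight (a, b) records from the slides' example table.
DATA = [(0, 0)] * 3 + [(0, 1)] + [(1, 0)] * 2 + [(1, 1)] * 2
COLUMNS = {"a": 0, "b": 1}

# Candidate structures as node -> parents. "a -> b" is the slides' network;
# "no edge" is added here for comparison.
CANDIDATES = {
    "a -> b": {"a": [], "b": ["a"]},
    "no edge": {"a": [], "b": []},
}

def mdl_score(data, parents, log_prior=0.0):
    """Return (L, H, K) with L = log P(Bs) - N*H(Bs,D) - (1/2)*K*log N."""
    n = len(data)
    entropy, k = 0.0, 0
    for node, pars in parents.items():
        col = COLUMNS[node]
        par_cols = [COLUMNS[p] for p in pars]
        joint = Counter((tuple(r[c] for c in par_cols), r[col]) for r in data)
        par_counts = Counter(tuple(r[c] for c in par_cols) for r in data)
        # Entropy term: -(N_ijk / N) * log(N_ijk / N_ij) per observed cell.
        for (cfg, _value), n_ijk in joint.items():
            entropy -= n_ijk / n * log(n_ijk / par_counts[cfg])
        # Complexity term: parent configurations times (node states - 1).
        q_i = 1
        for c in par_cols:
            q_i *= len({r[c] for r in data})
        k += q_i * (len({r[col] for r in data}) - 1)
    return log_prior - n * entropy - 0.5 * k * log(n), entropy, k

def rank_structures(data, candidates):
    """Candidate names with their MDL scores, best (maximum) first."""
    scored = [(name, mdl_score(data, s)[0]) for name, s in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)
```

On these eight records the edge a -> b lowers the entropy only slightly (about 1.321 against 1.355) while raising K from 2 to 3, so under these assumptions the structure without the edge gets the higher score.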

15
Search for best network structure
  • We treat MDL score of a network structure as a
    heuristic value of a search algorithm.
  • Use a random hill-climbing search algorithm.
  • Run the random hill-climbing search algorithm
    several times.
  • Pick the output network structure which has the
    maximum MDL score among all local maxima.

16
Experiment
  • Our program takes the simulation data collected
    from one node and infers the best Bayesian network
    structure from the data (the one with the maximum
    MDL score among several local maxima).
  • The Markov blanket is then inferred from the best
    Bayesian network structure.

17
Experiment result
| Features | MDL Score |
|---|---|
| DataFrwd, NBRREQRecv, NBDataSend, NBRREQDrop | -1614 |
| DataFrwd, NBRERRFrwd | -1932 |
| NBDataFrwd, NBRREQDrop | -2066 |
| DataFrwd, NBRREPDrop | -2063 |
| NBDataFrwd, DataRecv, NBHELLOSend | -1890 |

18
Result Verification
  • Use Weka, a machine learning software package, to
    verify the result.
  • Choose two learning algorithms, decision tree and
    Bayes net.
  • For each algorithm, construct two classifiers:
    one uses all the attributes and the other
    uses only the four selected attributes.
  • Conduct 10-fold cross-validation using these four
    classifiers on the simulation data collected by
    every node.

19
Verification results
Classifier accuracy, by the node from which the simulation data were collected

| Node | Decision tree, all features | Decision tree, only four selected features | Bayes Net, all features | Bayes Net, only four selected features |
|---|---|---|---|---|
| 1 | 96.3235 | 94.8529 | 99.2647 | 98.5294 |
| 2 | 97.3684 | 96.3158 | 92.6316 | 96.3158 |
| 3 | 98.5714 | 98.5714 | 98.5714 | 98.5714 |
| 4 | 100 | 100 | 100 | 100 |
| 5 | 97.3684 | 94.2105 | 99.4737 | 94.2105 |
| 6 | 97.861 | 89.8396 | 91.9786 | 94.6524 |
| 7 | 100 | 96.6851 | 98.3425 | 96.6851 |
| 8 | 99.4764 | 99.4764 | 99.4764 | 99.4764 |
| 9 | 99.4048 | 99.4048 | 99.4048 | 99.4048 |

20
Conclusion and future work
  • Conclusion
    • We described a profile based neighbor monitoring
      intrusion detection approach in MANET
    • We applied Markov blanket discovery to feature
      selection.
    • The experimental results are quite promising.
  • Future work
    • Markov blanket discovery using the
      constraint-based approach, such as the Grow-Shrink
      Markov blanket algorithm
    • Feature selection on all network features.