Multivariate correlation analysis and geometric linear similarity for real-time intrusion detection systems

2.1 Statistical methods

Statistical-based anomaly detection methods [27-29] compute some statistical measures of normal observations like mean and variance to build the normal profile, and they check whether the test observations significantly deviate from the normal one. The main advantage of statistical-based approaches is that there is no need for knowledge of attacks beforehand. It has been proven that most of the statistical-based approaches can ensure real-time detection [7]. However, the hypothesis of quasi-stationary process, which is adopted by the statistical-based methods, does not always hold true. In addition, setting a threshold for deviations, and which does not incur high false alarms or low detection, is a difficult task. Statistical-based methods can further be classified into the following approaches:

1. Univariate model: It considers the features as independent Gaussian random variables.
2. Multivariate model: It considers the correlations between two or more features. This model is useful when two or more features are related.
3. Time series model: It identifies abnormal activities by considering their time occurrences. An activity is considered abnormal if the probability of its occurrence is low.

2.2 Knowledge-based methods

The knowledge-based methods [30] use a set of rules, manually created by a human expert, to define the normal behavior of the system. The specification rules can also be derived using some formal tools like automata, expert systems, and Petri nets approaches. However, this approach requires long time to construct complex knowledge.

2.3 Data mining-based methods

Data mining-based methods attempt to derive a reduced amount of data for comparison with test data [7]. Data mining-based methods can further be divided into clustering and classification approaches.

2.4 Machine learning-based methods

Machine learning method builds a model that adapts its performance based on previous observations. The machine learning methods can further be divided into the following approaches:

1. Bayesian networks [34];
2. Neural networks [35-39];
3. Fuzzy logic [40-42];
4. Genetic algorithms [43];
5. Support vector machine (SVM) [44].

The main characteristic of these approaches is to label data in order to learn the behavior model. However, this operation requires high resource consumption.

2.5 Discussion

Based on some comparative studies, Table 1 summarizes the main advantages and disadvantages of the anomaly-based IDS approaches presented earlier. The approaches are also compared in terms of usage frequency, which is the frequency of performing the detection process. Here, we distinguish two types: batch (periodic analysis) and real time (continuous analysis).

The main advantage of knowledge-based IDS is that they are robust, flexible, and scalable [23]. Their main drawback is that the generation of knowledge-based model is difficult and time consuming. In addition, expert systems require intensive computations when the size of the rule set increases, and hence, the IDS becomes slower and eventually becomes unsuitable for real-time detection.

Data mining-based IDSs are fast during the detection phase. They (and also machine learning-based IDSs) have the ability to adapt to changes as a new information is acquired. Because this adaptation incurs high computational cost, the methods are considered batch detection.

Statistical-based IDSs require no prior knowledge on attacks, and hence, they are appropriate for real-time detection. Some approaches [45, 46] have shown an acceptable performance in real traffic scenarios. However, the unrealistic hypothesis of a quasi-stationary network flow prevents the statistical-based IDSs from adapting to normal changes. In this category, the multivariate models are a good choice because they can achieve better detection rate with less false-alarm rate as compared with other statistical-based models. Experiments have shown that better results can be produced by combining the features rather than individually. For the previous reasons, we adopt in this paper the multivariate model for the anomaly-based IDSs.

4.1 Training dataset model

Let P be a set of object profiles. These profiles are defined by n features (s₁,s₂,…,s_n). The training dataset D is defined as a set of N profiles, denoted by Z, collected during the training phase. The training dataset is denoted by a matrix A = [a_ij], where a_ij is the number of times that a feature s_i in profile Z_j occurs.

As in [74], an information retrieval (IR) vector is used to represent the set of profiles. A profile is represented in IR as a binary (0-1) vector. The value 1 means that the feature has occurred in the profile, and 0 means that the feature has never occurred in the profile. We, thus, define a matrix B = [b_ij], where b_ij=1, if the ith feature s_i is present in the jth profile Z_j, and b_ij=0, otherwise.

4.2 Background on similarity and dissimilarity measures

A similarity measure [75], denoted by Sim, is a function: P×P→R, which satisfies the following properties:

• (P1) ∀x,y∈P:Sim(x,y)≥0
• (P2) ∀x,y∈P:Sim(x,x) = Sim(y,y)≥Sim(x,y)
• (P3) ∀x,y∈P:Sim(x,y) = Sim(y,x)

Likewise, a dissimilarity measure [75] (also known as distance), denoted by Dis, is a function: P×P→R, which satisfies the following properties:

• (P4) ∀x,y∈P:Dis(x,y)≥0
• (P5) ∀x,y∈P:Dis(x,x) = 0
• (P6) ∀x,y∈P:Dis(x,y) = Dis(y,x)

Typically, a similarity measure can be converted to serve as the dissimilarity measure and vice versa. In general, any monotonically decreasing function can be applied to convert similarity measures into dissimilarity measures, and any monotonically increasing function can be applied to convert the measures the other way around. The similarity (dissimilarity) measures can be classified as feature based and distance based.

In the feature-based category, we find the binary similarity (known also as Jaccard similarity) [75]. The binary similarity measure between the two profiles, Z_j and Z_k, is calculated as follows:

μZj,Zk=∑inbij∧bik∑inbij∨bik

It can also be written as: aa+b+c, where

• a: the number of shared features between Z_j and Z_k;
• b: the number of features belonging to Z_j and not to Z_k;
• c: the number of features belonging to Z_k and not to Z_j.

As 0≤μ(Z_j,Z_k)≤1, the Jaccard dissimilarity, denoted by μ(Z_j,Z_k)_d , is obtained by subtracting the Jaccard similarity from 1. Formally, μ(Z_j,Z_k)_d=1 − μ(Z_j,Z_k).

In the distance-based category, we find the following dissimilarity measures:

1. Euclidean distance:
   DisZj,Zk=∑i=1naij−aik2
2. Minkowski distance:
   DisZj,Zk=∑i=1naij−aikλ1λ
3. Chebychev distance:
   DisZj,Zk=maxi=1,⋯,naij−aik
4. Manhattan distance:
   DisZj,Zk=∑i=1naij−aik

The previous distances and their corresponding similarity measures can be related via an exponential function [76, 77]. Formally, Sim(a,b) = e^−Dis(a,b).

4.3 Basic idea

The basic idea of our new similarity measure is that the two profiles are similar with respect to feature C if

1. They both have C in common, or
2. Neither of them has C.

Also, the two profiles are dissimilar with respect to a characteristic C if only one of them has C.

4.4 Problem formulation

We formally define the binary atomic similarity (dissimilarity) measure between the two profiles, Z_j and Z_k, with respect to a characteristic s_i by using the XNOR (resp., XOR) logic operation as follows:

bijXNORbik=1ifbij=bik,0otherwisebij⊕bik=1ifbij≠bik,0otherwise

It is obvious that the binary atomic similarity is property based, and there is a need to represent the value associated with the characteristic, that is, bij=bik⇏aij=aik. Also, the XOR operation has its limitations as it cannot be used to measure the dissimilarity between the two profiles, especially the case when b_ij=b_ik=1 and a_ij≠0∧a_ik≠0. To address this issue, we propose a new similarity measure, named quantitative atomic similarity(resp., dissimilarity), denoted by Sim (resp., Dis), in which the elements of matrix A are used and the XOR operation is replaced by the OR operation.

Formally, the similarity (resp., dissimilarity) measure between the two profiles is as follows:

SimZj,Zk=∑i=1nQSaij,aik×bijXNORbik, where

QS(a,b)=1ifa=bmin(a,b)max(a,b)else

DisZj,Zk=∑i=1nQDaij,aik×bij∨bik, where

QD(a,b)=0ifa=bmax(a,b)−min(a,b)max(a,b)else

It is easy to show that our proposed similarity (resp., dissimilarity) measure satisfies the properties (P1), (P2), and (P3) (resp., (P4), (P5), and (P6)).

It is obvious from the definition of Sim and Dis that Sim(x,y)≥0 and Dis(x,y)≥0. As all the elements of matrix A are nonnegative, (P1) and (P4) hold true.

Property (P2) is satisfied as Sim(x,x)=Sim(y,y)=∑i=1n1=n.

Property (P5) is satisfied as Dis(x,x)=∑i=1n0=0.

As min(a,b) = min(b,a),max(a,b) = max(b,a), and ⊕ and ∨ are symmetric operations, P(3) and P(6) hold true.

We prove that the similarity and dissimilarity measures can be combined to yield the following theorem:

Proof.

SimZj,Zk=∑bij=bikQSaij,aik×bijXNORbik+∑bij≠bikQSaij,aik×bijXNORbik=∑bij=bikQSaij,aik+∑bij≠bik0=∑bij=bik∧aij=aik1+∑bij=bik∧aij≠aikminaij,aikmaxaij,aik+∑bij≠bik0

DisZj,Zk=∑bij=bikQDaij,aik×bij∨bik+∑bij≠bikQDaij,aik×bij∨bik=∑bij=bikQDaij,aik+∑bij≠bikQDaij,aik

(b_ij≠b_ik)⇒(a_ij≠0∨a_ik≠0)⇒a_ij≠a_ik. Then, ∑bij≠bikQDaij,aik=∑bij≠bik1

DisZj,Zk=∑bij=bik∧aij=aikQDaij,aik+∑bij=bik∧aij≠aikQDaij,aik+∑bij≠bik1

Dis(Z_j,Z_k) can also be written as follows:

∑bij=bik∧aij=aik0+∑bij=bik∧aij≠aikmaxaij,aik−minaij,aikmaxaij,aik+∑bij≠bik1

SimZj,Zk+DisZj,Zk=∑bij=bik∧aij=aik1+∑bij=bik∧aij≠aik1+∑bij≠bik1=n

□

Thus, Theorem 1 is proven. From Properties (P1), (P4), and Theorem 1, it is obvious that Sim(a,b)≤n and Dis(a,b)≤n and both are related via a geometric linear function. Figure 2 shows the graphic representation of the relation between similarity and dissimilarity measures. The two measures between any two profiles can form a two-dimensional point that lies on the line y = n − x.

4.5 Comparison of similarity measures

In the following, we compare between the geometric linear similarity (resp., dissimilarity) measure and the other measures proposed in the literature.

4.5.3 Geometric linear similarity versus symmetric radial basis function

The kernel similarity measure smooth radial basis function (SRBF) is defined as follows:

Sim(Z,A)=exp−12||Z−A||2/||A||

where ||.|| is the Euclidean norm. The first problem with SRBF is that it cannot measure the similarity between vectors composed only of null values. In addition, it suffers from the same issue as the distance-based measure, that is, the similarity between vectors, which are totally different from each other, is different from 0. The following example in Table 3 clearly explains this issue.

Table 3. Comparison between geometric linear similarity and symmetric radial basis function.

P1	P2	Ls(P1,P2)	SRBF
(1,1,1,1)	(1,1,1,1)	4	1
(1,1,1,1)	(1,1,1,0)	3	0.84
(1,1,1,1)	(1,1,0,0)	2	0.71
(1,1,1,1)	(1,0,0,0)	1	0.60
(1,1,1,1)	(0,0,0,0)	0	0.51

5.1 Framework of normal behavioral graph model

The framework of the NBG approach, as illustrated in Figure 3, is composed of two phases: offline training phase and online detection phase. In the offline phase, a labeled training dataset is partitioned into normal and attack datasets. From each resulted dataset, we compute its corresponding correlation matrix, which is used to generate a graph of correlated low-level features. The two resulted graphs are combined to generate the NBG. In the online detection phase, the data packets captured during each x seconds are combined into one data record. We only extract from the data record the low-level features that compose the NBG. Then, we compute the high-level features that will be used as an input for the NBG. The NBG will examine whether the input values correspond to a normal connection or an attack.

5.2 Training phase: generation of normal behavioral graph

In the training phase, we investigate the associations between features. We are interested in identifying the degree of correlation between those features, that is, the correlation coefficient. First, we show that a correlation matrix is constructed from a dataset. Because we consider all observations from the training dataset, we refer to Pearson's correlation coefficient when applied to a population as the population correlation coefficient. We use the formula:

ρ(X,Y)=COV(X,Y)σXσY=Ex−μXy−μYσXσY(1)

If ρ(X,Y) = 1, then X and Y have a linear correlation. If 0.7≤ρ(X,Y) < 1, then X and Y have a strong linear correlation. If 0.5≤ρ(X,Y) < 0.7, then X and Y have a modest linear correlation. Finally, with 0≤ρ(X,Y) < 0.5, X and Y are said to have a weak linear correlation.

In our notation, we consider the set of all features F=Fi,i=1,…,n. For each pair of features (F_i,F_j), we calculate ρ(F_i,F_j). Then, we construct Ω^[N], a n × n correlation matrix, where Ωij∈R.

Ωij=ρFi,Fj

and −1≤Ω_ij≤+1.

In addition to these developments, we select only significant features, that is, those association of features with p-value < 0.05. The p-value is a probability used to show if a correlation exists between two features.

Ω=Ω11Ω12…Ω1nΩ21Ω22…Ω2n⋮⋮⋱⋮Ωn1Ωn2…Ωnn

Then, we derive a graph G = (V,E,w) from matrix Ω, defined as

• V={v₁…v_n}, the set of vertices (features) where |V|=n;
• E={(v_i,v_j),whereΩ_ij≠0,w_ij=Ω_ijand|E|=m}.

We consider that the dataset is composed of normal and abnormal connections, and hence, the dataset is partitioned into two partitions (or clusters): normal dataset and abnormal dataset. We apply the previous calculations on the two datasets separately to generate two matrices: Ω^[N] and Ω^[A]. We also generate their corresponding graphs G^[N]=(V,E^[N],w^[N]) and G^[A]=(V,E^[A],w^[A]).

We define a composition operation ⊙ that creates a new graph G^[C] from the two graphs. Formally, G^[C]=G^[N]⊙G^[A] is defined as follows:

• EC=vi,vj,whereΩijA−ΩijN>Th[C],EC=M;
• V^[C]={x∈V:∃y∈V(x,y)∈E^[C]};
• wijC=maxΩijN,ΩijA.

G^[C] is composed of strongly connected subgraphs, in the sense that if a subset of features is strongly correlated, then the subgraph associated with this subset of nodes will be strongly connected. A clique, or complete graph, is formed when each pair of this subset is forming a strong association.

For example, suppose that we have four network features, namely F₁,F₂,F₃, and F₄. The correlation coefficient matrices Ω^[N] and Ω^[A] between these features are

Ω[N]=10.9340.9920.2510.93410.2430.8120.9920.24310.3470.2510.8120.3471

Ω[A]=10.1570.9450.2480.15710.9780.7920.9450.97810.3010.2480.7920.3011

According to the correlation matrices, we generate the graph G^[C], as shown in Figure 4.

Then, for each edge (F_i,F_j)∈G^[C], we compute a high-level feature using a function H^ij. Formally, HF_k=H^ij(F_i,F_j), where k=1,…,M. The methodology to choose H^ij is described as follows:

• If F_i and F_j are originally taken from G^[N], we choose a function H^ij in a way that maximizes (resp., minimizes) HF_k when a normal (resp., abnormal) connection occurs.
• If F_i and F_j are originally taken from G^[A], we choose a function H^ij in a way that maximizes (resp., minimizes) HF_k when an abnormal (resp., normal) connection occurs.

Then, we define a reference vector HFref=HF1ref,…,HFMref that represents normal behavior as follows:

HFkref=maxHijFi,FjifFiandFjareoriginally taken fromGNminHijFi,Fjotherwise

5.3 Detection phase

To check whether a profile Z is normal or anomalous, we first convert Z of n features to a vector Z^HF of M elements: HF1,…,M, such that each element is a high-level feature computed from the low-level features of Z. Then, we carry out the following pseudo-code depicted in Algorithm 1.

6.1 Discussion of dataset accuracy

To assess the efficiency of an IDS, it is required to test it with a dataset. There are two ways to obtain a labeled dataset: (i) use the available public labeled datasets like DARPA [78], KDD99 [79], and NSL-KDD [22] or (ii) build a new dataset from real-network traffic.

Collecting data from real networks raises concerns about its accurate classification and labeling. Anomaly-based IDSs generally needs training with attack-free data. Nevertheless, the data collected from real networks might not satisfy this requirement. Shafi and Abbas [80] have described a methodology to generate a customized labeled dataset. The dataset is composed of background traffic obtained from a real network and attack traffic obtained through simulation. To label the background traffic, Snort IDS is executed. The authors have acknowledged that this methodology might falsely label a normal connection as an attack. Spathoulas et al., [81] have also criticized the use of datasets obtained from real-network traffic and argued that it can create a lot of ambiguity as it is not possible to distinguish with certainty between normal and attack traffic. As network traffic can never be fully accurate because the attacks are more and more sophisticated and stealthy, it can be concluded then that there is no methodology that can accurately label network connections as legitimate or intrusion, and if such an accurate methodology exists, it means that this methodology itself is an IDS.

On the other hand, the available public labeled datasets like DARPA, KDD99, and NSL-KDD have been widely used by research community [82, 83]. However, some studies have pointed out some drawbacks of DARPA and KDD99. One of the drawbacks is the presence of simulation artifacts in DARPA dataset. These artifacts could exist as well in the KDD99 datasets. Although these critics, Thomas et al., [84], have given the following supporting reasons for the use of DARPA dataset,

• Brugger and Chow in [85], while analyzing DARPA 1998, concluded that it is possible, with the means of sophisticated IDS, to reach good rate of false positive detection on the DARPA IDS dataset.
• On the other hand, Mahoney and Chan in [83] argued that there is a sort of ‘positive relationship’ between the use of an IDS on DARPA dataset and that on real data. They claimed that any IDS not performing well on DARPA dataset would not perform well on real data with regard to attack detection.
• Labeling the network connections with raw data is not 100% accurate.

Researchers have wildly used KDD99 [79], which is a labeled dataset, to assess new methods for anomaly detection. This dataset is a subset of the DARPA98 IDS evaluation program [78]. NSL-KDD is a reduced and cleansed version of the original KDD99 dataset [79]. NSL-KDD solves the following problems of the original KDD99 dataset:

• It eliminates redundancies from the original data in order to avoid any possibility of bias.
• The test dataset does not contain duplicate records. Hence, the performance of the IDS is not biased toward redundant records.

Ibrahim et al., [86] have evaluated the performance of an IDS using KDD99 and NSL-KDD. Their results have shown that detection rate is 92.37% for KDD99 and 75.49% for NSL-KDD. This indicates that KDD99, which has redundant records, produces questionable and inaccurate results.

For these reasons, NSL-KDD is used in this work. To the best of our knowledge, our work is the first multivariate IDS tested under NSL-KDD. In NSL-KDD, there are 41 features for each connection. A connection is a group of sequential packets collected over a time window of 2 s. Detailed description about these features can be found in [87].

In this work, we aim at detecting DOS attacks. The DOS attacks, as defined in the dataset, are divided into six types: Teardrop, Smurf, Pod, Neptune, Land, and Back. Table 4 shows the number of normal and DOS records in the training dataset.

According to the normal and the abnormal datasets in NSL-KDD, we generate G^[C] as explained in section 5. To increase the accuracy detection of a specific DOS attack, for example, Teardrop or Smurf, we perform the following operations:

1. Extract the corresponding attack (e.g., Teardrop) from the abnormal dataset.
2. Calculate its corresponding correlation matrix Ω^[T].
3. Calculate its corresponding graph G^[T].
4. Calculate G^{[N − T]}=G^[N]⊙G^[T].
5. Add G^{[N − T]} to G^[C].

G^[C] resulted from the previous operations is depicted in Figure 5. It is composed of 15 low-level features, which are used to generate 20 high-level features.

6.2 Accuracy evaluation

We assess the accuracy of NBG under NSL-KDD, using the following two metrics:

• Detection rate: The percentage of attack connections detected by the IDS to the total number of connection attacks.
• False positive rate: The percentage of normal connections that are misclassified as attacks to the total number of normal connections.

Table 5 shows the performance of our multivariate IDS in terms of detection rate of attacks and normal connections under different values of thresholds. We vary the threshold from 1 to 2.5 with an increment of 0.5. The overall detection rate of all DOS attacks ranges between 99.08% and 83.53%. The detection rate of normal connections rises sharply from 63.53% to 98.45% along with the increase of the threshold. The Land and Pod attacks are completely detected in all the cases. As for Neptune, our IDS achieves a detection rate as close as possible to 100% (between 99.69% and 100%). Our IDS also suffers from a slight decline in detecting Back and Teardrop attacks when the threshold reaches 2, but it still manages to detect approximately 80% of the Back attacks and 83% of the Teardrop attacks. As for Smurf, there is a drastic decrease from 100% to 27.36% when the threshold is 2. This can be explained that the features generated in the G^[C] are mostly dominated by the Neptune attack, which consists of 89.73% of the total DOS records in the training dataset.

To better understand the tradeoff offered by the proposed IDS, the results given in Table 5 are plotted as a receiver operating characteristic (ROC) curve in Figures 6 and 7. To measure the performance of IDSs, the ROC curve is obtained by plotting a pair of coordinates (X,Y) such that X is the false positive rate and Y is the detection rate. The two metrics change in relation to each other as a threshold varies. A better ROC curve has y-values, which grow at a faster rate than its x-value. ROC curve is better to be near the upper left-hand corner (or the point of perfection at (0,1)), at the very best; that is, the further to the top left, the better. Figure 6 shows the ROC curve for all the DOS attacks, and Figure 7 shows the ROC curve for each attack, separately. To detect all DOS attacks, we can consider that the best tradeoff between detection rate and false positive rate, which is ensured by our multivariate IDS, is when the threshold is 2. We can draw the same observation in the case of Back and Teardrop attacks. As for Land, Pod, and Neptune attacks, the perfect configuration setting is when the threshold is 2, as a detection rate of (or very close to) 100% is achieved while keeping the lowest false positive. As for Smurf, we have to tolerate relatively a high false positive rate of 36.47% if high detection rate is a requirement of high priority.

To further assess the accuracy of our IDS, we perform two comparison studies: one study compares NBG with two statistical-based IDSs, which are EDM multivariate correlation analysis-based IDS and CFS IDS. The other one compares NBG with other data mining and machine learning-based IDSs presented in section 3.

6.3 Running time evaluation

In this section, the IDSs are evaluated in terms of the following two metrics:

• Training time: The required time to train the classifier or build the normal profile model.
• Detecting time: The required time to decide whether a connection is normal or anomalous. Some parameters, which are used to compute the detection time under online detection, are not considered under offline dataset. For instance, there is no need to compute the time of data acquisition (i.e., collecting raw data packets over a time window) and the time of preprocessing (i.e., converting the raw data connections into feature vectors) as the offline dataset is already formatted as feature vectors.

It is not easy to fairly compare between the IDSs in terms of running time as the latter is not usually reported in research studies. Also, the experimental settings, under which the tests are carried out, are unknown. In some cases, there is considerable divergence from one test to another one. The obvious case is SVM, which incurred a training time of 267.22 s in [54] and 4.231 s in [65]. Therefore, this comparison is provided in Table 8 just for reference. As for NBG, it is implemented on a 2.83 GHz Intel Pentium Core 2 Quad 9550 processor with 4 GB RAM. NBG requires 25.14 s under KDD99 to build the graph of strongly correlated features. This value is reduced to 3.34 s under NSL-KDD, as the latter has smaller size compared with KDD99. NBG requires just a few microseconds to classify the connection as normal or anomalous. This result is logical as, during the testing phase, NBG performs the following operations for each test connection Z:

1. It extracts 15 low-level features from the connection Z (The features are already available in the dataset).

2. It uses simple arithmetic operations to convert 15 low-level features into 20 high-level ones; that is, it converts Z to Z^HF.
3. It computes the geometric linear similarity between Z^HF and the reference vector HF^ref.
4. It executes a conditional instruction to decide the type of the connection.

6.4 Resource consumption evaluation

While NBG was running, we used the Windows task manager to measure the CPU and memory consumption, as shown in Figures 8 and 9. Under KDD99 dataset, NBG uses 26% of CPU while consuming 85 MB of memory. Under NSL-KDD, the same CPU usage is observed with less memory consumption, which is 41 MB. We also observe that the CPU occupation lasts longer in case of KDD99 because of its bigger size compared with NSL-KDD.