After completing this learning module, students will be able to:
Describe intrusion detection and the Support Vector Machine (SVM).
Explain when the Support Vector Machine (SVM) algorithm is useful for anomaly detection.
Apply the Support Vector Machine (SVM) to build a model of regular behavior from baseline usage at time intervals and detect unknown attacks.
Support Vector Machine for Anomaly-Based Intrusion Detection
Intrusion Detection System (IDS):
An intrusion detection system (IDS) is an application that monitors incoming and outgoing network traffic for signs of malicious activity or violations of security policy, with the aim of identifying intrusions at a high detection rate and a low false alarm rate. IDSs are broadly classified as misuse detection systems and anomaly-based detection systems. Anomaly-based network intrusion detection plays a vital role in protecting networks against malicious activity; an IDS is often likened to an intruder alarm, notifying you of any activity that might compromise your data or network.
Figure 1: Common intrusion detection framework architecture.
An anomaly-based IDS begins with a model of normal behavior on the network and alerts an administrator whenever it detects a deviation from that model. The system starts at installation with a training phase in which it "learns" normal behavior, so the traffic captured during that phase must itself be free of attacks, or the attacks become part of the baseline. AI and machine learning have been very effective in this phase of anomaly-based systems.
Figure 2: Linear SVM model, two classes (red versus blue) were classified.
Support Vector Machine (SVM):
A Support Vector Machine (SVM) is a supervised machine learning algorithm that learns from labelled examples to assign labels to objects. SVM is simple to learn and use, and it solves classification or regression problems; for instance, an SVM can learn to recognize fraudulent credit card activity by examining hundreds or thousands of fraudulent and non-fraudulent credit card activity reports. The SVM was originally proposed as a linear classifier by Vapnik in 1963; an alternative use of SVM is the kernel method, which lets us model higher-dimensional, non-linear decision boundaries. Figure 2 and Figure 3 show the linear SVM model and the kernel function. A kernel function lets certain calculations be done quickly that would otherwise require computations in a high-dimensional space.
Figure 3: Kernel function: data that cannot be separated by a linear SVM can be transformed and then separated using a kernel function.
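To make the "calculations in high-dimensional space" point concrete, here is an added example (not code from the module) in plain Python. It spells out the explicit degree-2 polynomial feature map phi(x) = (x1^2, sqrt(2)*x1*x2, x2^2) for two-dimensional input, and checks that the kernel K(a, b) = (a . b)^2 returns exactly phi(a) . phi(b) while only ever touching the original two coordinates. The Gaussian (RBF) kernel is included as an assumption-free illustration of a kernel whose implicit feature space is infinite-dimensional; the function and variable names are my own.

```python
import math

# Added example (not part of the module): why a kernel function saves work.
# For 2-D input the explicit degree-2 polynomial feature map is
#     phi(x) = (x1^2, sqrt(2)*x1*x2, x2^2)
# and the kernel K(a, b) = (a . b)^2 equals phi(a) . phi(b) without building phi.


def dot(u, v):
    """Plain inner product of two equal-length sequences."""
    return sum(ui * vi for ui, vi in zip(u, v))


def poly2_feature_map(x):
    """Explicit map into the 3-D feature space (the work a kernel avoids)."""
    x1, x2 = x
    return (x1 * x1, math.sqrt(2.0) * x1 * x2, x2 * x2)


def poly2_kernel(a, b):
    """Same inner product as poly2_feature_map(a) . poly2_feature_map(b),
    computed entirely in the original 2-D input space."""
    return dot(a, b) ** 2


def rbf_kernel(a, b, gamma=0.5):
    """Gaussian kernel exp(-gamma * ||a - b||^2); its implicit feature
    space is infinite-dimensional, so no explicit map exists to compare with."""
    sq_dist = sum((ai - bi) ** 2 for ai, bi in zip(a, b))
    return math.exp(-gamma * sq_dist)


def kernel_matches_feature_map(a, b, tol=1e-9):
    """True when the kernel value and the explicit-map inner product agree."""
    explicit = dot(poly2_feature_map(a), poly2_feature_map(b))
    return abs(poly2_kernel(a, b) - explicit) < tol


def explicit_feature_dim(d, degree=2):
    """Number of monomials of exact degree `degree` in d input variables,
    i.e. the size of the explicit feature space the polynomial kernel skips.
    Evaluating the kernel itself stays O(d)."""
    return math.comb(d + degree - 1, degree)


if __name__ == "__main__":
    a, b = (1.0, 2.0), (3.0, -1.0)          # constructed sample inputs
    print("K(a, b) =", poly2_kernel(a, b))
    print("phi(a) . phi(b) =", dot(poly2_feature_map(a), poly2_feature_map(b)))
    print("agree:", kernel_matches_feature_map(a, b))
    for d in (2, 10, 100):
        print(f"d={d}: explicit degree-2 feature space has {explicit_feature_dim(d)} dimensions")
```

For d = 100 input features the explicit degree-2 space already has 5050 dimensions, whereas the kernel evaluation is a single 100-element dot product followed by a square; that gap is what the kernel method exploits.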
Support Vector Machine for Anomaly-Based Intrusion Detection:
As mentioned earlier, SVM is one of many machine learning methods and is very powerful at recognizing subtle patterns in complex datasets. SVM can be used to recognize handwriting, recognize fraudulent credit card transactions, identify a speaker, and detect malware. To perform anomaly-based intrusion detection, we will use the Support Vector Machine (SVM).
Let's learn how SVM works. Classification is performed by finding the hyper-plane (a line, in two dimensions) that best segregates the two classes; this frontier is the SVM classifier.
Identify the right hyper-plane (Scenario-1): here we have three hyper-planes (A, B, and C), and we must identify the one that correctly classifies the stars and circles. In Scenario-2 (A) we again have three hyper-planes (A, B, and C), and all of them segregate the classes well. Maximizing the distance between the hyper-plane and the nearest data point of either class helps us decide; this distance is called the "margin" (Scenario-2 (B)). The margin of hyper-plane C is higher than that of A and B, so we name C the right hyper-plane. Another important reason for selecting the hyper-plane with the higher margin is robustness: if we select a hyper-plane with a low margin, there is a high chance of misclassification. SVM selects the hyper-plane that classifies the classes accurately before maximizing the margin: in Scenario-3, hyper-plane B has a classification error while A classifies everything correctly, so the right hyper-plane is A.
Figure panels: Scenario-1, Scenario-2 (A), Scenario-2 (B), Scenario-3, Scenario-4, Scenario-5 (A), Scenario-5 (B), Scenario-5 (C).
In Scenario-4, one of the stars lies in the territory of the other (circle) class as an outlier, yet we still segregate the two classes with a straight line: the SVM algorithm has a feature to ignore outliers and find the hyper-plane with the maximum margin. Hence we can say that SVM classification is robust to outliers. In Scenario-5 (A) the classes cannot be separated by a straight line in the (x, y) plane; a new feature z = x^2 + y^2 is added and the data points are plotted on the x and z axes in Scenario-5 (B), where a straight line now separates them. This is what the SVM technique called the "kernel" does: it takes a low-dimensional input space and transforms it into a higher-dimensional space, Scenario-5 (C).
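The margin and the z = x^2 + y^2 feature map described above can be seen in working code. The following is an added example, not code from the module, and it needs no scikit-learn or dataset: it trains a linear SVM from scratch by fixed-step batch sub-gradient descent on the primal soft-margin objective (lam/2)*||w||^2 + mean(max(0, 1 - y*(w.x + b))), then runs it on two constructed datasets. The first is a Scenario-2 style pair of clusters, for which it reports the geometric margin (distance from the hyper-plane to the nearest point). The second is a Scenario-5 style ring of circles around a cluster of stars, which a straight line cannot separate in (x, y) but which becomes separable once the module's z feature is appended. All point coordinates, labels, function names and the step sizes are my own constructed assumptions.

```python
import math

# Added example (not from the module): a linear SVM trained from scratch by
# batch sub-gradient descent on the primal soft-margin objective
#     (lam/2)*||w||^2 + (1/n) * sum_i max(0, 1 - y_i*(w.x_i + b)),
# used to show the margin and the explicit z = x^2 + y^2 feature map.


def dot(u, v):
    return sum(ui * vi for ui, vi in zip(u, v))


def train_linear_svm(points, labels, lam=0.01, eta=0.02, epochs=3000):
    """Return (w, b) for labels in {-1, +1}. Fixed-step batch sub-gradient descent;
    lam is the regularisation strength (small lam ~ large C), eta the step size."""
    n, dim = len(points), len(points[0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        grad_w = [lam * wi for wi in w]          # regulariser pulls w toward 0 (wider margin)
        grad_b = 0.0
        for x, y in zip(points, labels):
            if y * (dot(w, x) + b) < 1.0:        # inside the margin or misclassified
                for i in range(dim):
                    grad_w[i] -= y * x[i] / n    # hinge-loss sub-gradient
                grad_b -= y / n
        w = [wi - eta * gi for wi, gi in zip(w, grad_w)]
        b -= eta * grad_b
    return w, b


def predict(w, b, x):
    return 1 if dot(w, x) + b >= 0.0 else -1


def accuracy(w, b, points, labels):
    hits = sum(predict(w, b, x) == y for x, y in zip(points, labels))
    return hits / len(points)


def geometric_margin(w, b, points, labels):
    """Distance from the hyper-plane to the nearest training point."""
    norm = math.sqrt(dot(w, w))
    return min(y * (dot(w, x) + b) for x, y in zip(points, labels)) / norm


# Scenario-2 style data (constructed): two well-separated clusters, +1 = stars, -1 = circles.
STARS = [(4.0, 4.0), (4.0, 5.0), (5.0, 4.0), (5.0, 5.0), (4.5, 4.5)]
CIRCLES = [(1.0, 1.0), (1.0, 2.0), (2.0, 1.0), (2.0, 2.0), (1.5, 1.5)]
POINTS_A = STARS + CIRCLES
LABELS_A = [1] * len(STARS) + [-1] * len(CIRCLES)

# Scenario-5 style data (constructed): stars inside a ring of circles; no straight line separates them.
INNER = [(0.0, 0.0), (0.5, 0.0), (-0.5, 0.0), (0.0, 0.5), (0.0, -0.5),
         (0.3, 0.3), (-0.3, -0.3), (0.3, -0.3)]
OUTER = [(2.0, 0.0), (-2.0, 0.0), (0.0, 2.0), (0.0, -2.0),
         (1.5, 1.5), (-1.5, 1.5), (1.5, -1.5), (-1.5, -1.5)]
POINTS_B = INNER + OUTER
LABELS_B = [1] * len(INNER) + [-1] * len(OUTER)


def add_radius_feature(points):
    """The module's explicit map: (x, y) -> (x, y, z) with z = x^2 + y^2."""
    return [(x, y, x * x + y * y) for x, y in points]


def run_scenarios():
    """Train on each dataset and return the numbers the scenarios talk about."""
    w_a, b_a = train_linear_svm(POINTS_A, LABELS_A)
    w_raw, b_raw = train_linear_svm(POINTS_B, LABELS_B)
    mapped = add_radius_feature(POINTS_B)
    w_map, b_map = train_linear_svm(mapped, LABELS_B)
    return {
        "scenario2_accuracy": accuracy(w_a, b_a, POINTS_A, LABELS_A),
        "scenario2_margin": geometric_margin(w_a, b_a, POINTS_A, LABELS_A),
        "scenario5_raw_accuracy": accuracy(w_raw, b_raw, POINTS_B, LABELS_B),
        "scenario5_mapped_accuracy": accuracy(w_map, b_map, mapped, LABELS_B),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value:.3f}")
```

On the ring data no straight line in the (x, y) plane can get more than 12 of the 16 points right, so the raw-space accuracy stays at or below 0.75 no matter how long training runs; after appending z the same training loop separates the two classes perfectly, which is the whole point of Scenario-5. Note that this block builds the extra feature explicitly; a kernel function obtains the same separation without constructing it.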
To understand the Support Vector Machine for anomaly-based intrusion detection, we practice with the following code using the dataset sms_spam_svm.csv:
import pandas as pd
import numpy as np
from sklearn.model_selection import train_test_split
from sklearn.svm import SVC

# Upload the dataset "sms_spam_svm.csv" through the Google Colab file picker
from google.colab import files
uploaded = files.upload()

# Read the dataset and inspect the first rows
df = pd.read_csv('sms_spam_svm.csv')
df.head()

# Column 0 holds the label ('spam' or not); columns 1 and 2 are the two numeric features
X = df.iloc[:, [1, 2]]
y = df.iloc[:, 0].values
# Encode the label as -1 for spam and +1 for everything else
y = np.where(y == 'spam', -1, 1)

# Hold out 30% of the rows for testing; random_state makes the split reproducible
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.3, random_state=0)

# Train a linear-kernel SVM classifier (C sets the soft-margin penalty)
clfs = SVC(kernel='linear', C=1.0, random_state=0)
clfs.fit(X_train, y_train)
y_pred = clfs.predict(X_test)
print("Train score is:", clfs.score(X_train, y_train))
print("Test score is:", clfs.score(X_test, y_test))
Output:
Train score is: 0.819047619047619
Test score is: 0.8444444444444444
from sklearn.metrics import accuracy_score, classification_report

# Count the test rows whose predicted label differs from the true label
print('Misclassified samples: %d' % (y_test != y_pred).sum())
print('Accuracy: %.2f' % accuracy_score(y_test, y_pred))

# Per-class precision, recall and F1 score on the test set
class_report = classification_report(y_test, y_pred)
print(class_report)