A Novel Method for Intrusion Detection Based on SARSA and Radial Bias Feed Forward Network (RBFFN)

The Internet, computer networks and information are vital resources in the current information age, and protecting them has become increasingly important. Any attempt, successful or unsuccessful, to compromise the confidentiality, integrity and availability of an information resource or of the information itself is considered a security attack or an intrusion. An intrusion causes a loss of information credentials and of trust in security. Intrusion detection mechanisms face the problem of newly generated schemas and patterns of attack data. Various authors and researchers have proposed intrusion detection methods based on machine learning and neural network approaches, but all of these are compromised by new patterns and schemas. In this paper, a new model of intrusion detection based on the SARSA reinforcement learning scheme and an RBF neural network is proposed. The SARSA method imposes a state on attack behaviour, and the RBF neural network processes the training patterns for new schemas. Our empirical results show that the proposed model performs better in comparison with SARSA and other machine learning techniques.


INTRODUCTION
Reinforcement learning and neural networks play an important role in intrusion detection. The multi-stage, multi-agent property of reinforcement learning is used to differentiate the attack and anomaly categories in intrusion [1]. Intrusion detection system algorithms can be categorized into three types: supervised learning, unsupervised learning and reinforcement learning. Supervised learning is a technique that builds a detection rule or model by learning patterns from the provided information. Supervised learning normally has a high detection rate and a low false alarm rate. On the other hand, this technique can detect only known patterns. For that reason it is not secure enough, because in practice there are many new and unknown attacks in the network [2]. The second type of algorithm is unsupervised learning. It is able to learn new or unknown attacks without training information. However, it often has a relatively lower detection rate and a high false alarm rate. Reinforcement learning serves as a multi-state modelling technique for intrusion detection. The learning rate of the reinforcement mechanism drives the training patterns for unknown attacks in the RBF neural network. Current intrusion detection systems suffer from problems of detection rate and false alarm generation. These problems arise from the large number of feature attributes in the intruder file [3]. During our survey of intrusion detection systems based on reinforcement learning, we found no algorithm that works directly on dynamic feature reduction of the intruder file. Feature reduction is an important issue in improving the detection rate of an intrusion detection system. Not all feature attributes of an anomaly file are involved in the reaction to an action, so we remove those attributes and improve the efficiency of the intrusion detection method.
In this paper we discuss a hybrid method for feature reduction using reinforcement learning with the SARSA learning factor and a radial basis function (RBF) network [4]. A great advantage of the hybrid method is that it works as a complete system without parameter learning and reduces the features of the anomaly file. The RBF network is used to identify important input features for intrusion detection. By identifying the important inputs and the redundant inputs, a classifier can achieve a reduced problem size, faster training and more accurate results. Feature extraction is an important issue in intrusion detection. Of the large number of features that can be monitored for intrusion detection purposes, which are truly useful, which are less significant, and which may be useless? The question is relevant because the elimination of useless features (the so-called audit trail reduction) enhances the accuracy of detection while speeding up the computation, thus improving the overall performance of the IDS. In this paper, we focus on network intrusion detection for unknown attack types, meaning that the approach is able to detect new or unknown types of attack in the network. In particular, the network intrusion detection system should be able to identify normal network activity and classify attack types. We are interested in designing an IDS technique using SARSA and an RBF neural network. SARSA is a reinforcement learning technique, and the RBF neural network is able to learn new attacks by itself. Moreover, this technique has a high detection rate and is robust. Therefore, we apply the Q-learning factor approach to the SARSA intrusion detection system, i.e. the data is detected right after it arrives at the detection system [5]. We evaluate our IDS in terms of detection rate and alarm generation rate. The rest of the paper is organized as follows: related work on IDS, then the methodology, some experimental results, and finally the conclusion and future scope.

RELATED WORK
In the survey, a number of anomaly detection systems were studied, based on many different machine learning techniques. Some studies apply a single-agent learning technique, such as neural networks, genetic algorithms or support vector machines. Other systems combine different learning techniques, as in hybrid or ensemble techniques. In particular, these techniques are developed as classifiers, which are used to classify or recognize whether incoming Internet access is normal access or an attack. In 2011, Z. Muda et al. [6] proposed a network detection solution combining a supervised and an unsupervised learning technique. They used the K-Means algorithm for unsupervised learning and the Naive Bayes algorithm for supervised learning. The first step of the algorithm uses K-Means to group data into normal or attack. Then the Naive Bayes algorithm classifies the obtained result into attack types. The KDD99 dataset was used to evaluate the performance of this algorithm. The detection rate was improved to 99.6 percent. However, this solution is not practical for a real network, because the K-Means algorithm requires more time to process the huge amount of data in real networks, which could lead to a bottleneck and a system crash. In 2009, T. Komviriyavut et al. [1] proposed a real-time detection approach. They used a packet sniffer to capture network packets every 2 seconds, pre-processed them into 12 features and used a decision tree algorithm to classify the network data. The output can be categorized into 3 types: DoS, Probe and normal. The result shows that this algorithm has a detection rate of 97.5 percent. This technique is fast and usable in a real network. However, it was not designed to detect unknown attacks. N. Ngamwitthayanon and N. Wattanapongsakorn [2] proposed Fuzzy-Adaptive Resonance Theory (ART) for network anomaly detection with a feature-reduced dataset.
Adaptive Resonance is one type of neural network algorithm. The main algorithm is the ART algorithm, while Fuzzy is used to simplify the network structure of ART. Moreover, they applied a feature reduction method to the KDD99 dataset [7]. This approach offers a 98.07 percent detection rate and uses only 14 of KDD99's 41 features. Another approach is a Dependable Network Intrusion Detection System (DNIDS) based on the Combined Strangeness and Isolation measure K-Nearest Neighbor (CSIKNN) algorithm. The intrusion detection algorithm analyses different characteristics of network data by employing two measures: strangeness and isolation. In general, however, K-NN still needs intensive computation. Unsupervised Anomaly Detection Using an Optimized K-Nearest Neighbors Algorithm can work without the need for massive sets of pre-labeled training data. It uses a k-nearest neighbors algorithm to detect anomalies in network connections, together with the optimization necessary to make the algorithm feasible for a real-world system [8]. Anomaly-based intrusion detection systems have developed during recent years, as several supervised and unsupervised clustering techniques were optimized, resulting in more elegant techniques that provided more detection accuracy and a lower false alarm rate. Moreover, the newly proposed techniques tend to avoid the creation of unnecessary neurons in the training process, in order to faithfully represent data inputs as applied in hierarchical clustering. Furthermore, this restriction on creating neurons contributes significantly to reducing the complexity of the training process and producing more accurate topologies. Our main concern in this research is to increase the quality of clustering and attack classification for a larger scope of attacks, and additionally to increase the identification rate of novel patterns in the training process.
An Intrusion Detection System (IDS) is an important detection mechanism used as a countermeasure to preserve data integrity and system availability against attacks. The work is implemented in two phases: in the first phase, clustering by K-means is done, and in the next phase, classification is done with k-nearest neighbors and decision trees. The objects are clustered or grouped based on the principle of maximizing the intra-class similarity and minimizing the inter-class similarity. This paper proposes an approach which makes clusters of similar attacks and, in the next step, classification with k-nearest neighbors, detects the attack types. This method has an advantage over a single classifier, as it detects the class better than a single-classifier system [3].

PROPOSED METHODOLOGY
The proposed methodology of intrusion detection is based on reinforcement learning and an RBF neural network for the classification of attacks in offline intrusion data. The proposed method works in dual mode: first, SARSA makes a policy for detection and differentiates the categories of attack, and finally the RBF neural network classifies all these states into separate groups of data [5]. The classification process improves the detection rate of intrusion.

SARSA-RBF
The algorithm randomly chooses the SARSA learning rate and picks the initial state of the clustered dataset. Then we use the pattern-learning concept from the RBF neural network algorithm to improve the policy in the training phase. Then we use the policy to classify the dataset in the testing phase. The pseudocode of the SARSA-RBF algorithm is given below.

    Initial policy ();
    while {
        for each dataset {
            for each policy {
                for each attribute {
                    event = SARSA();
                    totalevent = totalevent + event;
                }
                if (totalevent > Q factor)
                    class is attack;
                else
                    class is normal;
            }
            Compare the label class with test class data
        }
        Calculate optimal state for next process of classification
        Stored_Pattern()
        Selection-state ()
        Voting-process ()
    }

    Variable
        C   : number of clusters
        cj  : center of the j-th cluster
        nj  : number of patterns in the j-th cluster
        dij : distance between xi and the j-th cluster
    begin
        C := 1; c1 := x1; n1 := 1;
        for i := 2 to P do              /* for each pattern */
            for j := 1 to C do          /* for each cluster */
                compute dij;
                if dij <= R0 then       /* include xi into the j-th cluster */
                    cj := (cj*nj + xi)/(nj + 1);
                    nj := nj + 1;
                    exit from the loop;
                end if
            end for
            if xi is not included in any clusters then    /* create a new cluster */
                C := C + 1; cC := xi; nC := 1;
            end if
        end for
    end
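The cluster-construction pseudocode above, written out as a runnable Python sketch; this is an added example, not the authors' MATLAB implementation. The function name, the use of Euclidean distance, the inclusion test d_ij <= R0, the radius value and the sample feature vectors are assumptions made for illustration.

```python
import math

def incremental_clusters(patterns, r0):
    """One pass over the patterns, as in the pseudocode.

    Returns (centers, counts, assignments): cluster centres c_j, the
    number of patterns n_j in each cluster, and the cluster index
    given to every pattern x_i.
    """
    centers = [list(patterns[0])]      # C := 1; c_1 := x_1
    counts = [1]                       # n_1 := 1
    assignments = [0]
    for x in patterns[1:]:             # for each remaining pattern
        for j, c in enumerate(centers):        # for each cluster
            # Assumption: d_ij is the Euclidean distance to the centre.
            if math.dist(x, c) <= r0:
                n = counts[j]
                # c_j := (c_j * n_j + x_i) / (n_j + 1), a running mean
                centers[j] = [(cv * n + xv) / (n + 1)
                              for cv, xv in zip(c, x)]
                counts[j] = n + 1
                assignments.append(j)
                break                  # exit from the loop
        else:
            # x_i was not included in any cluster: create a new one
            centers.append(list(x))
            counts.append(1)
            assignments.append(len(centers) - 1)
    return centers, counts, assignments

# Constructed sample: six records with two normalised features each
# (illustrative values, not taken from KDD99 or from the paper).
SAMPLE = [(0.10, 0.20), (0.12, 0.18), (0.90, 0.85),
          (0.11, 0.22), (0.88, 0.90), (0.50, 0.05)]
R0 = 0.15  # assumed cluster radius

if __name__ == "__main__":
    centers, counts, assignments = incremental_clusters(SAMPLE, R0)
    for j, (c, n) in enumerate(zip(centers, counts)):
        print(f"cluster {j}: centre={[round(v, 3) for v in c]} n={n}")
    print("assignments:", assignments)
```

Each pattern joins the first cluster whose centre lies within R0, and centres move as they absorb patterns, so the resulting clusters depend on the order of the records and on the choice of R0.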

EXPERIMENTAL ANALYSIS
We implemented our intrusion detection system in MATLAB 7.8.0 and performed experiments on a personal computer with a 2.67 GHz Intel Core i5 CPU 750 and 4 GB RAM. We use 4000 records of normal data and 3000 records of attack data. The attack records contain 1000 of DoS and 500 of Probe attack types. We use 1,000 records for each type of DoS attack, which are Smurf, UDP-flood, HTTP-flood and Jping. They were generated on a closed LAN with the attack generators Smurf.c, NetTool5 and Jping.c. We use 500 records for each type of Probe attack. Port scan and Host scan were generated by NetTool5, and the Connect attack was generated by Host Scan 1.6. The other 10 types of attack were generated using NMap Win 1.3.1: SYN Stealth, FIN Stealth, UDP Scan, Null Scan, IP Scan, Window Scan, RCP Scan, Advanced Port Scan, Xmas Tree and ACK Scan.

The work is evaluated on the basis of the following parameters:
Precision - It measures the proportion of predicted positives/negatives which are actually positive/negative.
Recall - It is the proportion of actual positives/negatives which are predicted positive/negative.
Accuracy - It is the proportion of the total number of predictions that were correct, i.e. the percentage of correctly classified instances.
False-negative rate (FNR) - It is the percentage of attack records that are misclassified, out of the total number of attack records.
False-positive rate (FPR) - It is the percentage of normal data records that are classified as attacks, out of the total number of normal data records.

CONCLUSION AND FUTURE WORK
In this paper we proposed a method for intrusion detection based on SARSA and an RBF neural network. The proposed method classifies the attack and normal data of KDDCUP99 very accurately. The proposed method works through the process of making a policy from the SARSA learning par diagram. The learning process of the Q factor and the RBF training process give a very efficient classification rate for intrusion data. Our empirical results show better performance in comparison with SARSA and other machine learning techniques for the intrusion detection process. In future we will reduce the iteration process of the RBF neural network to speed up the classification and detection of intrusions.