Scribd
Upload
2 views

Module III

The document discusses various techniques in machine learning for cybersecurity, focusing on misuse/signature detection, rule-based signature analysis, and intrusion detection systems (IDS). It highlights the differences between signature-based and anomaly-based methods for detecting threats, as well as the use of classification through association rules and genetic programming. The document emphasizes the strengths and weaknesses of these methods in identifying known and unknown threats in network traffic.

Uploaded by

teddy haile
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
2 views

Module III

The document discusses various techniques in machine learning for cybersecurity, focusing on misuse/signature detection, rule-based signature analysis, and intrusion detection systems (IDS). It highlights the differences between signature-based and anomaly-based methods for detecting threats, as well as the use of classification through association rules and genetic programming. The document emphasizes the strengths and weaknesses of these methods in identifying known and unknown threats in network traffic.

Uploaded by

teddy haile
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 25

Ethiopian Defence University, College of

Engineering

CT-6713: Machine Learning in


Cybersecurity

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 1


Learning for Misuse/Signature Detection
• Rule Based Signature Analysis
• Classification Using Association Rules
• Genetic Programming

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 2 2


Rule Based Signature Analysis
• Rule-based classification in data mining is a technique in
which class decisions are taken based on various
• “if...then… else” rules
• Thus, we define it as a classification type governed by a set
of IF-THEN rules. We write an IF-THEN rule as:
• “IF condition THEN conclusion”

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 3 3


Intrusion Detection System (IDS)
• An Intrusion Detection System (IDS) maintains network
traffic looks for unusual activity and sends alerts when it
occurs
• The main duties of an Intrusion Detection System (IDS) are
anomaly detection and reporting,
• However, certain Intrusion Detection Systems can take
action when malicious activity or unusual traffic is
discovered

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 4 4


Detection Method of IDS
• Signature-based Method: Signature-based IDS detects the
attacks on the basis of the specific patterns such as the
number of bytes or a number of 1s or the number of 0s in
the network traffic
• It also detects on the basis of the already known malicious
instruction sequence that is used by the malware
• The detected patterns in the IDS are known as signatures
• Signature-based IDS can easily detect the attacks whose
pattern (signature) already exists in the system but it is
quite difficult to detect new malware attacks as their
pattern (signature) is not known

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 5 5


Contd…
• Anomaly-based Method: Anomaly-based IDS was
introduced to detect unknown malware attacks as new
malware is developed rapidly
• In anomaly-based IDS there is the use of machine learning
to create a trustful activity model and anything coming is
compared with that model and it is declared suspicious if it
is not found in the model
• The machine learning-based method has a better-
generalized property in comparison to signature-based IDS
as these models can be trained according to the
applications and hardware configurations

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 6 6


Contd…
• Rule-based signature analysis is a method used in
cybersecurity to detect and identify known threats or
malicious patterns within data or network traffic
• It involves creating specific rules or signatures that define
the characteristics of known threats
• These rules can include patterns, behaviors, or indicators
associated with malicious activity
• When data or network traffic is analyzed, it is compared
against these predefined rules
• If a match is found between the data and a rule, it indicates
the presence of a known threat or malicious activity

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 7 7


Contd…
• This enables security systems to quickly identify and
respond to potential threats before they can cause harm
• One of the key advantages of rule-based signature analysis
is its ability to detect known threats with a high level of
accuracy and efficiency
• However, it may struggle with detecting previously unseen
or unknown threats, as it relies on predefined rules
• Additionally, maintaining and updating the rules to keep
up with evolving threats is essential to ensure effectiveness
over time

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 8 8


Classification Using Association Rules
• Classification using association rules is a technique in data
mining and machine learning
• It involves identifying patterns of association between
different variables in a dataset
• Using these associations to classify or predict the outcome
of new data instances
• The process begins with association rule mining, where
frequent item sets are identified within a dataset
• Frequent item sets are combinations of items that appear
together frequently in the data
• This process is often accomplished using algorithms like
Apriori.

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 9 9


Contd…
• Rule Generation: Once frequent item sets are identified,
association rules are generated from them
• An association rule typically takes the form of "if {A} then
{B}", where A and B are sets of items
• These rules represent relationships between different items
or attributes in the dataset
• Rule Evaluation: The generated association rules are
evaluated based on metrics like support, confidence, and
lift

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 10 10


Contd…
• Support measures how frequently the items in the rule
appear together in the dataset
• Confidence measures the reliability of the rule as a
predictor of the outcome
• Lift indicates how much more likely the outcome is when
the antecedent (A) and consequent (B) of the rule are
associated compared to if they were independent

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 11 11


Contd…
• Classification: Once the association rules are generated and
evaluated, they can be used for classification
• This involves applying the rules to new data instances to
predict the outcome or class label
• Each rule acts as a classifier, where if the antecedent part of
the rule matches the attributes of a new instance, the
consequent part predicts the outcome

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 12 12


Contd…
• Rule Selection: In some cases, not all association rules
generated may be relevant or useful for classification
• Therefore, a selection process may be employed to filter out
irrelevant or redundant rules, leaving only the most
informative ones for classification
• Prediction: Finally, the selected association rules are
applied to new instances of data to predict their class labels
or outcomes based on the patterns identified in the
association rules

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 13 13


Classification using association rules
• Strengths:
• Can handle large datasets efficiently
• Does not require explicit modeling of relationships
between variables
• Can capture complex patterns and interactions between
variables
• Weaknesses:
• Limited to categorical or binary data.
• May generate a large number of rules, some of which
may be irrelevant or redundant.
• Not well-suited for datasets with continuous or
numerical attributes

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 14 14


Genetic Programming

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 15 15


Genetic algorithm – machine learning

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 16 16


How Genetic Algorithm works

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 17 17


Initial Population

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 18 18


Fitness function

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 19 19


Selection

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 20 20


Contd…

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 21 21


Crossover

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 22 22


offspring

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 23 23


Mutation

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 24 24


Termination

Capt. Mehari K (Ph.D) Ethiopian University, Engineering College 25 25

You might also like