Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor Page: 3 of 9
This article is part of the collection entitled: Office of Scientific & Technical Information Technical Reports and was provided to Digital Library by the UNT Libraries Government Documents Department.
[Fig. 2 Fuzzy logic system. Blocks: crisp input, fuzzification, fuzzy inference engine (with fuzzy rule base), defuzzification, crisp output.]
maintaining the previously acquired knowledge. The
performance of the algorithm was tested on an experimental
test-bed mimicking the critical infrastructure control system.
The rest of the paper is structured as follows. Section II
provides a brief overview of fuzzy logic systems and the
nearest neighbor clustering algorithm. The considered
hardware platform for the embedded network security device
is described in Section III. Sections IV and V explain the
network behavior feature extraction technique and the
proposed anomaly detection algorithm, respectively. The
system is experimentally evaluated in Section VI and Section
VII concludes the paper.
II. BACKGROUND OVERVIEW
This section provides a brief background overview of fuzzy
logic systems and the nearest neighbor clustering algorithm.
A. Fuzzy Logic Systems
Fuzzy logic was originally proposed by Zadeh as a tool
for dealing with linguistic uncertainty and vagueness
ubiquitous in the imprecise meaning of words [23]. A Fuzzy
Logic System (FLS) is composed of four primary parts - input
fuzzification, fuzzy inference engine, fuzzy rule base and
output defuzzification, as depicted in Fig. 2. The Mamdani
FLS considered in this work maintains a fuzzy rule base
populated with fuzzy linguistic rules in an implicative form.
Consider rule $R_k$ that is described as follows [24], [25]:

Rule $R_k$: IF $x_1$ is $A_1^k$ AND ... AND $x_n$ is $A_n^k$ THEN $y_k$ is $B^k$    (1)

Here, symbols $A_i^k$ and $B^k$ denote the $i$-th input fuzzy set and
the output fuzzy set of the $k$-th rule, respectively, $n$ is the
dimensionality of the input vector $\vec{x}$ and $y_k$ is the associated
output variable. Each element of the input vector $\vec{x}$ is first
fuzzified using the respective fuzzy membership function (e.g.
Gaussian, triangular, trapezoidal, etc.). The fuzzification of
input value $x_i$ into fuzzy set $A_i^k$ yields a fuzzy membership
grade $\mu_{A_i^k}(x_i)$. Using the minimum t-norm the degree of
firing of rule $R_k$ can be calculated as:

$$\mu_{R_k}(\vec{x}) = \min_i \{\mu_{A_i^k}(x_i)\}, \quad i = 1..n \qquad (2)$$
After applying the rule firing strength via the t-norm
operator to each rule consequent, the output fuzzy sets are
aggregated using the t-conorm operator (e.g. the maximum
operator), resulting in an output fuzzy set $B$. For a detailed
description of the fuzzy inference process refer to [24], [25].
In order to obtain the crisp output value, one of the available
defuzzification techniques is applied. Upon discretizing the
output domain into $N$ samples, for example the centroid
defuzzifier can be applied:

$$y = \frac{\sum_{i=1}^{N} y_i \, \mu_B(y_i)}{\sum_{i=1}^{N} \mu_B(y_i)} \qquad (3)$$
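The inference chain of Eqs. (1)-(3), as an added example that is not code from the paper: Gaussian fuzzification, minimum t-norm firing strength, maximum aggregation and centroid defuzzification over a discretized output domain. The two input features (packet rate and number of distinct destination IPs, both scaled to [0, 1]), the rule base and all set parameters are constructed for illustration.

```python
import math

def gauss(x, mean, sigma):
    """Gaussian fuzzy membership grade of x in a set centred at mean."""
    return math.exp(-0.5 * ((x - mean) / sigma) ** 2)

# Constructed rule base over two hypothetical features scaled to [0, 1].
# Each rule: ([(mean, sigma) per input set A_i^k], (mean, sigma) of output set B^k).
RULES = [
    ([(0.2, 0.15), (0.2, 0.15)], (0.1, 0.1)),  # low rate AND few dst IPs   -> normal
    ([(0.8, 0.15), (0.2, 0.15)], (0.5, 0.1)),  # high rate AND few dst IPs  -> suspicious
    ([(0.8, 0.15), (0.8, 0.15)], (0.9, 0.1)),  # high rate AND many dst IPs -> anomalous
]

def firing_strength(x, antecedents):
    """Eq. (2): minimum t-norm over the per-input membership grades."""
    return min(gauss(xi, m, s) for xi, (m, s) in zip(x, antecedents))

def infer(x, rules=RULES, n_samples=101):
    """Mamdani inference returning a crisp score in [0, 1], or None."""
    ys = [i / (n_samples - 1) for i in range(n_samples)]  # discretized output domain
    strengths = [firing_strength(x, ante) for ante, _ in rules]
    # mu_B(y): clip each consequent at its rule's firing strength (min),
    # then aggregate the clipped sets with the maximum t-conorm.
    mu_b = [
        max(min(f, gauss(y, m, s)) for f, (_, (m, s)) in zip(strengths, rules))
        for y in ys
    ]
    den = sum(mu_b)
    if den == 0.0:  # no rule fired (grades underflowed): centroid is undefined
        return None
    # Eq. (3): centroid defuzzifier over the N samples.
    return sum(y * mu for y, mu in zip(ys, mu_b)) / den

if __name__ == "__main__":
    for sample in ([0.2, 0.2], [0.8, 0.2], [0.8, 0.8], [100.0, 100.0]):
        print(sample, infer(sample))
```

An input far outside every antecedent set fires no rule, so the centroid has a zero denominator; the example returns None there instead of a score.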
B. Nearest Neighbor Clustering
The Nearest Neighbor Clustering (NNC) algorithm is an
unsupervised clustering technique [9]. The clustering process
is controlled by an established maximum cluster radius
parameter. The smaller the radius the more clusters will be
generated and vice versa.
Assume an input dataset $X$ composed of $N$ input patterns
denoted as:

$$X = \{\vec{x}_1, ..., \vec{x}_N\}, \quad \vec{x}_i \in \Re^n \qquad (4)$$

Here, $n$ denotes the dimensionality of the input domain.
Vector $\vec{x}_i$ can be expressed as $\vec{x}_i = \{x_i^1, ..., x_i^n\}$.
Each cluster constitutes a prototype of similar instances,
subject to a specific similarity measure. The Euclidean
distance similarity measure is considered in this work. Each
cluster $P_i$ is described by its Center Of Gravity (COG) $\vec{c}_i$ and
its associated weight $w_i$. The weight $w_i$ stores the number of
patterns previously assigned to cluster $P_i$. Following this
notation, cluster $P_i$ can be expressed as:

$$P_i = \{\vec{c}_i, w_i\}, \quad \vec{c}_i \in \Re^n, \; w_i \in \mathbb{N} \qquad (5)$$

The learning process of the NNC algorithm begins by
creating an initial cluster $P_1$ at the location of the first input
pattern $\vec{x}_1$. Next, input patterns from dataset $X$ are selected in
a sequential manner. The nearest prototype from the set of
available clusters is determined for each instance. For an input
pattern $\vec{x}_i$, the nearest cluster $P_a$ is determined using the
Euclidean distance norm:

$$dist(\vec{c}_a, \vec{x}_i) = \min_{j = 1...C} \sqrt{(c_j^1 - x_i^1)^2 + ... + (c_j^n - x_i^n)^2} \qquad (6)$$

Here, $C$ denotes the number of currently acquired clusters.
Using the maximum cluster radius parameter - $rad$, the input
pattern $\vec{x}_i$ is assigned to cluster $P_a$ if the following condition
holds: $dist(\vec{c}_a, \vec{x}_i) \le rad$. In this case, the parameters of cluster
$P_a$ are updated as:
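Added example, not code from the paper: one sequential NNC pass using the nearest-cluster search of Eq. (6) and the radius test, run on constructed 2-D patterns. This page ends before the paper's update equations, so the running-mean COG update and the creation of a new cluster when the radius test fails are assumptions of this example.

```python
import math

# Constructed 2-D feature vectors: two dense groups and one isolated point.
PATTERNS = [
    (0.10, 0.10), (0.12, 0.11), (0.11, 0.09),
    (0.90, 0.85), (0.88, 0.90),
    (0.50, 0.50),
]

def nearest_cluster(clusters, x):
    """Eq. (6): index of the nearest COG and its Euclidean distance to x."""
    a = min(range(len(clusters)), key=lambda j: math.dist(clusters[j][0], x))
    return a, math.dist(clusters[a][0], x)

def nnc_fit(patterns, rad):
    """One sequential pass; each cluster is [cog, weight] as in Eq. (5)."""
    clusters = []
    for x in patterns:
        if not clusters:
            clusters.append([list(x), 1])  # initial cluster P_1 at the first pattern
            continue
        a, d = nearest_cluster(clusters, x)
        if d <= rad:  # within the maximum cluster radius (non-strict comparison assumed)
            cog, w = clusters[a]
            # ASSUMPTION: COG becomes the running mean of its assigned patterns,
            # and the weight counts them.
            clusters[a] = [[(w * c + xi) / (w + 1) for c, xi in zip(cog, x)], w + 1]
        else:
            # ASSUMPTION: a pattern outside every radius seeds a new cluster.
            clusters.append([list(x), 1])
    return clusters

if __name__ == "__main__":
    for rad in (0.1, 2.0):  # smaller radius -> more clusters
        result = nnc_fit(PATTERNS, rad)
        print(rad, [(tuple(round(c, 3) for c in cog), w) for cog, w in result])
```

With `rad = 0.1` the isolated pattern ends up as its own weight-1 cluster, while `rad = 2.0` absorbs every pattern into a single prototype.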
Reference the current page of this Article.
Linda, Ondrej; Vollmer, Todd; Wright, Jason & Manic, Milos. Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor, article, April 1, 2011; Idaho Falls, Idaho. (digital.library.unt.edu/ark:/67531/metadc836339/m1/3/: accessed February 22, 2018), University of North Texas Libraries, Digital Library, digital.library.unt.edu; crediting UNT Libraries Government Documents Department.