IMT4741 – Intrusion detection and prevention
Exercise 3. Anomaly detection systems

1. Suppose that IDES monitors 3 parameters of a computer system: CPU usage, memory usage and network usage. Denote CPU usage by S1, memory usage by S2 and network usage by S3.
a) Suppose that S1, S2 and S3 are mutually correlated and that the correlation coefficients are the following: c(S1,S2)=0.3, c(S1,S3)=0.2, c(S2,S3)=0.1. Let the values of S1, S2 and S3 be 0.2, 0.4 and 0.3, respectively, at the time instant t. Compute the IDES score of the system at the time instant t.
b) Suppose that S1, S2 and S3 are not correlated. Compute the IDES score of the system at the time instant t, for the same values of S1, S2 and S3 as in case a). Compute the NIDES score T² for the case without correlation.

Solution
a) n = 3. The correlation matrix is
$$C = \begin{bmatrix} 1 & 0.3 & 0.2 \\ 0.3 & 1 & 0.1 \\ 0.2 & 0.1 & 1 \end{bmatrix}.$$
We represent the values of the system parameters as the row vector $S = [S_1 \; S_2 \; S_3]$. The IDES score is $IS = S C^{-1} S^T$. To compute IS, we have to invert the correlation matrix C first.

Recall from linear algebra that
$$C^{-1} = \frac{1}{\det C}\begin{bmatrix} C_{11} & C_{12} & C_{13} \\ C_{21} & C_{22} & C_{23} \\ C_{31} & C_{32} & C_{33} \end{bmatrix}^T,$$
where the cofactors $C_{ij}$ (signed minors of the entries $c_{ij}$ of C) are
$$\begin{aligned}
C_{11} &= (-1)^{1+1}\begin{vmatrix} c_{22} & c_{23} \\ c_{32} & c_{33} \end{vmatrix}, &
C_{12} &= (-1)^{1+2}\begin{vmatrix} c_{21} & c_{23} \\ c_{31} & c_{33} \end{vmatrix}, &
C_{13} &= (-1)^{1+3}\begin{vmatrix} c_{21} & c_{22} \\ c_{31} & c_{32} \end{vmatrix}, \\
C_{21} &= (-1)^{2+1}\begin{vmatrix} c_{12} & c_{13} \\ c_{32} & c_{33} \end{vmatrix}, &
C_{22} &= (-1)^{2+2}\begin{vmatrix} c_{11} & c_{13} \\ c_{31} & c_{33} \end{vmatrix}, &
C_{23} &= (-1)^{2+3}\begin{vmatrix} c_{11} & c_{12} \\ c_{31} & c_{32} \end{vmatrix}, \\
C_{31} &= (-1)^{3+1}\begin{vmatrix} c_{12} & c_{13} \\ c_{22} & c_{23} \end{vmatrix}, &
C_{32} &= (-1)^{3+2}\begin{vmatrix} c_{11} & c_{13} \\ c_{21} & c_{23} \end{vmatrix}, &
C_{33} &= (-1)^{3+3}\begin{vmatrix} c_{11} & c_{12} \\ c_{21} & c_{22} \end{vmatrix}.
\end{aligned}$$
Evaluating these 2×2 determinants (Cramer's rule) gives:
$$\begin{aligned}
C_{11} &= c_{22}c_{33} - c_{32}c_{23} = 1\cdot 1 - 0.1\cdot 0.1 = 0.99 \\
C_{12} &= -(c_{21}c_{33} - c_{31}c_{23}) = -(0.3\cdot 1 - 0.2\cdot 0.1) = -0.28 \\
C_{13} &= c_{21}c_{32} - c_{31}c_{22} = 0.3\cdot 0.1 - 0.2\cdot 1 = -0.17 \\
C_{21} &= -(c_{12}c_{33} - c_{32}c_{13}) = -(0.3\cdot 1 - 0.1\cdot 0.2) = -0.28 \\
C_{22} &= c_{11}c_{33} - c_{31}c_{13} = 1\cdot 1 - 0.2\cdot 0.2 = 0.96 \\
C_{23} &= -(c_{11}c_{32} - c_{31}c_{12}) = -(1\cdot 0.1 - 0.2\cdot 0.3) = -0.04 \\
C_{31} &= c_{12}c_{23} - c_{22}c_{13} = 0.3\cdot 0.1 - 1\cdot 0.2 = -0.17 \\
C_{32} &= -(c_{11}c_{23} - c_{21}c_{13}) = -(1\cdot 0.1 - 0.3\cdot 0.2) = -0.04 \\
C_{33} &= c_{11}c_{22} - c_{21}c_{12} = 1\cdot 1 - 0.3\cdot 0.3 = 0.91
\end{aligned}$$
The determinant det C (Sarrus' rule, repeating the first two columns to the right of the matrix) is
$$\det C = \begin{vmatrix} 1 & 0.3 & 0.2 \\ 0.3 & 1 & 0.1 \\ 0.2 & 0.1 & 1 \end{vmatrix}
= 1\cdot 1\cdot 1 + 0.3\cdot 0.1\cdot 0.2 + 0.2\cdot 0.3\cdot 0.1 - 0.2\cdot 1\cdot 0.2 - 0.1\cdot 0.1\cdot 1 - 1\cdot 0.3\cdot 0.3 = 0.872$$
Then, the inverted correlation matrix is
$$C^{-1} = \frac{1}{0.872}\begin{bmatrix} 0.99 & -0.28 & -0.17 \\ -0.28 & 0.96 & -0.04 \\ -0.17 & -0.04 & 0.91 \end{bmatrix}^T
= \frac{1}{0.872}\begin{bmatrix} 0.99 & -0.28 & -0.17 \\ -0.28 & 0.96 & -0.04 \\ -0.17 & -0.04 & 0.91 \end{bmatrix}
= \begin{bmatrix} 1.135 & -0.321 & -0.195 \\ -0.321 & 1.101 & -0.046 \\ -0.195 & -0.046 & 1.044 \end{bmatrix}$$
(the cofactor matrix is symmetric because C is, so the transpose changes nothing).

We can now compute the IDES score $IS = S C^{-1} S^T$:
$$S C^{-1} = [0.2 \; 0.4 \; 0.3]\cdot\begin{bmatrix} 1.135 & -0.321 & -0.195 \\ -0.321 & 1.101 & -0.046 \\ -0.195 & -0.046 & 1.044 \end{bmatrix} = [0.0401 \; 0.3624 \; 0.2363]$$
$$IS = [0.0401 \; 0.3624 \; 0.2363]\cdot\begin{bmatrix} 0.2 \\ 0.4 \\ 0.3 \end{bmatrix} = 0.22387.$$

b) The no-correlation case means $C = I = \begin{bmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix}$. Then $C^{-1} = I$ and we can compute IS directly:
$$S C^{-1} = [0.2 \; 0.4 \; 0.3]\cdot\begin{bmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix} = [0.2 \; 0.4 \; 0.3]$$
$$IS = [0.2 \; 0.4 \; 0.3]\cdot\begin{bmatrix} 0.2 \\ 0.4 \\ 0.3 \end{bmatrix} = 0.29$$
The NIDES score T²:
$$T^2 = \frac{1}{n}\sum_{i=1}^{n} S_i^2 = \frac{1}{3}\left(0.2^2 + 0.4^2 + 0.3^2\right) = 0.097.$$
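The IDES and NIDES computation of Exercise 1, as an added Python example that is not part of the exercise sheet: it inverts the 3×3 correlation matrix by the same cofactor/adjugate route as the hand solution, evaluates the quadratic form $S C^{-1} S^T$, and computes the NIDES $T^2$ for uncorrelated measures. All function names are this example's own. Evaluated in full precision, the third entry of $S C^{-1}$ is 0.2558 and the case a) score is IS ≈ 0.2297, where the hand solution above carries 0.2363 and 0.22387; det C = 0.872, the uncorrelated IS = 0.29 and T² ≈ 0.097 agree with the sheet. The script also refuses a singular correlation matrix, which the hand solution does not need to consider but a deployed scorer must.

```python
# Added example (not part of the exercise sheet): IDES score S C^-1 S^T and
# NIDES T^2 for the three-measure system of Exercise 1. The 3x3 inverse is
# built from cofactors exactly as in the hand solution. Names are this
# example's own.

def minor(m, i, j):
    """Determinant of the 2x2 matrix left after deleting row i and column j."""
    rows = [r for k, r in enumerate(m) if k != i]
    sub = [[v for l, v in enumerate(r) if l != j] for r in rows]
    return sub[0][0] * sub[1][1] - sub[0][1] * sub[1][0]


def cofactor_matrix(m):
    """C_ij = (-1)^(i+j) * minor_ij for every entry of a 3x3 matrix."""
    return [[(-1) ** (i + j) * minor(m, i, j) for j in range(3)] for i in range(3)]


def det3(m):
    """Laplace expansion of the determinant along the first row."""
    cof = cofactor_matrix(m)
    return sum(m[0][j] * cof[0][j] for j in range(3))


def inverse3(m):
    """C^-1 = adj(C) / det(C), where adj(C) is the transposed cofactor matrix."""
    d = det3(m)
    if abs(d) < 1e-12:
        # A singular correlation matrix has no IDES score; fail loudly.
        raise ValueError("correlation matrix is singular")
    cof = cofactor_matrix(m)
    return [[cof[j][i] / d for j in range(3)] for i in range(3)]


def ides_score(s, c):
    """IS = S C^-1 S^T for a row vector s of measure values."""
    cinv = inverse3(c)
    s_cinv = [sum(s[i] * cinv[i][j] for i in range(3)) for j in range(3)]
    return sum(s_cinv[j] * s[j] for j in range(3))


def nides_t2(s):
    """T^2 = (1/n) * sum(S_i^2), the NIDES score for uncorrelated measures."""
    return sum(v * v for v in s) / len(s)


# Inputs from the exercise: correlation matrix for case a), identity for
# case b), and the measure values at time t.
C_CORR = [[1.0, 0.3, 0.2], [0.3, 1.0, 0.1], [0.2, 0.1, 1.0]]
C_IDENT = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
S = [0.2, 0.4, 0.3]

if __name__ == "__main__":
    print("det C            =", round(det3(C_CORR), 3))
    print("IS, correlated   =", round(ides_score(S, C_CORR), 4))
    print("IS, uncorrelated =", round(ides_score(S, C_IDENT), 4))
    print("NIDES T^2        =", round(nides_t2(S), 4))
```

The quadratic form is what makes the correlated score smaller than the uncorrelated one here: the positive correlations mean the three measures moving together is partly expected, so the score discounts it, which is why an anomaly detector that ignores correlation over-counts alarms on related measures.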
2. A clustering-based IDS that uses the k-means clustering algorithm monitors 3 parameters of a computer system: CPU usage, memory usage and network usage. The following observations of these parameters were obtained at 10 different time intervals t1, …, t10:
$$\begin{aligned}
V_1 &= [0.2\;0.4\;0.1], & V_2 &= [0.9\;0.7\;0.3], & V_3 &= [0.9\;0.7\;0.2], & V_4 &= [0.8\;0.6\;0.4], & V_5 &= [0.8\;0.5\;0.4], \\
V_6 &= [0.8\;0.5\;0.3], & V_7 &= [0.2\;0.2\;0.2], & V_8 &= [0.2\;0.3\;0.2], & V_9 &= [0.2\;0.2\;0.1], & V_{10} &= [0.3\;0.2\;0.2].
\end{aligned}$$
If k=2 and the k-means algorithm performs only one iteration, determine the clusters and the new centers of the clusters after that iteration. The initial centers are V1 and V2. Euclidean distance is used.

Solution
The initial assignment of the given vectors (V1 and V2 are the initial centers, so each belongs to its own cluster; every other vector is assigned to the nearer center):
$$\begin{aligned}
d(V_3, V_1) &= \sqrt{(0.9-0.2)^2 + (0.7-0.4)^2 + (0.2-0.1)^2} = 0.768, & d(V_3, V_2) &= \sqrt{(0.9-0.9)^2 + (0.7-0.7)^2 + (0.2-0.3)^2} = 0.1 & &\Rightarrow V_3 \to V_2 \\
d(V_4, V_1) &= \sqrt{(0.8-0.2)^2 + (0.6-0.4)^2 + (0.4-0.1)^2} = 0.7, & d(V_4, V_2) &= \sqrt{(0.8-0.9)^2 + (0.6-0.7)^2 + (0.4-0.3)^2} = 0.173 & &\Rightarrow V_4 \to V_2 \\
d(V_5, V_1) &= \sqrt{(0.8-0.2)^2 + (0.5-0.4)^2 + (0.4-0.1)^2} = 0.678, & d(V_5, V_2) &= \sqrt{(0.8-0.9)^2 + (0.5-0.7)^2 + (0.4-0.3)^2} = 0.245 & &\Rightarrow V_5 \to V_2 \\
d(V_6, V_1) &= \sqrt{(0.8-0.2)^2 + (0.5-0.4)^2 + (0.3-0.1)^2} = 0.64, & d(V_6, V_2) &= \sqrt{(0.8-0.9)^2 + (0.5-0.7)^2 + (0.3-0.3)^2} = 0.224 & &\Rightarrow V_6 \to V_2 \\
d(V_7, V_1) &= \sqrt{(0.2-0.2)^2 + (0.2-0.4)^2 + (0.2-0.1)^2} = 0.224, & d(V_7, V_2) &= \sqrt{(0.2-0.9)^2 + (0.2-0.7)^2 + (0.2-0.3)^2} = 0.866 & &\Rightarrow V_7 \to V_1 \\
d(V_8, V_1) &= \sqrt{(0.2-0.2)^2 + (0.3-0.4)^2 + (0.2-0.1)^2} = 0.141, & d(V_8, V_2) &= \sqrt{(0.2-0.9)^2 + (0.3-0.7)^2 + (0.2-0.3)^2} = 0.812 & &\Rightarrow V_8 \to V_1 \\
d(V_9, V_1) &= \sqrt{(0.2-0.2)^2 + (0.2-0.4)^2 + (0.1-0.1)^2} = 0.2, & d(V_9, V_2) &= \sqrt{(0.2-0.9)^2 + (0.2-0.7)^2 + (0.1-0.3)^2} = 0.883 & &\Rightarrow V_9 \to V_1 \\
d(V_{10}, V_1) &= \sqrt{(0.3-0.2)^2 + (0.2-0.4)^2 + (0.2-0.1)^2} = 0.245, & d(V_{10}, V_2) &= \sqrt{(0.3-0.9)^2 + (0.2-0.7)^2 + (0.2-0.3)^2} = 0.787 & &\Rightarrow V_{10} \to V_1
\end{aligned}$$
The clusters, after the first iteration:
Cluster 1: V1, V7, V8, V9, V10
Cluster 2: V2, V3, V4, V5, V6

Calculation of the new centers (the mean of the members of each cluster):
$$\begin{aligned}
V_1 &= [0.2\;0.4\;0.1], & V_7 &= [0.2\;0.2\;0.2], & V_8 &= [0.2\;0.3\;0.2], & V_9 &= [0.2\;0.2\;0.1], & V_{10} &= [0.3\;0.2\;0.2] & &\Rightarrow C_1' = [0.22\;0.26\;0.16] \\
V_2 &= [0.9\;0.7\;0.3], & V_3 &= [0.9\;0.7\;0.2], & V_4 &= [0.8\;0.6\;0.4], & V_5 &= [0.8\;0.5\;0.4], & V_6 &= [0.8\;0.5\;0.3] & &\Rightarrow C_2' = [0.84\;0.6\;0.32]
\end{aligned}$$

3. Determine the Davies-Bouldin index of the clustering obtained in the previous example. Use the centroid diameter for the intra-cluster distance and centroid linkage for the inter-cluster distance. Euclidean distance is used.

Solution
$$DB(C) = \frac{1}{L}\sum_{i=1}^{L}\max_{j \ne i}\left\{\frac{\Delta(C_i) + \Delta(C_j)}{\delta(C_i, C_j)}\right\}$$
$\Delta(C_i)$: intra-cluster distance; $\delta(C_i, C_j)$: inter-cluster distance.
Centroid diameter:
$$\Delta(C_i) = 2\,\frac{\sum_{x_k \in C_i} d(x_k, \bar{c}_{C_i})}{|C_i|}, \qquad \bar{c}_{C_i} = \frac{1}{|C_i|}\sum_{x_k \in C_i} x_k,$$
where $\bar{c}_{C_i}$ is the centroid vector and $x_k$ are the vectors of the cluster $C_i$.
In our case L = 2, $C_1 = \{V_1, V_7, V_8, V_9, V_{10}\}$, $C_2 = \{V_2, V_3, V_4, V_5, V_6\}$, $\bar{c}_{C_1} = C_1' = [0.22\;0.26\;0.16]$, $\bar{c}_{C_2} = C_2' = [0.84\;0.6\;0.32]$.
To compute the intra-cluster distances (in this case the centroid diameters), we need the distances of all the vectors in the clusters to their corresponding centroids:
$$\begin{aligned}
d(V_1, \bar{c}_{C_1}) &= \sqrt{(0.2-0.22)^2 + (0.4-0.26)^2 + (0.1-0.16)^2} = 0.154 \\
d(V_7, \bar{c}_{C_1}) &= \sqrt{(0.2-0.22)^2 + (0.2-0.26)^2 + (0.2-0.16)^2} = 0.075 \\
d(V_8, \bar{c}_{C_1}) &= \sqrt{(0.2-0.22)^2 + (0.3-0.26)^2 + (0.2-0.16)^2} = 0.06 \\
d(V_9, \bar{c}_{C_1}) &= \sqrt{(0.2-0.22)^2 + (0.2-0.26)^2 + (0.1-0.16)^2} = 0.087 \\
d(V_{10}, \bar{c}_{C_1}) &= \sqrt{(0.3-0.22)^2 + (0.2-0.26)^2 + (0.2-0.16)^2} = 0.108 \\
d(V_2, \bar{c}_{C_2}) &= \sqrt{(0.9-0.84)^2 + (0.7-0.6)^2 + (0.3-0.32)^2} = 0.118 \\
d(V_3, \bar{c}_{C_2}) &= \sqrt{(0.9-0.84)^2 + (0.7-0.6)^2 + (0.2-0.32)^2} = 0.167 \\
d(V_4, \bar{c}_{C_2}) &= \sqrt{(0.8-0.84)^2 + (0.6-0.6)^2 + (0.4-0.32)^2} = 0.089 \\
d(V_5, \bar{c}_{C_2}) &= \sqrt{(0.8-0.84)^2 + (0.5-0.6)^2 + (0.4-0.32)^2} = 0.134 \\
d(V_6, \bar{c}_{C_2}) &= \sqrt{(0.8-0.84)^2 + (0.5-0.6)^2 + (0.3-0.32)^2} = 0.11
\end{aligned}$$
The centroid diameters are:
$$\Delta(C_1) = 2\,\frac{0.154 + 0.075 + 0.06 + 0.087 + 0.108}{5} = 0.1936, \qquad
\Delta(C_2) = 2\,\frac{0.118 + 0.167 + 0.089 + 0.134 + 0.11}{5} = 0.2472$$
The inter-cluster distance (in this case centroid linkage) is the distance between the centroids, $\delta(C_i, C_j) = d(\bar{c}_{C_i}, \bar{c}_{C_j})$:
$$\delta(C_1, C_2) = \sqrt{(0.22-0.84)^2 + (0.26-0.6)^2 + (0.16-0.32)^2} = 0.725$$
Then we can compute the Davies-Bouldin index:
$$DB(C) = \frac{1}{2}\left(\frac{\Delta(C_1) + \Delta(C_2)}{\delta(C_1, C_2)} + \frac{\Delta(C_2) + \Delta(C_1)}{\delta(C_2, C_1)}\right) = 0.608.$$
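One k-means iteration followed by the Davies-Bouldin evaluation of its result, as an added Python example serving Exercises 2 and 3; it is not part of the exercise sheet. The data are the ten observations of Exercise 2 with V1 and V2 as initial centers, and all helper names are this example's own. It goes slightly beyond the hand solution in two ways that matter in practice: an empty cluster keeps its previous center instead of crashing the centroid computation, and the Davies-Bouldin formula is written for any number of clusters L, of which the sheet's L = 2 is one instance.

```python
# Added example (not part of the exercise sheet): one k-means step over the
# observations of Exercise 2, then the Davies-Bouldin index of Exercise 3
# using the centroid diameter and centroid linkage, all with Euclidean
# distance. Names are this example's own.
from math import sqrt

# The ten observations V1..V10 from Exercise 2 (index 0 is V1).
V = [
    [0.2, 0.4, 0.1], [0.9, 0.7, 0.3], [0.9, 0.7, 0.2], [0.8, 0.6, 0.4], [0.8, 0.5, 0.4],
    [0.8, 0.5, 0.3], [0.2, 0.2, 0.2], [0.2, 0.3, 0.2], [0.2, 0.2, 0.1], [0.3, 0.2, 0.2],
]


def euclid(a, b):
    """Euclidean distance between two vectors of equal length."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centroid(points):
    """Component-wise mean of a non-empty list of vectors."""
    n = len(points)
    return [sum(p[i] for p in points) / n for i in range(len(points[0]))]


def kmeans_step(points, centers):
    """One k-means iteration: assign each point to its nearest center, then
    recompute each center as the mean of its members. Returns (clusters,
    new_centers); clusters holds point indices. On a distance tie the
    lower-numbered center wins; an empty cluster keeps its old center."""
    clusters = [[] for _ in centers]
    for idx, p in enumerate(points):
        nearest = min(range(len(centers)), key=lambda k: euclid(p, centers[k]))
        clusters[nearest].append(idx)
    new_centers = [
        centroid([points[i] for i in members]) if members else list(centers[k])
        for k, members in enumerate(clusters)
    ]
    return clusters, new_centers


def centroid_diameter(points):
    """Delta(C_i) = 2 * mean distance of the members to their centroid."""
    c = centroid(points)
    return 2 * sum(euclid(p, c) for p in points) / len(points)


def davies_bouldin(clusters_of_points):
    """DB = (1/L) * sum_i max_{j != i} (Delta_i + Delta_j) / d(centroid_i, centroid_j),
    for any number L >= 2 of non-empty clusters."""
    diam = [centroid_diameter(cl) for cl in clusters_of_points]
    cents = [centroid(cl) for cl in clusters_of_points]
    L = len(clusters_of_points)
    total = 0.0
    for i in range(L):
        total += max((diam[i] + diam[j]) / euclid(cents[i], cents[j])
                     for j in range(L) if j != i)
    return total / L


def solve(points=V, initial=(0, 1)):
    """Run the exercise end to end: one k-means step from the given initial
    center indices, then the DB index of the resulting clustering."""
    clusters, centers = kmeans_step(points, [points[i] for i in initial])
    db = davies_bouldin([[points[i] for i in cl] for cl in clusters])
    return clusters, centers, db


if __name__ == "__main__":
    clusters, centers, db = solve()
    for k, (members, c) in enumerate(zip(clusters, centers), start=1):
        print(f"Cluster {k}: " + ", ".join(f"V{i + 1}" for i in members))
        print(f"  new center C{k}' = {[round(x, 2) for x in c]}")
    print("Davies-Bouldin index =", round(db, 3))
```

A lower Davies-Bouldin index means tighter, better separated clusters, so it is a convenient way to compare the clusterings that different k or different initial centers produce on the same profiling data before one of them is used as the normal-behaviour model.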