Incremental learning for large-scale stream data and its application to cybersecurity
As many human currently depend on technologies to assist with daily tasks, there are more and more applications which have been developed to be fit in one small gadget such as smart phone and tablet. Thus, by carrying this small gadget alone, most of our tasks are able to be settled efficiently a...
Saved in:
| Main Author: | |
|---|---|
| Format: | Thesis |
| Language: | English |
| Published: |
2015
|
| Subjects: | |
| Online Access: | http://eprints.uthm.edu.my/1748/1/24p%20SITI%20HAJAR%20AMINAH%20ALI.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Summary: | As many human currently depend on technologies to assist with daily tasks,
there are more and more applications which have been developed to be fit in one
small gadget such as smart phone and tablet. Thus, by carrying this small gadget
alone, most of our tasks are able to be settled efficiently and fast. Until the end
of 20th century, mobile phones are only used to call and to send short message
service (sms). However, in early 21st century, a rapid revolution of communi�cation technology from mobile phone into smart phone has been seen in which
the smart phone is equipped by 4G Internet line along with the telephone service
provider line. Thus, the users are able to make a phone call, send messages using
variety of application such as Whatsapp and Line, send email, serving websites,
accessing maps and handling some daily tasks via online using online banking,
online shopping and online meetings via video conferences. In previous years, if
there are cases of missing children or missing cars, the victims would rely on the
police investigation. But now, as easy as uploading a notification about the loss
on Facebook and spread the news among Facebook users, there are more people
are able to help in the search. Despite the advantages that can be obtained using
these technologies, there are a group of irresponsible people who take advan�tage of current technologies for their own self-interest. Among the applications
that are usually being used by almost Internet users and also are often misused
by cyber criminals are email and websites. Therefore, we take this initiative to
make enhancement in cyber security application to avoid the Internet users from
being trapped and deceived by the trick of cyber criminals by developing detec�tion system of malicious spam email and Distributed Denial of Services (DDoS) 377$
3(53867$.$$1781.8781$0,1$+
iii
backscatter.
Imagine that a notice with a logo of Mobile Phone company is received by
an email informing that the customer had recently run up a large mobile phone
bill. A link regarding the bill is attached for him/her to find out the details.
Since, the customer thinks that the billing might be wrong, thus the link is
clicked. However, the link is directed to a webpage which displays a status that
currently the webpage is under construction. Then the customer closes the page
and thinking of to visit the website again at other time. Unfortunately, after
a single click actually a malicious file is downloaded and installed without the
customer aware of it. That malicious file most probably is a Trojan that capable
to steal confidential information from victim’s computer. On the next day, when
the same person is using the same computer to log in the online banking, all
of a sudden find out that his/her money is lost totally. This is one of a worst
case scenario of malicious spam email which is usually handled by cybersecurity
field. Another different case of cybersecurity is the Distributed Denial of Services
(DDoS) attack. Let say, Company X is selling flowers via online in which the
market is from the local and international customer. The online business of
Company X is running normally as usual, until a day before mother’s day, the
webpage of Company X is totally down and the prospective customers could not
open the webpage to make order to be sent specially for their beloved mother.
Thus, the customers would search another company that sells the same item. The
Company X server is down, most probably because of the DDoS attack where a
junk traffic is sent to that company server which makes that server could not
serve the request by the legitimate customers. This attack effect not only the
profit of the company, but also reputation damage, regular customer turnover
and productivity decline.
Unfortunately, it is difficult for a normal user like us to detect malicious spam 377$
3(53867$.$$1781.8781$0,1$+
email or DDoS attack with naked eyes. It is because recently the spammers
and attacker had improved their strategy so that the malicious email and the
DDoS packets are hardly able to be differentiated with the normal email and
data packets. Once the Social Engineering is used by the spammers to create
relevant email content in the malicious spam email and when a new campaign
of DDoS attack is launched by the attacker, no normal users are capable to
distinguish the benign and malicious email or data packets. This is where my
Ph.D project comes in handy. My Ph.d is focusing on constructing a detection
system of malicious spam email and DDoS attack using a large number of dataset
which are obtained by a server that collect double-bounce email and darknet for
malicious spam email detection system and DDoS backscatter detection system,
respectively. As many up-to-date data are used during the learning, the detection
system would become more robust to the latest strategy of the cybercriminal.
Therefore, the scenario mentioned above can be avoided by assisting the user
with important information at the user-end such as malicious spam email filter
or at the server firewall. First of all, the method to learn large-scale stream
data must be solved before implementing it in the detection system. Therefore,
in Chapter 2, the general learning strategy of large-scale data is introduced to
be used in the cybersecurity applications which are discussed in Chapter 3 and
Chapter 4, respectively.
One of a critical criterion of the detection system is capable to learn fast because
after the learning, the updated information needs to be passed to user to avoid
the user from being deceived by the cybercriminal. To process large-scale data
sequences, it is important to choose a suitable learning algorithm that is capable
to learn in real time. Incremental learning has an ability to process large data
in chunk and update the parameters after learning each chunk. Such type of
learning keep and update only the minimum information on a classifier model. 377$
3(53867$.$$1781.8781$0,1$+
Therefore, it requires relatively small memory and short learning time. On the
other hand, batch learning is not suitable because it needs to store all training
data, which consume a large memory capacity. Due to the limited memory, it is
certainly impossible to process online large-scale data sequences using the batch
learning. Therefore, the learning of large-scale stream data should be conducted
incrementally.
This dissertation contains of five chapters. In Chapter 1, the concept of in�cremental learning is briefly described and basic theories on Resource Allocating
Network (RAN) and conventional data selection method are discussed in this
chapter. Besides that, the overview of this dissertation is also elaborated in this
chapter. In Chapter 2, we propose a new algorithm based on incremental Radial
Basis Function Network (RBFN) to accelerate the learning in stream data. The
data sequences are represented as a large chunk size of data given continuously
within a short time. In order to learn such data, the learning should be carried
out incrementally. Since it is certainly impossible to learn all data in a short pe�riod, selecting essential data from a given chunk can shorten the learning time. In
our method, we select data that are located in untrained or “not well-learned”
region and discard data at trained or “well-learned” region. These regions are
represented by margin flag. Each region is consisted of similar data which are
near to each other. To search the similar data, the well-known LSH method pro�posed by Andoni et al. is used. The LSH method indeed has proven be able to
quickly find similar objects in a large database. Moreover, we utilize the LSH ʼs
properties; hash value and Hash Table to further reduced the processing time. A
flag as a criterion to decide whether to choose or not the training data is added in
the Hash Table and is updated in each chunk sequence. Whereas, the hash value
of RBF bases that is identical with the hash value of the training data is used to
select the RBF bases that is near to the training data. The performance results of 377$
3(53867$.$$1781.8781$0,1$+
vi
the numerical simulation on nine UC Irvine (UCI) Machine Learning Repository
datasets indicate that the proposed method can reduce the learning time, while
keeping the similar accuracy rate to the conventional method. These results indi�cate that the proposed method can improve the RAN learning algorithm towards
the large-scale stream data processing.
In Chapter 3, we propose a new online system to detect malicious spam emails
and to adapt to the changes of malicious URLs in the body of spam emails by
updating the system daily. For this purpose, we develop an autonomous system
that learns from double-bounce emails collected at a mail server. To adapt to new
malicious campaigns, only new types of spam emails are learned by introducing an
active learning scheme into a classifier model. Here, we adopt Resource Allocating
Network with Locality Sensitive Hashing (RAN-LSH) as a classifier model with
data selection. In this data selection, the same or similar spam emails that
have already been learned are quickly searched for a hash table using Locally
Sensitive Hashing, and such spam emails are discarded without learning. On
the other hand, malicious spam emails are sometimes drastically changed along
with a new arrival of malicious campaign. In this case, it is not appropriate to
classify such spam emails into malicious or benign by a classifier. It should be
analyzed by using a more reliable method such as a malware analyzer. In order
to find new types of spam emails, an outlier detection mechanism is implemented
in RAN-LSH. To analyze email contents, we adopt the Bag-of-Words (BoW)
approach and generate feature vectors whose attributes are transformed based
on the normalized term frequency-inverse document frequency. To evaluate the
developed system, we use a dataset of double-bounce spam emails which are
collected from March 1, 2013 to May 10, 2013. In the experiment, we study the
effect of introducing the outlier detection in RAN-LSH. As a result, by introducing
the outlier detection, we confirm that the detection accuracy is enhanced on 377$
3(53867$.$$1781.8781$0,1$+
average over the testing period.
In Chapter 4, we propose a fast Distributed Denial of Service (DDoS) backscat�ter detection system to detect DDoS backscatter from a combination of protocols
and ports other than the following two labeled packets: Transmission Control
Protocol (TCP) Port 80 (80/TCP) and User datagram Protocol (UDP) Port 53
(53/UDP). Usually, it is hard to detect DDoS backscatter from the unlabeled
packets, where an expert is needed to analyze every packet manually. Since it
is a costly approach, we propose a detection system using Resource Allocating
Network (RAN) with data selection to select essential data. Using this method,
the learning time is shorten, and thus, the DDoS backscatter can be detected
fast. This detection system consists of two modules which are pre-processing
and classifier. With the former module, the packets information are transformed
into 17 feature-vectors. With the latter module, the RAN-LSH classifier is used,
where only data located at untrained region are selected. The performance of the
proposed detection system is evaluated using 9,968 training data from 80/TCP
and 53/UDP, whereas 5,933 test data are from unlabeled packets which are col�lected from January 1st, 2013 until January 20th, 2014 at National Institute of
Information and Communications Technology (NICT), Japan. The results indi�cate that detection system can detect the DDoS backscatter from both labeled
and unlabeled packets with high recall and precision rate within a short time.
Finally, in Chapter 5, we discussed the conclusions and the future work of our
study: RAN-LSH classifier, malicious spam email detection system and DDoS
backscatter detection system. |
|---|