Incremental learning for large-scale stream data and its application to cybersecurity

As many human currently depend on technologies to assist with daily tasks, there are more and more applications which have been developed to be fit in one small gadget such as smart phone and tablet. Thus, by carrying this small gadget alone, most of our tasks are able to be settled efficiently a...

Full description

Saved in:
Bibliographic Details
Main Author: Ali, Siti Hajar Aminah
Format: Thesis
Language:English
Published: 2015
Subjects:
Online Access:http://eprints.uthm.edu.my/1748/1/24p%20SITI%20HAJAR%20AMINAH%20ALI.pdf
http://eprints.uthm.edu.my/1748/
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:As many human currently depend on technologies to assist with daily tasks, there are more and more applications which have been developed to be fit in one small gadget such as smart phone and tablet. Thus, by carrying this small gadget alone, most of our tasks are able to be settled efficiently and fast. Until the end of 20th century, mobile phones are only used to call and to send short message service (sms). However, in early 21st century, a rapid revolution of communi�cation technology from mobile phone into smart phone has been seen in which the smart phone is equipped by 4G Internet line along with the telephone service provider line. Thus, the users are able to make a phone call, send messages using variety of application such as Whatsapp and Line, send email, serving websites, accessing maps and handling some daily tasks via online using online banking, online shopping and online meetings via video conferences. In previous years, if there are cases of missing children or missing cars, the victims would rely on the police investigation. But now, as easy as uploading a notification about the loss on Facebook and spread the news among Facebook users, there are more people are able to help in the search. Despite the advantages that can be obtained using these technologies, there are a group of irresponsible people who take advan�tage of current technologies for their own self-interest. Among the applications that are usually being used by almost Internet users and also are often misused by cyber criminals are email and websites. Therefore, we take this initiative to make enhancement in cyber security application to avoid the Internet users from being trapped and deceived by the trick of cyber criminals by developing detec�tion system of malicious spam email and Distributed Denial of Services (DDoS) 377$ 3(53867$.$$1781.8781$0,1$+ iii backscatter. Imagine that a notice with a logo of Mobile Phone company is received by an email informing that the customer had recently run up a large mobile phone bill. A link regarding the bill is attached for him/her to find out the details. Since, the customer thinks that the billing might be wrong, thus the link is clicked. However, the link is directed to a webpage which displays a status that currently the webpage is under construction. Then the customer closes the page and thinking of to visit the website again at other time. Unfortunately, after a single click actually a malicious file is downloaded and installed without the customer aware of it. That malicious file most probably is a Trojan that capable to steal confidential information from victim’s computer. On the next day, when the same person is using the same computer to log in the online banking, all of a sudden find out that his/her money is lost totally. This is one of a worst case scenario of malicious spam email which is usually handled by cybersecurity field. Another different case of cybersecurity is the Distributed Denial of Services (DDoS) attack. Let say, Company X is selling flowers via online in which the market is from the local and international customer. The online business of Company X is running normally as usual, until a day before mother’s day, the webpage of Company X is totally down and the prospective customers could not open the webpage to make order to be sent specially for their beloved mother. Thus, the customers would search another company that sells the same item. The Company X server is down, most probably because of the DDoS attack where a junk traffic is sent to that company server which makes that server could not serve the request by the legitimate customers. This attack effect not only the profit of the company, but also reputation damage, regular customer turnover and productivity decline. Unfortunately, it is difficult for a normal user like us to detect malicious spam 377$ 3(53867$.$$1781.8781$0,1$+ email or DDoS attack with naked eyes. It is because recently the spammers and attacker had improved their strategy so that the malicious email and the DDoS packets are hardly able to be differentiated with the normal email and data packets. Once the Social Engineering is used by the spammers to create relevant email content in the malicious spam email and when a new campaign of DDoS attack is launched by the attacker, no normal users are capable to distinguish the benign and malicious email or data packets. This is where my Ph.D project comes in handy. My Ph.d is focusing on constructing a detection system of malicious spam email and DDoS attack using a large number of dataset which are obtained by a server that collect double-bounce email and darknet for malicious spam email detection system and DDoS backscatter detection system, respectively. As many up-to-date data are used during the learning, the detection system would become more robust to the latest strategy of the cybercriminal. Therefore, the scenario mentioned above can be avoided by assisting the user with important information at the user-end such as malicious spam email filter or at the server firewall. First of all, the method to learn large-scale stream data must be solved before implementing it in the detection system. Therefore, in Chapter 2, the general learning strategy of large-scale data is introduced to be used in the cybersecurity applications which are discussed in Chapter 3 and Chapter 4, respectively. One of a critical criterion of the detection system is capable to learn fast because after the learning, the updated information needs to be passed to user to avoid the user from being deceived by the cybercriminal. To process large-scale data sequences, it is important to choose a suitable learning algorithm that is capable to learn in real time. Incremental learning has an ability to process large data in chunk and update the parameters after learning each chunk. Such type of learning keep and update only the minimum information on a classifier model. 377$ 3(53867$.$$1781.8781$0,1$+ Therefore, it requires relatively small memory and short learning time. On the other hand, batch learning is not suitable because it needs to store all training data, which consume a large memory capacity. Due to the limited memory, it is certainly impossible to process online large-scale data sequences using the batch learning. Therefore, the learning of large-scale stream data should be conducted incrementally. This dissertation contains of five chapters. In Chapter 1, the concept of in�cremental learning is briefly described and basic theories on Resource Allocating Network (RAN) and conventional data selection method are discussed in this chapter. Besides that, the overview of this dissertation is also elaborated in this chapter. In Chapter 2, we propose a new algorithm based on incremental Radial Basis Function Network (RBFN) to accelerate the learning in stream data. The data sequences are represented as a large chunk size of data given continuously within a short time. In order to learn such data, the learning should be carried out incrementally. Since it is certainly impossible to learn all data in a short pe�riod, selecting essential data from a given chunk can shorten the learning time. In our method, we select data that are located in untrained or “not well-learned” region and discard data at trained or “well-learned” region. These regions are represented by margin flag. Each region is consisted of similar data which are near to each other. To search the similar data, the well-known LSH method pro�posed by Andoni et al. is used. The LSH method indeed has proven be able to quickly find similar objects in a large database. Moreover, we utilize the LSH ʼs properties; hash value and Hash Table to further reduced the processing time. A flag as a criterion to decide whether to choose or not the training data is added in the Hash Table and is updated in each chunk sequence. Whereas, the hash value of RBF bases that is identical with the hash value of the training data is used to select the RBF bases that is near to the training data. The performance results of 377$ 3(53867$.$$1781.8781$0,1$+ vi the numerical simulation on nine UC Irvine (UCI) Machine Learning Repository datasets indicate that the proposed method can reduce the learning time, while keeping the similar accuracy rate to the conventional method. These results indi�cate that the proposed method can improve the RAN learning algorithm towards the large-scale stream data processing. In Chapter 3, we propose a new online system to detect malicious spam emails and to adapt to the changes of malicious URLs in the body of spam emails by updating the system daily. For this purpose, we develop an autonomous system that learns from double-bounce emails collected at a mail server. To adapt to new malicious campaigns, only new types of spam emails are learned by introducing an active learning scheme into a classifier model. Here, we adopt Resource Allocating Network with Locality Sensitive Hashing (RAN-LSH) as a classifier model with data selection. In this data selection, the same or similar spam emails that have already been learned are quickly searched for a hash table using Locally Sensitive Hashing, and such spam emails are discarded without learning. On the other hand, malicious spam emails are sometimes drastically changed along with a new arrival of malicious campaign. In this case, it is not appropriate to classify such spam emails into malicious or benign by a classifier. It should be analyzed by using a more reliable method such as a malware analyzer. In order to find new types of spam emails, an outlier detection mechanism is implemented in RAN-LSH. To analyze email contents, we adopt the Bag-of-Words (BoW) approach and generate feature vectors whose attributes are transformed based on the normalized term frequency-inverse document frequency. To evaluate the developed system, we use a dataset of double-bounce spam emails which are collected from March 1, 2013 to May 10, 2013. In the experiment, we study the effect of introducing the outlier detection in RAN-LSH. As a result, by introducing the outlier detection, we confirm that the detection accuracy is enhanced on 377$ 3(53867$.$$1781.8781$0,1$+ average over the testing period. In Chapter 4, we propose a fast Distributed Denial of Service (DDoS) backscat�ter detection system to detect DDoS backscatter from a combination of protocols and ports other than the following two labeled packets: Transmission Control Protocol (TCP) Port 80 (80/TCP) and User datagram Protocol (UDP) Port 53 (53/UDP). Usually, it is hard to detect DDoS backscatter from the unlabeled packets, where an expert is needed to analyze every packet manually. Since it is a costly approach, we propose a detection system using Resource Allocating Network (RAN) with data selection to select essential data. Using this method, the learning time is shorten, and thus, the DDoS backscatter can be detected fast. This detection system consists of two modules which are pre-processing and classifier. With the former module, the packets information are transformed into 17 feature-vectors. With the latter module, the RAN-LSH classifier is used, where only data located at untrained region are selected. The performance of the proposed detection system is evaluated using 9,968 training data from 80/TCP and 53/UDP, whereas 5,933 test data are from unlabeled packets which are col�lected from January 1st, 2013 until January 20th, 2014 at National Institute of Information and Communications Technology (NICT), Japan. The results indi�cate that detection system can detect the DDoS backscatter from both labeled and unlabeled packets with high recall and precision rate within a short time. Finally, in Chapter 5, we discussed the conclusions and the future work of our study: RAN-LSH classifier, malicious spam email detection system and DDoS backscatter detection system.