Training the SOFM Efficiently: An Example from Intrusion Detection - PowerPoint PPT Presentation

About This Presentation
Title:

Training the SOFM Efficiently: An Example from Intrusion Detection

Description:

Leigh Wetmore, Nur Zincir-Heywood, Malcolm Heywood. Dalhousie University. 11/3/09. IJCNN'05 ... All exemplars are not created equal; Concentrate on the most ... – PowerPoint PPT presentation

Number of Views:17
Avg rating:3.0/5.0
Slides: 18
Provided by: malcolm54
Category:

less

Transcript and Presenter's Notes

Title: Training the SOFM Efficiently: An Example from Intrusion Detection


1
Training the SOFM Efficiently An Example from
Intrusion Detection
  • Leigh Wetmore, Nur Zincir-Heywood, Malcolm
    Heywood
  • Dalhousie University

2
Basic SOM learning algorithm
  1. Initialize SOM
  2. Select training exemplar
  3. Identify BMU
  4. Weight update
  5. Update neighborhood (h) or learning rate (?)
    functions?
  6. Stop?

3
Current Speedups
  • Special purpose hardware
  • Kohonen
  • Smoothing, Estimation, Short cut search
  • Preclustering

4
Active Learning
  • All exemplars are not created equal
  • Concentrate on the most informative
  • Dynamic Subset Selection (DSS)
  • Exemplar difficulty
  • Exemplar age
  • Sample data hierarchically
  • Cache friendly.

5
Basic DSS Hierarchy
  • Subset selection
  • EXEMPLAR age,
  • difficulty
  • Block selection
  • BLOCK age,
  • difficulty

Original Data (b blocks)
6
Age and Difficulty
  • Difficulty
  • BMU close to exemplar ? easy exemplar
  • BMU distant from exemplar ? difficult exemplar
  • D(t) alpha ? (exemplar to BMU distance)
  • (1 - alpha) D(t - 1)
  • Age
  • IF (exemplar(i) ? Subset)
  • THEN (exemplar(i).AGE)

7
SOM Parameterization
  • Learning rate (?) and Neighborhood size (h)
  • Previously a function of a predefined number of
    epochs
  • Now a linear function of block difficulty
  • Block difficulty average diff. Of exemplars in
    same block
  • Learning rate and neighborhood size may increase
    as well as decrease

8
Basic DSS SOM algorithm
  • While (? gt ?.fine-tune)
  • Select block(t) ? P(age), P(diff)
  • For (n subset selections)
  • Construct Subset
  • Train SOM
  • Update EXEMPLAR.(difficulty age)
  • Update BLOCK.(difficulty age)
  • Update SOM.(? h)

9
IDS example
  • KDD-99 Competition dataset
  • 500,000 training exemplars
  • 310,000 test exemplars
  • 41 features
  • Test set
  • Different category freq.
  • 14 Unseen attacks
  • Features describe connection properties,
  • Basic session information
  • Content based features
  • Time-based Traffic features
  • Host-based Traffic features

10
Distribution of Connection Category Exemplars
Category Training Test
Normal 97,278 60,593
DoS 391,458 229,853
Probe 4,107 4,166
R2L 1,126 16,347
U2R 52 70
11
Evaluation
  • Detection Rate
  • 1 - (False Negatives Total Attacks)
  • False Positives
  • False Positives Total Normal
  • Category specific classification
  • CPU time
  • Expressed with respect to Std SOM baseline of 33
    hours for same architecture,

12
Category Classification
13
Detection on Test Data
14
FP on Test Data
15
CPU training time
16
Training Category Selection Frequency
17
Conclusions
  • (DSS) Active learning algorithm
  • Unsupervised learning
  • Provides alternative stop criterion
  • Speedup independent of,
  • Hardware platform
  • Does not detract from SOM classification
    performance
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Training the SOFM Efficiently: An Example from Intrusion Detection" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!