A Discriminant Model of Network Anomaly Behavior Based on Fuzzy Temporal Inference

The aim of this paper is to provide an active inference algorithm for anomalous network behavior. As the main concept we introduce the fuzzy temporal consistency covering set, and put forward a fuzzy temporal selection model based on temporal inference and covering techniques. Fuzzy sets are used to describe the omens and characteristics of network anomaly behavior, as well as the relations between them. We set up a basic monitoring framework for anomalous behaviors using causal inference over network behaviors, and then provide a method for recognizing the characteristics of network anomaly behavior based on hypothesis graph search. As the example shows, the monitoring algorithm has a certain reliability and operability.


I. INTRODUCTION
Network anomaly behavior monitoring is an active topic in network security research. Up to now the basic idea of network anomaly discrimination has been the anomaly detection method proposed by Denning in 1987 [1]: according to abnormal conditions in the audit records of the monitoring system, bad behaviors in the network (i.e. events violating the security policy) can be detected. Most studies on network anomaly detection are based on data analysis, for example probabilistic and statistical methods [2], data mining [3], artificial immune algorithms [4], and related artificial intelligence methods [5]. But all of the above methods share a common constraint: data completeness.
This condition can be met only to a certain extent, and a relatively high false alarm rate results, so the reliability requirements of network monitoring cannot be satisfied. Literature [5] introduced an analysis method based on knowledge diagnosis. Literature [6] put forward a method for anomaly detection based on direct inference. Literature [7] brought forward an abductive inference diagnosis model based on generalized set covering (GSC). It is a knowledge-based diagnosis model with many advantages, such as being intuitive and parallel and easily admitting heuristic algorithms. Probabilistic causality was introduced into the model by Peng in literature [7, 8].
To solve the anomaly detection problem for fuzzy network behavior, literature [9] combined an intrusion detection model with fuzzy theory. None of the above methods considers the causality between anomalous behaviors and network data, nor the temporal constraints between them. Because the data features arise together with the anomalous behaviors, a discriminant method based on the interaction between anomalous behavior and data is an active network monitoring and defensive strategy.
In this paper we propose a fuzzy temporal inference method, describe the imprecision of network temporal knowledge using fuzzy sets, and then construct a model of network temporal generalized behavior covering (NTGSBC). The resulting discriminant results are satisfactory.

II. NETWORK TEMPORAL GENERALIZED BEHAVIORS COVERING (NTGSBC)
A. Fuzzy Temporal Nature of Network Behaviors
The fuzzy temporal analysis method has achieved satisfactory results in fault diagnosis research [3, 4]. In this section we set up an inference method for network anomaly behavior using the analysis method of literature [4]. As is known, the main source of complexity in network behavior is the time fuzziness of its behavior state: the occurrence time of a network behavior is an uncertain time based on an interval transition.
It is a fuzzy period of time, so the definition is as follows.
Definition 2.1 [4]. A network behavior happens in a network fuzzy time interval (N.F.T.I). Suppose I is a trapezoid fuzzy number (T.F.N) defined on the network behavior time axis T, t ( , , , ). The start time of I is denoted start(I), and it is defined as:
The end time of I is denoted end(I), and it is defined as:
(2)
DEL(i, j) expresses the fuzzy delay between "the beginning of anomalous behavior a_i" and "the beginning of data D_j"; for (a_i, D_j) not in R, DEL(i, j) is undefined.
(5)
D D expresses the known anomalous data set of the discriminant target P. DOCT expresses a |D|-dimensional vector. ( ) { | , , } 01 is a threshold constant for temporal consistency, and Ĩ expresses the intersection of fuzzy sets.

B. Operating process of the discriminant system
According to Theorems 3.1 and 3.2, the operation of the monitoring system is based on a search of the hypothesis graph. If complete end nodes exist in the final hypothesis graph G(P), then the complete explanation (iv) Otherwise, n_j is put into the table OPEN.
In the above algorithm, the table OPEN is used to store nodes still to be expanded, and the table CLOSE is used to store nodes already expanded. In the process of constructing G(P), successor nodes are generated on the basis of causality and the temporal constraint (temporal consistency) between anomalous behaviors and anomalous omens. The graph is assumed to be acyclic with a finite number of nodes. Complete or partial nodes can be obtained through successor expansion ( , ) 1 Based on Theorems 3.1 and 3. ) ii I AD for short. At the beginning of the algorithm, it is
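As an added illustration, not code from the paper, the following Python runs the search of Section B on a constructed toy instance: a behaviour a_i may explain datum d_j only if R relates them and the trapezoid occurrence time of a_i shifted by DEL(i, j) meets the observed time of d_j with an intersection height of at least MOCT, and the hypothesis graph is then expanded breadth-first with OPEN and CLOSE tables. The height-of-intersection consistency test, the INSERT pruning rule and the instance data are my assumptions, since the paper's own formulas and its Figure 2 instance are not recoverable from this page.

```python
from collections import deque
# Constructed toy instance (not the paper's Figure 2 example): three behaviours, three data.
R = {"a1": {"d1", "d2"}, "a2": {"d2", "d3"}, "a3": {"d1", "d3"}}   # causal relation behaviour -> data
I_A = {"a1": (0, 1, 2, 3), "a2": (4, 5, 6, 7), "a3": (0, 1, 2, 3)}  # behaviour occurrence times (T.F.N)
I_D = {"d1": (1, 2, 3, 4), "d2": (1, 2, 3, 4), "d3": (5, 6, 7, 8)}  # observed data times (T.F.N)
DEL = {(a, d): (0, 1, 1, 2) for a in R for d in R[a]}               # fuzzy delay DEL(i, j), equal here
D_PLUS, MOCT = {"d1", "d2", "d3"}, 0.5                               # known anomalous data, threshold

def fuzzy_add(A, B):  # sum of two trapezoid fuzzy numbers (t1, t2, t3, t4), knot by knot
    return tuple(x + y for x, y in zip(A, B))

def height(A, B):
    """Height (sup of min membership) of the intersection of two trapezoids."""
    (a1, a2, a3, a4), (b1, b2, b3, b4) = A, B
    if a2 <= b3 and b2 <= a3:                  # cores overlap: intersection is normal
        return 1.0
    if a3 < b2:                                # A lies left of B
        lhi, llo, rlo, rhi = a3, a4, b1, b2
    else:                                      # B lies left of A
        lhi, llo, rlo, rhi = b3, b4, a1, a2
    if llo <= rlo:                             # supports do not meet
        return 0.0
    wl, wr = llo - lhi, rhi - rlo              # widths of the two sloping edges
    t = (wr * llo + wl * rlo) / (wl + wr)      # point where the two edges cross
    return (t - rlo) / wr if wr else (llo - t) / wl

def solve_tgsc(R, DEL, I_A, I_D, D_plus, moct):
    """Breadth-first hypothesis-graph search with OPEN/CLOSE tables and INSERT pruning."""
    # Assumed consistency test: a may explain d only if a's time shifted by DEL meets d's time >= moct
    expl = {a: {d for d in R[a] if d in D_plus
                and height(fuzzy_add(I_A[a], DEL[(a, d)]), I_D[d]) >= moct} for a in R}
    OPEN, CLOSE, ends = deque([(frozenset(), frozenset(D_plus), frozenset())]), [], []
    while OPEN:                                 # node = (behaviours, unexplained data, uncoverable data)
        S, U, N = OPEN.popleft()
        CLOSE.append((S, U, N))
        if not U:                               # end node: complete if N is empty, else partial
            ends.append((S, N))
            continue
        d = min(U)
        cands = [a for a in R if d in expl[a] and a not in S]
        if not cands:                           # d has no consistent cause: partial branch
            OPEN.append((S, U - {d}, N | {d}))
        for a in cands:
            S2, U2 = S | {a}, U - expl[a]
            # INSERT pruning (assumed rule): drop a hypothesis containing one already generated that explains no less
            if any(T <= S2 and UT <= U2 for T, UT, _ in [*CLOSE, *OPEN]):
                continue
            OPEN.append((S2, U2, N))
    best = min((len(S) for S, N in ends if not N), default=None)
    return [S for S, N in ends if not N and len(S) == best], [(S, N) for S, N in ends if N]
```

On this instance R alone would let a2 explain d2 and a3 explain d3, but both pairs fail the temporal test, so the only minimal complete explanation is {a1, a2}; removing a2 leaves d3 uncoverable and the search ends in a partial explanation.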

V. CONCLUSION
The solution for network anomaly detection in this paper is a further development of literature [5, 6]. It is essentially a breadth-first search method, so the search cost remains high, especially for a large amount of data, even though the method presented here prunes by using temporal consistency in the SUB and INSERT steps in order to reduce the number of nodes. One possible way to resolve this conflict is to convert the method into a depth-first search by introducing a node evaluation function, as in literature [7, 8, 9]. But in the NTGSBC model the node evaluation function must reflect causality and the temporal constraint between anomalous behavior and data at the same time, which is more complex than the pure probabilistic causality of literature [2, 3]. How to find an appropriate node evaluation function for the NTGSBC model remains to be studied. The other possible solution is problem decomposition. For example, when modeling the total behavior detection system of a large website, we would divide the total detection process into many subsystems according to the structure and function of the website system, define the causality among the subsystems, and define each subsystem itself by the NTGSBC model. The anomaly behavior detection process is then separated into inner inference within each NTGSBC monitoring subsystem and anomaly causality among subsystems. The advantages of this method are: (1) the detection scale of each subsystem obtained after decomposition is smaller, which suits NTGSBC modeling and problem solving; (2) through problem decomposition and definition of the diffusion causality among subsystems, a multi-layered causality model of the total monitoring target is built up on top of the two-layer causality from anomalous behavior to data, and a multi-layered causality model is better suited to describing the detection target and solving the problem.
Temporal consistency set covering is defined in this paper, and based on this definition we described the basic framework of NTGSBC and its problem-solving method. Introducing fuzzy temporal information into the NTGSBC model makes the generalized inference detection model and method better suited to practical problems in other fields. Certainly, more detailed studies should be continued in the future.
(3) As Co-ps is a Co-exp(P) of the problem P, according to Definition 2.4, a fault set is as follows: Resembling the proof of expression (A.2) in step (2), a proof by mathematical induction is adopted. So the set of anomalous behavior explanations Co-exp(P) is as follows: According to the conclusions of steps (1) and (2) and Definition 2.5, Pa-ps is a partial explanation of the problem P, so Theorem 3.2 is established.
I can be reduced to a network fuzzy time point (F.T.P), which becomes a triangular fuzzy number (T.F.N). When l = h = 0, I reduces to a crisp time. F.T.I and F.T.P are shown in Figure 1.

Figure 1. F.T.I and F.T.P
The fuzzy difference between two T.F.N reflects a kind of fuzzy temporal relation in the real network, and it exists

(4)
B. Detection model for Anomalous Behavior
Definition 2.2. A discriminant model of network anomaly behavior is a relation mapping inversion space of data-behavior with fuzzy temporal information; the formal representation can be shown as a non-empty finite set of anomalous behaviors;

Suppose a path in the hypothesis graph G(P) from an initial node n_0 ( , , ) The proof of the above two theorems is shown in the appendix.

If only partial end nodes exist in G(P), then the partial explanation Pa-exp(P) of the target P can be obtained. A minimum in 2^|S| is then taken as a partial solution Pa-exp(P) of the target P, where S is the set of non-covered anomaly omens. The procedure is as follows:
(1) Algorithm Solve-TGSC(A, D, R, DEL, D , MOCT)

after a finite number of steps (no more than |D|), so termination of the algorithm is obvious.
IV. INSTANCE ANALYSIS
A discriminant target of network behaviors

Figure 2. Hypothesis graph of discriminant target P

n_1 ... n_3 on the basis of n_0, then put them into table OPEN. In the same way, based on a_3, the sub-set can be constructed

m_3 in n_1; according to the INSERT principle in step (ii), the node n_9 can be abandoned, i.e. pruned. By the INSERT principle, n_10 and n_12 are treated in the same way. The corresponding complete solution of paths n_0 does not explain. The occurrence time of each known omen and the corresponding anomalous behavior is shown in Figure 1.

(1) It is similar to step (1) in Theorem 3.1: there exists ( , ( ))
(2) For the set Pa-ps, resembling the proof of step (2) in Theorem 3.1, it can be obtained
(3) Resembling the proof of step (3) in Theorem 3.1, for Pa-ps, Then combining with expressions (B.1) and (B.2)
covering of the whole known anomalous data set. A node in G(P) is divided into three types: 1) Complete end node: for the node, until the expansion node is translated into non-expandable complete nodes or partial nodes. The following two theorems point out the corresponding relationship in G(P) between a path and discriminant targets.
When G(P) is constructed, it begins from an initial node n_0 ( , , ) D , then continually expands nodes and generates their successors. is abandoned, and the table OPEN is not changed. is removed from the table OPEN and put into the table CLOSE; meanwhile n_j is put into the table OPEN.
If n_j is a complete or partial end node, n_j is put into the table OPEN directly. Otherwise n_j is a non-end node and is treated by the following steps: (ii) If there exists in the tables OPEN and CLOSE such that n