CS6262 Lecture 16 - Machine Learning for Security

What is the primary goal of applying machine learning to intrusion detection?

To automatically and quickly identify new attacks and stop bad behavior early

Which type of analytics models normal network behavior and identifies deviations?

Anomaly detection

Which analytics approach combines misuse and anomaly detection?

Hybrid detection

Which type of analytics detects known attacks using signatures?

Misuse detection

Which type of analytics is capable of detecting zero-day attacks?

Anomaly detection

What is the main objective of machine learning given training examples?

To learn a function that can predict outputs from inputs

What occurs during the training phase of machine learning?

The algorithm learns a function by minimizing prediction error using labeled examples

What happens during the testing phase of machine learning?

The learned function is applied to new, unseen data to predict output values

Why should data used in machine learning be drawn from real-world applications?

To ensure that training and test data reflect realistic conditions

How is real-world data typically prepared for machine learning?

It is randomly split into training and test datasets

What is used as input for learning a predictive function in supervised machine learning?

Feature vectors with associated labels

What is a feature vector in the context of object recognition?

A numerical representation of an object based on extracted characteristics

What is the purpose of labeling feature vectors during training?

To provide correct outputs for learning the predictive function

What determines which features are useful in a machine learning model?

Features depend on the specific application being analyzed

What is the most important property of a good machine learning model?

The ability to generalize from training data to unseen test data

What does generalization mean in machine learning?

Correctly predicting outputs for new examples not seen during training

Which type of machine learning finds patterns or structure in unlabeled data?

Unsupervised learning

Which type of machine learning uses labeled data to learn a model that maps inputs to outputs?

Supervised learning

Which type of machine learning uses datasets where only some examples are labeled?

Semi-supervised learning

What is error rate in machine learning performance metrics?

The fraction of false predictions

What is accuracy in machine learning performance metrics?

The fraction of correct predictions

What is precision in machine learning metrics?

The fraction of correct positive predictions among all predicted positives

What is recall in machine learning metrics?

The fraction of correct positive predictions among all actual positives

Can precision and recall be used beyond binary classification?

Yes, they can be generalized to multi-class applications

What type of problems involve training datasets with attributes and class labels?

Classification problems

What is the goal of a machine learning classification model?

To output a class label based on a set of input attributes or features

How is a decision tree constructed in the training process?

By repeatedly partitioning data until each partition contains examples from only one class

What alternative perspective can a decision tree be viewed as?

A set of rules describing the decision logic

What is the first step in building a decision tree?

Find the best attribute to use as the root

What metrics are used to determine which attribute best partitions a dataset into subsets?

Entropy and information gain

What does entropy measure in the context of decision trees?

The purity of examples in a dataset based on class label distribution

When is entropy at its maximum?

When examples are evenly distributed among different classes

When is entropy at its minimum?

When all examples in a dataset belong to a single class

What does high information gain for an attribute indicate?

The attribute produces purer subsets when partitioning the dataset

What is the purpose of information gain in decision tree construction?

To evaluate how well an attribute separates samples according to their classifications

What does clustering do with training examples?

Assigns them into different clusters based on a distance measure

What is commonly used to measure similarity between examples in clustering?

A distance function

What is typically predetermined before beginning clustering?

The number of clusters

How is cluster membership determined?

By assigning samples to the cluster with the closest centroid

When does the clustering process stop?

When clusters converge and membership no longer changes

For detecting botnet command-and-control using supervised learning, what type of data is needed?

Labeled data with known C&C communication examples

What makes classifiers effective in machine learning security applications?

Smart features that capture domain knowledge

How can intrusion detection be viewed in machine learning terms?

As a classification problem distinguishing normal traffic from attack traffic

What is the goal when applying machine learning to intrusion detection?

To partition mixed traffic into pure-class subsets such as normal or specific attack types

What type of features are useful when partitioning traffic for intrusion detection?

Features with high information gain

What does raw network data need to be summarized into for machine learning processing?

Connection records

What types of attributes are typically included in a connection record?

Timestamp, duration, source IP, destination IP, bytes, service, and flag

What does the connection flag SF indicate?

That the connection completed both SYN and FIN

What does the connection flag REJ indicate?

That the connection request was rejected

What is one method for constructing useful intrusion detection features?

Using temporal and statistical patterns associated with attacks

What is an example of a temporal/statistical pattern useful for detecting intrusions?

Many S0 connections to the same service or host in a short time period

What is the first step in the high-level process of building intrusion detection models from network data?

Collect raw audit data such as packets

After capturing raw data, what is the next step in preparing it for machine learning?

Summarize data into connection records

What do we search for in connection records to help build intrusion detection features?

Frequent patterns

How do we identify unique intrusion-related behaviors from discovered patterns?

Compare frequent patterns to determine those associated specifically with intrusions

What do we construct after identifying unique intrusion-related patterns?

Features used to train classification models

How is the machine learning feature construction and improvement process described?

Iterative, with each step repeated to improve performance

What approach is used to discover patterns within the data?

Data mining algorithms

What is the purpose of association rule mining in this context?

To find associations among features, such as many S0 HTTP connections

Why may basic association rule and frequent episode algorithms produce useless patterns?

They can include irrelevant attributes not useful for intrusion detection

What modification is applied to basic pattern-finding algorithms for intrusion detection?

Restricting results to patterns involving essential or reference attributes

What is an axis attribute in the context of intrusion detection pattern mining?

The most important attribute, such as the service, that must appear in any association

Why is the axis attribute required in computed associations?

To eliminate patterns that involve only non-essential attributes

After computing associations involving axis attributes, what is the next step?

Compute sequential patterns involving the associations

What is the purpose of constructing features from intrusion-specific patterns?

To build classifiers that detect intrusions

Why is dataset selection challenging in intrusion detection?

Because there is no perfect way to label data and thus no perfect IDS dataset

What evaluation dataset is used to assess the intrusion detection approach?

The DARPA evaluation dataset

How many attack types are included in the DARPA dataset used for evaluation?

38 attack types

What are the four categories of attack types in the DARPA dataset?

Denial-of-Service, probing, remote-to-local, and user-to-root