LR-HIDS: logistic regression host-based intrusion detection system for cloud environments

Abstract

Cloud computing is an Internet based computing environment, where storage and computing resources are assigned dynamically among users according to their needs, using the virtualization technology. Virtualization is an underlying infrastructure of cloud computing, and has led to certain security problems during the development of cloud computing. One essential but formidable task in cloud computing is to detect malicious attacks and their types. Due to increasing incidents of cyber-attacks, design and implementation of effective intrusion detection systems to protect the security of information systems is crucial. In this paper, a host-based intrusion detection system (H-IDS) for protecting virtual machines in the cloud environment is proposed. To this end, first, important features of each class are selected using logistic regression and next, these values are improved using the regularization technique. Then, various attacks are classified using a combination of three different classifiers: neural network, decision tree and linear discriminate analysis with the bagging algorithm for each class. The proposed model has been trained and tested using the NSL-KDD data set with an implementation in the Cloudsim software. Simulation results compared to other methods shows acceptable accuracy of about 97.51 for detecting attacks against normal states.

Appendices

Appendix 1

To prove the convexity of the cost function of logistic regression, we need to first define the following preliminaries (Precup 2018):

A function f:R^d→R is convex if for all a, b ∈ R^d, λ ∈ [0, 1]:

$${\text{f}}\left( {\lambda {\text{a}}+\left( {{\text{1}} - \lambda } \right){\text{b}}} \right) \leq \lambda {\text{f}}\left( {\text{a}} \right)+\left( {{\text{1}} - \lambda } \right){\text{f}}\left( {\text{b}} \right)$$

If f and g are convex functions, αf + βg is also convex for any real numbers α and β.

In terms of convexity characterization, there are two types of convexity:

• First-order characterization:

F is convex ⇔ for all a, b: f(a) ≥ f(b) + ∇f(b)^T(a − b)

(the function is globally above the tangent at b).

• Second-order characterization:

F is convex ⇔ the Hessian of f is positive semi-definite.

The Hessian contains the second-order derivatives of f: H_i,j = ∂²f/∂x_i∂x_j.

It is positive semi-definite if a^THa ≥ 0 for all a ∈ R^d.

According to these definitions we can now prove the convexity of the cost function. The cost function of logistic regression is:

$${\text{J}}\left( {\text{w}} \right)= - \left( {{\sum _{{\text{i}}={\text{1}}}}^{{\text{m}}}{{\text{y}}_{\text{i}}}{\text{log }}\sigma \left( {{{\text{w}}^{\text{T}}}{{\text{x}}_{\text{i}}}} \right)+\left( {{\text{1}} - {{\text{y}}_{\text{i}}}} \right){\text{ log}}\left( {{\text{1}} - \sigma \left( {{{\text{w}}^{\text{T}}}{{\text{x}}_{\text{i}}}} \right)} \right)} \right)$$

where σ(z) = 1/(1 + e^− z) (check that σ′(z) = σ(z)(1 − σ(z))).

We show that –log σ(w^Tx) and − log(1 − σ(w^Tx)) are convex in w:

$$\begin{aligned} \nabla {\text{w}}\left( { - {\text{log }}\sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right)} \right) & ~= - \nabla {\text{w}}\left( {\sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right)} \right)/\sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right)~~~ \\ ~~ & = - \sigma \prime \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right)\nabla {\text{w}}\left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right)/\sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right)~~~ \\ ~~ & =\left( {\sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right) - {\text{1}}} \right){\text{x}} \\ {\nabla ^{\text{2}}}_{{\text{w}}}\left( { - {\text{log }}\sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right)} \right)~\, & ={\nabla _{\text{w}}}\left( {\sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right){\text{x}}} \right)~~~~ \\ ~ & =\sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right)\left( {{\text{1}} - \sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right)} \right){\text{x}}{{\text{x}}^{\text{T}}} \\ \end{aligned}$$

⇒ It is easy to check that this matrix is positive semi-definite for any x.

Similarly you can show that:

$$\begin{aligned} {\nabla _{\text{w}}}\left( { - {\text{log}}\left( {{\text{1}} - \sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right)} \right)} \right) & =\sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right){\text{x}} \\ {\nabla ^{\text{2}}}_{{\text{w}}}\left( { - {\text{log}}\left( {{\text{1}} - \sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right)} \right)} \right) & =\sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right)\left( {{\text{1}} - \sigma \left( {{{\text{w}}^{\text{T}}}{\text{x}}} \right)} \right){\text{x}}{{\text{x}}^{\text{T}}} \\ \end{aligned}$$

⇒ J(w) is convex in w.

⇒ The gradient of J is X^T(ˆy − y) where ˆy_i = σ(w^Tx_i) = h(x_i).

⇒ The Hessian of J is X^TRX where R is diagonal with entries R_i,i = h(x_i)(1 − h(x_i)).

Appendix 2

Diagrams of the Gaussian normal function of all 41 features of the NSL-KDD data set.