Network Forensics: Application of Fuzzy TOPSIS Method for Rating Network Intrusion Evidence to Prioritize Investigation

Authors:
  • Edo State University Iyamho

Procedia Computer Science 00 (2015) 1–14, www.elsevier.com/locate/procedia
Network Forensics: Application of Fuzzy TOPSIS Method for Rating Network Intrusion Evidence to Prioritize Investigation
Omaji Samuel, Abid Khan, Amir Hayat, Akogwu Blessing Omojo (a)
COMSATS Institute of Information Technology, Islamabad
(a) Sheda Science and Technology (SHESTCO), Kwali, Abuja, Nigeria
Abstract
Network forensics has emerged as an important set of procedures for collecting, analyzing, reporting and documenting critical situations that require real-time investigation of network attacks and evidence acquisition for decision-making processes. Investigating network attacks is a challenging contemporary issue: a large number of network attacks have been identified against numerous security tools and techniques in recent times. Finding the best option among feasible alternative network attacks, and rating and prioritizing them for further investigation, remains a fundamental issue for network forensics investigators. Prioritizing network attacks and selecting risks can be treated as a multiple criteria decision making (MCDM) problem. This paper proposes the technique for order preference by similarity to ideal solution (TOPSIS) method in a fuzzy environment for network forensics to address this MCDM problem. A set of predefined parameterized triangular fuzzy linguistic terms is used to evaluate the weights of the criteria and the ratings of each alternative network attack. With this, the alternative network attacks can be prioritized according to the decision makers' (DMs') preferences. An experimental example is presented to assess the computational efficiency and feasibility of the proposed fuzzy TOPSIS method. To establish the trustworthiness of the prioritized network attacks, we combine attack alternatives through the degree of belief derived from independent elements of attack evidence using Dempster–Shafer theory.
© 2015 Published by Elsevier Ltd.
Keywords: Network forensics, Multi-criteria decision making, Intrusion evidence, TOPSIS, Dempster–Shafer theory.
1. Introduction
Network security is becoming prominent in modern societies with the emergence of the internet as the major means of communication, information sharing and online transactions. As a result of this success, threats are increasing daily, requiring urgent responses with advanced security solutions that traditional tools do not provide. Investigating such threats is an ambitious task [7], since attackers' knowledge of the network is increasingly crafty. To handle this we need network forensics, which aims to introduce a capability that the investigator must have in the current network. It also refers to the investigative processes by which network data and events are analyzed for the purpose of holding the attacker responsible for his/her actions [7]. Network forensics is vitally important for digging into attacks and intrusions from inside and outside the network, to ascertain the existence of a threat and to remediate the system [2].
Corresponding email address: abidkhan@comsats.edu.pk
Capturing network traffic is easy in theory but relatively difficult in practice, because of the huge volume of data that flows through the network and the complex nature of the protocols involved. Archiving network traffic requires a lot of resources, and it is often tedious to archive every datum that flows through the network. An investigator needs to back up these records to free space on the recording media and to preserve the data for further analysis [2].
Forensics investigators must locate and retrieve evidence across many distinct events and packets (traffic), so they need to prioritize the evidence and establish which items pose the greatest risk. Otherwise, with many investigations each being scored on a different scale, how can a forensics investigator convert this volume of evidence into affordable grounds for legal action? We need a common framework to standardize evidence scores and to prioritize risk, so that the scores represent the actual risk [2].
Obviously, no universal evidence score exists, since the severity of a risk depends on human judgment and on jurisdiction (what seems high depends on who is carrying out the investigation). Microsoft provides a threat risk modeling technique known as DREAD, a classification scheme for comparing, valuing and prioritizing the risks derived from each computed threat. The risk rating used here is influenced by DREAD modeling [4, 5], which is also used to sort the evaluated risks directly. To compute the risk value, the DREAD algorithm takes the average of the five categories:

$$\beta = \text{Damage} + \text{Reproducibility} + \text{Exploitability} + \text{Affected users} + \text{Discoverability}$$

$$\text{Risk} = \frac{\beta}{5}$$

Each category is scored from 0 to 10, so the calculated risk also falls between 0 and 10; the higher the value, the more critical the risk [3, 5].
Several automated tools exist for analyzing, reporting and discovering network attacks. However, they do not take into account the risk assessment preferences of the investigator, nor do they prioritize the risks for further evaluation and investigation. In this article, we extend the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) method, which can reduce the computational complexity of the decision making process.
The remainder of this paper is structured as follows. Section 2 reviews the related literature on network forensics and MCDM problems. Section 3 gives preliminaries, an overview of fuzzy set theory and a description of the problem. Section 4 presents the fuzzy TOPSIS method and provides a working example to clarify its application to the problem of prioritizing network attack risk. We evaluate our method with the Dempster–Shafer theory in Section 5. Section 6 presents the conclusion and discussion of the work with concluding remarks.
2. Literature review
The literature is reviewed from the perspective of network forensics and from that of the application of MCDM methods.
2.1. Literature review based on network forensics
Network forensics has emerged from the larger domain of computer forensics. Computer forensics is the legal procedure used to catch and prosecute perpetrators of digital crimes; it can also be seen as a well-defined investigative procedure for the collection and preservation of evidence that must be strictly adhered to in a consistent manner [7]. Computer forensics is widely regarded as a new area of study, since in the past intruders had little knowledge of the network environment. Inquiring into and explaining the cause of events that surface on a computer requires the use of computer forensics techniques.
The term network forensics was introduced by the computer security expert Marcus Ranum in the early 1990s. He described it in [8] as a forensic method for analyzing packet traces and network connectivity graphs.
Network forensics examinations face innumerable challenges, from inconclusive evidence to internal politics to questions of which evidence is worthy of admission. To meet these challenges, investigators must carefully assess each examination and develop an attainable strategy that takes into account both the examination goals and the available resources [10].
Network forensics systems are classified into various types based on their characteristics. This classification is vital for identifying the requirements, together with assumptions about the context of the data that are to be analyzed for network forensics evidence. The classification covers, firstly, the purpose: analyzing network traffic to discover the intruder's pattern in a form that will be admissible in court. Secondly, packet capture, which entails a "catch-it-as-you-can" approach [9] that captures and stores all packets passing through a particular node; by contrast, the "stop, look and listen" approach mainly analyzes packets in memory as they pass and stores only some of them, so it can give only scarce or limited information about the packets. Thirdly, the platform: a network forensics system may be a hardware appliance or a software system installed on the victim device to analyze and store the captured packets. Fourthly, the timing of network traffic analysis, which involves real-time network surveillance and is mostly used by commercial network forensics systems. Lastly, network-flow-based systems, which collect flow records from a data source in order to perform statistical analysis of the network traffic as it passes through a capture platform.
Analysis of the collected data is the most crucial and time-demanding task. Although there are numerous automated analysis tools that an investigator can lay hands on for forensic purposes, they are insufficient, since there is no infallible way of actually differentiating bogus network traffic generated by intruders from legitimate or genuine traffic. Human judgment is also indispensable, because real-time traffic analysis tools always leave room for false positives. An investigator carries out network forensics to determine the kind of attack mounted over the network and to trace the culprits. Proper procedures are followed so that evidence recorded during the investigation can be used in a court of law. Network forensics can reveal how an intruder got into the network, the route of the intrusion and the techniques used, and it can trace the evidence. Network forensics cannot solve the case alone; it requires skills, tools and good human judgment. The investigator cannot simply link a suspect to an attack: he should be able to differentiate between false positives and false negatives, and must be able to justify his claim that the intrusion was carried out by the said intruder. The phrase network forensics has been used in a variety of ways without a formal definition. However, it generally refers to the investigation of data collected from active network devices, such as firewall logs, network traffic and intrusion detection system (IDS) logs, which is essential for investigating a security breach such as a system compromise [6].
In the literature, network forensics is not a protection scheme or an access control policy, and it is not thought of as a substitute for firewalls and IDS. Rather, it is a process of aggregating evidence, exploring tools and techniques, and applying human effort for the sake of examination. Generally, network forensics is of great interest and importance to law enforcement agencies, because they need it to investigate network-related crime [6]. In ordinary applications, network forensics is necessary for investigating anomalous activities and ensuring service availability; for example, its findings are used to refine the filter rules of firewalls and to update the intrusion signatures of IDS systems.
2.2. Literature review on MCDM problems
Decision making is the process of deriving the most important scale of preference among feasible alternatives. Multiple attribute decision making (MADM) is usually used to handle decision and selection problems, since human judgments involving preferences are ambiguous and cannot be expressed with exact numeric values. The application of fuzzy concepts in decision making is therefore deemed necessary. We make use of TOPSIS over fuzzy variables and their values, with the introduction of an appropriate negation for deriving the ideal solution. We also apply a new measure of fuzzy distance with a lower bound per alternative, and the resulting similarity degree is used to rank the alternatives.
A survey of multi criteria decision making (MCDM) has been presented by Hwang and Yoon [11], including the technique for order of preference by similarity to ideal solution (TOPSIS), one of the well-known classical MCDM methods. It is based on the notion of choosing the alternative that is closest to the Positive Ideal Solution (PIS), which maximizes the benefit criteria and minimizes the cost criteria, and farthest from the Negative Ideal Solution (NIS), which maximizes the cost criteria and minimizes the benefit criteria.
In classical MCDM methods, including TOPSIS, the rating and weight of each criterion are precisely known. There are numerous applications of fuzzy TOPSIS in the literature. For example, Chang et al. [12] developed a fuzzy TOPSIS model to choose the optimal initial training aircraft for the Taiwan air force academy. Golam et al. [19] exploit MCDM approaches for the evaluation of travel website service quality (TWSQ). Others include: evaluation of service quality [12], inter-company comparison [13], application in aggregate production planning [14], facility location selection [15], large-scale non-linear programming [16], quality of service (QoS) selection for web services [20], and evaluation of the performance of bunkering ports on regular linear routes in order to choose the optimal ones [21].
Satar et al. [22] propose an assessment of the risks associated with human health in order to manage control measures and support decision making that provides the right balance between different concerns such as safety and cost. Dewangan et al. [23] evaluate the study and sensitivity analysis of surface integrity and dimensional accuracy in electrical discharge machining (EDM). Ksenija et al. [24] evaluate and facilitate the assessment of the financial performance of Serbian banks. Devika et al. [25] evaluate the selection of green suppliers based on GSCM practices for a Brazilian electronics company. Roszkowska et al. [26] analyze the application of the fuzzy TOPSIS method to support the process of building a scoring system for negotiation offers in ill-structured negotiations. Yeonjoo et al. [27] develop a new framework that prioritizes the best sites for treated wastewater (TWW). Gyumin et al. [28] aim to improve general flood vulnerability assessment using fuzzy TOPSIS based on α-cut level sets, which can reduce the uncertainty in every fuzzy MCDM process. Chunguang et al. [29] evaluate the performance of organizations, covering both strategic and performance aspects as well as financial and other losses. Şengül et al. [30] aim at developing an MCDM support framework for ranking renewable energy supply systems in Turkey. Osman et al. [31] evaluate construction projects and their overall risks under incomplete and uncertain situations. Tabassam et al. [32] propose a method to aggregate the opinions of several decision makers in robot selection using generalized interval-valued fuzzy numbers with TOPSIS. Xiaolu and Zeshui [33] develop a soft computing technique based on maximizing consensus and fuzzy TOPSIS in order to solve interval-valued intuitionistic fuzzy MAGDM problems from these two aspects of the decision data. Finally, Xiuzhi et al. [34] develop an analytical solution to fuzzy TOPSIS and apply it to personnel selection in a knowledge-intensive enterprise.
2.3. Research gap
Based on the literature review, all these applications exist in other domains, but no known application of the fuzzy TOPSIS method exists in network forensics for evaluating and prioritizing the risk assessment of network attacks. In this research, we employ the fuzzy extension of the TOPSIS method of Hwang and Yoon [11] to evaluate forensics investigations for the network attack risk selection problem. Since a single method is not sufficient to provide an accurate decision, we address this by introducing the Dempster–Shafer theory to combine the attack alternatives through the degree of belief obtained from independent items of attack evidence.
3. Preliminaries
Investigating and evaluating intrusion evidence is a selection process that requires the forensics examiner to reach the right judgment at the right time. Owing to the imprecision of the decision data, crisp data are insufficient for real-life situations, since human judgments involving preferences are often unclear and cannot be evaluated with exact numerical values. The application of fuzzy concepts in decision making is therefore feasible. On the other hand, it is a hard problem, since the decision of prioritizing the risk of network attacks and determining the best preference is itself imprecise.
3.1. Overview of fuzzy set theory
A comprehensive introduction to fuzzy set theory and its applications is found in [35, 36]. The definitions of fuzzy concepts that provide a clearer understanding of TOPSIS have been chosen from these sources. We present these definitions as follows:
Definition 1. A fuzzy set $\tilde a$ in a universe of discourse $X$ is characterized by a membership function $\mu_{\tilde a}(x)$ that maps each element $x$ in $X$ to a real number in the interval $[0, 1]$. The function value $\mu_{\tilde a}(x)$ is termed the grade of membership of $x$ in $\tilde a$. The nearer the value of $\mu_{\tilde a}(x)$ to unity, the higher the grade of membership of $x$ in $\tilde a$ [35].
Definition 2. A triangular fuzzy number is presented as a triplet $\tilde a = (a_1, a_2, a_3)$. The membership function $\mu_{\tilde a}(x)$ of the triangular fuzzy number $\tilde a$ is given as [35]:

$$\mu_{\tilde a}(x) = \begin{cases} \dfrac{x - a_1}{a_2 - a_1}, & \text{if } a_1 \le x \le a_2; \\[6pt] \dfrac{a_3 - x}{a_3 - a_2}, & \text{if } a_2 \le x \le a_3; \\[6pt] 0, & \text{otherwise.} \end{cases} \qquad (1)$$

where $a_1, a_2, a_3$ are real numbers and $a_1 \le a_2 \le a_3$. The value $x = a_2$ gives the maximum grade of $\mu_{\tilde a}(x)$, namely $\mu_{\tilde a}(a_2) = 1$; it is the most probable value of the evaluation data. The values $x = a_1$ and $x = a_3$ give the minimal grade, $\mu_{\tilde a}(x) = 0$; $a_1$ is the smallest probable value of the evaluation data. The constants $a_1$ and $a_3$ are the boundaries of the support of the evaluation data, and they reflect its fuzziness: the narrower the interval $[a_1, a_3]$, the lower the fuzziness of the evaluation [36].
A. The distance between triangular fuzzy numbers.
Let $\tilde a = (a_1, a_2, a_3)$ and $\tilde b = (b_1, b_2, b_3)$ be two triangular fuzzy numbers. The distance between them can be calculated as:

$$d(\tilde a, \tilde b) = \sqrt{\frac{1}{3}\left[(a_1 - b_1)^2 + (a_2 - b_2)^2 + (a_3 - b_3)^2\right]} \qquad (2)$$
B. Linguistic variables.
A linguistic variable is a variable whose values are expressed in linguistic terms, each of which is represented by a fuzzy number in triangular form.
In fuzzy set theory, conversion scales are applied to transform the linguistic terms into fuzzy numbers. In this article we apply a scale of 0-10 for rating the criteria and the alternatives; the linguistic variable ratings for the criteria and the alternatives are given in Tables 2 and 3 below.
The triangular fuzzy numbers that we have selected for the linguistic variables take their fuzziness into account, and Equation (2) above defines the distance among them. The intervals are selected so as to give a uniform representation from 0 to 10 for the triangular fuzzy numbers used for the linguistic ratings. For instance, we use 0.0-3.9 to represent Low, 4.0-6.9 Medium and 7.0-10.0 High. The rating need not begin at 0; it might well start from 5, and the normalization step takes care of such a shift of the rating scale. The accepted practice in the literature is to begin the rating scale from 1.
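As an added example (not code from the paper), the following Python puts Definition 2, Equation (2) and the Table 2 scale into working form: the triangular membership function, the distance between two triangular fuzzy numbers, and a mapping from a crisp 0-10 score (such as a CVSS base score, Table 1) to the linguistic term it belongs to. The `aggregate` helper, which averages the decision makers' triangular ratings component-wise, is the usual fuzzy TOPSIS aggregation and is an assumption: the paper does not show how its Table 5 is derived from Table 4.

```python
"""Triangular fuzzy numbers for the linguistic scale of Section 3.1 (added example)."""
import math

# Table 2: linguistic ratings on the 0-10 scale, as (a1, a2, a3)
RATING_TERMS = {"L": (0.0, 1.8, 3.9), "M": (4.0, 5.5, 6.9), "H": (7.0, 8.5, 10.0)}
# Table 3: linguistic importance weights on the 0-1 scale
WEIGHT_TERMS = {"L": (0.0, 0.18, 0.39), "M": (0.40, 0.55, 0.69), "H": (0.70, 0.85, 1.0)}


def membership(tfn, x):
    """Eq. (1): grade of membership of x in the triangular fuzzy number (a1, a2, a3)."""
    a1, a2, a3 = tfn
    if not a1 <= a2 <= a3:
        raise ValueError("a triangular fuzzy number needs a1 <= a2 <= a3")
    if a1 <= x <= a2:
        return 1.0 if a2 == a1 else (x - a1) / (a2 - a1)
    if a2 < x <= a3:
        return (a3 - x) / (a3 - a2)
    return 0.0


def distance(a, b):
    """Eq. (2): vertex distance between two triangular fuzzy numbers."""
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)) / 3)


def linguistic_term(score, terms=RATING_TERMS):
    """Map a crisp score to the term whose support [a1, a3] contains it (highest
    membership wins if several do). The NVD bands of Table 1 leave gaps such as
    (3.9, 4.0) that a one-decimal CVSS score never hits; a score in a gap is
    assigned to the band with the nearest edge."""
    lo = min(t[0] for t in terms.values())
    hi = max(t[2] for t in terms.values())
    if not lo <= score <= hi:
        raise ValueError(f"score {score} lies outside the {lo}-{hi} scale")
    inside = [t for t, (a1, _, a3) in terms.items() if a1 <= score <= a3]
    if inside:
        return max(inside, key=lambda t: membership(terms[t], score))
    return min(terms, key=lambda t: min(abs(score - terms[t][0]), abs(score - terms[t][2])))


def aggregate(labels, terms=RATING_TERMS):
    """Assumed aggregation across decision makers: component-wise mean of their
    triangular ratings (standard fuzzy TOPSIS practice, not the paper's own step)."""
    tfns = [terms[label] for label in labels]
    return tuple(sum(t[k] for t in tfns) / len(tfns) for k in range(3))


if __name__ == "__main__":
    # Row C1/A1 of Table 4: the four DMs rated H, H, H, L
    print("aggregate C1/A1:", aggregate(["H", "H", "H", "L"]))
    print("distance L-H:", round(distance(RATING_TERMS["L"], RATING_TERMS["H"]), 4))
    print("CVSS 7.5 ->", linguistic_term(7.5), "; weight M at 0.55 ->", membership(WEIGHT_TERMS["M"], 0.55))
```

Because the supports of L, M and H do not overlap, `linguistic_term` reproduces the NVD bands of Table 1 exactly at their edges (3.9 is Low, 4.0 is Medium), which is what an examiner reading a CVSS score off an advisory would expect.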
3.2. Description of the Problem
Given $P$ options (alternatives) $A_i$, each of which is evaluated on $m$ criteria $C_j$ with weights $w_j$, the ratings $x_{ij}$ are expressed as positive real numbers. The best option should be selected from the decision matrix:

            C_1     C_2     ...   C_m
weights     w_1     w_2     ...   w_m
A_1         x_11    x_12    ...   x_1m
A_2         x_21    x_22    ...   x_2m
...         ...     ...     ...   ...
A_P         x_P1    x_P2    ...   x_Pm
4. Proposed Fuzzy TOPSIS Method for Network Forensics
1. A panel of decision makers (DMs) is formed to identify the evaluation criteria.
2. Every DM points out the importance level (weight) of each criterion using linguistic variables.
3. The ratings of the alternatives with respect to each criterion are evaluated using linguistic rating variables.
4. A fuzzy multi-criteria group decision making matrix is constructed and reduced to crisp values of the alternatives against the criteria. The crisp value $C_{val}$ of a triple $(x, y, z)$ of triangular fuzzy elements is computed as:
$$C_{val} = \frac{z + 4x + y}{6} \qquad (3)$$
5. The normalized decision matrix is constructed. For the crisp value $f_{ij}$ of alternative $i$ under criterion $j$, the normalized value $N_{ij}$ is computed as:
$$N_{ij} = \frac{f_{ij}}{\sqrt{\sum_{i=1}^{P} f_{ij}^{2}}} \qquad (4)$$
where the sum runs over the $P$ alternatives, i.e. each column is divided by its own Euclidean norm.
6. The weighted normalized decision matrix is constructed. The weighted normalized value $V_{ij}$ is computed as:
$$V_{ij} = w_j \times N_{ij} \qquad (5)$$
7. The Positive Ideal Solution (maximum value on each benefit criterion) and the Negative Ideal Solution (minimum value on each benefit criterion) are determined from the weighted normalized decision matrix. In the equations below, $F_1$ is the set of benefit criteria and $F_2$ the set of cost criteria:
$$P^{+} = \left\{\max_{i} V_{ij} \mid j \in F_1\right\} \cup \left\{\min_{i} V_{ij} \mid j \in F_2\right\} \qquad (6)$$
$$P^{-} = \left\{\min_{i} V_{ij} \mid j \in F_1\right\} \cup \left\{\max_{i} V_{ij} \mid j \in F_2\right\} \qquad (7)$$
Then the Euclidean distance of each alternative from the positive ideal solution and from the negative ideal solution is calculated:
$$\alpha^{+}(x_i) = \sqrt{\sum_{j=1}^{m} \left(V_{ij} - P^{+}_{j}\right)^{2}} \qquad (8)$$
$$\alpha^{-}(x_i) = \sqrt{\sum_{j=1}^{m} \left(V_{ij} - P^{-}_{j}\right)^{2}} \qquad (9)$$
8. The closeness coefficient of each alternative is computed as:
$$RCCR(x_i) = \frac{\alpha^{-}(x_i)}{\alpha^{+}(x_i) + \alpha^{-}(x_i)} \qquad (10)$$
4.1. Working example
Fig. 1. Methodology of the working example
Recently, the Advanced Security Engineering Group (ASERG) lab of the COMSATS Institute of Information Technology, Islamabad conducted a forensics investigation of certain network attacks.
Three attacks are assessed as alternatives here, namely the Distributed Computing Environment Remote Procedure Call (DCERPC) attack, the Microsoft Structured Query Language (MSSQL) attack and the server-side file inclusion (Local File Inclusion (LFI) and Remote File Inclusion (RFI)) attacks. For convenience, let $A = \{A_1, A_2, A_3\}$ be the set of the three alternatives, in which $A_1$ represents the DCERPC attack, and $A_2$ and $A_3$ represent the MSSQL attack and the local and remote file inclusion attacks respectively. A team of four experts was formed; we call them DMs and they are responsible for rating the attacks: $DM = \{d_1, d_2, d_3, d_4\}$. Suppose a network forensics examiner wants to select the best member of the three alternatives $A$. The examiner's decision is based on five main attribute criteria, namely potential damage, reproducibility, exploitability, affected users and discoverability, which are used in this process of rating the attacks. The DMs evaluate the alternatives using a self-designed questionnaire on which exactly one of the linguistic variables L, M or H is marked on each evaluation index, where 0.0-3.9 is Low (L), 4.0-6.9 is Medium (M) and 7.0-10.0 is High (H). Table 1 shows the descriptions of the rating.
A. Description of alternative $A_1$ (DCERPC vulnerability MS08-067, buffer overflow)
This vulnerability could permit remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows Server systems, an attacker without authentication can exploit this vulnerability to run arbitrary code. The vulnerability could be used in a wormable exploit [38].
B. Description of alternative $A_2$ (MSSQL vulnerability OSQL-32)
In our forensics investigation, the attacker sends along with the payload a script that creates a new OSQL job, "cook.exe". Cook.exe is a trojan; it attacks any kind of Windows system and can spread rapidly over the Internet, and it can also encrypt some files on the affected host. It can deceive the victim through scams, and it has the ability to change the victim's settings and provide remote access to the attacker.
C. Description of alternative $A_3$ (RFI and LFI vulnerability)
Remote File Inclusion (RFI) is an attack targeted at the servers that run web sites and their applications. It abuses a function used to include a file which takes its input from the user through an HTTP GET variable, so that the server can be made to include a file from a malicious site. In a local file inclusion vulnerability, the code executed by the attacker is not on a remote server but on the victim server itself.
D. Description of the attribute criteria.
The details of these criteria are listed as follows [5]:
D1. Potential damage ($C_1$): if the threat occurs, how much damage will be caused?
$C_1$ contains the following: $C_{11}$: nothing is done; $C_{12}$: individual user data is compromised or affected; $C_{13}$: complete system or data destruction.
D2. Reproducibility ($C_2$): how easy is it to reproduce this threat?
$C_2$ contains the following: $C_{21}$: very hard or impossible, even for administrators of the application; $C_{22}$: one or two steps are required, and the attacker may need to be an authorized user; $C_{23}$: just a web browser and the address bar are sufficient, without authentication.
D3. Exploitability ($C_3$): what is needed to exploit this threat?
$C_3$ contains the following: $C_{31}$: advanced programming and networking knowledge with custom or advanced attack tools; $C_{32}$: malware exists on the internet or an exploit is easily performed using available attack tools; $C_{33}$: just a web browser.
D4. Affected users ($C_4$): how many users will be affected?
$C_4$ contains the following: $C_{41}$: none; $C_{42}$: some users but not all; $C_{43}$: all users.
D5. Discoverability ($C_5$): how easy is it to discover this threat?
$C_5$ contains the following: $C_{51}$: very hard to impossible, requires source code or administrative access; $C_{52}$: can be figured out by guessing or by monitoring network traces; $C_{53}$: details of faults like this are already in the public domain and can be easily discovered using a search engine; $C_{54}$: the information is visible in the web browser address bar or in a form.
The attributes $C_1$, $C_3$ and $C_4$ are benefit-type attributes, while $C_2$ and $C_5$ are cost-type attributes.
Linguistic variable   Definition
High                  A vulnerability is labelled "High" severity if it has a CVSS base score of 7.0-10.0.
Medium                A vulnerability is labelled "Medium" severity if it has a CVSS base score of 4.0-6.9.
Low                   A vulnerability is labelled "Low" severity if it has a CVSS base score of 0.0-3.9.
Table 1. Vulnerability Rating System of NVD [37]

Linguistic expression   Fuzzy number
Low (L)                 (0.0, 1.8, 3.9)
Medium (M)              (4.0, 5.5, 6.9)
High (H)                (7.0, 8.5, 10.0)
Table 2. Linguistic Variable Ratings.

Linguistic expression   Fuzzy number
Low (L)                 (0.0, 0.18, 0.39)
Medium (M)              (0.40, 0.55, 0.69)
High (H)                (0.70, 0.85, 1.0)
Table 3. Linguistic Variables for Importance Weights of each Criterion.
The fuzzy TOPSIS method is then applied using the steps described in Section 4.
Step 1. The DMs use the linguistic variables to evaluate the importance of each criterion. The resulting weights of the criteria are $w_1 = 0.5$, $w_2 = 0.1$, $w_3 = 0.2$, $w_4 = 0.1$ and $w_5 = 0.1$, so that $\sum_{j=1}^{n} w_j = 1$ for $j = 1 \ldots n$.
Step 2. For each network attack, the DMs use the linguistic variables shown in Table 2 to produce fuzzy or crisp performance ratings against each criterion.
Criterion   Alternative   D1   D2   D3   D4
C1          A1            H    H    H    L
            A2            H    H    H    H
            A3            H    H    H    M
C2          A1            L    M    M    M
            A2            M    H    H    H
            A3            M    M    H    L
C3          A1            L    M    H    H
            A2            L    H    H    H
            A3            H    H    H    H
C4          A1            H    M    M    M
            A2            H    H    H    H
            A3            M    M    M    M
C5          A1            H    H    H    H
            A2            H    H    H    H
            A3            H    H    H    M
Table 4. Ratings by DMs with Respect to Criteria.
Step 3. By applying Equation (2), the aggregate ratings of the network attacks with respect to the five criteria are computed and shown as:

      C1                   C2                   C3                   C4                   C5
A1    (0.39, 0.33, 0.28)   (0.95, 0.00, 0.05)   (0.11, 0.35, 0.54)   (0.91, 0.08, 0.01)   (0.36, 0.16, 0.48)
A2    (0.54, 0.34, 0.12)   (0.70, 0.10, 0.20)   (0.47, 0.02, 0.51)   (0.22, 0.27, 0.51)   (0.19, 0.02, 0.79)
A3    (0.13, 0.58, 0.29)   (0.27, 0.49, 0.24)   (0.31, 0.68, 0.01)   (0.04, 0.72, 0.24)   (0.08, 0.46, 0.46)
Table 5. Aggregate Decision Matrix.
Step 4. Using Equation (3), calculate the fuzzy MCDM group matrix, which consists of the crisp values of the criteria and alternatives.

      C1     C2     C3     C4     C5
A1    0.36   0.64   0.22   0.62   0.35
A2    0.44   0.52   0.40   0.28   0.27
A3    0.23   0.30   0.32   0.19   0.21
Table 6. Crisp Values of the Criteria and Alternatives.
Step 5. Construct the normalized decision matrix. The normalized decision matrix shown below is calculated using the formula in Equation (4).

      C1       C2       C3       C4       C5
A1    0.5869   0.7293   0.3946   0.8778   0.7153
A2    0.7174   0.5926   0.7175   0.3964   0.5518
A3    0.3750   0.3419   0.5739   0.2690   0.4292
Table 7. Normalized Decision Matrix.
Step 6. Construct the weighted normalized decision matrix, which is calculated from Equation (5) as shown:

      C1        C2        C3        C4        C5
A1    0.29345   0.07293   0.07892   0.08778   0.07153
A2    0.35870   0.05926   0.14350   0.03964   0.05518
A3    0.18750   0.03419   0.11478   0.02690   0.04292
Table 8. Weighted Normalized Decision Matrix.
Step 7. Using Equations (6) and (7), we obtain the PIS as the maximum value of each criterion and the NIS as the minimum value of each criterion:

$$P^{+} = \left(\max_{i} V_{ij}\right)_{j=1..5} = (0.35870, 0.07293, 0.14350, 0.08778, 0.07153)$$
$$P^{-} = \left(\min_{i} V_{ij}\right)_{j=1..5} = (0.18750, 0.03419, 0.07892, 0.02690, 0.04292)$$

Note that the maximum is taken on all five columns here, including the cost-type attributes $C_2$ and $C_5$. We also calculate the Euclidean distance of each alternative from the PIS and from the NIS using Equations (8) and (9):

Alternative   α+(x_i)   α−(x_i)
A1            0.092     0.131
A2            0.053     0.185
A3            0.190     0.036
Table 9. Euclidean Distances from the PIS and NIS Respectively.

Step 8. Obtain the relative closeness coefficient $RCCR_i$ using Equation (10) to rank the network attack intrusions:
$RCCR_1 = 0.5874$, $RCCR_2 = 0.7773$ and $RCCR_3 = 0.1593$.
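As an added example (not code from the paper or the ASERG lab), the following Python reproduces Steps 4-8 of Section 4 from the paper's own Tables 5 and 6, so that each intermediate value can be checked against Tables 6-9. Two caveats are built in. First, Equation (3) applied to Table 5 gives 0.26 for A2/C5 where Table 6 prints 0.27, so the pipeline takes Table 6 as its input in order to reproduce Tables 7-9. Second, Table 9 rounds the distances to three decimals before Equation (10), so the full-precision closeness coefficients computed here differ from 0.5874, 0.7773 and 0.1593 in the third decimal, while the ranking A2 > A1 > A3 is unchanged. The `cost` parameter is an addition: it applies Equations (6) and (7) as written, taking the column minimum as the ideal for the cost-type attributes C2 and C5, whereas the paper's Step 7 takes the maximum on all five columns, which `cost=()` reproduces.

```python
"""Crisp TOPSIS, Steps 4-8 of Section 4, over the paper's Table 5/6 data (added example)."""
import math

CRITERIA = ["C1", "C2", "C3", "C4", "C5"]   # damage, reproducibility, exploitability, affected users, discoverability
WEIGHTS = [0.5, 0.1, 0.2, 0.1, 0.1]         # Step 1 of the working example
COST_CRITERIA = (1, 4)                      # column indices of C2 and C5, the cost-type attributes

# Table 5, aggregate decision matrix, triples (x, y, z) as printed in the paper
TABLE5 = {
    "A1": [(0.39, 0.33, 0.28), (0.95, 0.00, 0.05), (0.11, 0.35, 0.54), (0.91, 0.08, 0.01), (0.36, 0.16, 0.48)],
    "A2": [(0.54, 0.34, 0.12), (0.70, 0.10, 0.20), (0.47, 0.02, 0.51), (0.22, 0.27, 0.51), (0.19, 0.02, 0.79)],
    "A3": [(0.13, 0.58, 0.29), (0.27, 0.49, 0.24), (0.31, 0.68, 0.01), (0.04, 0.72, 0.24), (0.08, 0.46, 0.46)],
}
# Table 6, crisp matrix as printed in the paper (A2/C5 = 0.27 there; Eq. (3) yields 0.26)
TABLE6 = {
    "A1": [0.36, 0.64, 0.22, 0.62, 0.35],
    "A2": [0.44, 0.52, 0.40, 0.28, 0.27],
    "A3": [0.23, 0.30, 0.32, 0.19, 0.21],
}


def crisp_value(triple):
    """Eq. (3): (z + 4x + y) / 6 with (x, y, z) the triple as listed in Table 5."""
    x, y, z = triple
    return (z + 4 * x + y) / 6


def defuzzify(fuzzy_matrix, ndigits=2):
    """Step 4: Table 5 -> Table 6, rounded the way the paper prints it."""
    return {a: [round(crisp_value(t), ndigits) for t in row] for a, row in fuzzy_matrix.items()}


def normalize(matrix):
    """Eq. (4), Step 5: vector normalization, column-wise over the alternatives."""
    alts = list(matrix)
    ncols = len(next(iter(matrix.values())))
    norms = [math.sqrt(sum(matrix[a][j] ** 2 for a in alts)) for j in range(ncols)]
    return {a: [matrix[a][j] / norms[j] for j in range(ncols)] for a in alts}


def weight(matrix, weights):
    """Eq. (5), Step 6: multiply every column by its criterion weight."""
    return {a: [w * v for w, v in zip(weights, row)] for a, row in matrix.items()}


def ideal_solutions(matrix, cost=()):
    """Eqs. (6)-(7), Step 7. For benefit columns the PIS is the column maximum and the
    NIS the minimum; for the columns listed in `cost` the two are swapped."""
    cols = list(zip(*matrix.values()))
    pis = [min(c) if j in cost else max(c) for j, c in enumerate(cols)]
    nis = [max(c) if j in cost else min(c) for j, c in enumerate(cols)]
    return pis, nis


def euclid(u, v):
    """Eqs. (8)-(9): Euclidean distance between two rows."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def topsis(crisp, weights=WEIGHTS, cost=()):
    """Steps 5-8. Returns {alternative: (alpha_plus, alpha_minus, RCCR)}."""
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1")
    v = weight(normalize(crisp), weights)
    pis, nis = ideal_solutions(v, cost)
    result = {}
    for a, row in v.items():
        d_plus, d_minus = euclid(row, pis), euclid(row, nis)
        total = d_plus + d_minus
        result[a] = (d_plus, d_minus, d_minus / total if total else 0.0)   # Eq. (10)
    return result


def ranking(result):
    """Alternatives by decreasing closeness coefficient: investigate the first one first."""
    return sorted(result, key=lambda a: result[a][2], reverse=True)


if __name__ == "__main__":
    print("Eq. (3) applied to Table 5:", defuzzify(TABLE5))
    for label, cost in (("paper's Step 7 (max on every column)", ()),
                        ("Eqs. (6)-(7) with C2, C5 as cost criteria", COST_CRITERIA)):
        res = topsis(TABLE6, cost=cost)
        print(label, "->", " > ".join(ranking(res)))
        for a in ranking(res):
            print(f"  {a}: alpha+={res[a][0]:.3f} alpha-={res[a][1]:.3f} RCCR={res[a][2]:.4f}")
```

Treating C2 and C5 as cost criteria does not change the order in this data set, but it does move A3's coefficient up noticeably, which is the kind of sensitivity an examiner should check before letting the ranking decide where the investigation effort goes.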
5. Evaluation
5.1. Prioritizing Network Attacks using Dempster Shafer Theory
Our second objective, after implementing the fuzzy TOPSIS method, is to use relative belief values from the Dempster–Shafer theory to prioritize network attacks. Dempster–Shafer theory is an approach for combining evidence through the degree of belief derived from independent elements of evidence [39]. Related work on DS theory can be found in [40, 41, 42, 43, 44, 45, 46, 47].
Fig. 2. Experimental results of Dempster Shafer Theory
The mass function $m(A)$ is the proportion of all evidence that supports the element $A$ of the power set. The interpretation of $m(\{a, b\})$ is that there is evidence for $A \lor B$ that cannot be divided among the more specific beliefs for $A$ or $B$. Each $m(A)$ lies between 0 and 1, all $m(A)$ sum to 1, and $m(\emptyset) = 0$, since at least one element of the frame must be true.
The belief in an element $A$ of the power set, $Bel(A)$, is the sum of the masses of the elements which are subsets of $A$ (including $A$ itself). The plausibility of an element $A$, $Pl(A)$, is the sum of all the masses of the sets that intersect with the set $A$. The frame of discernment is $\theta$, and its power set is the set of all possible subsets of $\theta$.
Fig. 3. Graph of the prioritized Alternatives
Fig. 4. Prioritizing effect in Network Attacks.
In Fig. 4, the highest belief value for the alternatives is bc = 0.5, representing the A2 and A3 alternatives respectively, followed by abc = 0.3, representing all three alternatives. When one starts with the threats that have a high belief value, the precision is high, meaning more of the effort is devoted to those threats.
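The mass, belief and plausibility definitions of Section 5.1, together with Dempster's rule for combining independent bodies of evidence (the operation the paper relies on but does not write out), as an added Python example that is not the paper's code. The frame of discernment is the three alternatives A1, A2 and A3. The first mass assignment is constructed to mirror the values reported for Fig. 4, m({A2, A3}) = 0.5 and m({A1, A2, A3}) = 0.3, with the remaining 0.2 placed on {A1} only so that the masses sum to 1; the second source (a corroborating alert pointing at A2) is entirely assumed, and serves to show how combining evidence sharpens the belief in a single alternative and therefore its priority for investigation.

```python
from typing import Dict, FrozenSet, List, Tuple

Hypothesis = FrozenSet[str]
MassFunction = Dict[Hypothesis, float]

# Frame of discernment theta: the three alternative network attacks of the paper.
THETA: Hypothesis = frozenset({"A1", "A2", "A3"})


def H(*names: str) -> Hypothesis:
    """Shorthand for building a focal element, e.g. H("A2", "A3")."""
    return frozenset(names)


def check_mass(m: MassFunction) -> None:
    """Masses lie in [0, 1], sum to 1, and the empty set carries no mass."""
    if any(v < 0 or v > 1 for v in m.values()):
        raise ValueError("mass values must lie in [0, 1]")
    if abs(sum(m.values()) - 1.0) > 1e-9:
        raise ValueError("mass values must sum to 1")
    if m.get(frozenset(), 0.0) != 0.0:
        raise ValueError("the empty set must have mass 0")


def belief(m: MassFunction, a: Hypothesis) -> float:
    """Bel(A): total mass of focal elements that are subsets of A (A itself included)."""
    return sum(v for b, v in m.items() if b and b <= a)


def plausibility(m: MassFunction, a: Hypothesis) -> float:
    """Pl(A): total mass of focal elements that intersect A."""
    return sum(v for b, v in m.items() if b & a)


def dempster_combine(m1: MassFunction, m2: MassFunction) -> MassFunction:
    """Dempster's rule: combine two independent bodies of evidence.

    Products whose focal elements do not intersect are conflict (K) and are
    discarded; the remaining masses are renormalised by 1 - K.
    """
    joint: Dict[Hypothesis, float] = {}
    conflict = 0.0
    for b1, v1 in m1.items():
        for b2, v2 in m2.items():
            inter = b1 & b2
            if inter:
                joint[inter] = joint.get(inter, 0.0) + v1 * v2
            else:
                conflict += v1 * v2
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: the two sources cannot be combined")
    return {b: v / (1.0 - conflict) for b, v in joint.items()}


def prioritize(m: MassFunction, frame: Hypothesis = THETA) -> List[Tuple[str, float, float]]:
    """Rank single alternatives by belief (ties broken by plausibility), highest first."""
    rows = [(x, belief(m, H(x)), plausibility(m, H(x))) for x in sorted(frame)]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


# Constructed mass assignment mirroring the values reported for Fig. 4:
# m({A2, A3}) = 0.5 and m({A1, A2, A3}) = 0.3. The remaining 0.2 is placed on
# {A1} here only so that the masses sum to 1 (not a value from the paper).
M_FIG4: MassFunction = {H("A2", "A3"): 0.5, THETA: 0.3, H("A1"): 0.2}

# Constructed second, independent source (e.g. a corroborating NIDS alert)
# that points specifically at A2; assumed, not from the paper.
M_SECOND: MassFunction = {H("A2"): 0.6, THETA: 0.4}


if __name__ == "__main__":
    check_mass(M_FIG4)
    check_mass(M_SECOND)
    print("Bel({A2,A3}) =", belief(M_FIG4, H("A2", "A3")), "Pl =", plausibility(M_FIG4, H("A2", "A3")))
    combined = dempster_combine(M_FIG4, M_SECOND)
    for name, bel, pl in prioritize(combined):
        print(f"{name}: Bel = {bel:.4f}, Pl = {pl:.4f}")
```

With the first assignment alone, Bel({A2, A3}) = 0.5 and Pl({A2, A3}) = 0.8, while no single alternative has any belief of its own. After combining with the second source the conflict K = 0.12 is discarded and A2 receives Bel = 0.48/0.88 ≈ 0.545, so the priority order becomes A2, then A1, then A3.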
The results of the various TOPSIS calculation steps are shown in Tables 5-9. The closeness coefficients $RCC_{R_j}$ of the three alternatives A1, A2 and A3 come out to be 0.5874, 0.7773 and 0.1593 respectively, as shown in Fig. 3. Thus the ranking order of the alternatives is A2 > A1 > A3; that is, A2 is the best choice, considering the given criteria, to prioritize for further investigation. The closeness coefficient scores of the alternatives are numeric values that can be further used to indicate the degree of priority of each alternative, to facilitate further investigation, and to support human judgement about who the perpetrator of the attacks was, what potential damage and losses the organization incurred, and what level of security measures needs to be in place to avoid future recurrence.
6. Conclusion and Discussion
The aim of the computation is to obtain similarity measures of the alternatives. Computing the similarity measures and constructing the aggregate matrix can be done in $O(m^2)$ [20]. The criteria values, also denoted crisp values, can be obtained from the graded mean integration representation method, so there is a significant decrease in the crisp values compared to the fuzzy values, which can be completed in $O(m \cdot n)$ [20]. Thus, considering the decision makers' different risk preferences in the proposed TOPSIS model would be an interesting point to investigate in the future.
In order to handle the imprecise and incomplete information in the MCDM problem, this research employs the fuzzy TOPSIS method to deal with the network attack risk selection problem when network forensics examiners have several opinions in their evaluation. Several applications of the fuzzy TOPSIS method exist in the literature for other domains. However, the existing fuzzy TOPSIS methods did not consider decision-making risk under the network attack platform. In this research we proposed a fuzzy TOPSIS method for network forensics investigation.
Linguistic terms represented by triangular fuzzy numbers are used for evaluating the weights of the criteria and for rating or ranking each alternative network attack with respect to the various criteria. We converted the decision matrix into a fuzzy decision matrix and constructed a weighted fuzzy decision matrix once the decision makers' fuzzy ratings had been pooled. The fuzzy distance value was applied to obtain the PIS and NIS as crisp values. Using the fuzzy TOPSIS approach, we computed the similarity of each alternative to the PIS and NIS respectively.
Finally, the closeness coefficient for each alternative was defined to determine the priority of all the alternatives. A higher value of the closeness coefficient indicates that an alternative is close to the positive ideal solution and at the same time distant from the negative ideal solution. A numerical experimental illustration was used to examine the applicability of the proposed approach. The results of the evaluation significantly indicate that the high belief value provided by Dempster–Shafer theory gives an honest prioritization of the network attack alternatives; in the future, we shall compare our method with other existing MCDM techniques for further evaluation.
References
[1] Al-Mousa, Z. A., "Honeypots Aiding Network Forensics: Challenges and Notions", Journal of Communications, vol. 8, no. 11, pp. 700-707, (2013).
[2] Omaji Samuel, Amir Hayat, Sidra Malik, Ali Hur, Masoom Alam, "Correlating Evidence from Honeypot and NIDS for Improved Network Forensics", Unpublished Article, (2015).
[3] http://www.owasp.org/index.php/ThreatRiskModeling, accessed online, (2015).
[4] Bruni Romero, Marianella Villegas, Marina Meza, "Simon's Intelligence phase for security risk assessment in web application", IEEE Fifth International Conference on Information Technology: New Generations, (2008).
[5] Ram Mohan R.K, Durgesh Pant, "A Threat Risk Modelling Framework for Geospatial Weather Information System (GWIS): A DREAD Based Study", (IJACSA) International Journal of Advanced Computer Science and Applications, 3, (2010).
[6] Almulhem, Ahmad, "Network forensics: Notions and challenges", Signal Processing and Information Technology (ISSPIT), 2009 IEEE International Symposium on, pp. 463-466, (2009).
[7] Nasir, Qassim and Al-Mousa, Zahraa A., "Honeypots Aiding Network Forensics: Challenges and Notions", Journal of Communications, Vol. 8, pp. 11, (2013).
[8] Marcus Ranum, "Network Forensic: Network Traffic Monitoring Technical Report", Network Flight Recorder Inc, (1998).
[9] Simson Garfinkel, "Web Security, Privacy and Commerce, 2nd Edition", http://www.oreillynet.com/pub/a/network/2002/04/26/nettap.html, accessed online, (2015).
[10] Davidoff, Sherri and Ham, Jonathan, "Network forensics: tracking hackers through cyberspace", Prentice Hall, (2012).
[11] Hwang, C.L., Yoon, K., "Multiple Attributes Decision Making Method and Application", Springer, Berlin Heidelberg, (1981).
[12] Tsaur, S.H., Chang, T.Y., Yen, C.H., "The Evaluation of Airline Service Quality by Fuzzy MCDM", Tourism Management, 23, pp. 107-115, (2002).
[13] Deng, H., Yeh, C.H., Willis, R.J., "Inter-Company Comparison using Modified TOPSIS with Objective Weights", Computers and Operations Research, 22, pp. 963-973, (2000).
[14] Wang, R.C., Liang, T.F., "Application of Fuzzy Multi-Objective Linear Programming to Aggregate Production Planning", Computers and Industrial Engineering, 46, pp. 17-41, (2004).
[15] Chu, T.C., "Facility Location Selection using Fuzzy TOPSIS under Group Decisions", International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(6), pp. 687-701, (2002).
[16] Abo-Sinna, M.A., Amer, A.H., "Extension of TOPSIS for Multi-Objective Large Scale Nonlinear Programming Problems", Applied Mathematics and Computation, (2004).
[17] Soroush Saghafian, S. Reza Hejazi, "Multi-Criteria Group Decision Making using A Modified Fuzzy TOPSIS Procedure", Proceedings of the 2005 International Conference on Computational Intelligence for Modelling, Control and Automation, (2005).
[18] Deepa Joshi, Sanjay Kumar, "Intuitionistic Fuzzy Entropy and Distance Measure Based TOPSIS Method for Multi-Criteria Decision Making", Egyptian Informatics Journal, (2014).
[19] Golam Kabir, M. Ahsan Akhtar Hasin, "Comparative Analysis of TOPSIS and Fuzzy TOPSIS for the Evaluation of Travel Website Service Quality", International Journal for Quality Research, (2012).
[20] Chi-Chun, L., Ding-Yuan, C., Chen-Fang, T., Kuo-Ming, C., "Service selection based on fuzzy TOPSIS method", 24th International Conference on Advanced Information Networking and Applications Workshops, (2010).
[21] Yin Wang, Gi-Tae Yeo, Adolf K.Y. Ng, "Choosing optimal bunkering ports for liner shipping companies: A hybrid Fuzzy-Delphi-TOPSIS approach", Elsevier Journal of Transport Policy, pp. 358-365, (2014).
[22] Satar M., Kourosh S., Akbar E., "Human health and safety risk management in underground coal mines using fuzzy TOPSIS", Elsevier Journal of Science of the Total Environment, pp. 85-99, (2014).
[23] Dewangan S., Gangopadhyay S., Biswas C.K., "Study of surface integrity and dimensional accuracy in EDM using fuzzy TOPSIS and sensitivity analysis", Elsevier Journal of Measurement, pp. 364-376, (2015).
[24] Ksenija Mandic, Boris Delibasic, Snezana Knezevic and Sladjana Benkovic, "Analysis of financial parameters of Serbian banks through the application of fuzzy AHP and TOPSIS method", Elsevier Journal of Economic Modelling, pp. 30-37, (2014).
[25] Devika Kannan, Ana Beatriz Lopes de Sousa Jabbour, Charbel Jose Chiappetta Jabbour, "Selecting green suppliers based on GSCM practices: using fuzzy TOPSIS applied to a Brazilian electronics company", Elsevier European Journal of Operational Research, 233, pp. 432-447, (2014).
[26] Ewa Roszkowska, Tomasz Wachowicz, "Application of fuzzy TOPSIS to scoring the negotiation offers in ill-structured negotiation problems", Elsevier European Journal of Operational Research, 242, pp. 920-932, (2015).
[27] Yeonjoo Kim, Eun-Sung Chung, Sung-mook Jun and Sang Ug Kim, "Prioritizing the best sites for treated wastewater instream use in an urban watershed using fuzzy TOPSIS", Elsevier Journal of Resources, Conservation and Recycling, 73, pp. 23-32, (2013).
[28] Gyumin Lee, Kyung Soo Jun and Eun-Sung Chung, "Robust spatial flood vulnerability assessment for Han River using fuzzy TOPSIS with α-cut level sets", Elsevier Journal of Expert Systems with Applications, 41, pp. 644-654, (2014).
[29] Chunguang Bai, Dileep Dhavale and Joseph Sarkis, "Integrating C-means and TOPSIS for performance evaluation: An application and comparative analysis", Elsevier Journal of Expert Systems with Applications, 41, pp. 4186-4196, (2014).
[30] Ümran Şengül, Miraç Eren, Seyedhadi Eslamian Shiraz, Volkan Gezder and Ahmet Bilal Şengül, "Fuzzy TOPSIS method for ranking renewable energy supply systems in Turkey", Elsevier Journal of Renewable Energy, 75, pp. 617-625, (2015).
[31] Osman Taylan, Abdallah O.B., Reda M.S.A., Mohammed R.K., "Construction projects selection and risk assessment by fuzzy AHP and fuzzy TOPSIS methodologies", Elsevier Journal of Applied Soft Computing, 17, pp. 105-116, (2014).
[32] Tabasam Rashid, Ismat Beg, Syed M.H., "Robot selection by using generalized interval-valued fuzzy numbers with TOPSIS", Elsevier Journal of Applied Soft Computing, 21, pp. 462-468, (2014).
[33] Xiaolu Zhang, Zeshui Xu, "Soft computing based on maximizing consensus and fuzzy TOPSIS approach to interval-valued intuitionistic fuzzy group decision", Elsevier Journal of Applied Soft Computing, 26, pp. 42-56, (2015).
[34] Xiuzhi Sang, Xinwang Liu, Jindong Qin, "An analytical solution to fuzzy TOPSIS and its application in personnel selection for knowledge-intensive enterprise", Elsevier Journal of Applied Soft Computing, 30, pp. 190-204, (2015).
[35] Fei Ye, Yina Li, "An extended TOPSIS model based on the possibility theory under fuzzy environment", Elsevier Journal of Knowledge-Based Systems, 67, pp. 263-269, (2014).
[36] Iraj Mahdavi, Nezam Mahdavi-Amiri, Armaghan Heidarzade, Rahele Nourifar, "Designing a model of fuzzy TOPSIS in multiple criteria decision making", Elsevier Journal of Applied Mathematics and Computation, 206, pp. 607-617, (2008).
[37] Qixu Liu, Yuqing Zhang, "VRSS: A new system for rating and scoring vulnerabilities", Elsevier Journal of Computer Communications, 34, pp. 264-273, (2011).
[38] MS-RPCE: Remote Procedure Call Protocol Extensions, https://msdn.microsoft.com/en-us/library/cc243560.aspx, accessed online, (2015).
[39] Yager, Ronald R., "On the Dempster-Shafer framework and new combination rules", Elsevier Journal Information Sciences, Vol. 41, pp. 93-137, (1987).
[40] Zomlot, Loai and Sundaramurthy, Sathya Chandran and Luo, Kui and Ou, Xinming and Rajagopalan, S. Raj, "Prioritizing intrusion analysis using Dempster-Shafer theory", Proceedings of the 4th ACM Workshop on Security and Artificial Intelligence, pp. 59-70, (2011).
[41] Tang, Hongxiang, "A novel fuzzy soft set approach in decision making based on grey relational analysis and Dempster–Shafer theory of evidence", Applied Soft Computing, Elsevier, Vol. 31, pp. 317-325, (2015).
[42] Yue, Feng and Zhang, Guofu and Su, Zhaopin and Lu, Yang and Zhang, Ting, "Multi-software reliability allocation in multimedia systems with budget constraints using Dempster-Shafer theory and improved differential evolution", Neurocomputing, Elsevier, (2015).
[43] Mondéjar-Guerra, V.M. and Muñoz-Salinas, R. and Marín-Jiménez, M.J. and Carmona-Poyato, A. and Medina-Carnicer, R., "Keypoint descriptor fusion with Dempster–Shafer theory", International Journal of Approximate Reasoning, Elsevier, Vol. 60, pp. 57-70, (2015).
[44] Dutta, Palash, "Uncertainty Modeling in Risk Assessment Based on Dempster–Shafer Theory of Evidence with Generalized Fuzzy Focal Elements", Fuzzy Information and Engineering, Elsevier, Vol. 7, No. 1, pp. 15-30, (2015).
[45] Li, Zhaowen and Wen, Guoqiu and Xie, Ningxin, "An approach to fuzzy soft sets in decision making based on grey relational analysis and Dempster-Shafer theory of evidence: An application in medical diagnosis", Artificial Intelligence in Medicine, Elsevier, (2015).
[46] Sevastjanov, Pavel and Dymova, Ludmila, "Generalised operations on hesitant fuzzy values in the framework of Dempster–Shafer theory", Information Sciences, Elsevier, Vol. 311, pp. 39-58, (2015).
[47] Coppolino, Luigi and D'Antonio, Salvatore and Formicola, Valerio and Massei, Carmine and Romano, Luigi, "Use of the Dempster-Shafer Theory for Fraud Detection: The Mobile Money Transfer Case Study", Intelligent Distributed Computing VIII, Springer, pp. 465-474, (2015).