Hybrid Neural Networks for Intrusion Detection System
Chaivat Jirapummin (1), Naruemon Wattanapongsakorn (1) and Prasert Kanthamanon (2)
(1) Department of Computer Engineering, Faculty of Engineering, King Mongkut's University of Technology Thonburi, 91 Prach-Uthit Road, Bangkok 10140, Thailand. Tel. +66-2-470-9089, Fax +66-2-872-5050
(2) School of Information Technology, King Mongkut's University of Technology Thonburi, 91 Prach-Uthit Road, Bangkok 10140, Thailand
e-mails: naruemon@cpe.kmutt.ac.th, prasert@it.kmutt.ac.th
Abstract: A network-based intrusion detection system is a computer network security tool. In this paper, we present an intrusion detection system based on Self-Organizing Maps (SOM) and the Resilient Propagation Neural Network (RPROP) for visualizing and classifying intrusion and normal patterns. We introduce a cluster matching equation for finding the principal associated components in component planes. We use data from The Third International Knowledge Discovery and Data Mining Tools Competition (KDD cup'99) for training and testing our prototype. In our experiments with different network data, our scheme achieves more than 90 percent detection rate and less than 5 percent false alarm rate for one SYN flooding and two port scanning attack types.
Keywords: Intrusion Detection System (IDS), Network Security, Self-Organizing Maps (SOM), Visualization, Cluster Matching, Resilient Propagation Neural Network (RPROP)
1. Introduction
An intrusion detection system (IDS) is used as a second line of defense among computer security measures. It can alert a network administrator when the network is attacked. Typically, the data in a network audit log is displayed in text format. To check for intrusion activity, a network security officer may have to look through all the data captured during the suspected attack period, which is cumbersome and error prone. In this paper, we present an alternative methodology that both visualizes intrusions using Kohonen's Self-Organizing Map (SOM) and classifies intrusions using the Resilient Propagation Neural Network (RPROP). We combine the major beneficial characteristics of both neural network models in our hybrid IDS, which consists of both unsupervised and supervised learning algorithms.
The rest of this paper is organized as follows. Section 2 discusses related works in IDS. Section 3 explains the concepts of SOM, RPROP and our cluster matching algorithms. Section 4 presents our experimental results and analysis. Lastly, section 5 provides a conclusion.
2. Related Works
The SOM approach is a relatively new choice for anomaly detection. In intrusion detection, SOM has been used for postmortem or off-line analysis. Girardin [1] used SOM to visualize network data and let the operator judge which packets are anomalous. Hoglund et al. [2] used SOM as an anomaly detector for UNIX audit data. In addition, our previous work [3] introduced a self-organizing map application for an IDS with visualization.
Lee and Heinbuch [4] used a hierarchical backpropagation neural network to detect TCP SYN flooding and port scanning intrusions. There is also a combined approach using backpropagation and an expert system for an IDS [5]. Nevertheless, visualizing together with classifying intrusion data has not been introduced in any network IDS.
3. TCP SYN Flooding and Port Scanning Attacks
In our IDS, we focus on detecting two network protocol attacks, TCP SYN flooding and port scanning, which are probably the most common attacks. TCP SYN flooding is a denial of service attack. First, an attacker sends a large set of SYN packets to a server using an unused (spoofed) source IP address. Then the server acknowledges these packets and waits for responses that never arrive. Finally, the memory of the server becomes exhausted. A normal TCP 3-way handshake and a TCP SYN flooding handshake are compared in Figures 1a and 1b. Readers can find more details of the TCP handshakes in Schuba et al. [6]. A port scanning attack is a kind of probing or surveillance attack. It does not intend to damage a system; rather, it tries to gather information about a target network. There are many variants of scanning attacks in many protocols. We study TCP scanning attacks, which are depicted in Figures 2a and 2b. If the target ports are closed, the server sends reset packets. TCP connect differs from TCP half-connect in the third packet: in TCP connect, the attacker acknowledges the server's response in the third packet. For more information, Kanlayasiri et al. [7] provide a good review of port scanning attacks.
Figure 1. a) The Normal TCP 3-Way Handshake. b) TCP SYN Flooding.
[Figure 1a: Client A -> Server B: SYN(a); Server B -> Client A: SYN(b), ACK(a+1); Client A -> Server B: ACK(b+1). Figure 1b: Attacker X -> Server B: SYN(x) from a spoofed, non-existent source address; Server B -> spoofed address: SYN(a), ACK(x+1); no third packet ever arrives and port flooding occurs.]
Figure 2. a) TCP Connect Scanning. b) TCP Half-Connect Scanning.
[Figures 2a and 2b: Attacker X -> Server B: SYN(x). If the port is listening, Server B replies SYN(b), ACK(x+1); if the port is closed, Server B replies RST, ACK(x+1). Third packet: in 2a (connect) the attacker answers a listening port with ACK(b+1); in 2b (half-connect) the attacker answers with RST instead.]
4. Self-Organizing Map, RPROP Neural Network and Cluster Matching
The self-organizing map (SOM) [8] is an unsupervised neural network algorithm. In our experiments, we employ the batch version of SOM to cluster and visualize data. A SOM weight vector is adapted according to the average of the input data in its Voronoi region, i.e. the data $x(t)$ that share the same best matching unit in the SOM feature map, as presented in Eq(1) and Eq(2). In Eq(1), $\bar{x}_i$ and $n_i$ are the mean value and the number of data in each map unit according to the Voronoi set $V_i$, respectively. $m_i^*$ denotes the equilibrium state of a map vector. The neighborhood function $h_{ji}$ is gaussian. The distances between each map unit and each of its immediate neighbors are calculated and visualized with gray scales in the Unified Distance Matrix (U-Matrix) [9].
We use the Resilient Propagation algorithm (RPROP) [10] as the intrusion classifier. It is an accelerated version of the supervised back-propagation neural network algorithm, with the weight updating rule shown in Eq(3).
In our hybrid scheme, output weight information from the SOM is fed into the RPROP network, as shown in Figure 3. In this paper, we propose a cluster matching equation, Eq(4), to facilitate the interpretation of the SOM. It is similar in form to the SOM adaptation rule in Eq(2). In Eq(4), $L_i$ is the $i$th labeled unit located in a component plane according to the U-Matrix, $h_{ji}$ is the neighborhood function of the $j$th unit in the component plane around the $i$th labeled unit, and $n_j$ is the number of neighborhood and kernel units, which are bounded by the threshold value of the component plane. The matching surface from Eq(4) is depicted in Figure 4. The peak of the gaussian function represents the exact matching unit, where the labeled unit in a component plane is located at exactly the same place as the one in the U-Matrix.
$$\bar{x}_i = \frac{1}{n_i} \sum_{x(t) \in V_i} x(t) \qquad (1)$$

$$m_i^* = \frac{\sum_j n_j h_{ji} \bar{x}_j}{\sum_j n_j h_{ji}} \qquad (2)$$

$$\Delta w_{ij}(t) = \begin{cases} -\Delta_{ij}(t), & \text{if } \dfrac{\partial E}{\partial w_{ij}}(t) > 0 \\ +\Delta_{ij}(t), & \text{if } \dfrac{\partial E}{\partial w_{ij}}(t) < 0 \\ 0, & \text{otherwise} \end{cases} \qquad (3)$$

$$\text{matching} = \frac{\sum_{j \in N_c} h_{ji} L_i}{\sum_{j \in N_c} n_j h_{ji}} \times 100\% \qquad (4)$$

Figure 3. Hybrid Neural Network IDS.
[Figure 3: the weights from 8 SOMs are fed into a 70-12-4 RPROP network whose four outputs are Neptune, Normal, Portsweep and Satan.]
The matching percentage decreases as the found units lie farther away from the exact matching unit.
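As an added example (not code from the paper), the batch SOM update of Eq(1) and Eq(2), the U-Matrix neighbour distances and a reading of the cluster matching score of Eq(4), in plain Python on a constructed two-feature data set. The 3x3 lattice, the sigma schedule, the 4-neighbour U-Matrix and the interpretation of Eq(4) as the mean of $h_{ji}$ over the above-threshold units of a component plane are assumptions made here, not the paper's definitions.

```python
import math
from typing import List, Optional, Sequence, Tuple

Vec = Tuple[float, ...]
Grid = Sequence[Tuple[int, int]]  # lattice (row, col) position of every map unit


def h(grid: Grid, j: int, i: int, sigma: float) -> float:
    """Gaussian neighborhood function h_ji of units j and i, measured on the lattice."""
    (rj, cj), (ri, ci) = grid[j], grid[i]
    return math.exp(-((rj - ri) ** 2 + (cj - ci) ** 2) / (2.0 * sigma * sigma))


def bmu(x: Vec, m: List[Vec]) -> int:
    """Best matching unit: index of the map vector nearest to x (squared Euclidean distance)."""
    return min(range(len(m)), key=lambda k: sum((a - b) ** 2 for a, b in zip(x, m[k])))


def voronoi_means(data: Sequence[Vec], m: List[Vec]) -> Tuple[List[Optional[Vec]], List[int]]:
    """Eq(1): n_i and x_bar_i, the count and the mean of the inputs whose BMU is unit i."""
    dim = len(m[0])
    n = [0] * len(m)
    s = [[0.0] * dim for _ in m]
    for x in data:
        i = bmu(x, m)
        n[i] += 1
        for d in range(dim):
            s[i][d] += x[d]
    xbar = [tuple(v / n[i] for v in s[i]) if n[i] else None for i in range(len(m))]
    return xbar, n


def batch_som_step(data: Sequence[Vec], m: List[Vec], grid: Grid, sigma: float) -> List[Vec]:
    """Eq(2): m_i* = sum_j n_j h_ji x_bar_j / sum_j n_j h_ji; empty Voronoi sets drop out of both sums."""
    xbar, n = voronoi_means(data, m)
    dim = len(m[0])
    new_m = []
    for i in range(len(m)):
        num, den = [0.0] * dim, 0.0
        for j in range(len(m)):
            if n[j] == 0:
                continue
            w = n[j] * h(grid, j, i, sigma)
            den += w
            for d in range(dim):
                num[d] += w * xbar[j][d]
        new_m.append(tuple(v / den for v in num) if den > 0 else m[i])
    return new_m


def u_matrix(m: List[Vec], grid: Grid) -> List[float]:
    """Mean distance from each unit to its 4-connected lattice neighbours: large = cluster border."""
    pos = {p: k for k, p in enumerate(grid)}
    out = []
    for k, (r, c) in enumerate(grid):
        nb = [pos[q] for q in ((r - 1, c), (r + 1, c), (r, c - 1), (r, c + 1)) if q in pos]
        out.append(sum(math.dist(m[k], m[q]) for q in nb) / len(nb))
    return out


def cluster_matching(plane: Sequence[float], threshold: float, labeled_unit: int, grid: Grid, sigma: float) -> float:
    """Eq(4) as read here: the component-plane units above the threshold (N_c) are weighted by h_ji
    around the labeled U-Matrix unit i and averaged, so 100% means the high-valued region is exactly
    the labeled unit and the score decays with lattice distance (the matching surface of Figure 4)."""
    nc = [j for j, v in enumerate(plane) if v > threshold]
    if not nc:
        return 0.0
    return 100.0 * sum(h(grid, j, labeled_unit, sigma) for j in nc) / len(nc)


# Constructed toy data, not KDD cup'99: two features in [0, 1], e.g. a SYN-error rate and a scaled count.
NORMAL = [(0.05, 0.10), (0.10, 0.05), (0.12, 0.12), (0.08, 0.15), (0.15, 0.08)]
FLOOD = [(0.85, 0.90), (0.95, 0.85), (0.90, 0.95), (0.88, 0.92), (0.92, 0.88)]
GRID = [(r, c) for r in range(3) for c in range(3)]


def train(data: Sequence[Vec], grid: Grid = GRID, sigmas=(1.0, 0.8, 0.6, 0.4, 0.3)) -> List[Vec]:
    """Batch SOM on a 3x3 map initialised along the diagonal of feature space; sigma shrinks per epoch."""
    m = [(r / 2.0, c / 2.0) for r, c in grid]
    for sigma in sigmas:
        m = batch_som_step(data, m, grid, sigma)
    return m


if __name__ == "__main__":
    m = train(NORMAL + FLOOD)
    flood_unit = bmu((0.9, 0.9), m)
    print("BMU normal:", bmu((0.1, 0.1), m), "BMU flood:", flood_unit)
    print("U-Matrix:", [round(u, 3) for u in u_matrix(m, GRID)])
    plane = [v[0] for v in m]  # component plane of feature 0
    print("matching of feature 0 with the flood label: %.1f%%" % cluster_matching(plane, 0.7, flood_unit, GRID, 1.0))
```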
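As an added example (not the paper's or Riedmiller's code), the weight update rule of Eq(3) together with the step-size adaptation of RPROP [10], applied in plain Python to a constructed error function whose two gradients differ in magnitude by a factor of 10^6, next to plain gradient descent with one global learning rate. The quadratic error, the step-size constants and the choice of the backtracking variant are assumptions made here.

```python
from typing import List, Sequence


def sign(v: float) -> float:
    return float((v > 0) - (v < 0))


class Rprop:
    """Resilient propagation (RPROP with weight backtracking, as in [10]) on a flat weight vector.
    Eq(3): each weight moves by its own step size Delta_ij against the sign of dE/dw_ij; the
    gradient magnitude is never used, only its sign and whether that sign has just flipped."""

    def __init__(self, n: int, delta0=0.1, eta_plus=1.2, eta_minus=0.5, d_min=1e-6, d_max=50.0):
        self.delta = [delta0] * n       # per-weight step sizes Delta_ij
        self.prev_grad = [0.0] * n      # dE/dw_ij(t-1)
        self.prev_dw = [0.0] * n        # Delta w_ij(t-1), kept so a sign flip can be undone
        self.eta_plus, self.eta_minus, self.d_min, self.d_max = eta_plus, eta_minus, d_min, d_max

    def step(self, w: Sequence[float], grad: Sequence[float]) -> List[float]:
        w = list(w)
        for k, g in enumerate(grad):
            if g * self.prev_grad[k] > 0:          # same sign as last time: accelerate
                self.delta[k] = min(self.delta[k] * self.eta_plus, self.d_max)
            elif g * self.prev_grad[k] < 0:        # sign flipped: the last step jumped over a minimum
                self.delta[k] = max(self.delta[k] * self.eta_minus, self.d_min)
                w[k] -= self.prev_dw[k]            # undo that step
                self.prev_dw[k] = 0.0
                self.prev_grad[k] = 0.0            # no further adaptation on the next step
                continue
            dw = -sign(g) * self.delta[k]          # Eq(3): -Delta if dE/dw > 0, +Delta if < 0, 0 otherwise
            w[k] += dw
            self.prev_dw[k] = dw
            self.prev_grad[k] = g
        return w


# Constructed test problem: E(w) = 0.5 * sum_k SCALE_k * (w_k - TARGET_k)^2, badly scaled on purpose.
TARGET = (1.0, 2.0)
SCALE = (1000.0, 0.001)


def grad_E(w: Sequence[float]) -> List[float]:
    """dE/dw_k = SCALE_k * (w_k - TARGET_k); the two components differ by a factor of 10^6."""
    return [s * (wk - t) for s, wk, t in zip(SCALE, w, TARGET)]


def minimise_rprop(iters: int = 200) -> List[float]:
    """RPROP from w = (0, 0): both coordinates converge at the same pace, whatever their gradient scale."""
    w, opt = [0.0, 0.0], Rprop(2)
    for _ in range(iters):
        w = opt.step(w, grad_E(w))
    return w


def minimise_gd(lr: float = 0.0015, iters: int = 200) -> List[float]:
    """Plain gradient descent with one global rate: a rate that is still stable for the steep
    coordinate (lr * 1000 < 2) barely moves the flat one."""
    w = [0.0, 0.0]
    for _ in range(iters):
        w = [wk - lr * g for wk, g in zip(w, grad_E(w))]
    return w


if __name__ == "__main__":
    print("RPROP after 200 steps:", [round(v, 4) for v in minimise_rprop()])
    print("gradient descent after 200 steps:", [round(v, 4) for v in minimise_gd()])
```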
5. Experimental Result
We select the normal dataset, the Neptune attack (SYN flooding), the Portsweep attack (port scanning) and the Satan attack (port scanning) datasets from [11] to train and test our IDS prototype. The datasets were already preprocessed by Lee et al. [12], where readers can find the complete description of the features. We divide the 121,820 training data patterns equally into 8 sets. Each set is then clustered by a 1,234-unit SOM network. In the RPROP setting, we use a 3-layer network consisting of 70 neurons in the first hidden layer, 12 neurons in the second hidden layer and 4 neurons in the output layer, i.e. a 70-12-4 feed-forward neural network, as shown in Figure 3. The transfer functions of the first hidden layer, the second hidden layer and the output layer of RPROP are tan-sigmoidal, log-sigmoidal and log-sigmoidal, respectively. To achieve a reliable result, we perform 20 different training and testing runs.
There are two main testing datasets in our experiment. Testset 1 contains 98,648 records captured from the same network as the training data. Testset 2 contains 126,373 unseen normal and attack records from a different network. The average detection accuracy obtained on testset 2 is shown in Table 1. Nearly all Neptune attacks are detected by our IDS with a very low false alarm rate. Portsweep and Satan attacks are detected and correctly identified less often than Neptune attacks, most likely because of the insufficient datasets available for training and testing our IDS. Testset 1 gives slightly better detection accuracy than testset 2, since its testing and training data were captured from the same network, most likely with some similar or routine network activities.
After testing, we use the SOM to visualize the testing results for both Testset 1 and Testset 2. Figure 5 shows a U-Matrix with four labels. Shaded color in the vertical bar denotes a cluster border, where the features of a map unit differ from those of its neighbors, while white indicates a cluster center.
Positions in every component plane and in the U-Matrix correspond to each other. The vertical bar in a component plane indicates the approximate value of the feature in a SOM unit. Figures 6-9 display the principal associated component planes of each class. The four best matching components are found by sorting the % matching from Eq(4) in descending order. The characteristics of each class are interpreted from the definitions of its principal associated components. Normal activities can be described as connections that use the relevant services (same_srv_rate, dhst_same_srv_rate and dhst_count) and are fully opened and closed (SF), as shown in Figure 6. Neptune attacks appear as flooding activities (dhst_count) with half-opened (S0) and SYN-error connections (dhst_serror_rate and dhst_srv_serror_rate), as shown in Figure 7. Portsweep attacks appear as rejected connections (rerror_rate and REJ) coming from the same source port (dhst_same_src_port_rate), with the destination ports scanned slowly (dhst_diff_srv_rate), as shown in Figure 8. Satan attacks appear as connections that scan a computer (dhst_diff_srv_rate and diff_srv_rate) rapidly (count), as shown in Figure 9.
Table 1. IDS Simulation Results.
Attack        Detection Rate (%)   False Alarm Rate (%)
Neptune       99.7181              0.0591
Port Sweep    97.9123              4.1917
Satan         90.2811              4.4988
In our experiments, we perform both quantitative and qualitative analysis. The quantitative analysis is done by evaluating detection accuracies. In our IDS simulation results, shown in Table 1, we achieve more than 90% detection rate and less than 5% false alarm rate for the three selected attack programs.
Furthermore, we perform qualitative analysis by interpreting the principal associated components of each attack using cluster matching. The knowledge gained from analyzing the principal associated components can facilitate the verification process of an intrusion detection system.
Figure 4. Matching Surface in SOM Component Plane.
Figure 5. U-Matrix of Testset 1 Map 2.
6. Conclusion
In this paper, we proposed a hybrid neural network approach for IDS. We offered insightful visualization of network intrusions using the clustering SOM approach. Then we applied RPROP to classify the suspicious network activities initially visualized by our SOM. Our IDS scheme is based on a divide and conquer approach. We cover both qualitative analysis (by SOM) and quantitative analysis (by RPROP).
References
[1] L. Girardin, "An Eye for Network Intruder-Administrator Shootouts," Proc. of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, 1999.
[2] A.J. Hoglund et al., "A Computer Host-based User Anomaly Detection System using Self-Organizing Map," Proc. of the IEEE-INNS-ENNS International Joint Conference on Neural Networks, Vol. 5, pp. 411-416, 2000.
[3] C. Jirapummin and N. Wattanapongsakorn, "Visual Intrusion Detection using Self-Organizing Maps," Proc. of Electrical and Electronic Conference (EECON-24), Thailand, Vol. 2, pp. 1343-1349, 2001.
[4] S.C. Lee and D.V. Heinbuch, "Training a Neural-Network Based Intrusion Detector to Recognize Novel Attacks," Information Assurance and Security, pp. 40-46, 2000.
[5] J.M. Bonifacio et al., "Neural Networks Applied in Intrusion Detection Systems," Proc. of IEEE Joint Conference on Neural Networks, Vol. 1, pp. 205-210, 1998.
[6] C.L. Schuba et al., "Analysis of a Denial of Service Attack on TCP," Proc. of IEEE Symposium on Security and Privacy, pp. 208-223, 1997.
[7] U. Kanlayasiri, "A Rule-based Approach for Port Scanning Detection," Electrical and Electronic Engineering Conference (EECON-23), Thailand, pp. 148-153, 2000.
[8] T. Kohonen, Self-Organizing Maps, 3rd edition, Springer-Verlag, 2001.
[9] A. Ultsch and H.P. Siemon, "Kohonen's Self-Organizing Feature Maps for Exploratory Data Analysis," Proc. of International Neural Network Conference, pp. 305-308, 1990.
[10] M. Riedmiller et al., "A Direct Adaptive Method for Faster Backpropagation Learning: The RPROP Algorithm," IEEE International Conference on Neural Networks, pp. 586-591, 1993.
[11] S.J. Stolfo et al., "KDD Cup 1999 Dataset," UCI KDD repository, http://kdd.ics.uci.edu
[12] W. Lee and S.J. Stolfo, "A Framework for Building Intrusion Detection Systems," Proceedings of the IEEE Symposium on Security and Privacy, pp. 120-132, 1999.
Figure 6. Principal Associated Component Planes of Normal Activities.
Figure 7. Principal Associated Component Planes of Portsweep Attacks.
Figure 8. Principal Associated Component Planes of Neptune Attacks.
Figure 9. Principal Associated Component Planes of Satan Attacks.