Misuse detection is the process of attempting to identify instances of network attacks by comparing current activity against the expected actions of an intruder. Most current approaches to misuse detection involve the use of rule-based expert systems to identify indications of known attacks. However, these techniques are less successful in identifying attacks which vary from expected patterns. Artificial neural networks provide the potential to identify and classify network activity based on limited, incomplete, and nonlinear data sources. We present an approach to the process of misuse detection that utilizes the analytical strengths of neural networks, and we provide the results from our preliminary analysis of this approach.

Keywords: Intrusion detection, misuse detection, neural networks, computer security.
Because of the increasing dependence which companies and government agencies have on their computer networks, the importance of protecting these systems from attack is critical. A single intrusion into a computer network can result in the loss, unauthorized use or modification of large amounts of data, and can cause users to question the reliability of all of the information on the network. There are numerous methods of responding to a network intrusion, but they all require the accurate and timely identification of the attack.
This paper presents an analysis of the applicability of neural networks in the identification of instances of external attacks against a network. The results of tests conducted on a neural network, which was designed as a proof-of-concept, are also presented. Finally, the areas of future research that are being conducted in this area are discussed.
1.1 Intrusion Detection Systems
The timely and accurate detection of computer and network system intrusions has always been an elusive goal for system administrators and information security researchers. The individual creativity of attackers, the wide range of computer hardware and operating systems, and the ever-changing nature of the overall threat to target systems have contributed to the difficulty in effectively identifying intrusions. While the complexities of host computers already made intrusion detection a difficult endeavor, the increasing prevalence of distributed network-based systems and insecure networks such as the Internet has greatly increased the need for intrusion detection.
There are two general approaches by which intrusion detection technologies attempt to identify attacks: anomaly detection and misuse detection [1,13]. Anomaly detection identifies activities that vary from established patterns for users, or groups of users. Anomaly detection typically involves the creation of knowledge bases that contain the profiles of the monitored activities. The second general approach to intrusion detection is misuse detection. This technique involves the comparison of a user's activities with the known behaviors of attackers attempting to penetrate a system [17,18]. While anomaly detection typically utilizes threshold monitoring to indicate when an established metric has been exceeded, misuse detection techniques frequently utilize a rule-based approach. When applied to misuse detection, the rules become scenarios for network attacks. The intrusion detection mechanism identifies a potential attack if a user's activities are found to be consistent with the established rules. The use of comprehensive rules is critical in the application of expert systems for intrusion detection.
1.1.2 Current Approaches to Intrusion Detection
Most current approaches to the process of detecting intrusions utilize some form of rule-based analysis. Rule-based analysis relies on sets of predefined rules that are provided by an administrator, automatically created by the system, or both. Expert systems are the most common form of rule-based intrusion detection approaches [8, 24]. The...
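Section 1.1 contrasts anomaly detection (threshold monitoring against a profile) with misuse detection (rule-based attack scenarios), and the abstract notes that rules are weak against attacks which vary from the expected pattern. The following Python program is an added example, not code from this paper or from any of the systems it cites: it implements both approaches over a constructed audit trail. The event schema, the two scenario rules, the failed-login-share metric and the user names are assumptions made for illustration.

```python
# Added illustration, not code from the paper: a threshold-monitoring anomaly
# detector and a scenario-rule misuse detector run over a constructed audit trail.
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    t: int          # seconds since the start of the constructed trace
    user: str
    action: str     # login_fail | login_ok | read | exec
    target: str     # host, file or program touched


# Constructed audit trail (illustrative, not real data). "mallory" runs a
# textbook password-guessing sequence; "eve" runs the same attack slowed down
# and spread across hosts; "bob" simply mistypes a password once.
TRACE = [
    Event(0,    "alice",   "login_ok",   "hostA"),
    Event(30,   "alice",   "read",       "/home/alice/notes"),
    Event(45,   "bob",     "login_fail", "hostA"),
    Event(50,   "bob",     "login_ok",   "hostA"),
    Event(100,  "mallory", "login_fail", "hostA"),
    Event(105,  "mallory", "login_fail", "hostA"),
    Event(110,  "mallory", "login_fail", "hostA"),
    Event(115,  "mallory", "login_ok",   "hostA"),
    Event(120,  "mallory", "read",       "/etc/passwd"),
    Event(125,  "mallory", "exec",       "crack"),
    Event(1000, "eve",     "login_fail", "hostA"),
    Event(1400, "eve",     "login_fail", "hostB"),
    Event(1800, "eve",     "login_fail", "hostC"),
    Event(2200, "eve",     "login_ok",   "hostC"),
    Event(2210, "eve",     "read",       "/etc/passwd"),
    Event(2220, "eve",     "exec",       "crack"),
]

Step = Callable[[Event], bool]


@dataclass
class Scenario:
    """A misuse rule: an ordered list of event predicates that must all be
    satisfied by one user's events within `window` seconds of the first."""
    name: str
    steps: List[Step]
    window: int


# Hypothetical attack scenarios, written as the rules an administrator would supply.
SCENARIOS = [
    Scenario("password_guessing",
             [lambda e: e.action == "login_fail"] * 3
             + [lambda e: e.action == "login_ok"],
             window=60),
    Scenario("passwd_harvest",
             [lambda e: e.action == "read" and e.target == "/etc/passwd",
              lambda e: e.action == "exec" and e.target == "crack"],
             window=30),
]


def misuse_alerts(trace: List[Event], scenarios: List[Scenario]) -> List[Tuple[str, str]]:
    """Misuse detection: report (scenario, user) for each user whose time-ordered
    events contain a scenario's steps, in order, inside the scenario's window.
    Unrelated events between steps are ignored; each scenario fires once per user."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(trace, key=lambda e: e.t):
        by_user[e.user].append(e)
    alerts = []
    for user, events in by_user.items():
        for sc in scenarios:
            for i, first in enumerate(events):
                if not sc.steps[0](first):
                    continue
                k = 1                      # index of the next step to satisfy
                for e in events[i + 1:]:
                    if k == len(sc.steps) or e.t - first.t > sc.window:
                        break
                    if sc.steps[k](e):
                        k += 1
                if k == len(sc.steps):
                    alerts.append((sc.name, user))
                    break
    return alerts


def anomaly_alerts(trace: List[Event], threshold: float = 0.5) -> Dict[str, float]:
    """Anomaly detection by threshold monitoring: the metric is each user's share
    of failed logins, and users whose share exceeds the threshold are flagged.
    Timing is irrelevant, so the slowed-down variant is caught too; the cost is
    that an attack which does not move this metric is invisible."""
    fails: Counter = Counter()
    attempts: Counter = Counter()
    for e in trace:
        if e.action in ("login_fail", "login_ok"):
            attempts[e.user] += 1
            if e.action == "login_fail":
                fails[e.user] += 1
    return {u: fails[u] / attempts[u] for u in attempts
            if fails[u] / attempts[u] > threshold}


if __name__ == "__main__":
    for name, user in misuse_alerts(TRACE, SCENARIOS):
        print(f"misuse  : {name:18s} {user}")
    for user, rate in anomaly_alerts(TRACE).items():
        print(f"anomaly : failed-login share {rate:.2f}  {user}")
```

Running it lists mallory under both the scenario rule and the threshold metric, but eve, whose guessing is spread over twenty minutes and three hosts, escapes the password_guessing rule entirely and is caught only by the threshold metric and by the second rule for the part of the attack she did not vary. That brittleness of fixed scenarios is the problem the paper sets out to address; the threshold detector, for its part, stays silent for bob, whose single mistyped password leaves his failed-login share exactly at the threshold.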
References:
Anderson, D., Frivold, T. & Valdes, A. (May 1995). Next-generation Intrusion Detection Expert System (NIDES): A Summary
Carpenter, G.A. & Grossberg, S. (1987). A Massively Parallel Architecture for a Self-Organizing Neural Pattern Recognition Machine
Chung, M., Puketza, N., Olsson, R.A., & Mukherjee, B. (1995). Simulating Concurrent Intrusions for Testing Intrusion Detection Systems: Parallelizing
Cramer, M., et al. (1995). New Methods of Intrusion Detection using Control-Loop
Debar, H., Becke, M., & Siboni, D. (1992). A Neural Network Component for an Intrusion
Debar, H. & Dorizzi, B. (1992). An Application of a Recurrent Network to an Intrusion
Denault, M., Gritzalis, D., Karagiannis, D., and Spirakis, P. (1994). Intrusion Detection: Approach and Performance Issues of the SECURENET System
Fox, K.L., Henning, R.R., and Reed, J.H. (1990). A Neural Network Approach Towards Intrusion Detection
Frank, J. (1994). Artificial Intelligence and Intrusion Detection: Current and Future
Fu, L. (1992). A Neural Network Model for Learning Rule-Based Systems. In Proceedings of the International Joint Conference on Neural Networks
Hammerstrom, D. (June 1993). Neural Networks At Work. IEEE Spectrum. pp. 26-
Helman, P., Liepins, G., and Richards, W. (1992). Foundations of Intrusion Detection. In Proceedings of the Fifth Computer Security Foundations Workshop pp
Helman, P. and Liepins, G. (1993). Statistical foundations of audit trail analysis for the detection of computer misuse, IEEE Trans
Ilgun, K. (1993). USTAT: A Real-time Intrusion Detection System for UNIX. In Proceedings of the IEEE Symposium on Research in Security and Privacy
Kohonen, T. (1995). Self-Organizing Maps. Berlin: Springer.
Kumar, S. & Spafford, E. (1994). A Pattern Matching Model for Misuse Intrusion
Kumar, S. & Spafford, E. (1995). A Software Architecture to Support Misuse Intrusion
Lunt, T.F. (1989). Real-Time Intrusion Detection. Computer Security Journal Vol. VI,
Mukherjee, B., Heberlein, L.T., Levitt, K.N. (May/June 1994). Network Intrusion
Porras, P. & Neumann, P. (1997). EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances
Puketza, N., Chung, M., Olsson, R.A. & Mukherjee, B. (September/October 1997). A Software Platform for Testing Intrusion Detection Systems
Ryan, J., Lin, M., and Miikkulainen, R. (1997). Intrusion Detection with Neural Networks.
Sebring, M., Shellhouse, E., Hanna, M. & Whitehurst, R. (1988). Expert Systems in Intrusion Detection: A Case Study
Staniford-Chen, S. (1995, May 7). Using Thumbprints to Trace Intruders. UC Davis.
Tan, K. (1995). The Application of Neural Networks to UNIX Computer Security. In Proceedings of the IEEE International Conference on Neural Networks, Vol. 1 pp
Tan, K.M.C. & Collie, B.S. (1997). Detection and Classification of TCP/IP Network
White, G.B., Fisch, E.A., and Pooch, U.W. (January/February 1996). Cooperating Security Managers: A Peer-Based Intrusion Detection System