Artificial Neural Networks for Misuse Detection
By: Artur • Research Paper • 3,129 Words • January 5, 2010 • 1,321 Views
Join now to read essay Artificial Neural Networks for Misuse Detection
Abstract:
Misuse detection is the process of attempting to identify instances of network attacks by
comparing current activity against the expected actions of an intruder. Most current approaches
to misuse detection involve the use of rule-based expert systems to identify indications of known
attacks. However, these techniques are less successful in identifying attacks which vary from
expected patterns. Artificial neural networks provide the potential to identify and classify
network activity based on limited, incomplete, and nonlinear data sources. We present an
approach to the process of misuse detection that utilizes the analytical strengths of neural
networks, and we provide the results from our preliminary analysis of this approach.
Keywords: Intrusion detection, misuse detection, neural networks, computer security.
1. Introduction
Because of the increasing dependence which companies and government agencies have on their
computer networks the importance of protecting these systems from attack is critical. A single
intrusion of a computer network can result in the loss or unauthorized utilization or modification
of large amounts of data and cause users to question the reliability of all of the information on the
network. There are numerous methods of responding to a network intrusion, but they all require
the accurate and timely identification of the attack.
This paper presents an analysis of the applicability of neural networks in the identification of
instances of external attacks against a network. The results of tests conducted on a neural
network, which was designed as a proof-of-concept, are also presented. Finally, the areas of
future research that are being conducted in this area are discussed.
1.1 Intrusion Detection Systems
1.1.1 Background
The timely and accurate detection of computer and network system intrusions has always been
an elusive goal for system administrators and information security researchers. The individual
creativity of attackers, the wide range of computer hardware and operating systems, and the ever-
changing nature of the overall threat to target systems have contributed to the difficulty in
effectively identifying intrusions. While the complexities of host computers already made
intrusion detection a difficult endeavor, the increasing prevalence of distributed network-based
systems and insecure networks such as the Internet has greatly increased the need for intrusion
detection [20].
There are two general categories of attacks which intrusion detection technologies attempt to
identify - anomaly detection and misuse detection [1,13]. Anomaly detection identifies activities
that vary from established patterns for users, or groups of users. Anomaly detection typically
involves the creation of knowledge bases that contain the profiles of the monitored activities.
The second general approach to intrusion detection is misuse detection. This technique involves
the comparison of a user’s activities with the known behaviors of attackers attempting to
penetrate a system [17,18]. While anomaly detection typically utilizes threshold monitoring to
indicate when a certain established metric has been reached, misuse detection techniques
frequently utilize a rule-based approach. When applied to misuse detection, the rules become
scenarios for network attacks. The intrusion detection mechanism identifies a potential attack if a user’s activities are found to be consistent with the established rules.