Neural Networks
An artificial neural
network consists of a collection of processing elements that are highly
interconnected and transform a set of inputs to a set of desired outputs. The
result of the transformation is determined by the characteristics of the
elements and the weights associated with the interconnections among them. By
modifying the connections between the nodes, the network is able to adapt to the
desired outputs.
The neural network gains
experience initially by training the system to correctly identify
preselected examples of the problem. The response of the neural network is
reviewed and the configuration of the system is refined until the neural
network’s analysis of the training data reaches a satisfactory level. In
addition to the initial training period, the neural network also gains
experience over time as it conducts analyses on data related to the problem.
About
Because of the
increasing dependence which companies and government agencies have on their
computer networks, the importance of protecting these systems from attack is
critical. A single intrusion of a computer network can result in the loss or
unauthorized utilization or modification of large amounts of data and cause
users to question the reliability of all of the information on the network.
The second general approach
to intrusion detection is misuse detection. This technique involves the
comparison of a user’s activities with the known behaviors of attackers
attempting to penetrate a system. While
anomaly detection typically utilizes threshold monitoring to indicate when a
certain established metric has been reached, misuse detection techniques
frequently utilize a rule-based approach. When applied to misuse detection, the
rules become scenarios for network attacks. The intrusion detection mechanism
identifies a potential attack if a user’s activities are found to be consistent
with the established rules.
Current Approaches To Intrusion
Detection Systems
Most current approaches
to the process of detecting intrusions utilize some form of rule-based
analysis. Rule-based analysis relies on sets of predefined rules that are
provided by an administrator, automatically created by the system, or both.
Expert systems are the most common form of rule-based intrusion detection
approaches. The early intrusion detection research efforts realized the
inefficiency of any approach that required a manual review of a system audit
trail. While the information necessary to identify attacks was believed to be
present within the voluminous audit data, an effective review of the material
required the use of an automated system.
MLP Prototype
The first prototype
neural network was designed to determine if a neural network was capable of
identifying specific events that are indications of misuse. The prototype
utilized an MLP architecture that consisted of four fully connected layers with
nine input nodes and two output nodes. The number of hidden layers, and the
number of nodes in the hidden layers, was determined based on the process of
trial and error. Each of the hidden nodes and the output node applied a sigmoid
transfer function (1/(1 + exp(-x))) to the various connection weights. The
neural network was designed to provide output values of 0.0 and 1.0 in the
two output nodes when the analysis indicated no attack and 1.0 and 0.0 in the
two output nodes in the event of an attack.
Potential Implementations
There are two general
implementations of neural networks in misuse detection systems. The first
involves incorporating them into existing or modified expert systems. Unlike
the previous attempts to use neural networks in anomaly detection by using them
as replacements for existing statistical analysis components, this proposal
involves using the neural network to filter the incoming data for suspicious
events which may be indicative of misuse and forward these events to the expert
system. This configuration should improve the effectiveness of the detection
system by reducing the false alarm rate of the expert system. Because the
neural network will determine a probability that a particular event is
indicative of an attack, a threshold can be established where the event is
forwarded to the expert system for additional analysis.
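The sketch below ties the MLP prototype's shape (nine inputs, four fully connected layers, two sigmoid outputs) to the threshold filter placed in front of the expert system. It is an added example, not code from the original prototype: the hidden-layer sizes, every weight and bias, the event names and the feature vectors are constructed assumptions.

```python
import math

def sigmoid(x):
    # Transfer function quoted in the text: 1 / (1 + exp(-x))
    return 1.0 / (1.0 + math.exp(-x))

def dense(n_in, n_out, weight, bias):
    # Constructed layer: every connection shares one weight (illustration only).
    return [[weight] * n_in for _ in range(n_out)], [bias] * n_out

# Four fully connected layers: 9 inputs -> 4 hidden -> 3 hidden -> 2 outputs.
# Hidden sizes and all weights are assumptions, not values from the prototype.
LAYERS = [dense(9, 4, 1.0, -4.5), dense(4, 3, 2.0, -4.0)]
# Output node 0 = attack, node 1 = no attack (mirrored weights).
LAYERS.append(([[3.0] * 3, [-3.0] * 3], [-4.5, 4.5]))

def forward(features, layers=LAYERS):
    if len(features) != 9:
        raise ValueError("expected nine input features")
    activations = list(features)
    for weights, biases in layers:
        activations = [sigmoid(sum(w * a for w, a in zip(row, activations)) + b)
                       for row, b in zip(weights, biases)]
    return activations  # [attack_score, normal_score]

def filter_events(events, threshold=0.5):
    """Return (forwarded, dropped); only events whose attack score meets
    the threshold are passed on to the expert system."""
    forwarded, dropped = [], []
    for name, features in events:
        attack, _normal = forward(features)
        target = forwarded if attack >= threshold else dropped
        target.append((name, round(attack, 3)))
    return forwarded, dropped

# Constructed events: nine features each, already scaled to [0, 1].
EVENTS = [
    ("evt-1", [0.0] * 9),
    ("evt-2", [1.0] * 9),
    ("evt-3", [0.2, 0.1, 0.0, 0.3, 0.1, 0.0, 0.2, 0.1, 0.0]),
    ("evt-4", [0.9, 1.0, 0.8, 1.0, 0.9, 0.7, 1.0, 0.8, 0.9]),
]

if __name__ == "__main__":
    forwarded, dropped = filter_events(EVENTS)
    print("to expert system:", forwarded)
    print("filtered out:", dropped)
```

Raising the threshold trades expert-system workload against missed events, so the value is best chosen against labelled traffic rather than fixed in advance.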
Abstract
Misuse detection is the process of attempting to identify
instances of network attacks by comparing current activity against the expected
actions of an intruder. Most current approaches to misuse detection involve the
use of rule-based expert systems to identify indications of known attacks.
Conclusion
Research and
development of intrusion detection systems has been ongoing since the early
1980s and the challenges faced by designers increase as the targeted systems
become more diverse and complex. Misuse detection is a particularly difficult
problem because of the extensive number of vulnerabilities in computer systems
and the creativity of the attackers.