Training a neural-network based intrusion detector to recognize novel attacks

Citation
Sc. Lee and Dv. Heinbuch, Training a neural-network based intrusion detector to recognize novel attacks, IEEE SYST A, 31(4), 2001, pp. 294-299
Number of citations
7
Language
English
Article type
Article
Subject Categories
AI Robotics and Automatic Control
Journal title
IEEE TRANSACTIONS ON SYSTEMS MAN AND CYBERNETICS PART A-SYSTEMS AND HUMANS
ISSN journal
1083-4427
Volume
31
Issue
4
Year of publication
2001
Pages
294 - 299
Database
ISI
SICI code
1083-4427(200107)31:4<294:TANBID>2.0.ZU;2-W
Abstract
While many commercial intrusion detection systems (IDS) are deployed, the protection they afford is modest. At the state-of-the-art, IDS produce voluminous alerts, most false alarms, and function mainly by recognizing the signatures of known attacks so that novel attacks slip past them. Attempts have been made to create systems that recognize the signature of "normal," in the hopes that they will then detect attacks, known or novel. These systems are often confounded by the extreme variability of nominal behavior. This paper describes an experiment with an IDS composed of a hierarchy of neural networks (NN) that functions as a true anomaly detector. This result is achieved by monitoring selected areas of network behavior, such as protocols, that are predictable in advance. While this does not cover the entire attack space, a considerable number of attacks are carried out by violating the expectations of the protocol/operating system designer. Within this focus, the NNs are trained using data that spans the entire normal space. These detectors are able to recognize attacks that were not specifically presented during training. We show that using small detectors in a hierarchy gives a better result than a single large detector. Some techniques can be used not only to detect anomalies, but to distinguish among them.