WUJNS
Wuhan University Journal of Natural Sciences
Vol. 10 No. 1 2005 115-118
Article ID: 1007-1202(2005)01-0115-04

A Neural Network Approach for Misuse and Anomaly Intrusion Detection

YAO Yu, YU Ge†, GAO Fu-xiang
Faculty of Information Science and Engineering, Northeastern University, Shenyang 110004, Liaoning, China

Abstract: An MLP (Multi-Layer Perceptron)/Elman neural network is proposed in this paper, which realizes classification with memory of past events using the real-time classification of the MLP and the memorial functionality of the Elman. The system's sensitivity to the memory of past events can be easily reconfigured without retraining the whole network. This approach can be used for both misuse and anomaly detection systems. The intrusion detection systems (IDSs) using the hybrid MLP/Elman neural network are evaluated on the intrusion detection evaluation data sponsored by the U.S. Defense Advanced Research Projects Agency (DARPA). The results of the experiment are presented as Receiver Operating Characteristic (ROC) curves. The capabilities of these IDSs to identify Denial of Service (DOS) and probing attacks are enhanced.

Key words: intrusion detection system; hybrid MLP/Elman neural network; memory of past events; recurrent neural network

CLC number: TP 309

Received date: 2004-05-25
Foundation item: Supported by the National Natural Science Foundation of China (60173051), the National High Technology 863 Program of China (2003AA414210), the National Research Foundation for the Doctoral Program of Higher Education of China (20030145029) and the Award Foundation for Young Teachers from the Ministry of Education
Biography: YAO Yu (1976-), male, Ph.D candidate, research direction: information security, E-mail: yaoyu@mail.neu.edu.cn
† To whom correspondence should be addressed. E-mail: yuge@mail.neu.edu.cn

0 Introduction

The security of network systems has drawn close attention from both academia and industry with the increasing number of computers being connected to the Internet nowadays. Intrusion detection is devoted to detecting hackers' activity [1]. By building profiles of authorized computer users, a neural network can be trained to classify the incoming computer traffic into authorized traffic or unauthorized traffic (i.e. intrusive traffic) [2]. Current research in the area of intrusion detection based on neural networks shows encouraging results [3].

One of the largest challenges for current intrusion detection systems using neural networks is being able to provide some memory of past events. This problem is not only acute for signature-based misuse detection approaches, but also plagues anomaly detection tools that try to reduce false positive rates [4]. To address this shortcoming, an Elman neural network, which can keep a memory of past events, is utilized in this paper. In the past, backpropagation networks, in addition to other neural networks, have been applied with good performance to the problem of misuse detection [5]. Here a hybrid neural network is presented for both misuse and anomaly detection. The approach is evaluated against the Defense Advanced Research Projects Agency (DARPA) intrusion detection evaluation database [6].

1 Sensitivity to the Memory of Past Events (SMPE)

With their ability to generalize from learned data and to
classify online data, neural networks have become an appropriate approach to intrusion detection. Current research in the area of intrusion detection based on neural networks is summarized below.

A Multi-Layer Perceptron (MLP) neural network [5] demonstrates the potential for detecting individual instances of possible misuse. However, most attacks are composed of a series of misuse events. New prototypes must be designed to identify temporally dispersed and possibly collaborative attacks, such as denial of service (DOS) or probing. In order to improve detection rates, a hybrid SOM/MLP neural network for misuse detection was proposed [7]. That hybrid neural network is trained to recognize a pattern of 9 or more unsuccessful FTP login attempts in 3 minutes as an FTP brute force attack. In other words, if the attacker makes 9 unsuccessful FTP login attempts in every 3 minutes, the hybrid neural network will fail to detect the intrusion.

In fact, in order to bypass intrusion detection systems (IDSs), a few probe and DOS attacks consist of extremely stealthy traffic that spans many hours or even days. These types of attacks can be detected not only by the current event, but also by previously observed events. Identification of DOS and probing always depends on keeping a memory of past events. Because of the complexity of intrusive behaviors, the sensitivity to the memory of past events (SMPE) will affect the performance of an intrusion detection system. If the SMPE of a system is higher, the system can detect more attacks at higher false alarm rates. If the SMPE of a system is lower, the system can detect fewer attacks at lower false alarm rates.

Other hybrid SOM/MLP neural networks [8-10] have been presented in recent years, trying to detect intrusions that happen over a long time interval. These neural networks still have two weaknesses. ① There are too many nodes in the network. ② The SMPE of the systems is unchangeable once the weights are frozen after training. If users want to modify the SMPE of these systems in order to get higher or lower false positives, all of the weights must be changed by another training process.

A neural network approach is presented here which can be used for both misuse detection and anomaly detection in order to detect novel attacks [4].

2 Neural Network Intrusion Detection

Research in using a complete neural network approach to intrusion detection is conducted, which makes it easier to modify the SMPE of neural network IDSs. In this work, a feed-forward MLP with backpropagation (BP) learning is implemented first. The BP network has been used successfully in [5], and has the capacity to identify single misuse events.

A BP neural network can be constructed to compute any arbitrarily complex function. According to the data traffic, the network utilizes 10 input nodes. The number of hidden nodes is based on the performance of each trained network, while the number of output nodes is based on the number of intrusion types. Discrete-valued output nodes are used to represent the extent to which the network believes the input event is normal or misuse. It is designed to provide an output value of 1.0 when the analysis indicates a misuse and 0.0 when the event is normal.

2.1 Elman Networks

As shown above, neural network intrusion detection systems must have the ability to keep a memory of recent events in order to identify dispersed and collaborative attacks. The Elman neural network fits this purpose well. The Elman recurrent network is a well-known recurrent topology, developed by Jeffrey Elman. An Elman network has a set of context nodes. Each context node receives input from a single hidden node and sends its output to each node in the layer of its corresponding hidden node. Since the context nodes depend only on the activations of the hidden nodes from the previous input, the context nodes retain state information between inputs [11].

2.2 Hybrid MLP/Elman Neural Network

Elman nets are employed to keep a memory of events as they occur in a large stream of events. The hybrid MLP/Elman neural network model takes an output of the MLP as the input of an Elman, so that the number of Elman networks must be equal to the number of output nodes of the MLP. An Elman can keep a memory of past misuse events. Therefore, each output of the MLP can be retained using one Elman. When the classification result of an input is produced by the MLP, it is forwarded to and retained by the Elman connected to that output node of the MLP. This realizes classification with memory of recent events using the real-time classification of the MLP and the memorial functionality of the Elman. The topology of the hybrid MLP/Elman neural network is shown in Fig. 1. The illustration of the Elman is shown in Fig. 2. The nodes of the Elmans are labeled as input nodes (I), hidden nodes (H), output nodes (O), or context nodes (C).
Fig. 1 The topology of the hybrid MLP/Elman neural network

Fig. 2 The Elman neural network
I: input nodes; H: hidden nodes; O: output nodes; C: context nodes

2.3 Performance of the MLP/Elman Model

In operation, the context nodes of the Elman are initially set to 0. The recurrent connection weights, which run from the context nodes to the hidden nodes, are fixed values from 0 to 1. Processing consists of the following sequence of events. Both the input nodes and the context nodes activate the hidden nodes; then the hidden nodes feed forward to activate the output nodes. At time t, the input nodes receive the first input in the sequence. The hidden nodes also feed back to activate the context nodes. This constitutes the forward activation [12]. At the next time step t+1 the above sequence is repeated. This time the context nodes contain values, which provide the network with memory.

The hybrid MLP/Elman neural network keeps a memory of recent events by incrementing the value of the context node of the Elman, while slowly decreasing its value. When the MLP identifies a misuse intrusion, the Elman will quickly accumulate a large value in its context node. Similarly, when the MLP identifies a normal output, the Elman will decrease the value of its context back down to zero. As a result, the hybrid neural network emphasizes misuse intrusions that are closely temporally co-located and diminishes the values of those that are sparsely located. If the value of the context node rises above the threshold, an attack is considered to have appeared.

The advantage of using an Elman is that it allows occasional misuse behavior, which is to be expected during normal system operation, but it is sensitive to large numbers of temporally co-located misuse events, which one would expect if an attack really happens. The MLP/Elman approach is similar in functionality to the leaky bucket algorithm used in Ref. [4], while the difference between these two approaches is that the former is a complete neural network approach, but the leaky bucket algorithm is not.

2.4 Anomaly Intrusion Detection

Since the leaky bucket algorithm has been used successfully in the anomaly detection system of Ref. [4], the hybrid neural network can also be applied to anomaly detection. The anomaly detection system is designed to flag sessions as anomalous by monitoring process behavior. The MLP/Elman network does not need any modification to perform anomaly detection.

3 Experimental Results

The data sets of the DARPA Intrusion Detection Evaluations (1999 DARPA Intrusion Detection Evaluation Data Sets) are used to evaluate the performance of the hybrid MLP/Elman neural network. The system is trained on the training data provided by the DARPA Intrusion Detection Evaluations [13].

The sensitivity of the system can be easily changed by varying the recurrent connection weight and the threshold of the output nodes. A recurrent connection weight of 1 results in all prior events being retained in memory. A recurrent connection weight of 0 results in all of the past events but the current one being forgotten. The recurrent connection weight can be varied from 0 to 1.

Receiver operating characteristic (ROC) curves can be used to compare intrusion detection ability against false positives. The curve used in this paper is a plot of detection rates against false positive rates as the threshold of the output nodes is varied [14].

Figure 3(a) shows two ROC curves of misuse detection. When the recurrent connection weight is 0.75, a detection rate of 78.4% can be achieved with a false positive rate of only 5.2%. For a recurrent connection weight of 0.25, the false positive rate is only 4.1% at 79.4% detection. This shows very high detection ability.

ROC curves of anomaly detection are also produced, as illustrated in Fig. 3(b). When the recurrent connection weight is 0.75, a detection rate of 87.9% can be achieved with a false positive rate of 22.4%. For a recurrent connection weight of 0.25, the false positive rate is 19.1% at 91.2% detection.
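The context-node dynamics of Sec. 2.3 and the weight/threshold sweep of Sec. 3 can be reproduced in miniature. The following Python simulation is an added example, not the authors' code: it assumes a one-node Elman whose hidden activation is the fixed recurrent weight times the previous context value plus the 0/1 decision of one MLP output node (one Elman per MLP output, as in Sec. 2.2), and runs it over a constructed stream of 40 events in which three isolated misuse hits occur during normal operation and an attack burst contains two events the MLP misses. It goes slightly beyond the text by showing that the memory also bridges those missed events, at the price of a tail of alarms after the burst.

```python
"""Simulation of the hybrid MLP/Elman memory and of a threshold (ROC) sweep.

Added example, not the paper's code.  One Elman per MLP output node, with a
single hidden node, a single context node and a fixed recurrent weight w in
[0, 1] from the context node to the hidden node (Sec. 2.3).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ElmanMemory:
    """One-node Elman: context starts at 0; hidden = w * context + input;
    the hidden node feeds back to the context node for the next step."""
    recurrent_weight: float   # 1.0 retains all prior events, 0.0 keeps only the current one
    threshold: float          # an attack is declared when the activation rises above this
    context: float = 0.0

    def step(self, mlp_output: float) -> tuple[float, bool]:
        # Input node and context node together activate the hidden node.
        hidden = self.recurrent_weight * self.context + mlp_output
        # Hidden node feeds back to the context node (memory for time t+1).
        self.context = hidden
        return hidden, hidden > self.threshold


def run_sequence(mlp_outputs, recurrent_weight, threshold):
    """Feed a stream of MLP decisions (1.0 = misuse, 0.0 = normal) through one
    Elman.  Returns the hidden activation per event and the flagged indices."""
    memory = ElmanMemory(recurrent_weight, threshold)
    activations, flagged = [], []
    for index, output in enumerate(mlp_outputs):
        hidden, alarm = memory.step(output)
        activations.append(hidden)
        if alarm:
            flagged.append(index)
    return activations, flagged


def evaluate(mlp_outputs, attack_indices, recurrent_weight, threshold):
    """Per-event detection rate and false positive rate at one threshold."""
    _, flagged = run_sequence(mlp_outputs, recurrent_weight, threshold)
    flagged = set(flagged)
    attack = set(attack_indices)
    normal = set(range(len(mlp_outputs))) - attack
    tp = len(flagged & attack)
    fp = len(flagged & normal)
    return {"tp": tp, "fp": fp,
            "detection_rate": tp / len(attack),
            "false_positive_rate": fp / len(normal)}


def roc_points(mlp_outputs, attack_indices, recurrent_weight, thresholds):
    """Sweep the output-node threshold for a fixed recurrent weight; each
    point is (threshold, false positive rate, detection rate), i.e. one ROC curve."""
    points = []
    for t in thresholds:
        r = evaluate(mlp_outputs, attack_indices, recurrent_weight, t)
        points.append((t, r["false_positive_rate"], r["detection_rate"]))
    return points


# Constructed stream of 40 MLP decisions (hypothetical data, not DARPA data):
# isolated misuse hits at events 3, 12 and 25 during normal operation, and an
# attack spanning events 30-37 during which the MLP misses events 32 and 35.
ATTACK_EVENTS = range(30, 38)
MLP_OUTPUTS = [0.0] * 40
for _i in (3, 12, 25, 30, 31, 33, 34, 36, 37):
    MLP_OUTPUTS[_i] = 1.0

if __name__ == "__main__":
    for w in (0.0, 0.75, 1.0):
        for t, fpr, dr in roc_points(MLP_OUTPUTS, ATTACK_EVENTS, w, (0.5, 1.2, 2.0)):
            print(f"w={w:.2f} threshold={t:.1f} detection={dr:.3f} false_positive={fpr:.3f}")
```

With w = 0.75 and a threshold of 1.2 every attack event is flagged and the three isolated hits are not, because a lone 1.0 decays before another arrives; with w = 1.0 the context never decays, so once three hits have accumulated every later event raises an alarm (high SMPE, high false alarm rate); with w = 0.0 the Elman reduces to the bare MLP decision and cannot bridge the two missed events. Changing w or the threshold changes the operating point without touching the trained MLP weights, which is the reconfigurability claimed in the abstract.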
Fig. 3 Misuse and anomaly detection results
(a) Misuse detection results; (b) Anomaly detection results
[Two ROC plots, detection probability (0-100) against false positive probability (0-0.4); the plots are not reproduced here.]

4 Conclusion

In this paper, a hybrid MLP/Elman neural network is presented, which has three characteristics. ① It realizes classification with memory of recent events using the real-time classification of the MLP and the memorial functionality of the Elman. ② It is a complete neural network approach, which differs from the leaky bucket algorithm. ③ The sensitivity of the system can be easily configured, which allows end users to tune the system for acceptable tolerances without having to retrain the neural network.

The capability of IDSs to identify DOS and probing attacks is enhanced. The results from evaluating hybrid MLP/Elman neural network intrusion detection approaches in the Lincoln Laboratory/DARPA intrusion detection evaluation are shown in this paper. The results demonstrate that the hybrid neural network can detect intrusions with higher detection rates and lower false alarm rates than current neural network IDSs.

References

[1] Bivens A, Palagiri C, Smith R, et al. Network-Based Intrusion Detection Using Neural Networks. Proceedings of ANNIE-2002. New York: ASME Press, 2002. 579-584.
[2] Dao V N. A Performance Comparison of Different Backpropagation Neural Networks Methods in Computer Network Intrusion Detection. http://…ucdavis.edu, April 2002.
[3] Horeis T. Intrusion Detection with Neural Networks - Combination of Self-Organizing Maps and Radial Basis Function Networks for Human Expert Integration. http://ieee-nns.org, June 2003.
[4] Ghosh A K, Schwartzbard A. A Study in Using Neural Networks for Anomaly and Misuse Detection. Proceedings of the 8th USENIX Security Symposium. Washington D C: ASME Press, 1999. 23-26.
[5] Cannady J. Artificial Neural Networks for Misuse Detection. Proceedings of 1998 National Information Systems Security Conference (NISSC'98). Arlington: Virginia Press, 1998. 443-456.
[6] Kendall K. A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems [Master's Thesis]. Boston: Massachusetts Institute of Technology, 1998.
[7] Cannady J. Neural Networks for Misuse Detection: Initial Results. Proceedings of Recent Advances in Intrusion Detection '98 Conference. Belgium: Louvain-la-Neuve, 1998. 31-47.
[8] Jirapummin C, Wattanapongsakorn N, Kanthamanon P. Hybrid Neural Networks for Intrusion Detection System. Proceedings of the 2002 International Technical Conference on Circuits/Systems, Computers and Communications. Arlington: IEE Press, 2002. 928-931.
[9] Labib K, Vemuri R. NSOM: A Real-Time Network-Based Intrusion Detection System Using Self-Organizing Maps. http://www.california.edu, July 2002.
[10] Rhodes B, Mahaffey J, Cannady J. Multiple Self-Organizing Maps for Intrusion Detection. Proceedings of the 23rd National Information Systems Security Conference. Baltimore: MD Press, 2000. 32-42.
[11] Ghosh A K, Michael C, Schatz M. A Real-Time Intrusion Detection System Based on Learning Program Behavior. Proceedings of Recent Advances in Intrusion Detection. Toulouse: Springer-Verlag, 2000. 93-109.
[12] Elman J L. Finding Structure in Time. Cognitive Science, 1990, 14(2): 179-211.
[13] Cunningham R K, Lippmann R P, Fried D J, et al. Evaluating Intrusion Detection Systems without Attacking Your Friends: The 1998 DARPA Intrusion Detection Evaluation. Proceedings of Third Conference and Workshop on Intrusion Detection and Response. San Diego: Computer Associates Press, 1999. 10-21.
[14] Lippmann R, Haines J W, Fried D J, et al. The 1999 DARPA Off-Line Intrusion Detection Evaluation. Computer Networks, 2000, 30(2): 14-26.
[15] Haines J, Rossey L, Lippmann R, et al. Extending the 1999 Evaluation. Proceedings of DISCEX 2001. Anaheim: Computer Associates Press, 2002. 11-18.