
A Neural Network Based

Intelligent Intrusion Detection System

Robert Birkely, Bachelor of IT

School of Information Technology


Faculty of Engineering and
Information Technology
Griffith University – Gold Coast Campus

Submitted in partial fulfilment of the requirements of the


degree of Masters in Information Technology

June 2003
Abstract

This research addresses some of today's e-security threats. It is known that a totally safe system is impossible to achieve once a system is connected to the Internet. We therefore have to stay alert for attacks, as they will most likely happen sooner or later. The aim of this research is to propose and investigate a neural network based intelligent Intrusion Detection System that can promptly detect attacks, whether they are known or previously unseen.

Anomaly based Intrusion Detection Systems are the type of system with the greatest potential within intrusion detection. An anomaly based Intrusion Detection System needs to be able to learn user or system behaviour, because both change over time in today's dynamic environment. In this research we experiment with user behaviour as the parameters for anomaly intrusion detection. There are several methods for teaching an Intrusion Detection System users' behaviour. The Intrusion Detection System proposed in this research uses a backpropagation neural network to learn users' behaviour. Neural networks have previously been applied successfully to areas such as pattern recognition, speech recognition, computer vision, control, prediction and other real world problems.

Training a neural network takes considerable time and resources. In this research, we wanted to see whether a neural network could classify normal traffic correctly and detect known and unknown attacks without using a huge amount of training data. For the training and testing of the neural network, we used the 1998 DARPA Intrusion Detection Evaluation data sets. We used 197 sessions of traffic for training the neural network: 99 sessions of normal traffic and 98 sessions containing attacks.

The experiments were separated into three parts. The first, preliminary experiment was conducted to determine when the neural network was properly trained to classify sessions correctly and when it failed to classify sessions at all. In this preliminary experiment we used both known and unknown attacks. The next experiment tested the neural network with a small amount of traffic to measure its classification rate, using normal traffic, known attacks and unknown attacks. In the final experiment we tested with a larger amount of traffic.

Unknown attacks are the most threatening, because we do not know what to expect from them. In the final experiments, we obtained a classification rate of 86% on known and unknown attacks. Compared with two other studies, which reported classification rates of 77.3% and 80%, the results of our experiments are very promising.

Table of Contents

Abstract ........................................................................................................ ii
Table of Contents........................................................................ iv
List of Figures ............................................................................................. vi
List of Tables............................................................................................... vi
Acknowledgements ................................................................................... vii
Statement of Originality ........................................................................... viii
List of Abbreviations .................................................................................. ix

Chapter 1: Introduction ............................................................................... 1


1.1 History .................................................................................................. 1
1.2 Motivations and Aims ........................................................................... 3
1.3 Organization of the Dissertation ........................................................... 4

Chapter 2: Literature Review ...................................................................... 5


2.1 Introduction........................................................................................... 5
2.2 Background .......................................................................................... 5
2.3 Firewall ................................................................................................. 8
2.4 Intrusion Detection System................................................................. 10
2.4.1 What is an intrusion? ................................................................... 13
2.4.2 History.......................................................................................... 14
2.4.3 Today’s system............................................................................ 15
2.4.4 Anomaly Intrusion Detection Systems ......................................... 17
2.4.5 Misuse Intrusion Detection Systems ............................................ 20
2.4.6 Hybrid of misuse and anomaly Intrusion Detection System ......... 21
2.4.7 Common Intrusion Detection Framework..................................... 21
2.4.8 Misuse versus Anomaly Detection............................................... 23
2.4.9 Earlier research on Intrusion Detection........................................ 24
2.4.10 What can be better in today’s systems? .................................... 25
2.5 Why use several security components? ............................................. 26
2.6 Intrusion Prevention System............................................................... 28
2.7 Characterizing normal behaviour........................................................ 28
2.8 Neural Networks................................................................................. 30
2.8.1 Backpropagation Neural Network ................................................ 32
2.8.2 Why use Neural Networks? ......................................................... 32
2.9 DARPA Intrusion Detection Evaluation .............................................. 33
2.10 Attack methods................................................................................. 35
2.10.1 Denial of Service (DoS) ............................................................. 37
2.10.2 Trojan Horses ............................................................................ 39
2.10.3 Viruses and worms .................................................................... 40
2.11 Honeynets ........................................................................................ 41
2.12 Visualization of the log files .............................................................. 43

Chapter 3: Research Methodology........................................................... 46
3.1 Introduction......................................................................................... 46
3.2 Outline ................................................................................................ 46
3.3 Input files to the Neural Network ........................................................ 48
3.3.1 Log file format .............................................................................. 48
3.3.2 Making the input files ................................................................... 49
3.4 Testing environment ........................................................................... 51
3.4.1 Training Pair ................................................................................ 51
3.4.2 Parameters for the Neural Network ............................................. 51
3.4.3 Criteria for training termination..................................................... 52
3.4.4 Different tests............................................................................... 53
3.4.5 Attacks in different files ................................................................ 54

Chapter 4: Experimental Results.............................................................. 55


4.1 Introduction......................................................................................... 55
4.2 Testing the Neural Network ................................................................ 55
4.3 Preliminary experiment....................................................................... 55
4.4 Second experiment ............................................................................ 57
4.4.1 Normal traffic ............................................................................... 58
4.4.2 Known attacks ............................................................................. 59
4.4.3 Unknown attacks ......................................................................... 60
4.5 Final experiment................................................................................. 60
4.5.1 Normal traffic ............................................................................... 61
4.5.2 Known attacks ............................................................................. 62
4.5.3 Unknown attacks ......................................................................... 63

Chapter 5: Analysis and Comparison ...................................................... 64


5.1 Introduction......................................................................................... 64
5.2 RMS-error Comparison ...................................................................... 64
5.3 Sessions not detected ........................................................................ 65
5.3.1 Known attacks ............................................................................. 65
5.3.2 Unknown attacks ......................................................................... 66
5.4 False positives.................................................................................... 66
5.5 Comparison with other research......................................................... 67

Chapter 6: Conclusion............................................................................... 69
6.1 Introduction......................................................................................... 69
6.2 Intrusion Detection with Neural Networks........................................... 69
6.3 Suggestions for further research ........................................................ 70

Appendix .................................................................................................... 72
Appendix 1: Training data ........................................................ 72
Appendix 2: Testing data.......................................................................... 78
Appendix 3: Attacks used in this research................................................ 82

References.................................................................................................. 83

List of Figures

Figure 2-1 CERT Reported incidents per Year .............................................. 7


Figure 2-2 Firewall protecting a LAN.............................................................. 9
Figure 2-3 Host and Network based Intrusion Detection System................. 12
Figure 2-4 The Common Intrusion Detection Framework ............................ 22
Figure 2-5 Firewall, IDS and Honeynet protecting a LAN ............................ 26
Figure 2-6 Neural Network model ................................................................ 31
Figure 2-7 The evolution of attack sophistication ......................................... 36
Figure 2-8 Distributed Denial of Service attack ............................................ 38
Figure 2-9 Honeynet .................................................................................... 42
Figure 2-10 Visualization of the log files ...................................................... 44
Figure 3-1 Block Diagram of Research Methodology................................... 47
Figure 3-2 Training the Neural Network ....................................................... 53
Figure 4-1 RMS-error for the preliminary experiment................................... 57
Figure 5-1 RMS-error comparison ............................................................... 64
Figure 5-2 Comparison with other research................................................. 67

List of Tables

Table 2-1 Key findings from the two security surveys .................................... 6
Table 2-2 Misuse vs. Anomaly intrusion detection ....................................... 23
Table 3-1 Original parameters in the DARPA Data Sets.............................. 48
Table 3-2 Parameters used in this experiment ............................................ 49
Table 3-3 Example of the parameters for the Neural Network ..................... 52
Table 3-4 Separated attacks ........................................................................ 54
Table 4-1 The preliminary experiment results .............................................. 56
Table 4-2 Second experiment results for normal traffic................................ 58
Table 4-3 Second experiment results for known attacks.............................. 59
Table 4-4 Second experiment results for unknown attacks.......................... 60
Table 4-5 Final experiment results for normal traffic .................................... 61
Table 4-6 Final experiment results for known attacks .................................. 62
Table 4-7 Final experiment results for unknown attacks .............................. 63
Table 5-1 Known attacks not detected......................................................... 65
Table 5-2 Unknown attacks not detected..................................................... 66

Acknowledgements

First and foremost I would like to thank my supervisor Dr. V. Muthukkumarasamy and my associate supervisor Brijesh Verma for their guidance and expertise. I would also like to thank Associate Professor Peter Deer for his enthusiasm and for encouraging me to continue with my research.

I would also like to give my thanks to my fiancée. Without her encouragement, help and support, this research would not have been done.

Finally I would like to thank all academic, administrative and technical staff
from the School of Information Technology for their assistance throughout my
research.

Statement of Originality

This work has not previously been submitted for a degree or diploma in any
university. To the best of my knowledge and belief, this thesis contains no
material previously published or written by another person except where due
reference is made in the thesis itself.

Signature:………………………….………………

Date: ………………………………………………

List of Abbreviations

ADSL Asymmetric Digital Subscriber Line


AusCERT Australian Computer Emergency Response Team
CERT Computer Emergency Response Team
CPU Central Processing Unit
CSI Computer Security Institute
DARPA Defence Advanced Research Projects Agency
DDoS Distributed Denial of Service
DoS Denial of Service
FBI Federal Bureau of Investigation
FTP File Transfer Protocol
HTTP Hypertext Transfer Protocol
I/O Input/Output
IDS Intrusion Detection System
IP Internet Protocol
IRC Internet Relay Chat
LAN Local Area Network
R2L Remote to Local
RMS Root Mean Square
SMTP Simple Mail Transfer Protocol
TCP/IP Transmission Control Protocol / Internet Protocol
U2R User to Root
UDP User Datagram Protocol

Chapter 1: Introduction

1.1 History

The Internet has almost become a “new world”, and as in the real world, this “new world” has criminals and vandals. The threat of vandalism and theft has given users a need for security components to protect themselves.

In 1983 the ARPAnet, and every network attached to the ARPAnet, officially adopted the TCP/IP networking protocol, which had been under development and tested since 1973 [1]. From 1983, all networks that used TCP/IP were collectively known as the Internet. The standardization of TCP/IP allowed the number of Internet sites and users to grow exponentially [2, 3]. When the Internet started to be widely used, users were so excited about connecting systems that security was forgotten. Everyone just wanted to use the Internet, and did not think of the dangers it also brought. The first Internet worm was unleashed on November 2, 1988 by Robert T. Morris Jr [3, 4]. Since then, the number of incidents has grown rapidly each year. In 2002, the number of incidents was 82,094 [5].

In 1989, Kevin Mitnick was arrested for invading Digital Equipment Corporation’s computer system and allegedly stealing software. By then he had been breaking into different computer systems for several years, and he is now known as the first high-profile computer hacker [3].

All information systems and computer networks are threatened by electronic attacks. Computer systems today face a variety of threats, such as [6]:

• Integrity
• Confidentiality
• Denial of Service
• Authentication

A totally safe system is, at present, impossible to achieve when we have Internet access. Surveys show that the threat from computer crime and other information security breaches continues unabated, and that the financial toll is mounting [7]. Therefore we have to stay alert for attacks and misuse; most likely they will happen sooner or later.

We could say that the silver bullet in network security would be to lock the computers in a bank vault, with no external access at all and armed guards to guard the vault. Even then, there would still be the threat of inside attacks from, for example, the guards. Such a system is of course not practical, because most systems need access to the outside world. This is why we have to raise the security level close to that of locking the computers into a bank vault.

Network security can be seen as a chain. It is said that a chain is no stronger than its weakest link, and the same holds for network security: your security level is no higher than the weakest part of your security components. A quotation from the Babylonian Talmud, Tractate Baba Metzia [6] is illustrative here: “It is not the mouse that is the thief, it is the hole that lets the mouse in”.

A few years ago, someone who wanted to break into a computer system had to have very good computer skills. He had to know the security holes and how to exploit them. Today, the intrusion threat is bigger than ever, because applications are available on the Internet that give people with almost no computer experience the ability to break into computer systems. As a result, attacks against computer systems and networks have increased significantly in recent years [8].

Today, almost anyone can find tools to use for attacks. Someone interested can easily search for such tools using, for example, Google [9] and start using them from home. And someone who just wants to attack a small neighbourhood firm can easily hide their IP address by using public proxy servers found on the Internet.

As Kelly Schupp from GuardedNet noted [10], “We don’t believe there’s one silver bullet product, nor will there ever be. However, hopefully with the implementation of newer solutions, life will become a little more manageable and (at least temporarily) more secure”.

Most of the prevalent Internet attacks today can be stopped or mitigated proactively with little fear of false alarms. But what about new and unknown attacks? Are these not the worst? It is hard to protect yourself against something you know nothing about.

1.2 Motivations and Aims

My interest in the network security area was really raised after reading an article which said that the attack methods we see and know today could look puny, like child’s play, compared to the next-generation threats that are coming [11].

The aim of this research is to find out what needs to be done to make a computer system safer, without having a system that sends out false alarms that take up much of an already busy system administrator’s time. The job of security administrators is almost impossible today: no matter how many holes they find in their network, and no matter how many bugs they fix to keep intruders out, an intruder only needs to find one hole to get in.

The goal of this research is to develop an Intrusion Detection System that is able to detect both known and unknown attacks without relying on signatures or other hard coded updates to stay protected against the latest attacks. For this we will examine the ability of neural networks to learn user behaviour, and we will use this for intrusion detection.

1.3 Organization of the Dissertation

The content of this thesis is divided into six chapters. Chapter one introduces the background, motivation and aim of the research. Chapter two presents an overview of security components, and goes deeper into Intrusion Detection Systems. Chapter three proposes and describes the methods used in this research. Chapter four lists the results obtained in the experiments. Chapter five analyzes the results of the experiments and shows which attacks were not detected by the neural network; this chapter also compares the results with other research. Chapter six draws conclusions from the research undertaken.

Chapter 2: Literature Review

2.1 Introduction

The field of network security motivates this research. This chapter provides a review of the network security components and attack methods most used today. The chapter starts with an overview of the threats that companies connected to the Internet face today. It then explains some of the network security components in use, and goes deeper into Intrusion Detection System technology. It explains the different types of Intrusion Detection Systems and the current state of the research. The chapter also gives an explanation of neural networks, and ends with an overview of some of the most used attack methods today.

2.2 Background

As mentioned earlier, all information systems and networks are under threat of attack or misuse. A computer crime and security survey has been conducted in the USA every year for the last seven years. The 7th annual survey [7] was conducted in cooperation with the Federal Bureau of Investigation, with the aim of raising the level of security awareness. This survey showed that, in the last 12 months, 60% of the companies in the USA had experienced unauthorized use of their networks and 38% had suffered unauthorized access or misuse on their Web sites; 21% said they did not know whether there had been unauthorized access or misuse. It must also be noted that this covers only the unauthorized usage that was detected: the real numbers for unauthorized access or misuse are most likely higher. The survey also showed that 89% of the respondents had a firewall and 60% used Intrusion Detection Systems, yet 40% of the respondents still detected system penetration from the outside.

40% of the respondents also detected Denial of Service attacks against their servers.

A survey similar to the one in the USA has been conducted in Australia [12]. This is the only survey of its type in Australia focusing on the actual extent and nature of security incidents. It showed that 67% of the companies had experienced unauthorised use of their networks in the last 12 months. Of these, 65% had experienced attacks from inside their company.

The key findings from the two security surveys [7,12] can be seen in Table
2-1.

                                                        USA %   Australia %
How many had a firewall installed?                        89        96
How many had an Intrusion Detection System installed?     60        53
How many had Anti-Virus software installed?               90        99
How many had unauthorized use of their network?           60        67
How many detected attacks from the outside?               40        89
How many detected attacks from the inside?                78        65
How many detected Denial of Service attacks?              40        43
How many had security incidents on their web site?        38        30

Table 2-1 Key findings from the two security surveys

In November 2001, two former Cisco Systems, Inc. accountants were sentenced to 34 months in prison for “exceeding their authorized access to the computer systems” of Cisco Systems in order to illegally issue almost $8 million in Cisco stock to themselves [7]. This is just one example among many demonstrating the threat companies face from the inside. The American survey [7] showed that 38% of the respondents had experienced unauthorized access by insiders. Security components must therefore be able to detect attacks from the inside just as well as attacks from the outside.

Annual reports from the Computer Emergency Response Team (CERT) indicate a significant increase in the number of computer security incidents, from just 6 incidents reported in 1988 to 82,094 reported in 2002 [5].

[Chart: CERT-reported incidents per year, 1988–2002, rising from near zero to over 80,000 incidents]

Figure 2-1 CERT Reported incidents per Year

A report [13] showed that in 1995 there were approximately 250,000 attempted break-ins into federal computer systems in the USA. Of these attacks, 64%, about 160,000, were successful. It is estimated that the number of attacks will double every year.

The Internet of 10 years ago was not a utility in any sense. It now supports 10–15 percent of the Gross Domestic Product of the industrialized world [11]. This raises the need for better security, as the threats are higher than ever. Gil Raanan from Sanctum explained why businesses are so in need of better security [14]: “Companies are using their networks for confidential and mission critical functions. In addition, businesses today are more vulnerable than in the past because they are sharing information, such as financial and sales data, over internal and external networks”. William A. Wulf, president of the National Academy of Engineering, explained how important the Internet is today [15]: “We are so dependent on the cyber infrastructure now. We can’t do financial transactions without it. Even the larger infrastructure – the power grid, gas pipelines – depends on it”.

But merely implementing security components is not enough. Gene Spafford, Director of CERIAS at Purdue University, said [7]: “Security comes from understanding systems, goals and methods. Strong tools applied in the wrong way for the wrong reasons don’t help, and may even confound other defenses”. The person in charge of security should not just buy some security components, implement them, and assume that most of the work is done. An analysis of the system and its needs should be done first, to find out what the security components should protect and how important the data are. But the most important work comes after implementation: staying up to date on attack methods, and tuning the security components when needed.

Rebecca Herold, Senior Security Architect of QinetiQ Trusted Information Management, Inc., says: “Sadly, security controls and tools are often the victims of budget cuts when project costs must be reduced when implementing new applications, systems or networks. I’ve heard too many organizations say that they will add security ‘later’ after implementation so they can meet their target dates, and then later never comes” [7].

2.3 Firewall

Figuratively speaking, a firewall is like a high fence guarding your house. Firewalls are simply components that allow the system administrator to restrict access to other components on a network [16]. A firewall is the first line of defense on the network. Its basic purpose is to block unwanted traffic from an external network (usually the Internet) from accessing a protected network, but it can also be used to separate two internal networks from each other. There are both hardware firewalls and software firewalls, but in both cases there are at least two network interfaces: one for the network the firewall is protecting, and another for the network it is protecting against. A firewall cannot protect a network from attacks originating inside the network.

A firewall has four main functions [6]:

• Service control: Types of services that can be accessed.


• Direction control: Determines the direction in which particular service
requests may be initiated and allowed through the firewall.
• User control: Controls access to a service according to which user is
attempting to access it.
• Behaviour control: Controls how different services are used.
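
The first two of these functions, service and direction control, can be illustrated with a toy rule list. The rule format, field names and port numbers below are hypothetical; a real firewall matches on raw packet headers in the kernel or network device:

```python
# Toy packet-filter rules: (direction, port, action). Hypothetical format.
RULES = [
    ("inbound", 80, "allow"),    # service control: web traffic allowed in
    ("inbound", 23, "deny"),     # telnet blocked from the outside
    ("outbound", 25, "allow"),   # direction control: mail may be initiated
]

def decide(direction, port, default="deny"):
    # First matching rule wins; anything unmatched falls to the default.
    for rule_dir, rule_port, action in RULES:
        if rule_dir == direction and rule_port == port:
            return action
    return default

print(decide("inbound", 80))    # allow
print(decide("inbound", 23))    # deny
print(decide("inbound", 6667))  # deny (default policy)
```

The default-deny fall-through mirrors common firewall practice: anything not explicitly permitted is blocked.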

The firewall is usually placed on the perimeter of the network, but it can also
protect “a corner” of the internal network.

Figure 2-2 Firewall protecting a LAN

All the traffic between the Internet and the local network goes through the
firewall. This gives the system administrator the opportunity to deny specified
services access to certain areas, or give specified services access to certain
areas.

There are three different types of firewall technologies:

• Packet filters: Filter traffic based on the content of packets sent to and from the protected network, for example protocols or IP addresses.
• Application layer filtering: Typically a proxy server. Works by breaking up the connection between the client and the server. The packets are examined and then passed on or rejected; packets that, for example, contain EXE files can be rejected.
• Stateful inspection: Looks at all communication layers, extracts the relevant data, and builds connection tables to allow higher performance. For every request allowed by the policy, a stateful inspection firewall opens up a limited time window to allow response packets, but only from the same host. By maintaining information about previous packets, stateful inspection firewalls can quickly verify that packets meet the criteria for authorized traffic.
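
The connection-table idea behind stateful inspection can be sketched in a few lines. The class and method names are invented for illustration; a production firewall tracks full TCP state, not just host pairs:

```python
import time

class StatefulFirewall:
    """Toy stateful-inspection filter: an outbound request opens a
    short-lived window that admits replies from the same host only."""

    def __init__(self, window_seconds=30):
        self.window = window_seconds
        self.table = {}  # (local_host, remote_host) -> expiry time

    def outbound(self, local_host, remote_host):
        # Record the connection so matching replies will be allowed.
        self.table[(local_host, remote_host)] = time.time() + self.window

    def allow_inbound(self, local_host, remote_host):
        # Admit a packet only if it answers a recorded request and
        # the time window has not yet expired.
        expiry = self.table.get((local_host, remote_host))
        return expiry is not None and time.time() < expiry

fw = StatefulFirewall()
fw.outbound("10.0.0.5", "203.0.113.9")
print(fw.allow_inbound("10.0.0.5", "203.0.113.9"))   # reply from same host: True
print(fw.allow_inbound("10.0.0.5", "198.51.100.1"))  # unsolicited host: False
```

The limited time window is what distinguishes this from a plain packet filter: unsolicited inbound packets are rejected even on ports that legitimate responses may use.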

2.4 Intrusion Detection System

The goal of intrusion detection is seemingly simple: to detect intrusions. An Intrusion Detection System is a program that can detect an attack or misuse and inform the network administrator. The use of Intrusion Detection Systems is becoming more and more common nowadays. It is important to know that an Intrusion Detection System alone is not the silver bullet in network security; it is rather an addition to other security components, such as firewalls, that makes the protected system more secure.

Intrusion detection is the process of monitoring computer networks and systems for violations of security policy. The underlying assumption of Intrusion Detection Systems is that an intruder behaves differently from the normal users.
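
This assumption, that intrusive behaviour deviates measurably from a learned profile of normal behaviour, can be sketched as a simple distance-threshold check. The feature vectors, threshold and helper names below are invented for illustration; this stands in for, but is much simpler than, the neural network approach used later in this thesis:

```python
# Minimal anomaly check: flag a session whose feature vector lies far
# from the mean of previously observed normal sessions.
def mean_vector(sessions):
    n = len(sessions)
    return [sum(s[i] for s in sessions) / n for i in range(len(sessions[0]))]

def distance(a, b):
    # Euclidean distance between two feature vectors.
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

# Hypothetical per-session features: (duration, bytes, failed logins).
normal = [(2.0, 300.0, 0.0), (3.0, 280.0, 0.0), (2.5, 320.0, 0.0)]
profile = mean_vector(normal)
threshold = 50.0  # chosen by hand for this toy data

session = (2.2, 310.0, 0.0)    # resembles normal use
attack = (40.0, 9000.0, 6.0)   # far from the learned profile

print(distance(session, profile) > threshold)  # False: accepted as normal
print(distance(attack, profile) > threshold)   # True: flagged as anomalous
```

The threshold controls the trade-off described later in this section: lowering it catches more attacks but raises the false-alarm rate.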

The components of an Intrusion Detection System are [17]:

• Information Source: data utilized by the Intrusion Detection System


• Analysis engine: process by which the intrusion detection is made
• Response: action taken when an intrusion is detected
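
These three components can be expressed as a minimal pipeline. All names and the detection rule are hypothetical; real systems run the components as independent, continuously operating processes:

```python
def information_source():
    # Data utilized by the IDS: here, a fixed list of audit records.
    return [
        {"user": "alice", "failed_logins": 0},
        {"user": "mallory", "failed_logins": 12},
    ]

def analysis_engine(record):
    # Process by which the detection decision is made: a trivial rule.
    return record["failed_logins"] > 5

def response(record):
    # Action taken when an intrusion is detected.
    return f"ALERT: suspicious activity by {record['user']}"

alerts = [response(r) for r in information_source() if analysis_engine(r)]
print(alerts)  # ['ALERT: suspicious activity by mallory']
```

In this thesis the analysis engine is the interesting component: the hard-coded rule above is replaced by a trained neural network.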

Intrusion Detection Systems work by gathering information from the protected system and network and searching for information or patterns that may indicate an attack or misuse. They can detect intruders by examining parameters such as network traffic, CPU and I/O utilization, user location and file activity for signs of an attack [18]. An Intrusion Detection System can be used to detect misuse from within the organization as well as attacks from the outside world. The major functions of an Intrusion Detection System are [19]:

• Monitoring and analyzing user and system activity.
• Assessing the integrity of critical system and data files.
• Recognizing activity patterns reflecting known attacks.
• Responding automatically to detected activity.
• Reporting the outcome of the detection process.

The main goal of an effective Intrusion Detection System is to provide high
rates of attack detection with very low rates of false alarms [20]. The
Intrusion Detection Systems used today are a long way from achieving this
goal. Two types of errors are important to know in intrusion detection [19]:

• False positives: Also known as false alarms. These errors occur
because the Intrusion Detection System misinterprets normal traffic or
activities as an attack.
• False negatives: These errors occur because an attacker is
misclassified as a normal user by the Intrusion Detection System.

False positives are the errors that consume most of the system
administrator’s time. A high rate of these errors degrades the productivity
of the system by invoking unnecessary countermeasures. False negatives are
hard to detect because the system sees the attacker as an ordinary user.
These errors are also the most dangerous, and they can cause large losses
for a company.
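The two error rates can be computed from simple counts of classified events. As a minimal illustration (the function name and all counts below are invented, not from a real evaluation):

```python
# Illustrative only: false positive and false negative rates from
# hypothetical detection counts (all names and numbers are invented).

def error_rates(false_pos, true_neg, false_neg, true_pos):
    """Return (false positive rate, false negative rate)."""
    fpr = false_pos / (false_pos + true_neg)  # normal events flagged as attacks
    fnr = false_neg / (false_neg + true_pos)  # attacks classified as normal
    return fpr, fnr

# Example: 50 false alarms out of 10,000 normal events,
# 3 missed attacks out of 40 real attacks.
fpr, fnr = error_rates(false_pos=50, true_neg=9950, false_neg=3, true_pos=37)
print(f"false positive rate: {fpr:.4f}")  # 0.0050
print(f"false negative rate: {fnr:.4f}")  # 0.0750
```

Even the small false positive rate in this invented example would mean 50 alarms for the administrator to check, which illustrates why false alarm rates matter so much in practice.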

Intrusion Detection Systems can be divided into on-line and off-line
systems [21]. Off-line systems are run periodically and detect intrusions
after the fact based on system logs. On-line systems are designed to detect
intrusions while they are happening, thereby allowing for quicker
intervention. Intrusion Detection Systems can also be classified according
to the kind of audit source location they analyze [19]:

• Network-based detection: The Intrusion Detection System analyzes
network packets captured on the network.
• Host-based detection: The Intrusion Detection System analyzes
different logs for traces of an attack.

Figure 2-3 Host and Network based Intrusion Detection System

A host based Intrusion Detection System looks at communication in and
out of the computer, checks the integrity of system files, and watches for
suspicious processes. A network based Intrusion Detection System looks at
packets on the network as they pass the intrusion detection sensor. The best
solution is a system that combines the two approaches.

Many different vendors make Intrusion Detection Systems for the much-
needed network security market. Most of them are commercial vendors, but
there are also some popular open source systems such as Snort [22].

2.4.1 What is an intrusion?

An intrusion is any set of actions that attempt to compromise a resource’s
integrity, confidentiality, or availability [23]. Barruffi, Milano and Montanari
[24] classify intrusions into the following categories:

• Attempted break-ins: attempts to gain access privileges by exploiting
system vulnerabilities.
• Penetration of the security system: attacks that obtain unauthorized
access to files, programs, or computer system control.
• Leakage: information acquisition by unauthorized recipients.
• Malicious use: resource loss or manipulation.
• Denial of service: attacks aimed at rendering a service unavailable.

System administrators normally use auditing to determine whether and how
an intrusion has occurred. Intrusion Detection Systems provide automatic
auditing analysis. In order to detect intrusions, some source of information in
which the intrusion is manifested must be observed and some analysis that
can reveal the intrusion must be performed [25].

2.4.2 History

At the heart of intrusion detection lies the ability to distinguish acceptable,
normal behaviour from behaviour that is abnormal. The first type of intrusion
detection was simply system administrators sitting in front of a computer and
monitoring the system. If they saw something suspicious, they could
terminate that process. This type of intrusion detection is of course not real
time and not useful for a large network. An intruder may do significant
damage before the system administrator sees the actual intrusion.

In the late 1970s and early 1980s, system administrators started to use logs
in their intrusion detection [26]. They still could not do any intrusion
detection in real time, so they read the logs to check for traces and evidence
of any type of intrusion. They had to be lucky to catch an attack in progress.

Some of the earliest work in intrusion detection was performed in the late
1970s by James P. Anderson [27]. Anderson defined an intrusion as any
unauthorized attempt to access, manipulate, modify, or destroy information,
or to render a system unreliable or unusable.

After a while, all logs were stored online and programs were developed to
do the analysis. But these programs consumed many of the computer’s
resources and were slow, so they had to be run at night. The logs were still
only used to check for intrusions and to gather evidence if there had been an
attack, but the administrator no longer had to check all the logs manually.

In the early 1990s, real-time Intrusion Detection Systems were
developed [26]. These systems had the capability to check data as it arrived
and even detect attackers at the front door. This gave administrators the
opportunity to take countermeasures against the attackers.

D. Denning describes in her report “An Intrusion-Detection Model” [28] four
factors motivating the development of real-time Intrusion Detection Systems:

• Most existing systems have security flaws that render them
susceptible to intrusions, penetrations, and other forms of abuse;
finding and fixing all these deficiencies is not feasible for technical and
economic reasons.
• Existing systems with known flaws are not easily replaced by systems
that are more secure – mainly because the systems have attractive
features that are missing in the more secure systems, or else they
cannot be replaced for economic reasons.
• Developing systems that are absolutely secure is extremely difficult, if
not generally impossible.
• Even the most secure systems are vulnerable to abuses by insiders
who misuse their privileges.

Denning’s report was published in early 1987, but the factors listed above
are still highly relevant to the development of security components today.

2.4.3 Today’s system

Intrusion Detection Systems have been a standard approach to network
security in recent years. Because of the high rate of false alarms, known as
false positives, that anomaly Intrusion Detection Systems give, most of
today’s Intrusion Detection Systems are based on signatures of known
attacks. However, the potential of anomaly Intrusion Detection Systems is
much higher, and it is on this type of intrusion detection that most research
is done today.

Today’s Intrusion Detection Systems have many shortcomings [17], such as:

• An inability to analyse large amounts of data
• The propensity to generate many false alarms
• The inability to identify new or evolving adversarial behaviours

Many companies now run networks of up to gigabit speeds, and the amount
of data that must be checked is huge. The high rate of false alarms also
reduces the efficiency of Intrusion Detection Systems. The inability to
detect new attacks is perhaps the biggest shortcoming of today’s Intrusion
Detection Systems.

Much of the current effort seems to be aimed at detecting attacks made by
relatively unskilled and unfocused attackers using tools that are freely
available on the Internet. But the greatest threat lies in narrowly focused
attacks launched by enemies who make serious attempts to avoid detection.
Such attacks will most likely not be detected by misuse Intrusion Detection
Systems.

Current Intrusion Detection Systems have limited response mechanisms that
are inadequate given the current threat [35]. Quick response to an attack is a
crucial factor in whether or not the attack is successful. While Intrusion
Detection System research has focused on better techniques for intrusion
detection, intrusion response remains principally a manual process.

D. Denning noted in her 1987 report [28] that a person could escape
detection through gradual modifications of behaviour. This is still possible
today, and it is one of the biggest, if not the biggest, problems in anomaly
based intrusion detection. She also left several other questions open, and
most of them are still not completely answered today:

• Soundness of approach: Does the approach actually detect
intrusions? Is it possible to distinguish anomalies related to intrusions
from those related to other factors?

• Completeness of approach: Does the approach detect most, if not all,
intrusions, or is a significant proportion of intrusions undetectable by
this method?
• Timeliness of approach: Can we detect most intrusions before
significant damage is done?
• Choice of metrics, statistical models and profiles: Which metrics,
models, and profiles provide the best discriminating power? Which are
most cost-effective? What are the relationships between certain types
of anomalies and different methods of intrusion?
• System design: How should a system based on the model be
designed and implemented?
• Feedback: What effect should detection of an intrusion have on the
target system? Should the Intrusion Detection Expert System
automatically direct the system to take certain actions?
• Social implications: How will an Intrusion Detection System affect the
user community it monitors? Will it deter intrusions? Will the users feel
their data is better protected? Will it be regarded as a step towards
“big brother”? Will its capabilities be misused to that end?

A high rate of false positives (false alarms) characterizes most Intrusion
Detection Systems today. These false alarms can degrade the productivity of
the system by invoking unnecessary countermeasures [19], and they also
take much of the system administrator’s time to check.

2.4.4 Anomaly Intrusion Detection Systems

Anomaly detection uses models of the intended behaviour of users and
applications, interpreting deviations from the “normal” behaviour as a
problem [26]. Maxion and Tan [29] have expanded this definition: “An
anomaly is an event (or object) that differs from some standard or reference
event, in excess of some threshold, in accordance with some similarity or
distance metric on the event”.

The task of anomaly intrusion detection is to determine if an activity is
unusual enough to suspect an intrusion. A basic assumption of anomaly
detection is that attacks differ from normal behaviour [23]. If an organization
implements an anomaly based Intrusion Detection System, they must first
build profiles of normal user and system behaviour to serve as the statistical
base for intrusion detection, and then use deviations from this baseline to
detect possible intrusions [18]. Any activity sufficiently deviant from the
baseline will be reported as anomalous and considered as a possible attack.

Anomaly intrusion detection was the original type of Intrusion Detection
System. It was an anomaly Intrusion Detection System that Denning proposed
in her 1987 report [28]. Her Intrusion Detection Expert System model is
based on the assumption that it is possible to establish profiles to
characterize the normal interactions of subjects (typically users) with objects
(typically files or programs).

This type of intrusion detection can detect a variety of abnormal patterns of
system usage. Here are some examples from Denning’s report [28]:

• Attempted break-in: Someone attempting to break into a system might
generate an abnormally high rate of password failures with respect to
a single account or the system as a whole.
• Masquerading or successful break-in: Someone logging into a system
through an unauthorized account and password might have a different
login time, location, or connection type from that of the account’s
legitimate user. In addition, the penetrator’s behaviour may differ
considerably from that of the legitimate user. In particular, he might
spend most of his time browsing through directories and executing
system status commands, whereas the legitimate user might
concentrate on editing, or compiling and linking, programs. Many break-
ins have been discovered by security officers or other users on the
system who have noticed the alleged user behaving strangely.
• Misuse from legitimate users:

1. A user attempting to penetrate the security mechanisms in the
operating system might execute different programs or trigger
more protection violations from attempts to access
unauthorized files or programs. If his attempt succeeds, he will
have access to commands and files not normally permitted to
him.
2. A user trying to leak sensitive documents might log into the
system at unusual times or route data to remote printers not
normally used. A user attempting to obtain unauthorized data
from a database through aggregation and inference might
retrieve more records than usual.
• Denial-of-Service attacks: An intruder able to monopolize a resource
might have abnormally high activity with respect to the resource, while
activity for all other users is abnormally low.

The main advantage of anomaly Intrusion Detection Systems is that they can
detect previously unknown attacks. By defining what is normal, they can
identify any violation, whether it is part of the threat model or not. In today’s
systems, the advantage of detecting previously unknown attacks is paid for
with high false-positive rates [26, 18]. Disgruntled employees, bribery and
coercion make networks vulnerable to attacks from the inside [13]. Anomaly
intrusion detection can detect when an employee deviates from normal
routine in an attempt at an attack.

A disadvantage of anomaly Intrusion Detection Systems is that they are
less effective in dynamic environments, where employees have erratic hours
or switch project resources frequently. Inaccurate or incomplete user and
system profiling can also lead to false positives [18]. This type of intrusion
detection also has difficulty classifying or naming attacks, since it depends
only on deviations from normal behaviour [30]. When new users are
introduced into the target system, two potential problems occur [28]:

• Lack of profile information about the user’s behaviour.
• The user is inexperienced with the system.

Both problems give the system a high rate of false positives, and it is hard to
know how to deal with them. One way to “solve” them is to ignore anomalies
for a short period, or to raise the deviation threshold. Both of these solutions
create even more dangerous problems: what if the new users commit an
intrusion, and what happens if the system is attacked during this period?

2.4.5 Misuse Intrusion Detection Systems

Misuse detection contains attack descriptions (or “signatures”) and matches
them against the audit data stream, looking for evidence of known attacks
[26]. These signatures are detailed descriptions of the sequence of actions
performed by a hacker. This is a good method for stopping known attacks,
because known attacks can be characterized by a sequence of events.

Anomaly Intrusion Detection Systems have, from the beginning, had
limitations because of the problems with dynamic environments and high
rates of false positives. Because of this, misuse Intrusion Detection Systems
were introduced [31]. A misuse Intrusion Detection System typically monitors
parameters such as network traffic, CPU and I/O use, and file activity for
activities that match known patterns or attack profiles [14].

The main advantage of misuse Intrusion Detection Systems is that they focus
analysis on the audit data and typically produce few false positives [18].
Since they rely on signatures, the system knows what kind of attack is
occurring, can easily assign a name to it, and the system administrator can
see what kind of attack the system is under. The problem with these systems
is that they are script based and only recognize known scripts (“signatures”);
they are unable to detect truly novel attacks [10, 30]. Since misuse Intrusion
Detection Systems have no capability for autonomous learning, they require
frequent updates: as new attacks are discovered, developers must model
them and add them to the signature database.
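The matching step described above can be sketched in a few lines. The signature names, patterns and audit events below are invented for illustration, not taken from any real signature database:

```python
# A minimal sketch of misuse (signature-based) detection: each signature is a
# pattern searched for in the audit event stream. All signatures and events
# here are invented examples.
import re

SIGNATURES = {
    "phf-cgi-probe": re.compile(r"GET /cgi-bin/phf"),
    "ftp-site-exec": re.compile(r"SITE EXEC", re.IGNORECASE),
}

def match_signatures(event: str):
    """Return the names of all signatures that match one audit event."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(event)]

audit_stream = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/phf?Qalias=x HTTP/1.0",
    "ftp: site exec /bin/sh",
]
for event in audit_stream:
    hits = match_signatures(event)
    if hits:
        print("ALERT:", hits, "in", event)
```

The sketch also makes the limitation concrete: any attack variation whose pattern is not in the signature dictionary passes through silently.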

A report from 1999 [13] showed that misuse Intrusion Detection Systems can
be very effective in reducing false alarms if they are implemented properly.
The problem is that even small changes in attack methods require new
signatures to be written. Many variations of a single signature are often
written, and over time this slows down the system because the signature
database grows so big.

Today, nearly all Intrusion Detection Systems are signature based. The
performance of these systems is limited by the signature database they work
from. Many known attacks can be easily modified to present many different
signatures. If the database does not contain all the different variations, even
known attacks may be missed [31]. Attackers can also bypass the signatures
by encrypting the code so that the packets do not match any known attack
signatures [13].

2.4.6 Hybrid of misuse and anomaly Intrusion Detection System

There are now systems that combine the two types of Intrusion Detection
Systems. Hybrid systems can use a rule base to check for known attacks
against a system, and an anomaly algorithm to protect against new types of
attacks [18]. This type of Intrusion Detection System takes the advantages
from both systems, but unfortunately it also inherits some of the
disadvantages. Misuse detection can be used in combination with anomaly
detection to name the attacks. This shortens the response time the system
administrator needs, as he can see what type of attack the system is under.

2.4.7 Common Intrusion Detection Framework

The Common Intrusion Detection Framework is a general architecture for
Intrusion Detection Systems. This framework, which can be seen in Figure
2-4, is designed to ease the sharing of information between different
Intrusion Detection Systems [24].

Figure 2-4 The Common Intrusion Detection Framework

This architecture consists of an event generator, data storage, an analysis
engine and a response module. The event generator performs sensing
actions to provide information on the system state. The analysis engine
analyzes and correlates the monitored events and audit trails to detect
suspicious or malicious activity; it can use both misuse and anomaly
detection techniques. The data storage stores security information to make it
available later to the system administrator. The response module reacts to
detected intrusions with countermeasures that block the current violation as
soon as possible.
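The four components could be wired together roughly as follows. This is only an illustrative sketch: the framework defines the roles, not a concrete API, so every class name, method name and the trivial "suspicious keyword" check below are invented:

```python
# Illustrative sketch of the four Common Intrusion Detection Framework roles
# wired into a pipeline. All names and the toy analysis rule are invented.

class EventGenerator:
    """Senses the system state and emits events."""
    def events(self, raw_source):
        for record in raw_source:
            yield record

class AnalysisEngine:
    """Correlates events; could use misuse and/or anomaly techniques."""
    def analyze(self, event):
        return "fail" in event  # toy rule: flag events containing "fail"

class DataStorage:
    """Keeps security information for later administrator review."""
    def __init__(self):
        self.log = []
    def store(self, event, suspicious):
        self.log.append((event, suspicious))

class ResponseModule:
    """Reacts to detected intrusions with a countermeasure."""
    def respond(self, event):
        print("countermeasure: blocking source of", event)

def run_ids(raw_source):
    gen, engine, store, resp = (EventGenerator(), AnalysisEngine(),
                                DataStorage(), ResponseModule())
    for event in gen.events(raw_source):
        suspicious = engine.analyze(event)
        store.store(event, suspicious)
        if suspicious:
            resp.respond(event)
    return store.log

run_ids(["login ok user alice", "login fail user root"])
```

The point of the separation is that each role can be replaced independently, for example swapping the toy analysis rule for a misuse or anomaly engine without touching storage or response.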

2.4.8 Misuse versus Anomaly Detection

Despite the large amount of research that has been done on intrusion
detection, it is clear that anomaly intrusion detection has more potential
because of its ability to catch novel attacks. Here are the advantages and
disadvantages of misuse and anomaly intrusion detection as they are today:

Misuse IDS

Advantages:
- Can name attacks
- System administrators can write their own signatures
- Easy to implement
- Properly implemented, it does not give many false alarms

Disadvantages:
- The signature database tends to get big and cluttered after a while,
which can slow down the system
- Cannot completely detect novel attacks
- Needs to be updated with new signatures to catch newly discovered
attacks
- Unprotected against new attacks during the time it takes to write new
signatures

Anomaly IDS

Advantages:
- Can easily detect attacks from the inside
- Hard for an intruder to know how to behave without raising an alarm,
since profiles can be kept on individual users
- Can detect previously unknown attacks
- Can use more sophisticated rules

Disadvantages:
- Complex to implement
- High rate of false alarms
- Still not satisfactory in a dynamic environment
- Cannot name attacks

Table 2-2 Misuse vs. Anomaly intrusion detection

If, for example, there is an anonymous FTP connection attempt from an
outside IP address, this may not make the system suspicious at all. But if the
FTP connection attempt comes within a set period of time after a scan from
the same IP, the system should become more suspicious. This can be done
with anomaly systems. An anomaly intrusion detection system will not grow
“big and slow” over time, because it learns the users’ patterns over time.

2.4.9 Earlier research on Intrusion Detection

Over the last 20 years, much research has been conducted on intrusion
detection, starting with James P. Anderson’s whitepaper “Computer Security
Threat Monitoring and Surveillance” in 1980 [27]. Anderson introduced the
concept of computer threats and detection of misuse. This is the same
concept that is applied in host based Intrusion Detection Systems. Dorothy
Denning’s 1987 report [28] has become a cornerstone and has inspired many
researchers in the intrusion detection field; almost every research paper on
intrusion detection uses it as a reference. Denning introduced the first model
for intrusion detection, and most of her work is still of current interest today.

Most of the newer research on intrusion detection focuses on anomaly
detection [32]. This is because the strength of intrusion detection lies in
anomaly detection, where the system does not need to depend on a
signature before it can detect an attack. Neural networks have been applied
to intrusion detection several times by researchers over the last decade; this
will be explained further later in the thesis. There has also been research on
using other soft computing techniques in intrusion detection. In 2002, S. B.
Cho showed in his report [33] that hidden Markov models, detecting
intrusions by noting significant deviations from the model, can be used with
success in anomaly Intrusion Detection Systems. In that experiment he used
system calls, processes and file access as parameters for the intrusion
detection. Experiments with the use of Self-Organizing Maps in intrusion
detection have also been done [34]. The

parameters that were used in this experiment were username, host, type of
connection and time session started.

A report from late 2000 [30] concluded that all evaluations performed to
that date indicated that Intrusion Detection Systems were only moderately
successful at identifying known intrusions, and considerably worse at
identifying those that had not been seen before.

2.4.10 What can be improved in today’s systems?

There is still much that needs to be done before Intrusion Detection
Systems work satisfactorily. The biggest issues are:

• The biggest problem with Intrusion Detection Systems is that they are
reactive, not proactive.
• In anomaly detection there is a problem with small changes in a
user’s behaviour. This happens from time to time; will the Intrusion
Detection System then flag it as an attack or misuse?
• Anomaly intrusion detection systems still do not work satisfactorily
in a dynamic environment where there are big changes in user
behaviour.
• We need effective systems that can detect close to 100% of attack
methods without the high rate of false positives we have today.
• We need security components that are resilient, and that can respond
intelligently to attacks with countermeasures.
• Current intrusion detection systems have limited response
mechanisms that are inadequate given the current threat. While
intrusion detection research has focused on better detection
techniques, intrusion response remains principally a manual
process.
• A major weakness in today’s Intrusion Detection Systems is that they
rely on known attack methods to identify attacks. They lose
effectiveness from the time a new attack is discovered until a
signature for that attack is made.

2.5 Why use several security components?

The use of several security components can make a network more secure,
because misconfigurations or weaknesses in one component can be
compensated for by another component. Both firewalls and Intrusion
Detection Systems deliver functionality that the other component cannot. An
Intrusion Detection System complements a firewall by detecting what is going
on in the network. A firewall is only a kind of fence, so it will not detect what
is happening on the inside. The Intrusion Detection System can also catch
failed attempts against the network; this is important because it shows how
big the threats from the outside are. Even more important, an Intrusion
Detection System can catch attacks that pass the firewall, such as Denial of
Service attacks.

Figure 2-5 Firewall, IDS and Honeynet protecting a LAN

The idea behind using several security components is to establish a network
perimeter and to identify all possible points of entry to the network. It is also
recommended to protect sensitive servers with an intrusion detection sensor
on each server. The square boxes with magnifying glasses in them illustrate
intrusion detection sensors. The Intrusion Detection System’s sensors should
be both host based and network based. Host based sensors are more useful
for protecting critical servers, and network sensors are more useful for
detecting abnormal traffic on the local network. The Central Manager
receives reports from both the host based and network based sensors, and
processes and correlates these reports to detect intrusions.

The firewall protects the internal network from unwanted and unauthorized
traffic from the outside. Sensors for the Intrusion Detection System should be
placed at strategic places around the network. The first sensor is there to
identify attacks on servers in the demilitarized zone and attacks directed at
the company’s network. The second sensor is placed right after the firewall;
it serves to confirm secure configuration and operation of the firewall, and it
can also identify attacks that pass the firewall. The third sensor identifies any
attacks from the inside against the local servers. The fourth and fifth sensors
protect single servers, both against attacks from the outside that have
passed the firewall and the other sensors, and against attacks from the
inside. All the sensors should be configured to report to one central Intrusion
Detection System console.

In addition to these security components, Honeynets can also be very
useful for a larger system. The system administrator can analyze the
Honeynet and adjust the security components according to how attackers
behave during an intrusion. The use of Honeynets is explained further in
section 2.11.

2.6 Intrusion Prevention System

While Intrusion Detection Systems automatically handle intrusion detection,
the system administrator usually manages intrusion recovery. Intrusion
Prevention Systems were introduced because the passive monitoring that
today’s Intrusion Detection Systems perform does not accomplish enough.
Intrusion Prevention Systems work by offering active threat handling
capabilities that stop intruders and attackers before they can enter a
computer system. The difference between the two is that where an Intrusion
Detection System detects a problem, an Intrusion Prevention System blocks
it. Just like Intrusion Detection Systems, some Intrusion Prevention Systems
are host based, and some are network based.

Opinions are divided on whether the Intrusion Prevention System is a new
technology, or just a “new way of thinking” in which several security
components are combined to collaborate with each other [14].

Newer Intrusion Prevention Systems are beginning to rely on software based
heuristic approaches. But here, as in anomaly Intrusion Detection Systems,
there are problems with dynamic environments and with defining accurate
user profiles.

2.7 Characterizing normal behaviour

Before implementing an anomaly based Intrusion Detection System, you
have to be able to characterize the normal behaviour of the users of the
system. There are several challenges in classifying user behaviour. One
problem is that only a small fraction of the behaviour is misuse; another is
that misuse often looks like normal use, so it can be difficult to distinguish
between intruders and normal users [36]. One of the largest challenges for
today’s intrusion detection tools is being able to generalize from previously
observed behaviour (normal or malicious) in order to recognize similar future
behaviour [37]. The general assumption is that the normal behaviour of a
system can often be characterized by a series of observations over time. A
simple approach is to define a threshold for each monitored parameter of the
system; if a parameter exceeds its threshold, it is considered an
abnormality [38].
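The simple threshold approach can be sketched in a few lines. The parameter names and limits below are invented examples, not taken from any real system:

```python
# A minimal sketch of per-parameter threshold checking: each monitored
# parameter has a fixed limit, and exceeding it counts as an abnormality.
# Parameter names and limits are invented examples.

THRESHOLDS = {
    "failed_logins_per_hour": 5,
    "cpu_utilization_pct": 95,
    "bytes_out_per_min": 10_000_000,
}

def abnormalities(observation: dict) -> list:
    """Return the parameters whose observed value exceeds its threshold."""
    return [param for param, limit in THRESHOLDS.items()
            if observation.get(param, 0) > limit]

obs = {"failed_logins_per_hour": 12, "cpu_utilization_pct": 40}
print(abnormalities(obs))  # ['failed_logins_per_hour']
```

The weakness of this scheme is exactly what the following discussion points out: a single fixed limit per parameter ignores both time of day and correlations between parameters.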

There has been research on several characterization approaches. Denning
explained the use of a statistical model of the system [28] where it is
assumed that we know everything about the system. Artificial Intelligence
techniques [31, 33, 39] have also been experimented with, and an approach
inspired by the human immune system [38] has been tried. There has also
been research on using a genetic algorithm, the Genetic algorithm Based
Intrusion Detector [40].

D. Denning uses a statistical model [28] to calculate the probability of
occurrence of a given value. The lower the probability, the higher the
possibility of an anomaly. Two important facts are not covered by this
approach [38]:
• Normalcy depends on time: A value that might be considered normal
at a given time might be abnormal at a different time.
• The notion of normalcy depends on correlations among different
parameters: The independent values of two different parameters might
be considered normal, but their combination might show abnormality.
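The first caveat, time-dependent normalcy, can be addressed by keeping a separate statistical profile per time period. A minimal sketch, keyed by hour of day and using invented data (the profile format and three-sigma rule are illustrative choices, not Denning's actual model):

```python
# A sketch of time-dependent normalcy: a separate mean/standard-deviation
# profile per hour of day, so a value that is normal at 14:00 can be flagged
# at 03:00. All data here is invented.
import statistics

def build_profile(samples):
    """samples: list of (hour, value). Returns {hour: (mean, stdev)}."""
    by_hour = {}
    for hour, value in samples:
        by_hour.setdefault(hour, []).append(value)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in by_hour.items()}

def is_anomalous(profile, hour, value, n_sigma=3.0):
    """Flag values more than n_sigma standard deviations from that hour's mean."""
    mean, sd = profile[hour]
    return abs(value - mean) > n_sigma * max(sd, 1e-9)

# e.g. logins per hour: busy in the afternoon, nearly idle at night
history = [(14, 50), (14, 55), (14, 60), (3, 0), (3, 1), (3, 0)]
profile = build_profile(history)
print(is_anomalous(profile, 14, 52))  # False: normal afternoon load
print(is_anomalous(profile, 3, 52))   # True: same load is abnormal at 03:00
```

The second caveat, correlations among parameters, would require joint profiles over parameter combinations rather than one profile per parameter, which this sketch does not attempt.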

It is important that characterizing users’ behaviour is not a “one time
setting”. Users’ behaviour changes over time; new users will arrive, and
some users may leave. This affects the characterization, so it must be
redone either at set intervals or continuously.

2.8 Neural Networks

The work on neural networks was inspired by the human brain. The human
brain consists of neural networks. As a person learns new things, paths
between different parts of the brain are created. If a person does not refresh
his mind from time to time, these paths will eventually vanish.

A neural network is a powerful data modelling tool that is able to capture and
represent complex input/output relationships. It can acquire knowledge by
learning from input data. A neural network is essentially a network of
computational units that jointly implement complex mapping functions [41]. It
consists of a collection of highly interconnected processing elements that
transform a set of inputs into a set of desired outputs. Some of the
characteristics of a neural network are:

• The handling of data is done by many simple connected elements,
called neurons.
• The neurons are interconnected.
• A weight factor is associated with each connection in the network.
This factor weights the signal that is sent from one neuron to another.
• Each neuron has its own task and does some calculations.

The neural network consists of interconnected neurons, and by modifying the connections between these nodes the network is able to adapt to the desired outputs [39]. Each neuron can be regarded as a separate computer running its own program: it computes the weighted sum of the inputs it receives from other neurons and passes its output, a single number, to other neurons that perform the same task. The result of the transformation is determined by the characteristics of the neurons and the weights associated with the interconnections among them.
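This weighted-sum computation can be sketched for a single neuron. The sketch below is a generic sigmoid neuron, not code from this research, and the input and weight values are invented:

```python
import math

def neuron_output(inputs, weights, bias=0.0):
    """One neuron: the weighted sum of its inputs passed through a
    sigmoid activation, giving a single number for the next layer."""
    weighted_sum = sum(w * x for w, x in zip(weights, inputs)) + bias
    return 1.0 / (1.0 + math.exp(-weighted_sum))

# Three inputs from other neurons, one weight per connection.
out = neuron_output([1.0, 0.0, 1.0], [0.5, -0.3, 0.8])
print(round(out, 3))  # 0.786
```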

The neurons in a neural network are organized into layers, as shown in Figure 2-6. The layers are divided into an input layer, one or more hidden layers and an output layer. The inputs to the input layer are set by the environment. This layer plays no significant role in computing the result; it only feeds information into the neural network. The hidden layers have no external connections; they connect only to other layers in the network, and the interaction between the hidden layers continues until some condition is satisfied. The outputs from the output layer are returned to the environment.

Figure 2-6 Neural Network model

Neural networks can be used to teach an anomaly-based Intrusion Detection System normal behaviour. Initially, the neural network is trained with traces of normal system behaviour. Observed event streams are then fed into the network, which analyses the information and provides a probability estimate that the data matches the characteristics it has been trained to recognize.

Traditional neural networks are unable to improve their analysis of new data until they are taken off-line and retrained using representative data that includes the new information. Today, neural networks are widely used in both software and hardware products around the world.

2.8.1 Backpropagation Neural Network

The ability to learn is the fundamental property of neural networks. A neural network learns by making systematic changes to the weights in each neuron. Most neural networks learn by using an algorithm called backpropagation, and the invention of the backpropagation algorithm [42] has played a large part in the resurgence of interest in neural networks.

Backpropagation is a systematic method for training multi-layer neural networks. For each presentation of a training pair, the network's output is compared with the desired output and an error is computed. This error is then fed back through the neural network and used to adjust the weights so that the error decreases with each iteration of the training, and the output gets closer and closer to the desired output. Training a backpropagation neural network requires the following steps:

1. Select the next training pair from the training set, and apply the input vector to the network input.
2. Calculate the output of the network.
3. Calculate the error between the network output and the desired output.
4. Adjust the weights of the network in a way that minimises the error.
5. Repeat steps 1 through 4 for each vector in the training set until the error for the entire set is acceptably low.
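The five steps above can be sketched on a toy problem. The network below is a deliberately tiny 2-4-1 network trained on XOR rather than the 132-input network used in this research, and the learning rate, random seed and iteration count are arbitrary choices for illustration:

```python
import math
import random

random.seed(0)

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

# Toy 2-4-1 network; the training loop follows the four repeated steps.
n_in, n_hid = 2, 4
W1 = [[random.uniform(-1, 1) for _ in range(n_in)] for _ in range(n_hid)]
b1 = [0.0] * n_hid
W2 = [random.uniform(-1, 1) for _ in range(n_hid)]
b2 = 0.0
lr = 0.5

data = [([0, 0], 0), ([0, 1], 1), ([1, 0], 1), ([1, 1], 0)]  # XOR

def forward(x):
    h = [sigmoid(sum(W1[j][i] * x[i] for i in range(n_in)) + b1[j])
         for j in range(n_hid)]
    y = sigmoid(sum(W2[j] * h[j] for j in range(n_hid)) + b2)
    return h, y

def rms():
    return math.sqrt(sum((t - forward(x)[1]) ** 2 for x, t in data) / len(data))

error_before = rms()
for _ in range(5000):
    for x, t in data:                      # step 1: next training pair
        h, y = forward(x)                  # step 2: network output
        delta_out = (t - y) * y * (1 - y)  # step 3: output error term
        for j in range(n_hid):             # step 4: adjust the weights
            delta_hid = delta_out * W2[j] * h[j] * (1 - h[j])
            W2[j] += lr * delta_out * h[j]
            for i in range(n_in):
                W1[j][i] += lr * delta_hid * x[i]
            b1[j] += lr * delta_hid
        b2 += lr * delta_out
error_after = rms()

print(error_before, "->", error_after)  # the error shrinks with training
```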

2.8.2 Why use Neural Networks?

There has already been some successful research on using neural networks to train anomaly-based Intrusion Detection Systems [31, 37], including research done as far back as 1992 [59]. In that early work, Debar, Becker and Siboni used user commands on a SUN3 UNIX machine as input to the neural network. In their paper, Lee and Heinbuch [31] showed that an Intrusion Detection System can be devised that truly responds to anomalies, not to signatures of known attacks; to achieve this, the normal behaviour of the network must be specifiable in advance. Neural networks have also been used to improve misuse intrusion detection [60].

J. Cannady showed in his report [39] that it is possible for a neural network to autonomously learn new attacks rapidly through the use of a modified reinforcement learning method that uses feedback from the protected system. His system demonstrated the ability to learn new attack patterns without the complete retraining required in other, traditional neural network approaches.

After reading about the use of neural networks in intrusion detection, and about their ability to learn, we decided to look further into this area of intrusion detection.

2.9 DARPA Intrusion Detection Evaluation

The Information Systems Technology Group at the Massachusetts Institute of Technology's Lincoln Laboratory, sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory, has collected and evaluated the first standard corpora for the evaluation of computer network Intrusion Detection Systems. This is called the DARPA Intrusion Detection Evaluation [43].

The goal for DARPA is to develop Intrusion Detection Systems, or aggregates of systems, that can detect more than 99% of attacks with a false alarm rate of less than 1% [25].

Over recent years, a large quantity of data has been gathered by Lincoln Laboratory for the purpose of testing and comparing Intrusion Detection Systems. The data sets from the Massachusetts Institute of Technology's Lincoln Laboratory are the best-known and most widely used data sets in Intrusion Detection System research. They include BSM audit files and tcpdump files from a variety of UNIX systems, as well as Microsoft Windows NT audit files [17].

These evaluations measure the probability of detection and the probability of false alarm for each system under test. They contribute significantly to the intrusion detection research field by providing direction for research efforts and an objective calibration of the current technical state of the art, and they are of interest to all researchers working on the general problem of workstation and network intrusion detection. The evaluation is designed to be simple, to focus on core technology issues, and to encourage the widest possible participation by eliminating security and privacy concerns and by providing data types that are commonly used by the majority of intrusion detection systems.

The data sets used in this research are those from the 1998 DARPA Intrusion Detection Evaluation Program. In the data sets for the UNIX operating system, the attacks were categorized into four categories [44]:

• DoS - Denial of Service: attacks used were Apache2, Back, Mail bomb, Neptune, Ping of death, Process table, Smurf, Syslogd and UDP storm.
• R2L - unauthorized access from a remote machine to a local machine: attacks used were Dictionary, FTP-write, Guest, Imap, Named, Phf, Sendmail, Xlock and Xnsnoop.
• U2R - unauthorized access to local super user (root) privileges: attacks used were Perl and Xterm.
• Probing - surveillance and scans of networks to find vulnerabilities: attacks used were IP sweep, Mscan, Nmap, Saint and Satan.

The DARPA Intrusion Detection Evaluation is designed to find the strengths and weaknesses of existing approaches and to lead to large performance improvements and valid assessments of Intrusion Detection Systems. The concept was to generate a set of realistic attacks, embed them in normal data, evaluate the false alarm and detection rates of systems with these data, and then improve the systems to correct the weaknesses found. The DARPA data sets are used by many researchers around the world to test new Intrusion Detection Systems, whether they are anomaly-based or misuse-based.

2.10 Attack methods

There are numerous attack methods that can be used against a computer system, and several variants of each method. A good security administrator should keep up to date by visiting security websites where new attack methods are published.

There are several different attack types, and these will be explained further in
this chapter. The attacks can mainly be sorted into three categories [45]:

• Attacks that deny someone else access to some services or resources a system provides.
• Attacks that allow an intruder to operate on a system with unauthorized privileges.
• Attempts to probe a system to find potential weaknesses.

All of these attacks, and others, have been increasing in sophistication and destructive power. Attack tool developers are using more advanced techniques, which makes it more difficult to write signatures for signature-based systems such as anti-virus software and misuse-based Intrusion Detection Systems. We have seen tools like Code Red and Nimda propagate themselves to the point of global saturation in less than 18 hours [46].

As Figure 2-7 [25] shows, attacks and attack tools have grown greatly in sophistication and complexity. These tools have also been automated, so the skill needed to use them and to launch attacks has been reduced.

Figure 2-7 The evolution of attack sophistication

As an example of the difficulties posed by sophisticated attack tools, many common tools use protocols like IRC or HTTP to send data or commands from the intruder to compromised hosts [46]. As a result, it has become increasingly difficult to distinguish attack signatures from normal, legitimate network traffic.

The level of sophistication and knowledge required to carry out an attack has been decreasing, because a great deal of attack know-how is available on Web sites all over the world. Hackers constantly invent new attacks and disseminate them over the Internet [45, 13]. Young and inexperienced hackers can use these tools with almost the same power as experienced hackers can. Some of the newer attack methods also use encrypted signals, which keeps them from being recognized by Intrusion Detection Systems that scan for bit strings of known commands. Malicious code writers also work with an open-source model in which they freely share successive code improvements, thereby making their attacks more sophisticated.

2.10.1 Denial of Service (DoS)

Denial of Service attacks are attacks in which the attacker is not interested in any information from the network; he just wants to crash the system so that other users cannot reach it [47]. In general, Denial of Service attacks do little harm besides wasting people's time and bandwidth [48]. The attacker simply wants to deny legitimate users the services provided by the attacked server.

In the first versions of Denial of Service attacks [49], hackers usually tried to block access to a Web site by using a single computer to send millions of phony requests, thereby overloading the site so that it could not respond to legitimate queries, or even causing the host to crash altogether. These attacks were fairly easy to stop: all requests from the attacking computer were simply blocked, and the attack was over.

A newer version of the Denial of Service attack, the Distributed Denial of Service (DDoS) attack, has since evolved. These attacks are carried out using other computers on the Internet, and in most attacks the source address is faked [48]. The owners of the computers used in such an attack normally do not know that they have taken part in one. The development of automation in attack tools enables a single attacker to install their tools on, and control, tens of thousands of compromised systems for use in attacks [46]. Figure 2-8 shows how a Distributed Denial of Service attack is carried out against a single victim.

[Diagram: an attacker/master controls several zombie machines, which together attack a single victim.]
Figure 2-8 Distributed Denial of Service attack

The attacker uses remotely controlled computers to generate more requests than the victim's server can handle. Before the attack is launched, the attacker installs a program on each of the remotely controlled computers, often called zombies. These zombies can be ordinary Internet users with ADSL or broadband connections, but university networks are often used because of their high-speed links.

The first known large-scale Distributed Denial of Service attack was seen in August 1999 [49, 50]. It used 227 hosts to bring down the network of the University of Minnesota in the USA for three days.

In February 2000, some of the major Internet players, such as Yahoo!, Amazon, eBay and other dot-coms, were hit by denial of service attacks that lasted for three days [48, 49, 50]. These attacks slowed the servers down until they were unusable for normal users, and they actually affected the whole Internet. The attacks pumped out so much traffic, and so many people
browsed the Web for information about the incidents, that the entire Internet slowed down. On the last day of the attacks, the Internet's performance was 26.8% worse than the week before [50].

In October 2002, nine of the 13 DNS root servers around the world were hit by a Denial of Service attack, which used commandeered computers to flood the root servers with Internet Control Message Protocol requests [11].

Distributed Denial of Service attacks are seen as one of the biggest threats to businesses on the Internet. “Distributed Denial of Service attacks constitute one of the single greatest threats facing businesses involved in electronic commerce because an attack can completely shut down a Web site”, said Morgan Wright from REACT [50]. Others are even more pessimistic about these attacks. Charles Palmer from IBM [49] had this to say about them: “You're not going to be able to stop denial of service. The best thing you can do is reduce its impact”.

In today's e-commerce environment, users have a low tolerance for web site delay or failure; they will simply click their way to another site if the first is unavailable. One research project has tried to develop a new and efficient technique for the detection and alleviation of Denial of Service attacks [51]. The technique is similar to an Intrusion Detection System, using anomaly-based methods with data mining to detect attacks.

2.10.2 Trojan Horses

A Trojan Horse is a malicious computer program disguised as a legitimate one, or hidden as part of a legitimate program. It can be described as a secret defect (or trap) that is intentionally inserted into legitimate software [52]. A Trojan Horse can be attached to almost any program, from basic system software to user application software. Once installed on the victim's computer, it is often used to [6]:

• Propagate a virus or a worm
• Install a backdoor
• Destroy data

Once installed, the Trojan Horse gives the intruder access to the data stored on the victim's computer. It can also give the attacker access to other computers if the victim's computer is on a local network.

2.10.3 Viruses and worms

Even though a virus is not strictly an attack method, it causes so much damage, expense and lost time that it should be mentioned. Viruses and worms are malicious code written to do damage to the infected system. 85% of the respondents in the FBI/CSI survey [7] reported virus and worm outbreaks. Computer Economics estimated the worldwide impact of Code Red at $2.62 billion and the worldwide impact of Nimda at $635 million in 2002 [7].

Viruses and worms exploit vulnerabilities in the system, and large numbers of systems can be infected within a matter of hours. The Code Red worm infected more than 250,000 systems in just 9 hours on 19 July 2001 [25].

Computer viruses started to spread through floppy disks on Apple computers as early as 1981 [25]. They began to appear in large numbers in 1987, apparently starting in Pakistan, Israel and Germany, and later appearing throughout the world. This caused thousands of computers to become unusable for short periods of time, hundreds of thousands of computers to display spurious messages, tens of thousands of users to experience denial of service, and several international networks to experience denial of service for a short period of time [53].

A decade ago, viruses were relatively easy to find and fix, and they spread slowly, generally by floppy disks or LANs. Now, however, increasingly creative authors are exploiting the Internet, open-source software, peer-to-peer technology, and other developments to write viruses and worms that invade computer systems in new ways, propagate around the world quickly, and wreak havoc on victims [54].

During its lifetime, a virus normally goes through 4 stages [6]. These stages are:

• Dormant phase: The virus is idle, waiting to be activated.
• Propagation phase: The virus replicates itself to programs or disks.
• Triggering phase: The virus is activated to do its tasks by some event, such as a time, a date or a number of replications.
• Execution phase: The function in the virus is performed.

The detection of new viruses has become very difficult. Virus writing has reached a new level at which viruses are polymorphic, use changing encryption and decryption, and can infect both Windows and Linux platforms [55]. They infect machines not only by using their own code, but also by linking to and accessing malicious code from newsgroups and Web sites [53].

New software from different vendors now requires users to define which actions they will and will not allow on a computer or network. Joe Hartman from Trend Micro [53] said: “If a machine suddenly starts to send hundreds of e-mails, the software will know that something is wrong and notify the user or system administrator”.

2.11 Honeynets

A non-profit organization called The Honeynet Project [56] has dedicated itself to finding out more about intruders' behaviour and how they work. It is a security research group dedicated to learning about the tools used for attacks and the motives and tactics behind them, and to sharing the knowledge it gains. The group gathers information by deploying networks, called honeynets, that are designed to be compromised. These are real networks with all the hardware that is needed. A honeynet lures attackers to a system and then analyzes their activities. The intent is for attackers to break into the system and have every action captured and controlled without their knowledge [57]. Each computer in the honeynet is called a honeypot.

Figure 2-9 Honeynet

The concept of honeynets is simple: a network without any activity or production is set up. This means that any interaction with the network is most likely a probe, scan or attack. Inbound connections carry valuable information because they are most likely probes, scans or attacks. Outbound connections are even more important, because they may indicate that the system has been compromised and the attacker is initiating the outgoing traffic.

Honeynets have two critical requirements [57]:

• Data control: To ensure that once an attacker breaks into the honeynet, the compromised system cannot be used to attack or harm other systems.
• Data capture: To ensure that all of the attacker's activities, even if they are obfuscated or encrypted, are detected and captured.

Honeynets are not a security component that will protect a system against an attack, but they can be used alongside other components to learn new attacks and to see where attackers come from. With distributed honeynets, information can be collected on a global scale. This is the real potential of honeynets, because it can be used, for example, to check how fast worms are working their way through the Internet.

A honeynet can be very useful for a medium-sized to large company, which could use it to tune its own systems. By watching what kinds of attacks occur, when they occur and how the attackers work, the company could feed this information into, for example, an Intrusion Detection System. These extra parameters could be considered when, for example, a neural network is used in the Intrusion Detection System. The honeynet can also be used to draw the attacker's attention away from critical systems elsewhere in the local network.

2.12 Visualization of the log files

System administrators have huge amounts of log data to go through if they do it manually, and log file analysis is becoming their greatest time consumer. A large network, such as a university's, can have tens of thousands of connections from thousands of hosts during a week, plus an undeterminable number of unsuccessful connections. Manually perusing the textual log files of such a system is totally inadequate, and a system administrator will rarely spend his time reading log files. To help the system administrator with this, there has been a study [58] on the visualization of network traffic, with a focus on network intrusion data. The study presents a technique based on a glyph metaphor that visually presents the textual log information collected from the system. This is a very useful technique because the system administrator gets to see the log files almost like a movie, with different kinds of arrows pointing at a circle. The type of arrow depends on the kind of connection to the monitored system, unusual or unexpected activity is highlighted in red, and the thickness of the circle represents the load on the system.

Figure 2-10 Visualization of the log files

The system administrator can see all the connections at once, or watch them as a sort of “movie” in which the connections change over a time period. The application also has an interface that looks much like the control panel of a VCR, with which the system administrator can stop, play, play in slow motion, fast forward, rewind or restart the “movie”. The problem with analyzing log files is that analyzing textual information is very time consuming; if the system administrator can view the log files graphically, it saves him a great deal of time. As the saying goes, “one picture says more than a thousand words”, which describes the visualization of log files very well.

This can be used effectively in combination with an Intrusion Detection System. Distinguishing between intrusions and false alarms normally requires manual investigation [30]; in most cases, the analyst has to examine log files for supporting evidence. A tool that visually shows the log files as a “movie” will make this investigation much faster.

Chapter 3: Research Methodology

3.1 Introduction

This chapter presents the research methodology in detail. As described in the Literature Review chapter, the need for better network security tools is great. Response and response time are the critical factors in whether an attack succeeds, and attacks need to be stopped; it is not enough to merely find evidence after the attack. Knowing that someone has broken into your network is far less valuable than preventing the break-in in the first place. The trade-off between the ability to detect new attacks and the ability to generate a low rate of false alarms is the key point in developing an effective Intrusion Detection System [20].

For our work on intrusion detection we have used a backpropagation neural network, trained and tested on the data sets from the 1998 DARPA Intrusion Detection Evaluation [43]. We randomly collected sessions from these data sets and used them for the training and testing of the neural network. The testing was conducted in three parts. In the preliminary experiment we simply wanted to see when the neural network was trained well enough to detect attacks and when it detected none. The second experiment was done with a small amount of traffic, and finally we conducted the final experiment with a larger amount of traffic. In these last two experiments, the normal traffic, known attacks and unknown attacks were placed in three different files.

3.2 Outline

Figure 3-1 on the next page shows the block diagram of the research
methodology for this research.

Figure 3-1 Block Diagram of Research Methodology

The neural network was trained several times with different numbers of iterations and hidden units to see how this affected the RMS error and the classification rate.

3.3 Input files to the Neural Network

The input files to the neural network were created from the log files in the data sets on the DARPA Intrusion Detection Evaluation Web site [43]. The log files contained more information than we needed, so they had to be “cleaned” until they contained only the parameters needed for this experiment.

There are 7 weeks of traffic logs available in the 1998 DARPA Intrusion Detection Evaluation data sets [43]. For the experiments conducted in this research, only data sets from week 3 were collected. From these log files we used 12 different attacks. Some of these attacks were used both for training the neural network and for testing it with known attacks; the rest were used for testing the neural network with unknown attacks.

3.3.1 Log file format

As mentioned above, we used the DARPA Intrusion Detection Evaluation data sets for this research. In the log files, the different parameters were separated by spaces. Each log entry consists of:

• Session ID
• Start Date
• Start Time
• Duration
• Service
• Source Port
• Destination Port
• Source IP
• Destination IP
• Attack Score
• Attack Name

Table 3-1 Original parameters in the DARPA Data Sets

We did not want to use all of these parameters in the experiments. We could not see any use for the session ID, because it contributes nothing to the detection of intrusions. The attack name could be useful for naming the attacks, but this was not something we wanted to look at in this research. The parameters we wanted were:

• Date
• Time
• Duration
• Service
• Source Port
• Destination Port
• Source IP
• Destination IP

Table 3-2 Parameters used in this experiment

Because the DARPA log files had more information than we needed, we had to “clean” them. This was done by writing a Java application that deletes the unwanted parameters from the log file. The application reads the DARPA logs from one file and writes the “cleaned” logs out to another. To delete the session ID, the application removes everything on each line from the beginning up to the first space. We did not want the attack score or attack name either; these fields were deleted by the same application, which removed everything from the 9th space onwards.
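The cleaning step was done in Java in this research; a minimal Python sketch of the same field-stripping idea (the sample log line below is invented to match the 11-field layout described above, not copied from the DARPA data) might look like this:

```python
def clean_line(line):
    """Drop the session ID (field 1) and everything from the 9th space
    onwards (attack score and attack name), keeping the 8 middle fields."""
    fields = line.split()
    return " ".join(fields[1:9])

# Invented example line in the 11-field layout described above.
raw = ("1 06/15/1998 14:23:05 00:00:02 http 1023 80 "
       "172.16.112.50 192.168.1.20 0 -")
print(clean_line(raw))
# 06/15/1998 14:23:05 00:00:02 http 1023 80 172.16.112.50 192.168.1.20
```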

When the DARPA log files had been “cleaned” and contained only the parameters we wanted, they were ready to be converted into binary format.

3.3.2 Making the input files

For the training of the neural network, we collected 197 sessions from the data sets: 99 sessions of normal traffic and 98 sessions with attacks. The input files for the neural network had to be in binary format, so all log files had to be converted to binary. We decided that each session should be represented by 132 bits, allocated to the parameters as follows:

• Date: 9 bits – we used only day and month: 5 bits for the day and 4 bits for the month.
• Time: 18 bits – hours, minutes and seconds, giving a maximum value of 235959.
• Duration: 18 bits – same format as time.
• Service: 3 bits – we assigned a number to each of the 7 most used services and set all others to 000. The services with their own number were http, smtp, domain/u, telnet, ftp, eco/i and imap.
• Source Port: 10 bits – a number for each standard port up to 1024; other ports were set to 0000000000.
• Destination Port: 10 bits – same as source port.
• Source IP: 32 bits – four octets of 8 bits each, each from 0 to 255.
• Destination IP: 32 bits – same as source IP.
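A sketch of this encoding in Python (the session values and service code below are invented for illustration; only the bit widths follow the list above, and the exact field encodings used in the thesis may differ):

```python
def to_bits(value, width):
    """Fixed-width binary string for one field."""
    return format(value, "0{}b".format(width))

# Invented session: 15 June, 14:23:05, duration 2 s, service code 1,
# source port 1023, destination port 80.
bits = (to_bits(15, 5) + to_bits(6, 4)      # date: 5-bit day, 4-bit month
        + to_bits(142305, 18)               # time as hhmmss, max 235959
        + to_bits(2, 18)                    # duration, same format
        + to_bits(1, 3)                     # 3-bit service code
        + to_bits(1023, 10)                 # source port
        + to_bits(80, 10)                   # destination port
        + "".join(to_bits(o, 8) for o in (172, 16, 112, 50))   # source IP
        + "".join(to_bits(o, 8) for o in (192, 168, 1, 20)))   # dest. IP
print(len(bits))  # 132
```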

We used 8 different files for the experiments: a training file, a preliminary experiment file, 3 files for the second experiment and 3 files for the final experiment. The training file held all the training data (normal traffic and attacks). The preliminary experiment file had 50 sessions: 25 known attacks and 25 unknown attacks. In the second experiment we used three files: one with normal traffic, one with known attacks and one with unknown attacks, containing 20 sessions of normal traffic, 10 sessions with known attacks and 10 sessions with unknown attacks respectively. The final experiment also used three files, but with 50 sessions of normal traffic, 25 sessions with known attacks and 25 sessions with unknown attacks.

3.4 Testing environment

For testing we used the supercomputer at Griffith University, which runs the UNIX operating system.

3.4.1 Training Pair

The input to the neural network has to be in a standard form. The first part of each training pair was a 132-bit representation of one session from the traffic logs in the DARPA Intrusion Detection Evaluation data sets. The second part was a 2-bit output vector that tells the neural network whether the session is an attack or normal traffic: 0 1 for normal traffic and 1 0 for an attack.
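A small sketch of this representation, with a helper for reading the trained network's two output units (an assumption: the first unit is taken as the attack score and the second as the normal score, consistent with the 1 0 / 0 1 coding above):

```python
# Targets as described above: 1 0 for an attack, 0 1 for normal traffic.
TARGET_ATTACK = (1, 0)
TARGET_NORMAL = (0, 1)

def label(outputs):
    """Read the trained network's 2-unit output: whichever unit is
    stronger decides the class."""
    return "attack" if outputs[0] > outputs[1] else "normal"

session_bits = "0" * 132                 # placeholder 132-bit input vector
training_pair = (session_bits, TARGET_NORMAL)

print(label((0.93, 0.04)))  # attack
print(label((0.08, 0.97)))  # normal
```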

3.4.2 Parameters for the Neural Network

A backpropagation neural network was used in this research. The selection of parameters and their settings for training the neural network are of great importance, and the network was tested with different parameter settings. Here is an example of the parameter settings for the neural network:

Parameters Value
Number of inputs 132
Number of outputs 2
Number of hidden units 12
Number of Training Pairs 197
Learning rate 0.1
Momentum 0.1
RMS-error 0.0001
Number of iterations 5000

Table 3-3 Example of the parameters for the Neural Network

Number of inputs is the number of bits in the first part of the training pair, and number of outputs is the number of bits in the second part. The number of hidden units was varied during testing to see how well the neural network could be trained. The number of training pairs is the number of sessions used in training; we used 197, which was 99 sessions with normal traffic and 98 sessions with attacks. The RMS error is a value that can be adjusted to control how the neural network is trained, and the number of iterations is how many times the neural network runs over the input while learning.

3.4.3 Criteria for training termination

When using a backpropagation neural network, the usual criterion for terminating the training is that the RMS error has been reduced to an acceptable level. There is no standard value for the RMS error, but usually the lower it is, the better the classification rate. However, too low an RMS error can overtrain the neural network, meaning it will only detect inputs that are exactly identical to the training data, which would be too strict a criterion.
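A common way of computing the RMS error over a training set is sketched below (an assumption about the exact formula; the definition used by the thesis's software is not specified):

```python
import math

def rms_error(targets, outputs):
    """Root-mean-square error over all output units of all training pairs."""
    total, count = 0.0, 0
    for target_vec, output_vec in zip(targets, outputs):
        for t, o in zip(target_vec, output_vec):
            total += (t - o) ** 2
            count += 1
    return math.sqrt(total / count)

# Two training pairs with 2-bit targets, as in this research.
err = rms_error([(1, 0), (0, 1)], [(0.9, 0.1), (0.2, 0.8)])
print(round(err, 3))  # 0.158
```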


Figure 3-2 Training the Neural Network

Another criterion for training termination is the number of iterations. We chose to use a fixed number of iterations: when it was reached, the training was stopped.

3.4.4 Different tests

Three different experiments were conducted with the neural network. In the preliminary experiment we tried to use as few iterations and hidden units as possible. This test was done to find out when the neural network was trained well enough to detect attacks, and it provided the basis for choosing the number of hidden units and iterations for training the network in the last two experiments. The second test used a relatively small amount of normal traffic and attacks; the final test used a larger amount. The last two experiments were done with 100, 1000, 5000 and 20000 iterations in the training of the neural network, and for each of these iteration counts we also tested with 4, 6, 12 and 24 hidden units.

3.4.5 Attacks in different files

In our experiments we used 12 different attack types: 8 attack types for the
training of the neural network, of which 4 were also used when testing the
neural network on known attacks. For testing the neural network on unknown
attacks we used 4 further attack types, 3 of which were Denial of Service
attacks. The attacks were separated as follows:

Training: imap, nmap, warezmaster, land, satan, phf, ffb, portsweep
Known attacks: imap, nmap, warezmaster, land
Unknown attacks: smurf, ipsweep, back, neptune

Table 3-4 Separated attacks

When we tested the neural network with known attacks, the same attack types
were used, but not exactly the same sessions.
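The split in Table 3-4 can be expressed as a quick sanity check: the known test attacks must be a subset of the training types, while the unknown test attacks must not overlap with the training types at all. A short illustration:

```python
# Attack types as listed in Table 3-4.
training = {"imap", "nmap", "warezmaster", "land",
            "satan", "phf", "ffb", "portsweep"}
known_test = {"imap", "nmap", "warezmaster", "land"}
unknown_test = {"smurf", "ipsweep", "back", "neptune"}

# Known test attacks were all seen during training...
assert known_test <= training
# ...while the "unknown" attacks share no type with the training set.
assert training.isdisjoint(unknown_test)
```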

Chapter 4: Experimental Results

4.1 Introduction

This chapter presents the experimental results obtained with the neural
network based research methodology proposed in the previous chapter. The
experiments were conducted in three parts. The preliminary experiment was
conducted to determine how many iterations and how many hidden units were
needed before the neural network was properly trained. The second and final
experiments were conducted to measure what percentage of the normal traffic
and the attacks was classified correctly. The second experiment used 20
sessions of normal traffic, 10 sessions with known attacks and 10 sessions
with unknown attacks. The final experiment used 50 sessions of normal
traffic, 25 sessions with known attacks and 25 sessions with unknown
attacks.

4.2 Testing the Neural Network

To check that the neural network was trained correctly, we tested it on the
same traffic sessions that were used for training, with the same numbers of
iterations and hidden units as in the final experiment. In all these tests
the neural network had a classification rate of 100%: it classified 197 out
of 197 sessions correctly.

4.3 Preliminary experiment

In this preliminary experiment we wanted to see how many hidden units and
how many iterations were needed before the neural network was properly
trained. In this experiment we used both known and unknown attacks in the
same file. With just three hidden units, no attacks were detected at all;
with 4 hidden units, we got a detection rate of 86%. The results from this
experiment gave the background for choosing the number of hidden units and
iterations used for the training of the neural network in the last two
experiments: the number of hidden units had to be at least 4, and the number
of iterations over 100.

Hidden Units   Iterations   RMS-error   Classification rate for Training Set   Classification rate (%) for Training Set
2 100 0.354452731525 0/50 0
3 100 0.354167226657 0/50 0
4 100 0.021995822141 43/50 86
5 100 0.019539157955 43/50 86
6 100 0.018322100972 43/50 86

Table 4-1 The preliminary experiment results

There is a huge drop in the RMS-error between 3 and 4 hidden units, which
shows that a lower RMS-error corresponds to a higher detection rate.

[Figure: RMS-error (y-axis, 0.0 to 0.40) plotted against the number of
hidden units (2 to 6).]

Figure 4-1 RMS-error for the preliminary experiment

This was only a brief test in which we ran several trials, increasing the
number of iterations by 100 and the number of hidden units by one between
trials. The results would probably differ if we changed the number of
iterations by just one, or tested every iteration count against every number
of hidden units, but the purpose here was only to see how the RMS-error
differed between runs where attacks were not detected and runs where they
were.
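The preliminary search amounts to a small grid sweep over hidden units and iterations. The sketch below illustrates the procedure; `train_network` and `evaluate` are hypothetical placeholders whose return values merely mimic the trend in Table 4-1 (the RMS-error collapses once there are at least 4 hidden units) rather than running the real backpropagation tool.

```python
def train_network(hidden_units, iterations):
    """Placeholder: pretend to train and return the resulting RMS-error."""
    if hidden_units < 4:
        return 0.354                         # roughly the stuck value observed
    return 0.022 / (1 + 0.1 * (hidden_units - 4))

def evaluate(rms_error):
    """Placeholder detection rate: nothing is detected until RMS is low."""
    return 0.86 if rms_error < 0.1 else 0.0

results = []
for hidden_units in (2, 3, 4, 5, 6):
    for iterations in (100,):
        rms = train_network(hidden_units, iterations)
        results.append((hidden_units, iterations, rms, evaluate(rms)))

# Find the first configuration where any attacks are detected at all.
first_working = next(r for r in results if r[3] > 0)
```

With these placeholder numbers, the sweep identifies 4 hidden units as the first configuration where detection becomes non-zero, matching the pattern in Table 4-1.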

4.4 Second experiment

The testing was separated into normal traffic, known attacks and unknown
(novel) attacks. In the second experiment we used 40 traffic sessions: 20
sessions with normal traffic, 10 sessions with known attacks and 10 sessions
with unknown attacks.

4.4.1 Normal traffic

For the testing with normal traffic we used sessions that were classified as
normal traffic in the DARPA data sets. Here are the results from the second
experiment with normal traffic:

Hidden Units   Iterations   RMS-error   Classification rate for Training Set   Classification rate (%) for Training Set
4 100 0.021995822141 20/20 100
6 100 0.018322100972 20/20 100
12 100 0.018230336374 20/20 100
24 100 0.018132969630 20/20 100
4 1000 0.006137723648 20/20 100
6 1000 0.004811317503 20/20 100
12 1000 0.004608365849 20/20 100
24 1000 0.004337760720 20/20 100
4 5000 0.002656258717 20/20 100
6 5000 0.002035273630 20/20 100
12 5000 0.001919316337 20/20 100
24 5000 0.001778245927 20/20 100
4 20000 0.001305616418 20/20 100
6 20000 0.000985901225 20/20 100
12 20000 0.000917864210 20/20 100
24 20000 0.000841241861 20/20 100

Table 4-2 Second experiment results for normal traffic

4.4.2 Known attacks

Known attacks are attack types that the neural network has been trained
with. Here are the results from the second experiment with known attacks:

Hidden Units   Iterations   RMS-error   Classification rate for Training Set   Classification rate (%) for Training Set
4 100 0.021995822141 8/10 80
6 100 0.018322100972 8/10 80
12 100 0.018230336374 8/10 80
24 100 0.018132969630 8/10 80
4 1000 0.006137723648 8/10 80
6 1000 0.004811317503 8/10 80
12 1000 0.004608365849 8/10 80
24 1000 0.004337760720 8/10 80
6 5000 0.002035273630 8/10 80
12 5000 0.001919316337 8/10 80
24 5000 0.001778245927 8/10 80
6 20000 0.000985901225 8/10 80
12 20000 0.000917864210 8/10 80
24 20000 0.000841241861 8/10 80

Table 4-3 Second experiment results for known attacks

4.4.3 Unknown attacks

Unknown attacks are attack types that the neural network has not seen
before. Here are the results from the second experiment with unknown
attacks:

Hidden Units   Iterations   RMS-error   Classification rate for Training Set   Classification rate (%) for Training Set
4 100 0.021995822141 6/10 60
6 100 0.018322100972 6/10 60
12 100 0.018230336374 6/10 60
24 100 0.018132969630 6/10 60
4 1000 0.006137723648 6/10 60
6 1000 0.004811317503 6/10 60
12 1000 0.004608365849 6/10 60
24 1000 0.004337760720 6/10 60
6 5000 0.002035273630 6/10 60
12 5000 0.001919316337 6/10 60
24 5000 0.001778245927 6/10 60
6 20000 0.000985901225 6/10 60
12 20000 0.000917864210 6/10 60
24 20000 0.000841241861 6/10 60

Table 4-4 Second experiment results for unknown attacks

4.5 Final experiment

In the final experiment we also separated the traffic into normal traffic,
known attacks and unknown attacks, but here we used 100 sessions: 50
sessions with normal traffic and 50 sessions with attacks. The attacks were
divided into 25 sessions with known attacks and 25 sessions with unknown
attacks.

4.5.1 Normal traffic

For the testing with normal traffic we used sessions that were classified as
normal traffic in the DARPA data sets. Here we tested with some sessions of
normal traffic that the neural network had seen before, but mainly we used
traffic the neural network had not seen before. Here are the results from the
final experiment with normal traffic:

Hidden Units   Iterations   RMS-error   Classification rate for Training Set   Classification rate (%) for Training Set
4 100 0.021995822141 50/50 100
6 100 0.018322100972 50/50 100
12 100 0.018230336374 50/50 100
24 100 0.018132969630 50/50 100
4 1000 0.006137723648 50/50 100
6 1000 0.004811317503 50/50 100
12 1000 0.004608365849 50/50 100
24 1000 0.004337760720 50/50 100
6 5000 0.002035273630 50/50 100
12 5000 0.001919316337 50/50 100
24 5000 0.001778245927 50/50 100
6 20000 0.000985901225 50/50 100
12 20000 0.000917864210 50/50 100
24 20000 0.000841241861 50/50 100

Table 4-5 Final experiment results for normal traffic

4.5.2 Known attacks

Known attacks are attack types that the neural network has been trained
with. Here are the results from the final experiment with known attacks:

Hidden Units   Iterations   RMS-error   Classification rate for Training Set   Classification rate (%) for Training Set
4 100 0.021995822141 23/25 92
6 100 0.018322100972 23/25 92
12 100 0.018230336374 23/25 92
24 100 0.018132969630 23/25 92
4 1000 0.006137723648 23/25 92
6 1000 0.004811317503 23/25 92
12 1000 0.004608365849 23/25 92
24 1000 0.004337760720 23/25 92
6 5000 0.002035273630 23/25 92
12 5000 0.001919316337 23/25 92
24 5000 0.001778245927 23/25 92
6 20000 0.000985901225 23/25 92
12 20000 0.000917864210 23/25 92
24 20000 0.000841241861 23/25 92

Table 4-6 Final experiment results for known attacks

4.5.3 Unknown attacks

Unknown attacks are attack types that the neural network has not seen
before. Here are the results from the final experiment with unknown attacks:

Hidden Units   Iterations   RMS-error   Classification rate for Training Set   Classification rate (%) for Training Set
4 100 0.021995822141 20/25 80
6 100 0.018322100972 20/25 80
12 100 0.018230336374 20/25 80
24 100 0.018132969630 20/25 80
4 1000 0.006137723648 20/25 80
6 1000 0.004811317503 20/25 80
12 1000 0.004608365849 20/25 80
24 1000 0.004337760720 20/25 80
6 5000 0.002035273630 20/25 80
12 5000 0.001919316337 20/25 80
24 5000 0.001778245927 20/25 80
6 20000 0.000985901225 20/25 80
12 20000 0.000917864210 20/25 80
24 20000 0.000841241861 20/25 80

Table 4-7 Final experiment results for unknown attacks

Chapter 5: Analysis and Comparison

5.1 Introduction

The results obtained in Chapter 4 are discussed in this chapter. It mainly
comprises an analysis of the experimental results, identifies which attacks
were not detected by the neural network, and compares the results from our
experiments with results from other research.

5.2 RMS-error Comparison

As explained before, the lower the RMS-error is, the better the detection
rate normally is. Figure 5-1 shows the differences in the RMS-error when we
used 100, 1000, 5000 and 20000 iterations for the training of the neural
network.

[Figure: RMS-error plotted against the number of iterations (100, 1000,
5000, 20000), with one line each for 4, 6, 12 and 24 hidden units.]

Figure 5-1 RMS-error comparison

The RMS-error dropped considerably when we increased the number of hidden
units from 4 to 6, but there was little change in the RMS-error between 6
and 24 hidden units.

5.3 Sessions not detected

These are the sessions that were not detected by the neural network in the
final experiment. All the sessions in the normal traffic file were
classified correctly, but some sessions among both the known attacks and the
unknown attacks were not detected.

5.3.1 Known attacks

The two known attack sessions that were not detected both used an attack
method called warezmaster. A warezmaster attack is the anonymous upload of
warez (usually illegal copies of copyrighted software) onto an FTP server
[43].

06/19/1998 19:01:32 00:00:01 ftp-data 20 2605 172.016.112.050 206.186.080.111
06/19/1998 19:01:32 00:00:01 ftp-data 20 2606 172.016.112.050 206.186.080.111

Table 5-1 Known attacks not detected

Illegal FTP traffic is very difficult to detect, as it can easily be
mistaken for a normal upload of files to an FTP server. One way to stop it
would be to allow only a few authorised users to use FTP.

5.3.2 Unknown attacks

The first unknown attack missed was an ipsweep. The second was a Denial of
Service attack called smurf, and the three remaining misses were all a
Denial of Service attack called neptune.

06/17/1998 12:31:15 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.153
06/17/1998 11:56:07 00:00:01 ecr/i 7 7 205.231.028.048 172.016.112.050
06/18/1998 15:10:26 00:00:01 tcpmux 55384 1 010.020.030.040 172.016.112.050
06/18/1998 15:10:26 00:00:01 tcpmux 55640 1 010.020.030.040 172.016.112.050
06/18/1998 15:10:26 00:00:01 tcpmux 55896 1 010.020.030.040 172.016.112.050

Table 5-2 Unknown attacks not detected

The surprising thing here is that there were 15 sessions with the attack
type ipsweep and 3 sessions with the attack type smurf, yet only one session
of each of these attacks was missed, while all three sessions with the
attack type neptune were classified incorrectly. A positive result is that
every session with the Denial of Service attack type back was classified
correctly, which suggests that at least some Denial of Service attacks can
be detected reliably by the use of neural networks.

5.4 False positives

As explained before, false positives are normal traffic that is classified
as attacks. In our experiments, all normal traffic was classified correctly:
in both the second experiment and the final experiment we had a
classification rate of 100%, which gives a false positive rate of 0%.
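The two rates follow directly from the session counts. A small helper (our own, purely illustrative) makes the arithmetic explicit, using the final-experiment counts of 43 detected attacks out of 50 and 0 normal sessions flagged out of 50:

```python
def rates(attacks_detected, attacks_total, normals_flagged, normals_total):
    """Return (detection rate, false positive rate) as percentages."""
    detection = 100.0 * attacks_detected / attacks_total
    false_positive = 100.0 * normals_flagged / normals_total
    return detection, false_positive

# Final experiment: 23 known + 20 unknown attacks detected out of 50,
# and no normal sessions misclassified as attacks.
detection, fp = rates(43, 50, 0, 50)
```

This yields the 86% detection rate and 0% false positive rate reported for the final experiment.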

5.5 Comparison with other research

As mentioned before, a great deal of research has been done on intrusion
detection. Ghosh and Schwartzbard used system behaviour as input to the
neural network in their experiment [37]. They used 4 weeks of training data
and 161 sessions of testing data, of which only 22 were attack sessions.
Their experiment showed a detection rate of 77.3% and a false positive rate
of 3.6%. Note that they used software behaviour as input to the neural
network, not user behaviour as we did in our experiments. Lippmann and
Cunningham have conducted experiments using keyword selection and neural
networks [60]; their results showed a detection rate of 80%, but with
roughly 10 false alarms per day. Unfortunately they did not express the
false positive rate as a percentage, so it cannot be compared with our
results or with those of Ghosh and Schwartzbard.

[Figure: bar chart of detection rates, on a 50% to 100% scale, for Earlier
Research 1 [37], Earlier Research 2 [60] and Our Research.]

Figure 5-2 Comparison with other research

In our research we had a detection rate of 86 % on 50 attacks (both known
and unknown attacks), but we had a false positive rate of 0 %. This means
that all normal sessions in our experiment were classified correctly as normal
traffic.

Chapter 6: Conclusion

6.1 Introduction

The attacks on computer networks that we can read about in the news are only
the ones detected. Some security breaches are difficult to detect without
human involvement, and today it is quite unrealistic to expect detection,
recovery and maintenance to be done automatically in a secure environment.
Intelligent support systems need to be designed to help network
administrators manage security, not to replace them.

6.2 Intrusion Detection with Neural Networks

As shown in this research, neural networks can successfully be used as a
learning method for an Intrusion Detection System. The main problem with
today's Intrusion Detection Systems is that they produce many false alarms,
which takes up much of a system administrator's time and resources.

Classifying 23 out of 25 known attacks, a classification rate of 92%, is a
very promising result. The two attacks not detected here were illegal FTP
traffic, which is difficult to detect: uploads of illegal copies of
copyrighted software can easily pass as normal FTP traffic. A solution could
be to limit how much normal users can upload and download over FTP, and to
allow only authorised users to generate larger amounts of FTP traffic.

A classification rate of 80%, detecting 20 out of 25 attacks, is also a very
promising result; this is a good classification rate for attacks that are
totally unknown to the neural network. The results also showed that every
session of the Denial of Service type called back was detected, which
suggests that unknown Denial of Service attacks can be stopped with the use
of neural networks. One problem with this result is that another Denial of
Service attack, neptune, was not detected; we cannot explain why this Denial
of Service type went completely undetected.

Another surprising result was the classification rate on normal traffic:
here the neural network had a classification rate of 100%, which gives a
false positive rate of 0%. None of the normal sessions were classified as an
attack. If normal traffic were classified as an attack, a false alarm would
be raised, and false alarms are one of the biggest problems with Intrusion
Detection Systems today.

In this research, we have tested the ability of a backpropagation neural
network to classify normal traffic correctly and to detect attacks without a
huge amount of training data. The results of our study show that a neural
network does not need a huge amount of training data to classify traffic
correctly. Completely unknown attacks were detected, among them Denial of
Service attacks. Still, one Denial of Service attack type went entirely
undetected, which shows that more testing is needed to find out why this
happened.

6.3 Suggestions for further research

As mentioned above, there has been a lot of research on intrusion detection,
including on the use of neural networks in intrusion detection. As shown in
this thesis, backpropagation neural networks can be used successfully to
detect attacks on a network. The same experiments should also be conducted
with other types of neural networks to see whether they can improve on the
detection rate we obtained in the experiments with a backpropagation neural
network.

In these experiments all traffic came from the same date, and experiments
with traffic from a longer period of time should be conducted. Another issue
is how much detail should be collected. More collection activity is likely
to raise the detection rate, but too much data collection will slow down the
system, while collecting too little risks missing some attacks. This
trade-off needs to be evaluated for each implementation.

Appendix

The appendix contains all the original sessions we used from the DARPA
Intrusion Detection Evaluation data sets, in exactly the same format as on
the DARPA web page [54].
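Each listing line below is whitespace-separated. The parser sketched here shows how such a line could be read; the field names are our interpretation of the columns (session id, date, start time, duration, service, source port, destination port, source IP, destination IP, attack flag, attack name) and should be checked against the DARPA documentation.

```python
def parse_session(line):
    """Split one listing line into named fields (field names are ours)."""
    parts = line.split()
    return {
        "id": int(parts[0]),
        "date": parts[1],
        "start": parts[2],
        "duration": parts[3],
        "service": parts[4],
        "src_port": parts[5],      # "-" for some ICMP-based sessions
        "dst_port": parts[6],
        "src_ip": parts[7],
        "dst_ip": parts[8],
        "is_attack": parts[9] == "1",
        "attack": None if parts[10] == "-" else parts[10],
    }

# Two lines taken verbatim from the listings below.
normal = parse_session(
    "1 06/19/1998 07:53:13 00:00:01 ntp/u 123 123 "
    "172.016.112.020 192.168.001.010 0 -")
attack = parse_session(
    "220 06/19/1998 08:16:42 00:00:01 imap 1029 143 "
    "202.049.244.010 172.016.114.050 1 imap")
```

The final two columns give the label used for training: a 0/1 attack flag, and the attack name (or "-" for normal traffic).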

Appendix 1:Training data

Normal traffic

1 06/19/1998 07:53:13 00:00:01 ntp/u 123 123 172.016.112.020 192.168.001.010 0 -


2 06/19/1998 07:53:13 00:00:01 ntp/u 123 123 172.016.112.020 192.168.001.010 0 -
3 06/19/1998 07:55:34 00:00:01 domain/u 53 53 192.168.001.010 192.168.001.020 0 -
4 06/19/1998 07:55:34 00:00:01 domain/u 53 53 192.168.001.010 192.168.001.020 0 -
5 06/19/1998 08:00:14 00:00:01 domain/u 53 53 192.168.001.010 172.016.112.020 0 -
12 06/19/1998 08:00:29 00:00:04 smtp 1027 25 196.227.033.189 172.016.114.169 0 -
41 06/19/1998 08:06:55 00:00:01 http 1106 80 172.016.117.132 199.095.074.090 0 -
81 06/19/1998 08:08:58 00:00:01 http 1489 80 172.016.117.132 136.149.142.178 0 -
160 06/19/1998 08:13:13 00:00:07 smtp 2072 25 135.008.060.182 172.016.113.105 0 -
194 06/19/1998 08:16:04 00:00:24 ftp 2076 21 196.227.033.189 172.016.114.148 0 -
430 06/19/1998 08:23:03 00:00:01 domain/u 1647 53 192.168.001.010 172.016.112.020 0 -
680 06/19/1998 08:31:27 02:25:22 telnet 3268 23 135.013.216.191 172.016.112.050 0 -
791 06/19/1998 08:37:17 00:00:01 domain/u 1750 53 172.016.112.020 192.168.001.010 0 -
940 06/19/1998 08:41:50 00:00:01 domain/u 1219 53 192.168.001.010 172.016.112.020 0 -
1005 06/19/1998 08:42:44 00:00:01 smtp 4172 25 135.013.216.191 172.016.113.204 0 -
1018 06/19/1998 08:43:00 00:00:01 http 2794 80 172.016.116.044 207.077.090.095 0 -
1051 06/19/1998 08:45:13 00:00:01 ident 1157 113 172.016.114.050 196.037.075.158 0 -
1100 06/19/1998 08:46:47 00:00:01 http 3044 80 172.016.114.148 204.071.201.011 0 -
1114 06/19/1998 08:47:07 00:00:01 domain/u 1131 53 192.168.001.010 172.016.112.020 0 -
1178 06/19/1998 08:48:54 00:00:01 smtp 4192 25 195.073.151.050 172.016.113.084 0 -
1278 06/19/1998 08:50:38 00:00:01 http 3247 80 172.016.113.204 131.084.001.031 0 -
1380 06/19/1998 08:52:11 00:00:01 smtp 3639 25 172.016.114.169 197.218.177.069 0 -
1420 06/19/1998 08:52:43 00:00:01 domain/u 1201 53 192.168.001.010 172.016.112.020 0 -
1485 06/19/1998 08:55:03 00:00:01 ftp-data 20 4157 197.218.177.069 172.016.114.169 0 -
1570 06/19/1998 08:57:06 00:00:01 http 4218 80 172.016.116.044 207.077.090.095 0 -
1609 06/19/1998 08:59:23 00:00:01 domain/u 1396 53 192.168.001.010 172.016.112.020 0 -
1629 06/19/1998 08:59:58 00:00:01 domain/u 1705 53 192.168.001.010 172.016.112.020 0 -
4459 06/19/1998 09:59:54 00:00:01 domain/u 1675 53 192.168.001.010 172.016.112.020 0 -

4460 06/19/1998 09:59:54 00:00:01 domain/u 1675 53 192.168.001.010 172.016.112.020 0 -
4461 06/19/1998 10:00:05 00:00:01 http 16507 80 197.218.177.069 172.016.114.050 0 -
4462 06/19/1998 10:00:06 00:00:03 smtp 16515 25 135.008.060.182 172.016.114.168 0 -
4463 06/19/1998 10:00:06 00:00:01 domain/u 1855 53 172.016.112.020 192.168.001.010 0 -
4464 06/19/1998 10:00:06 00:00:01 smtp 16514 25 135.008.060.182 172.016.113.084 0 -
4465 06/19/1998 10:00:06 00:00:01 http 16513 80 197.218.177.069 172.016.114.050 0 -
4466 06/19/1998 10:00:06 00:00:01 http 16512 80 197.218.177.069 172.016.114.050 0 -
4467 06/19/1998 10:00:06 00:00:01 http 16511 80 197.218.177.069 172.016.114.050 0 -
4468 06/19/1998 10:00:06 00:00:01 http 16510 80 197.218.177.069 172.016.114.050 0 -
4691 06/19/1998 10:04:50 00:00:02 smtp 17339 25 194.007.248.153 172.016.113.204 0 -
4692 06/19/1998 10:04:51 00:00:02 smtp 17340 25 194.007.248.153 172.016.112.149 0 -
4693 06/19/1998 10:04:52 00:00:02 smtp 11397 25 172.016.114.168 197.182.091.233 0 -
4694 06/19/1998 10:04:52 00:00:01 smtp 11396 25 172.016.114.168 194.007.248.153 0 -
4695 06/19/1998 10:04:55 00:00:01 http 11398 80 172.016.114.169 198.003.096.170 0 -
4696 06/19/1998 10:05:00 00:00:01 domain/u 1715 53 192.168.001.010 172.016.112.020 0 -
4697 06/19/1998 10:05:00 00:00:01 domain/u 1715 53 192.168.001.010 172.016.112.020 0 -
4698 06/19/1998 10:05:00 00:00:01 domain/u 1755 53 192.168.001.010 172.016.112.020 0 -
4699 06/19/1998 10:05:00 00:00:01 domain/u 1802 53 192.168.001.010 172.016.112.020 0 -
4700 06/19/1998 10:05:00 00:00:01 domain/u 1883 53 192.168.001.010 172.016.112.020 0 -
4701 06/19/1998 10:05:00 00:00:01 domain/u 1891 53 192.168.001.010 172.016.112.020 0 -
4702 06/19/1998 10:05:02 00:00:01 http 11400 80 172.016.112.149 207.049.149.093 0 -
4703 06/19/1998 10:05:02 00:00:01 http 11399 80 172.016.114.169 198.003.096.170 0 -
4704 06/19/1998 10:05:10 00:00:01 domain/u 1924 53 192.168.001.010 172.016.112.020 0 -
4705 06/19/1998 10:05:10 00:00:01 domain/u 1961 53 192.168.001.010 172.016.112.020 0 -
4706 06/19/1998 10:05:11 00:00:01 domain/u 2036 53 192.168.001.010 172.016.112.020 0 -
4707 06/19/1998 10:05:11 00:00:01 domain/u 1985 53 192.168.001.010 172.016.112.020 0 -
5094 06/19/1998 10:16:26 00:00:01 domain/u 1411 53 172.016.112.020 192.168.001.010 0 -
5095 06/19/1998 10:16:26 00:00:01 domain/u 1419 53 172.016.112.020 192.168.001.010 0 -
5096 06/19/1998 10:16:27 00:00:01 smtp 19377 25 195.073.151.050 172.016.114.207 0 -
5097 06/19/1998 10:16:31 00:00:01 smtp 19463 25 197.218.177.069 172.016.114.148 0 -
5098 06/19/1998 10:16:31 00:00:01 domain/u 53 1426 192.168.001.010 172.016.112.020 0 -
5105 06/19/1998 10:16:45 00:00:01 http 19083 80 195.073.151.050 172.016.114.050 0 -
5106 06/19/1998 10:16:50 00:00:01 domain/u 1746 53 192.168.001.010 172.016.112.020 0 -
5107 06/19/1998 10:16:50 00:00:01 domain/u 1746 53 192.168.001.010 172.016.112.020 0 -
5221 06/19/1998 10:19:51 00:00:01 domain/u 1945 53 192.168.001.010 172.016.112.020 0 -
5222 06/19/1998 10:19:53 00:00:01 http 13369 80 172.016.114.168 207.025.071.024 0 -
5223 06/19/1998 10:19:54 00:00:01 smtp 19647 25 195.073.151.050 172.016.112.194 0 -
5224 06/19/1998 10:19:56 00:00:01 smtp 19773 25 195.073.151.050 172.016.113.105 0 -
5225 06/19/1998 10:19:57 00:00:01 http 13371 80 172.016.114.169 204.050.058.005 0 -
5226 06/19/1998 10:20:01 00:00:01 domain/u 1152 53 192.168.001.010 172.016.112.020 0 -
5227 06/19/1998 10:20:01 00:00:01 domain/u 2016 53 192.168.001.010 172.016.112.020 0 -
5228 06/19/1998 10:20:07 00:00:02 finger 19774 79 195.115.218.108 172.016.114.207 0 -
5229 06/19/1998 10:20:08 00:00:01 smtp 19773 25 195.073.151.050 172.016.113.105 0 -
5230 06/19/1998 10:20:11 00:00:01 domain/u 1191 53 192.168.001.010 172.016.112.020 0 -
7323 06/19/1998 11:22:45 00:00:01 domain/u 1679 53 192.168.001.010 172.016.112.020 0 -

7324 06/19/1998 11:22:45 00:00:01 domain/u 1728 53 192.168.001.010 172.016.112.020 0 -
7329 06/19/1998 11:22:52 00:00:06 smtp 21872 25 172.016.114.168 195.073.151.050 0 -
7334 06/19/1998 11:22:57 00:00:12 smtp 21937 25 172.016.112.149 195.115.218.108 0 -
7335 06/19/1998 11:22:57 00:00:01 domain/u 1873 53 192.168.001.010 172.016.112.020 0 -
10881 06/19/1998 13:07:07 00:00:01 domain/u 1423 53 192.168.001.010 172.016.112.020 0 -
10882 06/19/1998 13:07:07 00:00:01 domain/u 1426 53 192.168.001.010 172.016.112.020 0 -
10883 06/19/1998 13:07:07 00:00:01 domain/u 1434 53 192.168.001.010 172.016.112.020 0 -
10884 06/19/1998 13:07:07 00:00:01 domain/u 1439 53 192.168.001.010 172.016.112.020 0 -
10885 06/19/1998 13:07:07 00:00:01 domain/u 1426 53 192.168.001.010 172.016.112.020 0 -
10886 06/19/1998 13:07:09 00:00:01 http 3393 80 172.016.115.234 209.001.112.251 0 -
10887 06/19/1998 13:07:17 00:00:01 domain/u 1487 53 192.168.001.010 172.016.112.020 0 -
10888 06/19/1998 13:07:17 00:00:01 domain/u 1537 53 192.168.001.010 172.016.112.020 0 -
10889 06/19/1998 13:07:22 00:00:01 http 3456 80 172.016.115.234 204.177.145.235 0 -
14606 06/19/1998 14:42:54 00:00:01 http 12392 80 172.016.114.168 208.002.188.061 0 -
14607 06/19/1998 14:42:55 00:00:01 http 12415 80 135.008.060.182 172.016.114.050 0 -
14608 06/19/1998 14:42:55 00:00:03 smtp 12393 25 172.016.113.105 195.115.218.108 0 -
14609 06/19/1998 14:43:03 00:00:01 http 12395 80 172.016.114.168 208.002.188.061 0 -
14610 06/19/1998 14:43:04 00:00:01 http 12416 80 194.007.248.153 172.016.114.050 0 -
14611 06/19/1998 14:43:04 00:00:01 http 12417 80 194.007.248.153 172.016.114.050 0 -
14612 06/19/1998 14:43:18 00:00:01 http 12384 80 172.016.116.044 132.025.001.025 0 -
14613 06/19/1998 14:43:21 00:00:01 domain/u 1359 53 192.168.001.010 172.016.112.020 0 -
17472 06/19/1998 16:04:57 00:00:01 domain/u 53 1488 172.016.112.020 192.168.001.010 0 -
17473 06/19/1998 16:04:57 00:00:01 domain/u 1482 53 192.168.001.010 172.016.112.020 0 -
17474 06/19/1998 16:04:58 00:00:04 smtp 23705 25 172.016.113.084 135.008.060.182 0 -
17475 06/19/1998 16:04:58 00:00:01 http 23706 80 172.016.117.132 131.084.001.031 0 -
17476 06/19/1998 16:05:00 00:00:01 smtp 24737 25 195.073.151.050 172.016.112.149 0 -

Attacks

220 06/19/1998 08:16:42 00:00:01 imap 1029 143 202.049.244.010 172.016.114.050 1 imap
223 06/19/1998 08:16:45 00:00:01 imap 1029 143 202.049.244.010 172.016.114.050 1 imap
224 06/19/1998 08:16:51 00:07:01 imap 1029 143 202.049.244.010 172.016.114.050 1 imap
1190 06/19/1998 08:49:21 00:00:43 imap 1107 143 202.077.162.213 172.016.114.050 1 imap
12949 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.000 1 nmap
12950 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.001 1 nmap
12951 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.002 1 nmap
12952 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.003 1 nmap
12953 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.004 1 nmap
12954 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.005 1 nmap
12955 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.006 1 nmap
12956 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.007 1 nmap
12957 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.008 1 nmap
12958 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.009 1 nmap
12959 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.010 1 nmap
12960 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.011 1 nmap
12961 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.012 1 nmap
12962 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.014 1 nmap
12963 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.013 1 nmap
12964 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.016 1 nmap
12965 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.017 1 nmap
12966 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.018 1 nmap
12967 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.019 1 nmap
12968 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.020 1 nmap
12969 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.021 1 nmap
12970 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.022 1 nmap
12971 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.023 1 nmap
12972 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.024 1 nmap
12973 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.025 1 nmap
12974 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.026 1 nmap
12975 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.027 1 nmap
12976 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.028 1 nmap
12977 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.029 1 nmap
12978 06/19/1998 14:18:25 00:00:01 eco/i - - 208.240.124.083 172.016.112.030 1 nmap
20334 06/19/1998 19:03:44 00:00:11 ftp-data 20 2624 172.016.112.050 206.186.080.111 1
warezmaster
20335 06/19/1998 19:03:55 00:00:11 ftp-data 20 2636 172.016.112.050 206.186.080.111 1
warezmaster
20340 06/19/1998 19:04:05 00:00:03 ftp-data 20 2638 172.016.112.050 206.186.080.111 1
warezmaster
20728 06/19/1998 22:56:41 00:00:01 finger 79 79 172.016.113.050 172.016.113.050 1 land
2203 06/15/1998 09:36:59 00:00:01 eco/i - - 152.169.215.104 172.016.112.050 1 satan

2204 06/15/1998 09:37:01 00:00:01 eco/i - - 152.169.215.104 172.016.112.050 1 satan
2205 06/15/1998 09:37:04 00:00:01 eco/i - - 152.169.215.104 172.016.112.050 1 satan
2206 06/15/1998 09:37:04 00:00:01 1/u 1694 1 152.169.215.104 172.016.112.050 1 satan
2209 06/15/1998 09:37:04 00:00:01 1/u 1694 1 152.169.215.104 172.016.112.050 1 satan
2210 06/15/1998 09:37:04 00:00:01 1/u 1694 1 152.169.215.104 172.016.112.050 1 satan
2211 06/15/1998 09:37:04 00:00:01 ecr/i - - 172.016.112.050 152.169.215.104 1 satan
2212 06/15/1998 09:37:05 00:00:01 1/u 1694 177 152.169.215.104 172.016.112.050 1 satan
2213 06/15/1998 09:37:05 00:00:01 domain/u 1694 53 152.169.215.104 172.016.112.050 1 satan
2215 06/15/1998 09:37:05 00:00:01 1/u 1694 177 152.169.215.104 172.016.112.050 1 satan
2217 06/15/1998 09:37:05 00:00:01 domain/u 1694 53 152.169.215.104 172.016.112.050 1 satan
2219 06/15/1998 09:37:06 00:00:01 1/u 1694 177 152.169.215.104 172.016.112.050 1 satan
2220 06/15/1998 09:37:06 00:00:01 finger 4196 79 152.169.215.104 172.016.112.050 1 satan
2221 06/15/1998 09:37:06 00:00:02 finger 4200 79 152.169.215.104 172.016.112.050 1 satan
2222 06/15/1998 09:37:07 00:00:02 finger 4201 79 152.169.215.104 172.016.112.050 1 satan
2223 06/15/1998 09:37:08 00:00:02 finger 4204 79 152.169.215.104 172.016.112.050 1 satan
2224 06/15/1998 09:37:08 00:00:01 finger 4203 79 152.169.215.104 172.016.112.050 1 satan
2226 06/15/1998 09:37:09 00:00:02 finger 4205 79 152.169.215.104 172.016.112.050 1 satan
2227 06/15/1998 09:37:10 00:00:01 gopher 4211 70 152.169.215.104 172.016.112.050 1 satan
2228 06/15/1998 09:37:10 00:00:01 http 4212 80 152.169.215.104 172.016.112.050 1 satan
2229 06/15/1998 09:37:10 00:00:02 ftp 4214 21 152.169.215.104 172.016.112.050 1 satan
2230 06/15/1998 09:37:10 00:00:04 telnet 4216 23 152.169.215.104 172.016.112.050 1 satan
2231 06/15/1998 09:37:11 00:00:01 smtp 4218 25 152.169.215.104 172.016.112.050 1 satan
2232 06/15/1998 09:37:11 00:00:01 nntp 4219 119 152.169.215.104 172.016.112.050 1 satan
2233 06/15/1998 09:37:11 00:00:02 540 4220 540 152.169.215.104 172.016.112.050 1 satan
2234 06/15/1998 09:37:11 00:00:01 x11 4221 6000 152.169.215.104 172.016.112.050 1 satan
2235 06/15/1998 09:37:13 00:00:01 sunrpc 998 111 152.169.215.104 172.016.112.050 1 satan
2236 06/15/1998 09:37:13 00:00:01 56/u 1003 111 152.169.215.104 172.016.112.050 1 satan
2237 06/15/1998 09:37:13 00:00:01 444/u 32775 1004 172.016.112.050 152.169.215.104 1 satan
2238 06/15/1998 09:37:13 00:00:01 28/u 111 1003 172.016.112.050 152.169.215.104 1 satan
2239 06/15/1998 09:37:13 00:00:01 40/u 1004 32775 152.169.215.104 172.016.112.050 1 satan
4183 06/15/1998 11:14:34 00:00:02 http 24682 80 197.218.177.069 172.016.114.050 1 phf
4464 06/15/1998 11:32:20 00:02:31 telnet 25134 23 202.247.224.089 172.016.112.050 1 ffb
11748 06/15/1998 19:28:06 00:00:01 100 1234 100 207.075.239.115 172.016.114.050 1 portsweep
11749 06/15/1998 19:28:06 00:00:01 99 1234 99 207.075.239.115 172.016.114.050 1 portsweep
11750 06/15/1998 19:28:06 00:00:01 98 1234 98 207.075.239.115 172.016.114.050 1 portsweep
11751 06/15/1998 19:28:06 00:00:01 97 1234 97 207.075.239.115 172.016.114.050 1 portsweep
11752 06/15/1998 19:28:06 00:00:01 96 1234 96 207.075.239.115 172.016.114.050 1 portsweep
11753 06/15/1998 19:28:06 00:00:01 95 1234 95 207.075.239.115 172.016.114.050 1 portsweep
11754 06/15/1998 19:28:06 00:00:01 94 1234 94 207.075.239.115 172.016.114.050 1 portsweep
11755 06/15/1998 19:28:06 00:00:01 93 1234 93 207.075.239.115 172.016.114.050 1 portsweep
11756 06/15/1998 19:28:06 00:00:01 92 1234 92 207.075.239.115 172.016.114.050 1 portsweep
11757 06/15/1998 19:28:06 00:00:01 91 1234 91 207.075.239.115 172.016.114.050 1 portsweep
11758 06/15/1998 19:28:06 00:00:01 90 1234 90 207.075.239.115 172.016.114.050 1 portsweep
11759 06/15/1998 19:28:06 00:00:01 89 1234 89 207.075.239.115 172.016.114.050 1 portsweep
11760 06/15/1998 19:28:06 00:00:01 88 1234 88 207.075.239.115 172.016.114.050 1 portsweep

11761 06/15/1998 19:28:06 00:00:01 87 1234 87 207.075.239.115 172.016.114.050 1 portsweep
11762 06/15/1998 19:28:06 00:00:01 86 1234 86 207.075.239.115 172.016.114.050 1 portsweep
11763 06/15/1998 19:28:06 00:00:01 85 1234 85 207.075.239.115 172.016.114.050 1 portsweep
11764 06/15/1998 19:28:06 00:00:01 84 1234 84 207.075.239.115 172.016.114.050 1 portsweep
11765 06/15/1998 19:28:06 00:00:01 83 1234 83 207.075.239.115 172.016.114.050 1 portsweep
11766 06/15/1998 19:28:06 00:00:01 82 1234 82 207.075.239.115 172.016.114.050 1 portsweep
11767 06/15/1998 19:28:06 00:00:01 81 1234 81 207.075.239.115 172.016.114.050 1 portsweep
11768 06/15/1998 19:28:06 00:00:01 http 1234 80 207.075.239.115 172.016.114.050 1 portsweep
11769 06/15/1998 19:28:06 00:00:01 finger 1234 79 207.075.239.115 172.016.114.050 1 portsweep

Appendix 2: Testing data

Normal traffic

1 06/19/1998 07:53:13 00:00:01 ntp/u 123 123 172.016.112.020 192.168.001.010 0 -


2 06/19/1998 07:53:13 00:00:01 ntp/u 123 123 172.016.112.020 192.168.001.010 0 -
3 06/19/1998 07:55:34 00:00:01 domain/u 53 53 192.168.001.010 192.168.001.020 0 -
4 06/19/1998 07:55:34 00:00:01 domain/u 53 53 192.168.001.010 192.168.001.020 0 -
5 06/19/1998 08:00:14 00:00:01 domain/u 53 53 192.168.001.010 172.016.112.020 0 -
6 06/19/1998 08:00:14 00:00:01 domain/u 53 53 192.168.001.010 172.016.112.020 0 -
7 06/19/1998 08:00:17 00:00:04 smtp 1024 25 197.182.091.233 172.016.112.194 0 -
8 06/19/1998 08:00:20 00:00:02 smtp 1026 25 197.182.091.233 172.016.112.050 0 -
9 06/19/1998 08:00:20 00:00:01 domain/u 53 53 172.016.112.020 197.182.091.233 0 -
10 06/19/1998 08:00:26 00:00:01 domain/u 1075 53 172.016.112.020 192.168.001.010 0 -
11 06/19/1998 08:00:26 00:00:01 domain/u 1075 53 172.016.112.020 192.168.001.010 0 -
12 06/19/1998 08:00:29 00:00:04 smtp 1027 25 196.227.033.189 172.016.114.169 0 -
13 06/19/1998 08:00:32 00:00:01 eco/i - - 192.168.001.005 192.168.001.001 0 -
14 06/19/1998 08:00:32 00:00:01 ecr/i - - 192.168.001.001 192.168.001.005 0 -
15 06/19/1998 08:00:35 00:00:01 smtp 1028 25 196.227.033.189 172.016.114.207 0 -
16 06/19/1998 08:00:35 00:00:01 domain/u 53 53 172.016.112.020 196.227.033.189 0 -
17 06/19/1998 08:00:38 00:00:01 smtp 1049 25 194.007.248.153 172.016.113.105 0 -
18 06/19/1998 08:00:38 00:00:02 smtp 1052 25 196.227.033.189 172.016.112.149 0 -
20 06/19/1998 08:01:33 00:00:01 smtp 1025 25 172.016.112.149 196.227.033.189 0 -
21 06/19/1998 08:01:44 00:00:02 smtp 1026 25 172.016.114.207 196.227.033.189 0 -
22 06/19/1998 08:02:01 00:00:01 domain/u 1222 53 192.168.001.010 172.016.112.020 0 -
23 06/19/1998 08:02:01 00:00:01 domain/u 1348 53 192.168.001.010 172.016.112.020 0 -
24 06/19/1998 08:02:01 00:00:01 domain/u 1348 53 192.168.001.010 172.016.112.020 0 -
25 06/19/1998 08:02:01 00:00:01 domain/u 1222 53 192.168.001.010 172.016.112.020 0 -
26 06/19/1998 08:02:28 00:00:01 smtp 1104 25 197.182.091.233 172.016.114.148 0 -
27 06/19/1998 08:04:59 00:00:01 domain/u 1279 53 172.016.112.020 192.168.001.010 0 -
28 06/19/1998 08:04:59 00:00:01 domain/u 1279 53 172.016.112.020 192.168.001.010 0 -
29 06/19/1998 08:05:00 00:00:02 smtp 1065 25 172.016.114.050 195.073.151.050 0 -
30 06/19/1998 08:05:01 00:00:01 domain/u 1486 53 192.168.001.010 172.016.112.020 0 -
31 06/19/1998 08:05:01 00:00:01 domain/u 1486 53 192.168.001.010 172.016.112.020 0 -
1942 06/19/1998 09:08:05 00:00:01 domain/u 53 53 172.016.112.020 192.168.001.020 0 -
1943 06/19/1998 09:08:05 00:00:01 domain/u 1072 53 172.016.112.020 192.168.001.010 0 -
1944 06/19/1998 09:08:08 00:00:01 smtp 5304 25 194.027.251.021 172.016.114.207 0 -
3635 06/19/1998 09:39:18 00:00:01 domain/u 1508 53 172.016.112.020 192.168.001.010 0 -
3636 06/19/1998 09:39:18 00:00:01 ident 1362 113 195.073.151.050 172.016.112.194 0 -
5513 06/19/1998 10:29:00 00:00:01 smtp 20150 25 195.073.151.050 172.016.113.084 0 -
5514 06/19/1998 10:29:00 00:00:01 smtp 20512 25 195.073.151.050 172.016.113.105 0 -
5618 06/19/1998 10:31:22 00:00:01 domain/u 1095 53 192.168.001.010 172.016.112.020 0 -

5619 06/19/1998 10:31:22 00:00:01 ftp-data 20 15183 197.218.177.069 172.016.112.207 0 -
5620 06/19/1998 10:31:22 00:00:01 domain/u 1106 53 192.168.001.010 172.016.112.020 0 -
6820 06/19/1998 11:03:42 00:00:01 smtp 23122 25 194.027.251.021 172.016.114.168 0 -
6821 06/19/1998 11:03:42 00:00:01 domain/u 1402 53 192.168.001.010 172.016.112.020 0 -
7334 06/19/1998 11:22:57 00:00:12 smtp 21937 25 172.016.112.149 195.115.218.108 0 -
7335 06/19/1998 11:22:57 00:00:01 domain/u 1873 53 192.168.001.010 172.016.112.020 0 -
16493 06/19/1998 15:35:34 00:00:01 http 19974 80 196.037.075.158 172.016.114.050 0 -
16494 06/19/1998 15:35:34 00:00:01 ftp-data 20 19975 172.016.114.148 135.008.060.182 0 -
16884 06/19/1998 15:49:05 00:03:00 telnet 21004 23 172.016.112.207 194.027.251.021 0 -
16885 06/19/1998 15:49:05 00:00:01 domain/u 53 53 192.168.001.010 192.168.001.020 0 -
17474 06/19/1998 16:04:58 00:00:04 smtp 23705 25 172.016.113.084 135.008.060.182 0 -
17475 06/19/1998 16:04:58 00:00:01 http 23706 80 172.016.117.132 131.084.001.031 0 -

Known attacks

220 06/19/1998 08:16:42 00:00:01 imap 1029 143 202.049.244.010 172.016.114.050 1 imap
223 06/19/1998 08:16:45 00:00:01 imap 1029 143 202.049.244.010 172.016.114.050 1 imap
224 06/19/1998 08:16:51 00:07:01 imap 1029 143 202.049.244.010 172.016.114.050 1 imap
1190 06/19/1998 08:49:21 00:00:43 imap 1107 143 202.077.162.213 172.016.114.050 1 imap
13970 06/19/1998 14:20:11 00:00:01 eco/i - - 208.240.124.083 172.016.112.234 1 nmap
13971 06/19/1998 14:20:11 00:00:01 eco/i - - 208.240.124.083 172.016.112.235 1 nmap
13972 06/19/1998 14:20:11 00:00:01 eco/i - - 208.240.124.083 172.016.112.236 1 nmap
13973 06/19/1998 14:20:11 00:00:01 eco/i - - 208.240.124.083 172.016.112.237 1 nmap
13974 06/19/1998 14:20:11 00:00:01 eco/i - - 208.240.124.083 172.016.112.238 1 nmap
20316 06/19/1998 19:01:32 00:00:01 ftp-data 20 2605 172.016.112.050 206.186.080.111 1 warezmaster
20317 06/19/1998 19:01:32 00:00:01 ftp-data 20 2606 172.016.112.050 206.186.080.111 1 warezmaster
20322 06/19/1998 19:02:03 00:00:11 ftp-data 20 2611 172.016.112.050 206.186.080.111 1 warezmaster
20323 06/19/1998 19:02:13 00:00:12 ftp-data 20 2612 172.016.112.050 206.186.080.111 1 warezmaster
20324 06/19/1998 19:02:24 00:00:11 ftp-data 20 2613 172.016.112.050 206.186.080.111 1 warezmaster
20325 06/19/1998 19:02:34 00:00:11 ftp-data 20 2615 172.016.112.050 206.186.080.111 1 warezmaster
20328 06/19/1998 19:02:44 00:00:11 ftp-data 20 2616 172.016.112.050 206.186.080.111 1 warezmaster
20329 06/19/1998 19:02:54 00:00:12 ftp-data 20 2619 172.016.112.050 206.186.080.111 1 warezmaster
20728 06/19/1998 22:56:41 00:00:01 finger 79 79 172.016.113.050 172.016.113.050 1 land
20729 06/19/1998 22:56:42 00:00:01 finger 79 79 172.016.112.050 172.016.112.050 1 land
20730 06/19/1998 22:56:44 00:00:01 finger 79 79 172.016.114.050 172.016.114.050 1 land
20731 06/19/1998 22:56:45 00:00:01 finger 79 79 172.016.115.234 172.016.115.234 1 land
20732 06/19/1998 22:56:47 00:00:01 finger 79 79 172.016.115.005 172.016.115.005 1 land
20733 06/19/1998 22:56:48 00:00:01 finger 79 79 172.016.115.087 172.016.115.087 1 land
20734 06/19/1998 22:56:50 00:00:01 finger 79 79 172.016.116.194 172.016.116.194 1 land
20735 06/19/1998 22:56:51 00:00:01 finger 79 79 172.016.116.201 172.016.116.201 1 land

Unknown attacks

15868 06/17/1998 11:56:07 00:00:01 ecr/i 7 7 209.030.070.008 172.016.112.050 1 smurf


15869 06/17/1998 11:56:07 00:00:01 ecr/i 7 7 205.231.028.048 172.016.112.050 1 smurf
15870 06/17/1998 11:56:07 00:00:01 ecr/i 7 7 209.030.070.133 172.016.112.050 1 smurf
81881 06/17/1998 12:31:12 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.111 1 ipsweep
81882 06/17/1998 12:31:12 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.154 1 ipsweep
81883 06/17/1998 12:31:12 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.108 1 ipsweep
81884 06/17/1998 12:31:15 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.127 1 ipsweep
81885 06/17/1998 12:31:15 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.128 1 ipsweep
81886 06/17/1998 12:31:15 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.155 1 ipsweep
81887 06/17/1998 12:31:15 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.154 1 ipsweep
81888 06/17/1998 12:31:15 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.153 1 ipsweep
81889 06/17/1998 12:31:15 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.152 1 ipsweep
81890 06/17/1998 12:31:15 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.104 1 ipsweep
81891 06/17/1998 12:31:15 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.105 1 ipsweep
81892 06/17/1998 12:31:15 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.106 1 ipsweep
81893 06/17/1998 12:31:15 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.107 1 ipsweep
81894 06/17/1998 12:31:15 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.108 1 ipsweep
81895 06/17/1998 12:31:15 00:00:01 eco/i 7 7 202.077.162.213 172.016.010.109 1 ipsweep
92549 06/17/1998 16:18:48 00:00:01 http 27946 80 202.077.162.213 172.016.114.050 1 back
92550 06/17/1998 16:18:50 00:00:01 http 28008 80 202.077.162.213 172.016.114.050 1 back
92551 06/17/1998 16:18:51 00:00:01 http 28009 80 202.077.162.213 172.016.114.050 1 back
92552 06/17/1998 16:18:52 00:00:01 http 28010 80 202.077.162.213 172.016.114.050 1 back
9534 06/18/1998 15:10:26 00:00:01 tcpmux 55384 1 010.020.030.040 172.016.112.050 1 neptune
9535 06/18/1998 15:10:26 00:00:01 tcpmux 55640 1 010.020.030.040 172.016.112.050 1 neptune
9536 06/18/1998 15:10:26 00:00:01 tcpmux 55896 1 010.020.030.040 172.016.112.050 1 neptune
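Each record in the listings above follows the same whitespace-separated list-file layout: session ID, date, start time, duration, service, source port, destination port, source IP, destination IP, an attack flag (0 = normal, 1 = attack), and the attack name (`-` for normal traffic; ports are `-` for ICMP services such as eco/i and ecr/i). A minimal parsing sketch for this layout (the field names are illustrative labels of my own, not part of the data set):

```python
# Minimal parser for the whitespace-separated DARPA 1998 list-file
# records reproduced in these appendices. Field names are illustrative.
from dataclasses import dataclass

@dataclass
class Record:
    session_id: int   # connection ID within the day's list file
    date: str         # MM/DD/YYYY
    start: str        # HH:MM:SS
    duration: str     # HH:MM:SS
    service: str      # e.g. http, smtp, eco/i (ICMP echo request)
    src_port: str     # '-' for ICMP records
    dst_port: str     # '-' for ICMP records
    src_ip: str
    dst_ip: str
    is_attack: bool   # tenth column: 0 = normal, 1 = attack
    attack: str       # attack name, '-' for normal traffic

def parse_record(line: str) -> Record:
    """Split one list-file record into its eleven fields."""
    f = line.split()
    return Record(int(f[0]), f[1], f[2], f[3], f[4], f[5], f[6],
                  f[7], f[8], f[9] == "1", f[10])

rec = parse_record("15868 06/17/1998 11:56:07 00:00:01 ecr/i 7 7 "
                   "209.030.070.008 172.016.112.050 1 smurf")
print(rec.service, rec.is_attack, rec.attack)  # ecr/i True smurf
```

Records labelled with flag 0 can then be separated from attack records when building the training and testing sets.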

Appendix 3: Attacks used in this research

Attack Name Description

back Denial of service attack against the Apache web
server where a client requests a URL containing
many backslashes.
ffb Buffer overflow using the ffbconfig UNIX command
leads to root shell.
imap Remote buffer overflow using the imap port leads to
root shell.
ipsweep Surveillance sweep performing either a port sweep
or ping on multiple host addresses.
land Denial of service where a remote host is sent a UDP
packet with the same source and destination.
neptune SYN flood denial of service on one or more ports.
nmap Network mapping using the nmap tool.
phf Exploitable CGI script which allows a client to
execute arbitrary commands on a machine with a
misconfigured web server.
portsweep Surveillance sweep through many ports to determine
which services are supported on a single host.
satan Network probing tool which looks for well-known
weaknesses.
smurf Denial of service ICMP echo reply flood.
warezmaster Anonymous upload of warez (usually illegal copies
of copyrighted software) onto an FTP server.

References

[1] B. A. Forouzan, “TCP/IP Protocol Suite”, 1st Edition, McGraw-Hill Companies, 2000

[2] E. G. Britton, J. Tavs and R. Bournas, “TCP/IP: The Next Generation”, IBM Systems Journal, Vol. 34, No. 3, pp. 452-472, 1995

[3] C. J. P. Moschovitis, H. Poole, T. Schuyler and T. M. Senft, “History of the Internet: A Chronology, 1843 to the Present”, Santa Barbara, CA: ABC-CLIO, 1999

[4] B. Carlson, A. Burgess and C. Miller, “Timeline of Computing History”, http://www.computer.org/computer/timeline/timeline.pdf, accessed 16 June 2003

[5] CERT Coordination Center, “CERT/CC Statistics for 1988-2002”, http://www.cert.org/stats/, accessed 16 June 2003

[6] W. Stallings, “Cryptography and Network Security: Principles and Practices”, 3rd Edition, Prentice Hall, 2003

[7] R. Power, “2002 CSI/FBI Computer Crime and Security Survey”, Vol. VIII, No. 1, Spring 2002

[8] K. E. Strassberg, R. J. Gondek and G. Rollie, “Firewalls: The Complete Reference”, McGraw-Hill/Osborne, 2002

[9] Google, http://www.google.com, accessed 16 June 2003

[10] T. Titsworth, “Silver Bullets and Cybersecurity”, IEEE Multimedia, Vol. 10, No. 1, pp. 64-65, January/March 2003

[11] G. Goth, “Securing the Internet Against Attack”, IEEE Internet Computing, Vol. 7, No. 1, pp. 8-10, January/February 2003

[12] Deloitte Touche Tohmatsu, AusCERT & NSW Police, “2002 Computer Crime and Security Survey”, 2002

[13] R. Durst, T. Champion, B. Witten, E. Miller and L. Spagnuolo, “Testing and Evaluating Computer Intrusion Detection Systems”, Communications of the ACM, Vol. 42, No. 7, pp. 53-61, July 1999

[14] L. D. Paulson, “Stopping Intruders Outside the Gates”, IEEE Computer, Vol. 35, No. 11, pp. 20-22, November 2002

[15] L. D. Paulson, “Wanted: More Network-Security Graduates and Research”, IEEE Computer, Vol. 35, No. 2, pp. 22-24, February 2002

[16] B. Hancock, “Internet Firewalls”, Computer Fraud & Security, Vol. 1998, No. 12, pp. 11-12, December 1998

[17] T. Draelos, D. Duggan, M. Collins and D. Wunsch, “Adaptive Critic Designs for Host-Based Intrusion Detection”, Proc. of the 2002 International Joint Conference on Neural Networks, Vol. 2, pp. 1720-1725, May 2002

[18] C. Herringshaw, “Detecting Attacks on Networks”, IEEE Computer, Vol. 30, No. 12, pp. 16-17, 1997

[19] D. Joo, T. Hong and I. Han, “The Neural Network Models for IDS Based on the Asymmetric Costs of False Negative Errors and False Positive Errors”, Expert Systems with Applications, Vol. 25, pp. 69-75, 2003

[20] G. Giacinto, F. Roli and L. Didaci, “Fusion of Multiple Classifiers for Intrusion Detection in Computer Networks”, Pattern Recognition Letters, Vol. 24, pp. 1795-1803, 2003

[21] J. Ryan, M. J. Lin and R. Miikkulainen, “Intrusion Detection with Neural Networks”, Advances in Neural Information Processing Systems, Vol. 10, pp. 943-949, Cambridge, MA: MIT Press, 1998

[22] Snort, http://www.snort.org, accessed 16 June 2003

[23] E. Biermann, E. Cloete and L. M. Venter, “A Comparison of Intrusion Detection Systems”, Computers & Security, Vol. 20, pp. 676-683, 2001

[24] R. Barruffi, M. Milano and R. Montanari, “Planning for Security Management”, IEEE Intelligent Systems, Vol. 16, No. 1, pp. 74-80, January/February 2001

[25] J. McHugh, “Intrusion and Intrusion Detection”, International Journal of Information Security, Vol. 1, No. 1, pp. 14-35, 2001

[26] R. A. Kemmerer and G. Vigna, “Intrusion Detection: A Brief Introduction and History”, Security & Privacy – Supplement – IEEE Computer Magazine, pp. 27-30, 2002

[27] J. P. Anderson, “Computer Security Threat Monitoring and Surveillance”, Technical Report, James P. Anderson Co., Fort Washington, PA, 1980

[28] D. E. Denning, “An Intrusion-Detection Model”, IEEE Trans. Software Eng., Vol. 13, No. 2, pp. 222-232, February 1987

[29] C. A. Carver, J. M. D. Hill and U. W. Pooch, “Limiting Uncertainty in Intrusion Response”, 2001 IEEE Man Systems and Cybernetics Information Assurance Workshop, pp. 142-147, New York, June 2001

[30] R. A. Maxion and K. M. C. Tan, “Anomaly Detection in Embedded Systems”, IEEE Trans. on Computers, Vol. 51, No. 2, pp. 108-120, February 2002

[31] J. McHugh, A. Christie and J. Allen, “Defending Yourself: The Role of Intrusion Detection Systems”, IEEE Software, Vol. 17, No. 5, pp. 42-51, September/October 2000

[32] S. C. Lee and D. V. Heinbuch, “Training a Neural-Network Based Intrusion Detector to Recognize Novel Attacks”, IEEE Transactions on Systems, Man, and Cybernetics – Part A: Systems and Humans, Vol. 31, No. 4, pp. 294-299, July 2001

[33] R. A. Maxion and K. M. C. Tan, “Benchmarking Anomaly-Based Detection Systems”, Proc. International Conference on Dependable Systems and Networks, IEEE Computer Society Press, pp. 623-630, 25-28 June 2000

[34] S. B. Cho, “Incorporating Soft Computing Techniques Into a Probabilistic Intrusion Detection System”, IEEE Transactions on Systems, Man, and Cybernetics – Part C: Applications and Reviews, Vol. 32, No. 2, pp. 154-160, May 2002

[35] P. Lichodzijewski, A. N. Zincir-Heywood and M. I. Heywood, “Host-Based Intrusion Detection Using Self-Organizing Maps”, Proc. of the 2002 International Joint Conference on Neural Networks, May 2002

[36] J. Frank, “Artificial Intelligence and Intrusion Detection: Current and Future Directions”, 17th National Computer Security Conference, pp. 22-33, Washington, 1994

[37] A. K. Ghosh and A. Schwartzbard, “A Study in Using Neural Networks for Anomaly and Misuse Detection”, Proc. 8th USENIX Security Symposium, Washington, USA, 23-26 August 1999

[38] D. Dasgupta and F. González, “An Immunity-Based Technique to Characterize Intrusions in Computer Networks”, IEEE Trans. on Evolutionary Computation, Vol. 6, No. 3, pp. 1081-1088, June 2002

[39] J. Cannady, “Next Generation Intrusion Detection: Autonomous Reinforcement Learning of Network Attacks”, Proc. 23rd National Information Systems Security Conference, pp. 1-12, Baltimore, 16-19 October 2000

[40] B. Balajinath and S. V. Raghavan, “Intrusion Detection Through Learning Behavior Model”, Computer Communications, Vol. 24, No. 12, pp. 1202-1212, July 2001

[41] T. Verwoerd and R. Hunt, “Intrusion Detection Techniques and Approaches”, Computer Communications, Vol. 25, No. 15, pp. 1356-1365, September 2002

[42] R. P. Lippmann, “An Introduction to Computing with Neural Nets”, IEEE ASSP Magazine, Vol. 4, No. 2, pp. 4-22, April 1987

[43] H. Debar, M. Becker and D. Siboni, “A Neural Network Component for an Intrusion Detection System”, Proc. 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 240-250, Oakland, May 1992

[44] R. P. Lippmann and R. K. Cunningham, “Improving Intrusion Detection Performance Using Keyword Selection and Neural Networks”, Computer Networks, Vol. 34, No. 4, pp. 597-603, October 2000

[45] DARPA Intrusion Detection Evaluation, Lincoln Laboratory, Massachusetts Institute of Technology, http://www.ll.mit.edu/IST/ideval/index.html, accessed 16 June 2003

[46] S. Mukkamala, G. Janoski and A. Sung, “Intrusion Detection Using Neural Networks and Support Vector Machines”, Proc. of the 2002 International Joint Conference on Neural Networks, Vol. 2, pp. 1702-1707, May 2002

[47] C. Manikopoulos and S. Papavassiliou, “Network Intrusion and Fault Detection: A Statistical Anomaly Approach”, IEEE Communications Magazine, Vol. 40, No. 10, pp. 76-82, October 2002

[48] A. Householder, K. Houle and C. Dougherty, “Computer Attack Trends Challenge Internet Security”, Security & Privacy – Supplement – IEEE Computer Magazine, pp. 5-7, April 2002

[49] D. B. Chapman, S. Cooper and E. D. Zwicky, “Building Internet Firewalls”, 2nd Edition, O’Reilly & Associates, 2000

[50] S. Northcutt and J. Novak, “Network Intrusion Detection – An Analyst’s Handbook”, 2nd Edition, New Riders Publishing, 2001

[51] R. Comerford, “No Longer in Denial”, IEEE Spectrum, Vol. 38, No. 1, pp. 59-61, January 2001

[52] L. Garber, “Denial-of-Service Attacks Rip the Internet”, IEEE Computer, Vol. 33, No. 4, pp. 12-17, April 2000

[53] S. Mohiuddin, S. Hershkop, R. Bhan and S. Stolfo, “Defending Against a Large Scale Denial-of-Service Attack”, Proc. 2002 IEEE Workshop on Information Assurance and Security, New York, 17-19 June 2002

[54] Y. Lapid, N. Ahituv and A. Neumann, “Approaches to Handling ‘Trojan Horse’ Threats”, Computers and Security, Vol. 5, No. 3, pp. 251-256, September 1986

[55] F. Cohen, “Current Best Practice Against Computer Viruses”, 25th IEEE International Carnahan Conference on Security Technology, 1-3 October 1991

[56] J. Edwards, “Next-Generation Viruses Present New Challenges”, IEEE Computer, Vol. 34, No. 5, pp. 16-18, May 2001

[57] K. Schreiner, “New Viruses Up the Stakes on Old Tricks”, IEEE Internet Computing, Vol. 6, No. 4, pp. 9-10, July/August 2002

[58] The Honeynet Project, http://www.honeynet.org, accessed 16 June 2003

[59] L. Spitzner, “The Honeynet Project: Trapping the Hackers”, Security & Privacy – IEEE Computer Magazine, Vol. 1, pp. 15-23, March/April 2003

[60] R. F. Erbacher, K. L. Walker and D. A. Frincke, “Intrusion and Misuse Detection in Large-Scale Systems”, IEEE Computer Graphics and Applications, Vol. 22, No. 1, pp. 38-48, January/February 2002