4. Further Work
The preliminary results from our experimental feed-forward neural network give a positive
indication of the potential offered by this approach, but a significant amount of research remains
before it can function as an effective intrusion detection system. A complete system will require
the ability to directly receive inputs from a network data stream. The most difficult component of
the analysis of network traffic by a neural network is the ability to effectively analyze the
information in the data portion of an IP datagram. The various commands that are included in the
data often provide the most critical element in the process of determining if an attack is occurring
against a network.
The most effective neural network architecture is also an issue that must be addressed. A feed-
forward neural network that used a backpropagation algorithm was chosen because of its
simplicity and reliability in a variety of applications. However, alternatives such as the self-
organizing feature map also possess advantages in misuse detection that may promote their use.
In addition, an effective neural network-based approach to misuse detection must be highly
adaptive. Most neural network architectures must be retrained if the system is to be capable of
improving its analysis in response to changes in the input patterns (e.g., new events are
recognized with a consistent probability of being an attack until the network is retrained to
improve the recognition of these events). Adaptive resonance theory ([2]) and self-organizing
maps ([16]) offer an increased level of adaptability for neural networks, and these approaches are
being investigated for possible use in an intrusion detection system.
Finally, regardless of the initial implementation of a neural network-based intrusion detection
system for misuse detection, it will be essential for the approach to be thoroughly tested in order
to gain acceptance as a viable alternative to expert systems. Work has been conducted on
taxonomies for testing intrusion detection systems ([3, 22]) that offer a standardized method of
validating new technologies. Because of the questions that are certain to arise from the
application of neural networks to intrusion detection, the use of these standardized methods is
especially important.