
human experience into a computer application that then utilizes that knowledge to identify activities that match the defined characteristics of misuse and attack. Unfortunately, expert systems require frequent updates to remain current. While expert systems offer an enhanced ability to review audit data, the required updates may be ignored or performed infrequently by the administrator. At a minimum, this leads to an expert system with reduced capabilities. At worst, this lack of maintenance will degrade the security of the entire system by misleading the system's users into believing that the system is secure, even as one of its key components becomes increasingly ineffective over time.

Rule-based systems suffer from an inability to detect attack scenarios that unfold over an extended period of time. While the individual instances of suspicious activity may be detected by the system, they may not be reported if they appear to occur in isolation. Intrusion scenarios in which multiple attackers operate in concert are also difficult for these methods to detect, because they do not focus on the state transitions in an attack but instead concentrate on the occurrence of individual elements. Any division of an attack, either over time or among several seemingly unrelated attackers, is difficult for these methods to detect.

Rule-based systems also lack flexibility in the rule-to-audit-record representation. Slight variations in an attack sequence can affect the activity-rule comparison to such a degree that the intrusion is not detected by the intrusion detection mechanism. While increasing the level of abstraction of the rule base does provide a partial solution to this weakness, it also reduces the granularity of the intrusion detection device.

A number of non-expert-system-based approaches to intrusion detection have been developed in the past several years [4, 5, 6, 9, 15, 25, 26]. While many of these have shown substantial promise, expert systems remain the most commonly accepted approach to the detection of attacks.

1.2 Neural Networks

An artificial neural network consists of a collection of processing elements that are highly interconnected and transform a set of inputs to a set of desired outputs. The result of the transformation is determined by the characteristics of the elements and the weights associated with the interconnections among them. By modifying the connections between the nodes, the network is able to adapt to the desired outputs [9, 12].

Unlike expert systems, which can provide the user with a definitive answer if the characteristics under review exactly match those coded in the rule base, a neural network conducts an analysis of the information and provides a probability estimate that the data matches the characteristics it has been trained to recognize. While the probability of a match determined by a neural network can be 100%, the accuracy of its decisions relies entirely on the experience the system gains in analyzing examples of the stated problem.
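As an added illustration of the rule-based weaknesses described in section 1.1 (example code, not from the paper): a constructed audit trail contains the same three-step scenario once compactly from a single actor and once spread over hours across two actors. A signature rule that only matches the complete sequence from one actor inside a short window reports the first occurrence and misses the second, while a per-target state-transition tracker that accumulates the steps regardless of actor or elapsed time reports both. The record fields, event names and the 60-second window are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditRecord:
    ts: int        # seconds since the start of the audit trail
    actor: str     # account or source that generated the record
    target: str    # host the activity was directed at
    event: str     # normalized event name (assumed vocabulary)

# Constructed audit trail (not taken from the paper): the scenario
# appears compactly on db01, then split by time and actor on fs02.
TRAIL = [
    AuditRecord(0,     "alice", "db01", "probe"),
    AuditRecord(10,    "alice", "db01", "escalate"),
    AuditRecord(20,    "alice", "db01", "exfil"),
    AuditRecord(5000,  "bob",   "fs02", "probe"),
    AuditRecord(9000,  "carol", "fs02", "escalate"),
    AuditRecord(14000, "bob",   "fs02", "exfil"),
]

# The attack scenario the detector is meant to recognize, in order.
SCENARIO = ("probe", "escalate", "exfil")

def rule_based(trail, window=60):
    """Signature rule: fire only when one actor produces the complete
    scenario against one target within `window` seconds. Each record is
    otherwise judged in isolation, so divided attacks go unreported."""
    hits = set()
    for r in trail:
        seq = sorted((x for x in trail
                      if x.actor == r.actor and x.target == r.target
                      and r.ts <= x.ts <= r.ts + window),
                     key=lambda x: x.ts)
        if tuple(x.event for x in seq) == SCENARIO:
            hits.add(r.target)
    return hits

def state_transition(trail):
    """Per-target state machine: advance on the next expected step no
    matter which actor performed it or how much time has elapsed."""
    state, hits = {}, set()
    for r in sorted(trail, key=lambda x: x.ts):
        step = state.get(r.target, 0)
        if r.event == SCENARIO[step]:
            step += 1
            if step == len(SCENARIO):
                hits.add(r.target)
                step = 0
        state[r.target] = step
    return hits
```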