human experience into a computer application that then utilizes that knowledge to identify
activities that match the defined characteristics of misuse and attack.
Unfortunately, expert systems require frequent updates to remain current. While expert systems
offer an enhanced ability to review audit data, the required updates may be ignored or performed
infrequently by the administrator. At a minimum, this leads to an expert system with reduced
capabilities. At worst, this lack of maintenance will degrade the security of the entire system by
causing the system's users to be misled into believing that the system is secure, even as one of the
key components becomes increasingly ineffective over time.
Rule-based systems suffer from an inability to detect attack scenarios that may occur over an
extended period of time. While the individual instances of suspicious activity may be detected by
the system, they may not be reported if they appear to occur in isolation. Intrusion scenarios in
which multiple attackers operate in concert are also difficult for these methods to detect because
they do not focus on the state transitions in an attack, but instead concentrate on the occurrence
of individual elements. Any division of an attack either over time or among several seemingly
unrelated attackers is difficult for these methods to detect.
Rule-based systems also lack flexibility in the rule-to-audit record representation. Slight
variations in an attack sequence can affect the activity-rule comparison to a degree that the
intrusion is not detected by the intrusion detection mechanism. While increasing the level of
abstraction of the rule-base does provide a partial solution to this weakness, it also reduces the
granularity of the intrusion detection device.
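The two weaknesses just described (a scenario split over time or across several sources, and brittleness to slight variations in the event sequence) can be made concrete with a small correlator. This is an added illustration, not code from the paper; the audit records, per-rule thresholds, window and scenario stages are all constructed for the example.

```python
from collections import defaultdict

# Constructed audit records: (timestamp_seconds, source, target, event).
# Three stages of one scenario against "srv1" are spread across two
# sources and roughly two hours, with a stray failure against "srv2".
AUDIT = [
    (0,    "10.0.0.5", "srv1", "port_scan"),
    (3600, "10.0.0.7", "srv1", "login_failure"),
    (3620, "10.0.0.7", "srv1", "login_failure"),
    (7200, "10.0.0.5", "srv1", "new_admin_account"),
    (7300, "10.0.0.9", "srv2", "login_failure"),
]

# Stateless rule base: every record is judged on its own, and an element is
# only reported when one source repeats it within WINDOW seconds (assumed
# thresholds). Anything that looks isolated is dropped as noise.
RULES = {"port_scan": 2, "login_failure": 3, "new_admin_account": 2}
WINDOW = 300

def stateless_alerts(records):
    seen = defaultdict(list)            # (source, event) -> recent timestamps
    alerts = []
    for t, src, _tgt, ev in records:
        if ev not in RULES:
            continue
        recent = [x for x in seen[(src, ev)] if t - x <= WINDOW] + [t]
        seen[(src, ev)] = recent
        if len(recent) >= RULES[ev]:
            alerts.append((t, src, ev))
    return alerts

# Stateful correlator: a scenario is an ordered list of stages, each stage a
# set of equivalent events (the "raised abstraction" the text mentions), and
# state is kept per target, so any source and any delay can advance it.
SCENARIO = (
    {"port_scan", "service_probe"},
    {"login_failure"},
    {"new_admin_account", "sudoers_change"},
)

def stateful_alerts(records, scenario=SCENARIO):
    stage = defaultdict(int)            # target -> index of next expected stage
    alerts = []
    for t, _src, tgt, ev in records:
        if ev in scenario[stage[tgt]]:
            stage[tgt] += 1
            if stage[tgt] == len(scenario):
                alerts.append((t, tgt, "scenario_complete"))
                stage[tgt] = 0          # reset and watch for a repeat
    return alerts
```

On the constructed records the stateless rules report nothing, because no single source repeats an element inside the window, while the per-target state machine reports the completed scenario against srv1 at t=7200.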
A number of non-expert-system-based approaches to intrusion detection have been developed in
the past several years [4, 5, 6, 9, 15, 25, 26]. While many of these have shown substantial
promise, expert systems remain the most commonly accepted approach to the detection of
attacks.
1.2 Neural Networks
An artificial neural network consists of a collection of processing elements that are highly
interconnected and transform a set of inputs to a set of desired outputs. The result of the
transformation is determined by the characteristics of the elements and the weights associated
with the interconnections among them. By modifying the connections between the nodes the
network is able to adapt to the desired outputs [9, 12].
Unlike expert systems, which can provide the user with a definitive answer if the characteristics
which are reviewed exactly match those which have been coded in the rule-base, a neural network
conducts an analysis of the information and provides a probability estimate that the data matches
the characteristics which it has been trained to recognize. While the probability of a match
determined by a neural network can be 100%, the accuracy of its decisions relies totally on the
experience the system gains in analyzing examples of the stated problem.