2.1 Advantages of Neural Network-based Misuse Detection Systems
The first advantage in the utilization of a neural network in the detection of instances of misuse
would be the flexibility that the network would provide. A neural network would be capable of
analyzing the data from the network, even if the data is incomplete or distorted. Similarly, the
network would possess the ability to conduct an analysis with data in a non-linear fashion. Both
of these characteristics are important in a networked environment where the information which is
received is subject to the random failings of the system. Further, because some attacks may be
conducted against the network in a coordinated assault by multiple attackers, the ability to
process data from a number of sources in a non-linear fashion is especially important.
The inherent speed of neural networks is another benefit of this approach. Because the
protection of computing resources requires the timely identification of attacks, the processing
speed of the neural network could enable intrusion responses to be conducted before irreparable
damage occurs to the system.
Because the output of a neural network is expressed in the form of a probability, the neural
network provides a predictive capability to the detection of instances of misuse. A neural
network-based misuse detection system would identify the probability that a particular event, or
series of events, was indicative of an attack against the system. As the neural network gains
experience it will improve its ability to determine where these events are likely to occur in the
attack process. This information could then be used to generate a series of events that should
occur if this is in fact an intrusion attempt. By tracking the subsequent occurrence of these events
the system would be capable of improving the analysis of the events and possibly conducting
defensive measures before the attack is successful.
However, the most important advantage of neural networks in misuse detection is the ability of
the neural network to "learn" the characteristics of misuse attacks and identify instances that are
unlike any which have been observed before by the network. A neural network might be trained
to recognize known suspicious events with a high degree of accuracy. While this would be a very
valuable ability, since attackers often emulate the "successes" of others, the network would also
gain the ability to apply this knowledge to identify instances of attacks which did not match the
exact characteristics of previous intrusions. The probability of an attack against the system may
be estimated and a potential threat flagged whenever the probability exceeds a specified threshold.
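The threshold rule described above, as an added example that is not from the paper: a small feed-forward network is trained on constructed event vectors and then scores an event whose feature combination it never saw. The four feature names, the 0.5 threshold, the network size and the training settings are all assumptions made for illustration.

```python
import math
import random

# Constructed sample events; the four features (each scaled to 0..1) are assumed:
# [failed-login rate, ports probed, privilege-change attempts, off-hours activity]
TRAIN = [
    ([0.0, 0.1, 0.0, 0.1], 0), ([0.1, 0.0, 0.1, 0.0], 0),
    ([0.2, 0.1, 0.0, 0.0], 0), ([0.0, 0.0, 0.1, 0.2], 0),
    ([1.0, 0.9, 0.0, 0.1], 1), ([0.9, 0.0, 1.0, 0.0], 1), ([0.0, 1.0, 0.9, 0.1], 1),
    ([0.1, 0.0, 0.9, 1.0], 1), ([1.0, 0.1, 0.0, 0.9], 1), ([0.9, 1.0, 1.0, 0.9], 1),
]
THRESHOLD = 0.5  # assumed alert threshold on the estimated attack probability

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))  # clamp avoids overflow

class MisuseNet:  # one tanh hidden layer; sigmoid output read as P(attack)
    def __init__(self, n_in=4, n_hid=3, seed=1):
        rng = random.Random(seed)  # fixed seed so the run is repeatable
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hid)]
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hid + 1)]

    def forward(self, x):
        xb = list(x) + [1.0]  # append the bias input
        h = [math.tanh(sum(w * v for w, v in zip(row, xb))) for row in self.w1]
        return h, sigmoid(sum(w * v for w, v in zip(self.w2, h + [1.0])))

    def train(self, data, epochs=2000, lr=0.3):
        for _ in range(epochs):
            for x, y in data:
                h, p = self.forward(x)
                d_out = p - y  # cross-entropy gradient at the output unit
                for j, row in enumerate(self.w1):
                    d_hid = d_out * self.w2[j] * (1.0 - h[j] ** 2)  # backprop through tanh
                    for i, v in enumerate(list(x) + [1.0]):
                        row[i] -= lr * d_hid * v
                for j, v in enumerate(h + [1.0]):
                    self.w2[j] -= lr * d_out * v
        return self

NET = MisuseNet().train(TRAIN)

def score(event):  # estimated P(attack) for one event vector
    return NET.forward(event)[1]

def flag(event):  # True when the estimate exceeds the threshold
    return score(event) > THRESHOLD

VARIANT = [0.8, 0.9, 0.1, 0.8]     # constructed: feature mix absent from TRAIN
ROUTINE = [0.15, 0.05, 0.05, 0.0]  # constructed: ordinary activity
print("variant", round(score(VARIANT), 3), flag(VARIANT), "| routine", round(score(ROUTINE), 3), flag(ROUTINE))
```

Raising THRESHOLD trades missed variants for fewer false alerts; the right value depends on the training data, which is the dependency section 2.2 discusses.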
2.2 Disadvantages of Neural Network-based Misuse Detection Systems
There appear to be two primary reasons why neural networks have not been applied to the
problem of misuse detection in the past. The first reason relates to the training requirements of
the neural network. Because the ability of the artificial neural network to identify indications of an
intrusion is completely dependent on the accurate training of the system, the training data and the
training methods that are used are critical. The training routine requires a very large amount of
data to ensure that the results are statistically accurate. The training of a neural network for
misuse detection purposes may require thousands of individual attack sequences, and this
quantity of sensitive information is difficult to obtain.