2.1   Advantages of Neural Network-based Misuse Detection Systems

The first advantage in the utilization of a neural network in the detection of instances of misuse would be the flexibility that the network would provide. A neural network would be capable of analyzing the data from the network, even if the data is incomplete or distorted. Similarly, the network would possess the ability to conduct an analysis with data in a non-linear fashion. Both of these characteristics are important in a networked environment where the information which is received is subject to the random failings of the system. Further, because some attacks may be conducted against the network in a coordinated assault by multiple attackers, the ability to process data from a number of sources in a non-linear fashion is especially important.

The inherent speed of neural networks is another benefit of this approach. Because the protection of computing resources requires the timely identification of attacks, the processing speed of the neural network could enable intrusion responses to be conducted before irreparable damage occurs to the system.

Because the output of a neural network is expressed in the form of a probability, the neural network provides a predictive capability to the detection of instances of misuse. A neural network-based misuse detection system would identify the probability that a particular event, or series of events, was indicative of an attack against the system. As the neural network gains experience it will improve its ability to determine where these events are likely to occur in the attack process. This information could then be used to generate a series of events that should occur if this is in fact an intrusion attempt. By tracking the subsequent occurrence of these events the system would be capable of improving the analysis of the events and possibly conducting defensive measures before the attack is successful.

However, the most important advantage of neural networks in misuse detection is the ability of the neural network to "learn" the characteristics of misuse attacks and identify instances that are unlike any which have been observed before by the network. A neural network might be trained to recognize known suspicious events with a high degree of accuracy. While this would be a very valuable ability, since attackers often emulate the "successes" of others, the network would also gain the ability to apply this knowledge to identify instances of attacks which did not match the exact characteristics of previous intrusions. The probability of an attack against the system may be estimated and a potential threat flagged whenever the probability exceeds a specified threshold.

2.2   Disadvantages of Neural Network-based Misuse Detection Systems

There appear to be two primary reasons why neural networks have not been applied to the problem of misuse detection in the past. The first reason relates to the training requirements of the neural network. Because the ability of the artificial neural network to identify indications of an intrusion is completely dependent on the accurate training of the system, the training data and the training methods that are used are critical. The training routine requires a very large amount of data to ensure that the results are statistically accurate. The training of a neural network for misuse detection purposes may require thousands of individual attack sequences, and this quantity of sensitive information is difficult to obtain.
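
The probability output and threshold flagging described in Section 2.1, as an added example that is not code from the paper: a one-hidden-layer network is trained on eight constructed event vectors and then scores a distorted variant of a known attack and an event with a missing field. The feature set, the 0.5 threshold and the mean-fill for missing fields are assumptions made for the illustration; as Section 2.2 notes, a real system would need far more training data.

```python
import math, random

# Constructed events (not real audit data). Assumed features, each scaled to 0..1:
# [failed-login rate, distinct-port rate, privileged command seen, off-hours]
BENIGN = [[0.0, 0.1, 0, 0], [0.1, 0.0, 0, 1], [0.0, 0.2, 1, 0], [0.2, 0.1, 0, 0]]
ATTACK = [[0.9, 0.1, 1, 1], [0.8, 0.0, 0, 1], [0.1, 0.9, 0, 0], [0.2, 0.8, 1, 1]]
THRESHOLD = 0.5  # assumed value; the paper only says "a specified threshold"

def forward(net, x):
    """Return (hidden activations, attack probability) for one event vector."""
    w1, b1, w2, b2 = net
    h = [math.tanh(sum(w * v for w, v in zip(row, x)) + b) for row, b in zip(w1, b1)]
    z = sum(w * a for w, a in zip(w2, h)) + b2
    return h, 1.0 / (1.0 + math.exp(-z))

def train(hidden=3, epochs=3000, lr=0.2, seed=1):
    """Fit a one-hidden-layer network by per-sample gradient descent on log loss."""
    rng = random.Random(seed)
    n = len(BENIGN[0])
    w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n)] for _ in range(hidden)]
    b1 = [0.0] * hidden
    w2 = [rng.uniform(-0.5, 0.5) for _ in range(hidden)]
    b2 = 0.0
    data = [(x, 0.0) for x in BENIGN] + [(x, 1.0) for x in ATTACK]
    for _ in range(epochs):
        rng.shuffle(data)
        for x, y in data:
            h, p = forward((w1, b1, w2, b2), x)
            d_out = p - y  # gradient of log loss w.r.t. the output pre-activation
            for j in range(hidden):
                d_hid = d_out * w2[j] * (1 - h[j] ** 2)  # uses w2 before its update
                w2[j] -= lr * d_out * h[j]
                b1[j] -= lr * d_hid
                for i in range(n):
                    w1[j][i] -= lr * d_hid * x[i]
            b2 -= lr * d_out
    return w1, b1, w2, b2

def score(net, event):
    """Probability of misuse; missing fields (None) are filled with the training mean."""
    rows = BENIGN + ATTACK
    means = [sum(r[i] for r in rows) / len(rows) for i in range(len(event))]
    x = [m if v is None else v for v, m in zip(event, means)]
    return forward(net, x)[1]

def is_flagged(net, event):
    """Flag the event when its estimated attack probability exceeds THRESHOLD."""
    return score(net, event) > THRESHOLD
```

Calling `is_flagged(train(), [0.9, None, 1, 1])` scores an event whose port-rate field was never recorded; raising `THRESHOLD` trades missed attacks against false alarms.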