However, the most significant disadvantage of applying neural networks to intrusion detection is the "black box" nature of the neural network. Unlike expert systems which have hard-coded rules for the analysis of events, neural networks adapt their analysis of data in response to the training which is conducted on the network. The connection weights and transfer functions of the various network nodes are usually frozen after the network has achieved an acceptable level of success in the identification of events. While the network analysis is achieving a sufficient probability of success, the basis for this level of accuracy is not often known. The "Black Box Problem" has plagued neural networks in a number of applications [11]. This is an on-going area of neural network research.

2.3   Potential Implementations

There are two general implementations of neural networks in misuse detection systems. The first involves incorporating them into existing or modified expert systems. Unlike the previous attempts to use neural networks in anomaly detection by using them as replacements for existing statistical analysis components, this proposal involves using the neural network to filter the incoming data for suspicious events which may be indicative of misuse and forward these events to the expert system. This configuration should improve the effectiveness of the detection system by reducing the false alarm rate of the expert system.

Because the neural network will determine a probability that a particular event is indicative of an attack, a threshold can be established where the event is forwarded to the expert system for additional analysis. Since the expert system is only receiving data on events which are viewed as suspicious, the sensitivity of the expert system can be increased (typically, the sensitivity of expert systems must be kept low to reduce the incidence of false alarms).
This configuration would be beneficial to organizations that have invested in rule-based expert system technology by improving the effectiveness of the system while it preserves the investment that has been made in existing intrusion detection systems. The disadvantage of this approach would be that as the neural network improved its ability to identify new attacks the expert system would have to be updated to also recognize these as threats. If the expert system were not updated then the new attacks identified by the neural network would increasingly be ignored by the expert system because its rule-base would not be capable of recognizing the new threat.

The second approach would involve the neural network as a standalone misuse detection system. In this configuration, the neural network would receive data from the network stream and analyze the information for instances of misuse. Any instances which are identified as indicative of attack would be forwarded to a security administrator or used by an automated intrusion response system. This approach would offer the benefit of speed over the previous approach, since there would only be a single layer of analysis. In addition, this configuration should improve in effectiveness over time as the network learns the characteristics of attacks. Unlike the first approach, this concept would not be limited by the analytical ability of the expert system, and as a result, it would be able to expand beyond the limits of the expert system’s rule-base.
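
The two configurations described above, as an added example that is not from the paper: a Python sketch in which a single logistic unit with constructed weights stands in for the trained network, and the feature names, rule base and sample events are all assumptions. It shows the disadvantage noted for the first configuration: an event the network flags but no rule covers is dropped, while the standalone configuration alerts on it.

```python
import math

# Constructed weights standing in for a trained, frozen network (assumption).
WEIGHTS = {"failed_logins": 0.9, "distinct_ports": 0.15, "off_hours": 1.2}
BIAS = -4.0

def nn_score(event):
    """Probability that an event indicates misuse (single logistic unit)."""
    z = BIAS + sum(w * event.get(k, 0) for k, w in WEIGHTS.items())
    return 1.0 / (1.0 + math.exp(-z))

# Hypothetical expert-system rule base: rule name -> predicate over an event.
RULES = {
    "brute_force_login": lambda e: e.get("failed_logins", 0) >= 5,
}

def expert_system(event):
    """Return the names of the rules the event matches."""
    return [name for name, pred in RULES.items() if pred(event)]

def hybrid(events, threshold):
    """Configuration 1: the network filters, the expert system decides."""
    alerts, ignored = [], []
    for e in events:
        if nn_score(e) < threshold:
            continue  # below threshold: never reaches the expert system
        matched = expert_system(e)
        (alerts if matched else ignored).append(e["id"])
    return alerts, ignored

def standalone(events, threshold):
    """Configuration 2: the network's verdict is the alert."""
    return [e["id"] for e in events if nn_score(e) >= threshold]

# Constructed sample events.
EVENTS = [
    {"id": "e1", "failed_logins": 0, "distinct_ports": 1, "off_hours": 0},
    {"id": "e2", "failed_logins": 6, "distinct_ports": 1, "off_hours": 0},
    {"id": "e3", "failed_logins": 0, "distinct_ports": 30, "off_hours": 1},
]

if __name__ == "__main__":
    print("hybrid (alerts, ignored):", hybrid(EVENTS, 0.5))
    print("standalone alerts:", standalone(EVENTS, 0.5))
```

Logging the `ignored` list in the first configuration gives the administrator a queue of candidate rules to add to the expert system.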