However, the most significant disadvantage of applying neural networks to intrusion detection is
the "black box" nature of the neural network. Unlike expert systems, which have hard-coded rules
for the analysis of events, neural networks adapt their analysis of data in response to the training
that is conducted on the network. The connection weights and transfer functions of the various
network nodes are usually frozen after the network has achieved an acceptable level of success in
the identification of events. Even when the network's analysis achieves a sufficient probability of
success, the basis for this level of accuracy is often not known: the weights do not state which
features of an event led to its classification, so an analyst cannot audit the decision the way a rule
can be read. The "Black Box Problem" has plagued neural networks in a number of applications [11].
This is an ongoing area of neural network research.
2.3 Potential Implementations
There are two general implementations of neural networks in misuse detection systems. The
first involves incorporating them into existing or modified expert systems. Unlike previous
attempts to use neural networks in anomaly detection, which used them as replacements for existing
statistical analysis components, this proposal uses the neural network to filter the incoming data
for suspicious events that may be indicative of misuse and to forward those events to the expert
system. This configuration should improve the effectiveness of the detection system by reducing
the false alarm rate of the expert system. Because the neural network determines a probability
that a particular event is indicative of an attack, a threshold can be established above which the
event is forwarded to the expert system for additional analysis; the choice of threshold sets the
trade-off between attacks that are never forwarded (those scored below it) and the volume of
events the expert system must process. Since the expert system then receives data only on events
that are viewed as suspicious, the sensitivity of the expert system can be increased (typically, the
sensitivity of an expert system must be kept low to reduce the incidence of false alarms). This
configuration would be beneficial to organizations that have invested in rule-based expert system
technology, improving the effectiveness of the system while preserving the investment that has
been made in existing intrusion detection systems. The disadvantage of this approach is that as the
neural network improves its ability to identify new attacks, the expert system must also be updated
to recognize them as threats. If the expert system were not updated, the new attacks identified by
the neural network would increasingly be ignored, because the expert system's rule-base would not
be capable of recognizing the new threat: an event forwarded by the network that matches no rule is
simply discarded.
The second approach would involve the neural network as a standalone misuse detection system.
In this configuration, the neural network receives data from the network stream and analyzes the
information for instances of misuse. Any instances identified as indicative of attack would be
forwarded to a security administrator or used by an automated intrusion response system. This
approach offers the benefit of speed over the previous approach, since there is only a single layer
of analysis. In addition, this configuration should improve in effectiveness over time as the
network learns the characteristics of attacks (which requires periodic retraining, since the
weights are otherwise frozen once training is complete). Unlike the first approach, this concept
would not be limited by the analytical ability of the expert system, and as a result it would be
able to expand beyond the limits of the expert system's rule-base. The cost is that an alert from
the standalone network carries no rule or signature explaining it, so the administrator or response
system acts on the network's probability alone, which is the black box problem noted above.
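As an added example (not code from the original paper), the following Python sketch implements both configurations described above. A single logistic neuron stands in for the neural network; its weights are frozen after training, and its score either gates a small hand-written rule-base (the first approach) or raises the alert by itself (the second). The training records, the events, the three features (failed logins, distinct destination ports, bytes sent out), the rule thresholds and the 0.5 forwarding threshold are all constructed for the illustration and are assumptions of this example. It shows the rule-base running at a more sensitive setting behind the filter without a false alarm on a benign event, and an attack that the network flags but no rule describes being dropped by the rule-base, the caveat the text raises.

```python
"""Neural-network pre-filter in front of a rule-based expert system (added example)."""
import math

# Constructed training records (not from the paper): failed logins, distinct
# destination ports touched, bytes sent out; label 1 = known misuse, 0 = normal.
TRAINING_DATA = [
    ({"failed_logins": 0, "distinct_ports": 1, "bytes_out": 2_000}, 0),
    ({"failed_logins": 1, "distinct_ports": 2, "bytes_out": 15_000}, 0),
    ({"failed_logins": 2, "distinct_ports": 1, "bytes_out": 9_000}, 0),
    ({"failed_logins": 0, "distinct_ports": 3, "bytes_out": 20_000}, 0),
    ({"failed_logins": 1, "distinct_ports": 1, "bytes_out": 500}, 0),
    ({"failed_logins": 0, "distinct_ports": 2, "bytes_out": 12_000}, 0),
    ({"failed_logins": 9, "distinct_ports": 1, "bytes_out": 3_000}, 1),    # brute force
    ({"failed_logins": 10, "distinct_ports": 1, "bytes_out": 1_000}, 1),   # brute force
    ({"failed_logins": 0, "distinct_ports": 45, "bytes_out": 500}, 1),     # port scan
    ({"failed_logins": 0, "distinct_ports": 50, "bytes_out": 800}, 1),     # port scan
    ({"failed_logins": 0, "distinct_ports": 1, "bytes_out": 500_000}, 1),  # bulk exfiltration
    ({"failed_logins": 0, "distinct_ports": 1, "bytes_out": 300_000}, 1),  # bulk exfiltration
]

# Constructed events to analyse; the ids are labels for the demo only.
EVENTS = [
    {"id": "typo-login", "failed_logins": 2, "distinct_ports": 1, "bytes_out": 4_000},
    {"id": "backup-sync", "failed_logins": 0, "distinct_ports": 1, "bytes_out": 18_000},
    {"id": "ssh-guess", "failed_logins": 10, "distinct_ports": 1, "bytes_out": 3_000},
    {"id": "sweep", "failed_logins": 0, "distinct_ports": 48, "bytes_out": 600},
    {"id": "dump", "failed_logins": 0, "distinct_ports": 1, "bytes_out": 450_000},
]


def features(rec):
    """Scale each field into [0, 1] so that no single field dominates the dot product."""
    return (min(rec["failed_logins"] / 10.0, 1.0),
            min(rec["distinct_ports"] / 50.0, 1.0),
            min(rec["bytes_out"] / 100_000.0, 1.0))


class LogisticNeuron:
    """Smallest possible 'network': one neuron with a sigmoid transfer function."""

    def __init__(self, n_inputs):
        self.w = [0.0] * n_inputs
        self.b = 0.0
        self.frozen = False

    def score(self, x):
        """Probability that the event is misuse."""
        z = sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
        return 1.0 / (1.0 + math.exp(-z))

    def train(self, data, lr=1.0, epochs=2000):
        """Batch gradient descent on log loss; returns the final training accuracy."""
        if self.frozen:
            raise RuntimeError("weights are frozen; retrain a fresh neuron instead")
        xs = [features(r) for r, _ in data]
        ys = [y for _, y in data]
        n = len(data)
        for _ in range(epochs):
            errs = [self.score(x) - y for x, y in zip(xs, ys)]
            for j in range(len(self.w)):
                self.w[j] -= lr * sum(e * x[j] for e, x in zip(errs, xs)) / n
            self.b -= lr * sum(errs) / n
        self.frozen = True  # weights stay fixed from here on, as the text describes
        correct = sum((self.score(x) >= 0.5) == bool(y) for x, y in zip(xs, ys))
        return correct / n


def expert_system(rec, sensitive=False):
    """Rule-base of a signature IDS. 'sensitive' lowers the brute-force trigger, which is
    only tolerable when a filter has already removed most normal traffic. No rule knows
    about bulk exfiltration, so the network can flag what the rule-base cannot name."""
    rules = {
        "brute_force": rec["failed_logins"] >= (2 if sensitive else 5),
        "port_scan": rec["distinct_ports"] >= 20,
    }
    return [name for name, hit in rules.items() if hit]


def unfiltered_detection(events, sensitive=True):
    """Rule-base alone at the sensitive setting: every rule hit is an alert."""
    out = []
    for ev in events:
        hits = expert_system(ev, sensitive)
        if hits:
            out.append((ev["id"], hits))
    return out


def filtered_detection(model, events, threshold=0.5, sensitive=True):
    """Approach 1: the neuron pre-screens, the rule-base decides. Returns (alerts, dropped);
    'dropped' holds events the network flagged but no rule recognised (the text's caveat)."""
    alerts, dropped = [], []
    for ev in events:
        if model.score(features(ev)) < threshold:
            continue  # below threshold: never reaches the expert system
        hits = expert_system(ev, sensitive)
        (alerts if hits else dropped).append((ev["id"], hits))
    return alerts, dropped


def standalone_detection(model, events, threshold=0.5):
    """Approach 2: the network alone raises the alert, with no rule to explain it."""
    return [ev["id"] for ev in events if model.score(features(ev)) >= threshold]


def run_demo():
    model = LogisticNeuron(3)
    acc = model.train(TRAINING_DATA)
    alerts, dropped = filtered_detection(model, EVENTS)
    return {"train_acc": acc,
            "unfiltered_sensitive": unfiltered_detection(EVENTS),
            "filtered": alerts, "dropped": dropped,
            "standalone": standalone_detection(model, EVENTS)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run stand-alone, the sensitive rule-base without the filter raises a false brute-force alarm on "typo-login"; behind the filter the same rule-base alerts only on "ssh-guess" and "sweep" and silently drops "dump", which the neuron scores as misuse but no rule matches. The standalone configuration alerts on all three attacks, but each alert is only a probability with no signature attached.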