3. Initial Analysis of Approach
In an effort to determine the applicability of neural networks to the problem of misuse detection,
we conducted an analysis of the approach using simulated network traffic. The experiment was
designed to determine whether indications of attack could be identified in typical network traffic;
it was not intended to completely resolve the issue of applying neural networks to misuse
detection. The analysis did not address the potential benefit of identifying attacks that are not
known a priori, which may be possible through the use of neural networks. However, determining
whether a neural network was capable of identifying misuse incidents with a reasonable degree of
accuracy was considered to be the first step in applying the technology to this form of intrusion
detection.
3.1 Neural Network Description
The first prototype neural network was designed to determine whether a neural network was capable
of identifying specific events that are indications of misuse. Neural networks had been shown to be
capable of identifying TCP/IP network events in [27], but our prototype was designed to test the
ability of a neural network to identify indications of misuse. The prototype used an MLP
architecture consisting of four fully connected layers, with nine input nodes and two output
nodes. While there are a number of architectures that could be used to address this problem ([12]),
a feed-forward neural network architecture was selected based on the flexibility and applicability
of the approach in a variety of problems.
The number of hidden layers, and the number of nodes in each hidden layer, was determined by
trial and error. Each hidden node and each output node applied a sigmoid transfer function,
1/(1 + exp(-x)), to the weighted sum of its inputs. The neural network was designed to produce
output values of 0.0 and 1.0 in the two output nodes when the analysis indicated no attack, and
1.0 and 0.0 in the two output nodes in the event of an attack.
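As an added illustration of the architecture just described (this is example code written for this page, not code from the original paper), the following Python block builds a four-layer feed-forward MLP with nine inputs, two sigmoid hidden layers and two sigmoid outputs using the (1.0, 0.0) = attack / (0.0, 1.0) = no attack encoding, and trains it with plain backpropagation. The hidden-layer sizes (8 and 6), the learning rate, the decision rule (compare the two outputs) and the synthetic nine-feature event generator are all assumptions made for the example; the paper's real feature set and RealSecure data are not used.

```python
"""Added example: a feed-forward MLP of the shape Section 3.1 describes
(nine inputs, two sigmoid hidden layers, two sigmoid outputs encoding
attack / no-attack), trained by backpropagation on constructed, synthetic
event vectors. Hidden-layer sizes, learning rate and the data generator
are assumptions made here; they are not taken from the paper."""
import math
import random

ATTACK = (1.0, 0.0)      # target output vector for an attack event
NO_ATTACK = (0.0, 1.0)   # target output vector for a normal event

def sigmoid(x):
    # Transfer function applied at every hidden and output node: 1/(1 + exp(-x)).
    return 1.0 / (1.0 + math.exp(-x))

def decode(out):
    # Assumed decision rule: node 0 carries the "attack" indication, node 1 "no attack".
    return "attack" if out[0] > out[1] else "no attack"

class MLP:
    """Fully connected feed-forward network; sizes=[9, h1, h2, 2] gives four layers."""
    def __init__(self, sizes, seed=7):
        rng = random.Random(seed)
        # weights[l][j][i]: connection from node i of layer l to node j of layer l+1
        self.weights = [[[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_out)]
                        for n_in, n_out in zip(sizes[:-1], sizes[1:])]
        self.biases = [[rng.uniform(-0.5, 0.5) for _ in range(n_out)] for n_out in sizes[1:]]

    def forward(self, x):
        # Returns the activation of every layer, input layer first.
        acts = [list(x)]
        for w, b in zip(self.weights, self.biases):
            prev = acts[-1]
            acts.append([sigmoid(sum(wi * pi for wi, pi in zip(wj, prev)) + bj)
                         for wj, bj in zip(w, b)])
        return acts

    def predict(self, x):
        return self.forward(x)[-1]

    def train(self, samples, epochs=400, lr=0.5, seed=3):
        # Per-sample backpropagation minimising squared error at the two outputs.
        rng = random.Random(seed)
        order = list(samples)
        for _ in range(epochs):
            rng.shuffle(order)
            for x, target in order:
                acts = self.forward(x)
                # output-layer error signal: (y - t) * y * (1 - y)
                delta = [(y - t) * y * (1 - y) for y, t in zip(acts[-1], target)]
                for l in range(len(self.weights) - 1, -1, -1):
                    prev, w = acts[l], self.weights[l]
                    # error signal for the layer below, computed before w is updated
                    prev_delta = None
                    if l > 0:
                        prev_delta = [sum(w[j][i] * delta[j] for j in range(len(delta)))
                                      * prev[i] * (1 - prev[i]) for i in range(len(prev))]
                    for j, dj in enumerate(delta):
                        for i, pi in enumerate(prev):
                            w[j][i] -= lr * dj * pi
                        self.biases[l][j] -= lr * dj
                    if prev_delta is not None:
                        delta = prev_delta

def make_events(n, seed):
    """Constructed data: nine features already scaled to [0, 1]. By assumption an
    event is an attack when features 2 and 7 (think: destination port bucket and
    payload length) are jointly large; a margin around the boundary keeps the
    synthetic classes cleanly separable."""
    rng = random.Random(seed)
    events = []
    while len(events) < n:
        x = [rng.random() for _ in range(9)]
        score = x[2] + x[7]
        if abs(score - 1.0) < 0.2:
            continue
        events.append((x, ATTACK if score > 1.0 else NO_ATTACK))
    return events

def accuracy(net, events):
    hits = sum(decode(net.predict(x)) == decode(t) for x, t in events)
    return hits / len(events)

def train_and_evaluate():
    # Separate seeds give a training set and a held-out set.
    train = make_events(120, seed=11)
    test = make_events(60, seed=12)
    net = MLP([9, 8, 6, 2])
    net.train(train)
    return accuracy(net, train), accuracy(net, test)

if __name__ == "__main__":
    tr, te = train_and_evaluate()
    print(f"training accuracy {tr:.2f}, held-out accuracy {te:.2f}")
```

Two points a practitioner should take from the block: the two-output encoding only yields a verdict once a decision rule is fixed (here, whichever output is larger; a threshold on the gap between the two would be the natural place to trade false positives against misses), and accuracy must be measured on events the network never trained on, which is why `train_and_evaluate` returns both figures rather than the training score alone.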
Data for training and testing the prototype was generated using the RealSecure network
monitor from Internet Security Systems, Inc. RealSecure is designed to be used by network
security administrators to passively collect data from the network and identify indications of
attacks. RealSecure uses an expert system with over 360 attack signatures that it compares
against current network activity to identify intrusions. The RealSecure monitor was configured
to capture, for each event, the data that would be present in a network frame (e.g., source
address, destination address, packet data, etc.) together with the result of the RealSecure
analysis of that event, i.e., whether the signature engine flagged it as an attack.
In addition to the normal network activity collected as events by RealSecure, the host for the
monitor was attacked using the Internet Scanner product from ISS, Inc., and the SATAN scanner.
These applications were used because of their ability to generate a large number of simulated
attacks against a specified network host. The scanners were configured for a variety of attacks,
ranging from denial of service attacks to port scans. Approximately 10,000 individual events were
collected by RealSecure and stored in a Microsoft Access database, of which approximately 3,000
were simulated attacks.