
3. Initial Analysis of Approach

In an effort to determine the applicability of neural networks to the problem of misuse detection, we conducted an analysis of the approach using simulated network traffic. The experiment was designed to determine whether indications of attack could be identified in typical network traffic; it was not intended to completely resolve the question of applying neural networks to misuse detection. The analysis did not address the potential benefit of identifying previously unseen (a priori) attacks, which may be possible through the use of neural networks. However, determining whether a neural network was capable of identifying misuse incidents with a reasonable degree of accuracy was considered the first step in applying the technology to this form of intrusion detection.

3.1 Neural Network Description

The first prototype neural network was designed to determine whether a neural network was capable of identifying specific events that are indications of misuse. Neural networks had been shown to be capable of identifying TCP/IP network events in [27], but our prototype was designed to test the ability of a neural network to identify indications of misuse. The prototype used an MLP architecture consisting of four fully connected layers with nine input nodes and two output nodes. While a number of architectures could be used to address this problem ([12]), a feed-forward neural network architecture was selected because of the flexibility and applicability of the approach in a variety of problems. The number of hidden layers, and the number of nodes in each hidden layer, was determined by trial and error. Each of the hidden nodes and the output nodes applied a sigmoid transfer function (1/(1 + exp(-x))) to the weighted sum of its inputs.

The neural network was designed to produce output values of 0.0 and 1.0 in the two output nodes when the analysis indicated no attack, and 1.0 and 0.0 in the two output nodes in the event of an attack.

Data for training and testing the prototype was generated using the RealSecure™ network monitor from Internet Security Systems, Inc. RealSecure™ is designed to be used by network security administrators to passively collect data from the network and identify indications of attacks. RealSecure™ uses an expert system that includes over 360 attack signatures, which it compares with current network activity to identify intrusions. The RealSecure™ monitor was configured to capture, for each event, the data that would be consistent with a network frame (e.g., source address, destination address, packet data, etc.) together with the results of the RealSecure™ analysis of that event. In addition to the "normal" network activity that was collected as events by RealSecure™, the host for the monitor was "attacked" using the Internet Scanner™ product from ISS, Inc., and the SATAN scanner. These applications were used because of their ability to generate a large number of simulated attacks against a specified network host. The scanners were configured for a variety of attacks, ranging from denial of service attacks to port scans. Approximately 10,000 individual events were collected by RealSecure™ and stored in a Microsoft Access™ database, of which approximately 3,000 were simulated attacks.
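The following is an added, self-contained illustration of the architecture described above (a four-layer, fully connected sigmoid MLP with nine input nodes and two output nodes, whose output pair decodes to (1.0, 0.0) for an attack and (0.0, 1.0) for no attack). It is not the paper's code, and the paper's RealSecure event fields and data are not reproduced: the nine features, the hidden-layer sizes (6 and 4, chosen here for illustration), the learning rate and the synthetic event generator are all assumptions made for this example. The block trains the network by back-propagation on constructed events and scores it on a held-out set, so a practitioner can see the whole pipeline (encoding, forward pass, training, decoding of the two output nodes) in one place.

```python
"""Toy four-layer sigmoid MLP (9 inputs, two hidden layers, 2 outputs)
trained by back-propagation to emit (1.0, 0.0) for attack events and
(0.0, 1.0) for normal events.  Constructed example, not the paper's code;
every feature value and label below is synthetic."""
import math
import random

# Assumed layer sizes: the paper fixes 9 inputs and 2 outputs, the hidden
# widths (6, 4) are a guess for illustration only.
N_INPUT, N_HIDDEN1, N_HIDDEN2, N_OUTPUT = 9, 6, 4, 2
ATTACK, NORMAL = (1.0, 0.0), (0.0, 1.0)  # target encoding from the text


def sigmoid(x):
    """Transfer function used by every hidden and output node."""
    return 1.0 / (1.0 + math.exp(-x))


def make_events(n, seed=1):
    """Constructed events.  Features 0 and 1 stand in for a per-host SYN
    rate and a unique-destination-port rate scaled to [0, 1]; attacks are
    drawn from a high band, normal traffic from a low band.  The other
    seven features are uninformative filler (e.g. packet size, duration)."""
    rng = random.Random(seed)
    events = []
    for i in range(n):
        attack = i % 2 == 0
        lo, hi = (0.6, 1.0) if attack else (0.0, 0.4)
        x = [rng.uniform(lo, hi), rng.uniform(lo, hi)]
        x += [rng.random() for _ in range(N_INPUT - 2)]
        events.append((x, ATTACK if attack else NORMAL))
    return events


class MLP:
    def __init__(self, sizes, seed=7):
        rng = random.Random(seed)
        # weights[l][j][i]: weight from node i of layer l (plus a trailing
        # bias input) to node j of layer l + 1
        self.weights = [[[rng.uniform(-1, 1) for _ in range(n_in + 1)]
                         for _ in range(n_out)]
                        for n_in, n_out in zip(sizes, sizes[1:])]

    def forward(self, x):
        """Return the activations of every layer, input layer included."""
        acts = [list(x)]
        for layer in self.weights:
            inp = acts[-1] + [1.0]  # append the bias unit
            acts.append([sigmoid(sum(w * a for w, a in zip(node, inp)))
                         for node in layer])
        return acts

    def predict(self, x):
        return self.forward(x)[-1]

    def train(self, data, epochs=300, lr=0.5):
        """Plain on-line back-propagation with a squared-error loss."""
        for _ in range(epochs):
            for x, target in data:
                acts = self.forward(x)
                # error term for the output layer (sigmoid derivative o(1-o))
                delta = [(o - t) * o * (1 - o) for o, t in zip(acts[-1], target)]
                for l in range(len(self.weights) - 1, -1, -1):
                    inp = acts[l] + [1.0]
                    # compute the previous layer's error before touching weights
                    prev = [a * (1 - a) * sum(self.weights[l][j][i] * delta[j]
                                              for j in range(len(delta)))
                            for i, a in enumerate(acts[l])]
                    for j, d in enumerate(delta):
                        for i, a in enumerate(inp):
                            self.weights[l][j][i] -= lr * d * a
                    delta = prev


def classify(output):
    """Decode the two output nodes: (1, 0) is attack, (0, 1) is normal."""
    return "attack" if output[0] > output[1] else "normal"


def train_and_evaluate():
    """Train on constructed events, return (network, held-out accuracy)."""
    net = MLP([N_INPUT, N_HIDDEN1, N_HIDDEN2, N_OUTPUT])
    net.train(make_events(120, seed=1))
    held_out = make_events(40, seed=2)
    correct = sum(classify(net.predict(x)) == classify(t) for x, t in held_out)
    return net, correct / len(held_out)


if __name__ == "__main__":
    net, acc = train_and_evaluate()
    print(f"held-out accuracy: {acc:.2f}")
```

Because the synthetic classes are separable on two features, the network learns quickly; on real RealSecure-style events the informative signal is spread across many fields and the hidden-layer sizes would have to be found by trial and error, as the text notes.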