HostedDB - Dedicated UNIX Servers
paperF13_9 The preprocessed data was finally loaded into the DataPro utility provided by Qnet 97.01, (Table 3).  Qnet uses this application to load data into the neural network during training and testing. Input 1 Input 2 Input 3 Input 4 Input 5 Input 6 Input 7 Input 8 Input 9 Output 1 0 2314 80 1573638018 -1580478590 1 1 401 3758 0 0 1611 6101 801886082 -926167166 1 1 0 2633 1 Table 3: Sample of DataPro input to neural network 3.2    Results The training of the neural network was conducted using a backpropagation algorithm for 10,000 iterations of the selected training data.  Like the feed-forward architecture of the neural network, the use of a backpropagation algorithm for training was based on the proven record of this approach in the development of neural networks for a variety of applications [12].  Of the 9,462 records which were preprocessed for use in the prototype, 1000 were randomly selected for testing and the remaining were used to train the system. The training/testing iterations of the neural network required 26.13 hours to complete.  At the conclusion of the training the following results were obtained: · Training data root mean square error = 0.058298 · Test data root mean square error = 0.069929 · Training data correlation = 0.982333 · Test data correlation = 0.975569 The figures matched very closely with the desired root mean square (RMS) error of 0.0 and the desired correlation value of 1.0. After the completion of the training and testing of the MLP neural network the various connection weights were frozen and the network was interrogated.  Three sample patterns containing “normal” network events and a single simulated attack event (e.g., ISS scans, Satan scans, SYNFlood, etc.) were used to test the neural network.  The MLP was able to correctly identify each of the imbedded attacks in the test data, (Figures 1-3). While this prototype was not designed to be a complete intrusion detection system, the results clearly demonstrate the potential of a neural network to detect individual instances of possible misuse from a representative network data stream.