Improving misuse detection with neural networks

Abstract

Misuse Intrusion Detection Systems are rule-based systems that search attack patterns in the data source. Detection ability of misuse detectors is limited to known attack patterns; hence unknown attacks may be missed. In addition, writing new signatures for novel attacks can be troublesome and time consuming. Similarly behavior based IDSs suffered from high rates of false alarms. Artificial neural networks have generalization ability, thus they can be used with intrusion detection system in order to identify normal and attack packets without the need of writing rules. We proposed to use neural networks with network-based IDS. To achieve this, system was trained and tested with both normal and malicious network packets. Backpropagation and Levenberg-Marquardt algorithms were used to train neural networks. For each of these training algorithms a 3-layer and a 4-layer MLP network sets were generated. In addition, self-organizing maps were used to classify attack instances. DARPA 1999 Intrusion Detection Evaluation dataset was used for training and testing, but lack of enough attack patterns in evaluation dataset made us to create a testbed to obtain sufficient malicious traffic. After training was completed, trained neural networks were tested against training dataset and test dataset, which is not part of the training dataset. Results of the experiments showed that, none of the trained backpropagation networks could identify attacks in training and/or testing data sets. But results of the Levenberg-Marquardt networks were more promising as nine of the trained Levenberg-Marquardt networks could identify attack and normal network packets in training and test datasets.