
Intrusion Detection Technologies

INDEX

CHAPTER ONE: INTRODUCTION
PAGE 1-2   BRIEF INTRODUCTION
PAGE 3-4   DIFFERENT ATTACK TYPES

CHAPTER TWO: LITERATURE SURVEY
PAGE 5     ANOMALY AND MISUSE DETECTION
PAGE 6-7   RULE BASED AND EXPERT SYSTEM
PAGE 8     PATTERN RECOGNITION APPROACH
PAGE 9     STATISTICAL APPROACH AND ANN
PAGE 10-12 NEURAL NETWORK DETECTION
PAGE 13    WORKING OF NEURAL NETWORK
PAGE 14-15 FRAMEWORK
PAGE 16    DIAGRAM OF FRAMEWORK
PAGE 17    REFERENCES

ABSTRACT

Intrusion detection is a significant focus of research in the security of computer systems and networks. This paper presents an analysis of the progress being made in the development of effective intrusion detection systems for computer systems and distributed computer networks. The technologies discussed are designed to detect access to computer systems by unauthorized individuals and the misuse of system resources by authorized system users. A review of the foundations of intrusion detection systems and of the methodologies which are the focus of current development efforts is provided. Next, the paper compares the performance of the five neural network methods in intrusion detection. Finally, a discussion of the future technologies and methodologies which promise to enhance the ability of computer systems to detect intrusions is provided.

Keywords: Intrusion detection, anomaly detection, misuse detection, computer security

CHAPTER 1
Introduction

The rapid expansion of computer networks, and particularly of the Internet, has raised numerous security issues. In recent years the number of intrusions has increased dramatically, and private and government organizations have become ever more dependent on their computer and network systems. Protecting these systems from intrusion or attack is therefore very significant: a single intrusion can cause a large loss or make the network unreliable. Many intrusion detection approaches have been used to secure computer and network systems, but the main question is which approach deals best with the problem of intrusion detection.

An intrusion detection system (IDS) detects unwanted manipulations of computer systems through the Internet. Computer intrusion detection systems are primarily designed to protect the availability and integrity of critical networked information systems. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, Trojan horses, and worms). The most common computer intrusion detection systems detect signs of known attacks by searching for attack-specific keywords in network traffic.

The most common types of attack are:

Denial of Service (DoS): A DoS attack is one in which the attacker makes memory or other resources too busy to serve legitimate network requests, thereby denying users access to a machine, e.g. apache, smurf, Neptune, ping of death, back, mail bomb, UDP storm, etc.

Remote to User attacks (R2L): A remote to user attack is one in which a user sends packets over the Internet to a machine to which the user does not have access, in order to expose the machine's vulnerabilities and exploit privileges which a local user would have on the computer, e.g. xlock, guest, xnsnoop, phf, sendmail dictionary, etc.

User to Root attacks (U2R): These attacks are exploitations in which the attacker starts off on the system with a normal user account and attempts to abuse vulnerabilities in the system in order to gain superuser privileges, e.g. perl, xterm.

Probing: Probing is an attack in which the attacker scans a machine or a networking device in order to determine weaknesses or vulnerabilities that may later be exploited so as to compromise the system. This technique is commonly used in data mining, e.g. satan, saint, portsweep, mscan, nmap, etc.

The most common approaches are statistical, rule-based, expert system, pattern recognition and artificial neural network.

An IDS is composed of several components: sensors, which generate security events; a console, to monitor events and alerts and to control the sensors; and a central engine, which records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received.

CHAPTER 2

LITERATURE SURVEY

RELATED WORK

The following are the approaches being utilized to accomplish the desirable elements of an intrusion detection system.

Anomaly Detection
Anomaly detection is one general category of intrusion detection; it works by identifying activities which vary from established patterns for users, or groups of users. Anomaly detection typically involves the creation of knowledge bases which contain the profiles of the monitored activities.

Misuse Detection
The second general approach to intrusion detection is misuse detection. This technique involves the comparison of a user's activities with the known behaviors of attackers attempting to penetrate a system. Misuse detection also utilizes a knowledge base of information.

RULE BASED ANALYSIS
Most current approaches to the process of detecting intrusions utilize some form of rule-based analysis. Rule-based analysis relies on sets of predefined rules that are provided by an administrator, automatically created by the system, or both. The rules serve as operational preconditions which are continuously checked against the audit record by the intrusion detection mechanism. If the required conditions of a rule are satisfied by user activity, the specified operation is executed. This approach is unable to detect novel intrusions or new attacks, and the frequent updating of rules it requires is time consuming. Rule-based systems also suffer from an inability to detect attack scenarios that occur over an extended period of time: while the individual instances of suspicious activity may be detected by the system, they may not be reported if they appear to occur in isolation.

EXPERT SYSTEMS
Expert systems are the most common form of rule-based intrusion detection approaches. The early intrusion detection research efforts realized the inefficiency of any approach that required a manual review of a system audit trail. While the information necessary to identify attacks was believed to be present within the voluminous audit data, an effective review of the material required the use of an automated system. The use of expert system techniques in intrusion detection mechanisms was a significant milestone in the development of effective and practical detection-based information security systems.

An expert system consists of a set of rules that encode the knowledge of a human "expert". These rules are used by the system to make conclusions about the security-related data from the intrusion detection system. Expert systems permit the incorporation of an extensive amount of human experience into a computer application that then utilizes that knowledge to identify activities that match the defined characteristics of misuse and attack.

Unfortunately, expert systems require frequent updates to remain current. While expert systems offer an enhanced ability to review audit data, the required updates may be ignored or performed infrequently by the administrator. At a minimum, this leads to an expert system with reduced capabilities. At worst, this lack of maintenance will degrade the security of the entire system by causing the system's users to be misled into believing that the system is secure, even as one of the key components becomes increasingly ineffective over time.

Intrusion scenarios in which multiple attackers operate in concert are also difficult for these methods to detect because they do not focus on the state transitions in an attack, but instead concentrate on the occurrence of individual elements. Any division of an attack either over time or among several seemingly unrelated attackers is difficult for these methods to detect.

Rule-based systems also lack flexibility in the rule-to-audit record representation. Slight variations in an attack sequence can affect the activity-rule comparison to a degree that the intrusion is not detected by the intrusion detection mechanism. While increasing the level of abstraction of the rule base does provide a partial solution to this weakness, it also reduces the granularity of the intrusion detection device.
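As an added example (not from the paper), the following Python treats a rule as an operational precondition checked continuously against a constructed audit trail and shows the two weaknesses described above: the same five failed logins are reported when they form a burst but not when they are divided over time, and a slightly different event name in the audit record defeats the exact match. The rule, hosts, users and event names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed audit records (not from the paper): (timestamp_seconds, user, host, event).
# Five failed logins inside 40 seconds ...
AUDIT_BURST = [(t, "alice", "10.0.0.5", "login_failed") for t in range(0, 50, 10)]
# ... the same five failures spread one hour apart ...
AUDIT_SLOW = [(t * 3600, "alice", "10.0.0.5", "login_failed") for t in range(5)]
# ... and the burst again, logged by a host that names the event slightly differently.
AUDIT_VARIANT = [(t, "alice", "10.0.0.6", "auth_failure") for t in range(0, 50, 10)]


@dataclass
class Rule:
    """An operational precondition: `count` events named `event` within `window` seconds."""
    name: str
    event: str
    count: int
    window: int


def apply_rule(rule: Rule, records) -> Optional[str]:
    """Check the precondition continuously over the audit trail; return the alert once it is satisfied."""
    recent = []
    for ts, user, host, event in sorted(records):
        if event != rule.event:  # rule-to-audit-record comparison is an exact string match
            continue
        recent.append(ts)
        # Forget events older than the window: this is what hides an attack divided over time.
        recent = [t for t in recent if ts - t <= rule.window]
        if len(recent) >= rule.count:
            return f"{rule.name}: {user}@{host}, {len(recent)} x {rule.event} within {rule.window}s"
    return None


BRUTE_FORCE = Rule("brute-force", "login_failed", count=5, window=60)


def main():
    for label, trail in (("burst", AUDIT_BURST), ("slow", AUDIT_SLOW), ("variant", AUDIT_VARIANT)):
        print(f"{label:8} -> {apply_rule(BRUTE_FORCE, trail)}")


if __name__ == "__main__":
    main()
```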

PATTERN RECOGNITION APPROACH

In this approach, a series of penetration scenarios are coded into the system. This approach is effective in reducing the need to review a large amount of audit data, but it is also unable to detect new attacks. Therefore, frequent updating of the penetration scenarios is required.

STATISTICAL APPROACH
This approach involves statistical comparison of specific events based on a predetermined set of criteria. Data is collected from the system and the network, and the collected data is tested for attack analysis by statistical models. The models which have been most frequently used include the operational model.
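An added example, not from the paper, of the profile knowledge base described under Anomaly Detection above and of the statistical comparison described here: per-user mean and standard deviation profiles are built from constructed session records, new sessions are scored by how far they deviate from the profile, and a fixed-threshold operational check is shown alongside. Users, measures and thresholds are assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed training audit data (not from the paper): per session, (user, login_hour, kilobytes_transferred).
TRAINING = [
    ("alice", 9, 120), ("alice", 10, 130), ("alice", 11, 115), ("alice", 9, 125), ("alice", 10, 110),
    ("bob", 14, 900), ("bob", 15, 950), ("bob", 13, 880), ("bob", 14, 920), ("bob", 16, 910),
]


def build_profiles(records):
    """Knowledge base of profiles: for each user, the mean and standard deviation of each measure."""
    samples = defaultdict(lambda: defaultdict(list))
    for user, hour, kb in records:
        samples[user]["hour"].append(hour)
        samples[user]["kb"].append(kb)
    profiles = {}
    for user, measures in samples.items():
        profiles[user] = {}
        for name, values in measures.items():
            mean = sum(values) / len(values)
            variance = sum((v - mean) ** 2 for v in values) / max(len(values) - 1, 1)
            profiles[user][name] = (mean, math.sqrt(variance))
    return profiles


def anomaly_score(profiles, user, hour, kb):
    """Mean and standard deviation model: largest deviation, in standard deviations, from the user's profile."""
    scores = []
    for name, value in (("hour", hour), ("kb", kb)):
        mean, sd = profiles[user][name]
        scores.append(abs(value - mean) / sd if sd > 0 else 0.0)
    return max(scores)


def is_anomalous(profiles, user, hour, kb, threshold=3.0):
    """Flag a session that deviates beyond the threshold; an unknown user has no profile to compare with."""
    if user not in profiles:
        return True
    return anomaly_score(profiles, user, hour, kb) > threshold


def operational_check(failed_logins, limit=3):
    """Operational model: a fixed administrator-set threshold on an event count, independent of any profile."""
    return failed_logins > limit


def main():
    profiles = build_profiles(TRAINING)
    for session in (("alice", 10, 118), ("alice", 3, 120), ("bob", 15, 4000), ("mallory", 12, 50)):
        print(session, "ANOMALY" if is_anomalous(profiles, *session) else "normal")


if __name__ == "__main__":
    main()
```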

ARTIFICIAL NEURAL NETWORK

An artificial neural network consists of a collection of processing elements that are highly interconnected and transform a set of inputs to a set of desired outputs. The result of the transformation is determined by the characteristics of the elements and the weights associated with the interconnections among them. By modifying the connections between the nodes the network is able to adapt to the desired outputs.

Unlike expert systems, which can provide the user with a definitive answer if the characteristics which are reviewed exactly match those which have been coded in the rule base, a neural network conducts an analysis of the information and provides a probability estimate that the data matches the characteristics which it has been trained to recognize. While the probability of a match determined by a neural network can be 100%, the accuracy of its decisions relies totally on the experience the system gains in analyzing examples of the stated problem.

The neural network gains this experience initially by training the system to correctly identify pre-selected examples of the problem. The response of the neural network is reviewed and the configuration of the system is refined until the neural network's analysis of the training data reaches a satisfactory level. In addition to the initial training period, the neural network also gains experience over time as it conducts analyses on data related to the problem.

NEURAL NETWORK INTRUSION DETECTION SYSTEMS

A limited amount of research has been conducted on the application of neural networks to detecting computer intrusions. Artificial neural networks offer the potential to resolve a number of the problems encountered by the other current approaches to intrusion detection. Artificial neural networks have been proposed as alternatives to the statistical analysis component of anomaly detection systems. Statistical analysis involves statistical comparison of current events to a predetermined set of baseline criteria. The technique is most often employed in the detection of deviations from typical behavior and in the determination of the similarity of events to those which are indicative of an attack. Neural networks were specifically proposed to identify the typical characteristics of system users and to identify statistically significant variations from the user's established behavior.

Artificial neural networks have also been proposed for use in the detection of computer viruses. Neural networks were proposed as statistical analysis approaches in the detection of viruses and malicious software in computer networks. The neural network architecture may be a self-organizing feature map, which uses a single layer of neurons to represent knowledge from a particular domain in the form of a geometrically organized feature map. The proposed network was designed to learn the characteristics of normal system activity and identify statistical variations from the norm that may be an indication of a virus.

While there is an increasing need for a system capable of accurately identifying instances of misuse on a network, there is currently no applied alternative to rule-based intrusion detection systems. This method has been demonstrated to be relatively effective if the exact characteristics of the attack are known. However, network intrusions are constantly changing because of the individual approaches taken by the attackers and regular changes in the software and hardware of the targeted systems. Because of the infinite variety of attacks and attackers, even a dedicated effort to constantly update the rule base of an expert system can never hope to accurately identify the full variety of intrusions.

The constantly changing nature of network attacks requires a flexible defensive system that is capable of analyzing the enormous amount of network traffic in a manner which is less structured than rule-based systems. A neural network-based misuse detection system could potentially address many of the problems that are found in rule-based systems.

The aim of this work is to establish a framework that can detect both known and unknown attack events, and to choose, from among nine algorithms, the one which yields the minimum error.

The most important advantage of neural networks in misuse detection is the ability of the neural network to "learn" the characteristics of misuse attacks and identify instances that have been observed before by the network. The probability of an attack against the system may be estimated and a potential threat flagged whenever the probability exceeds a specified threshold.

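As an added example (not the paper's code), a single processing element is trained from scratch on constructed connection features to estimate the probability that traffic matches SYN-flood style DoS characteristics, and the threshold flagging just described is applied to its output. The two features, the training records, the learning rate and the 0.8 threshold are assumptions for illustration.

```python
import math

# Constructed training records (not from the paper): [syn_error_rate, connections_in_last_2s / 100]; label 1 = SYN-flood DoS, 0 = normal.
TRAINING = [
    ([0.00, 0.02], 0), ([0.05, 0.05], 0), ([0.10, 0.03], 0), ([0.02, 0.08], 0), ([0.00, 0.10], 0),
    ([0.90, 0.80], 1), ([1.00, 0.95], 1), ([0.85, 0.70], 1), ([0.95, 1.00], 1), ([0.80, 0.60], 1),
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class Neuron:
    """One processing element: inputs weighted by the interconnection weights, squashed by a sigmoid."""
    def __init__(self, n_inputs):
        self.w = [0.0] * n_inputs   # weights on the interconnections
        self.b = 0.0                # bias term

    def probability(self, x):
        """Probability estimate that x matches the attack characteristics the element was trained on."""
        return sigmoid(sum(wi * xi for wi, xi in zip(self.w, x)) + self.b)

    def train(self, data, lr=0.5, epochs=3000):
        """Batch gradient descent on log loss: the weights are refined until the examples are reproduced."""
        n = len(data)
        for _ in range(epochs):
            grad_w = [0.0] * len(self.w)
            grad_b = 0.0
            for x, y in data:
                err = self.probability(x) - y  # derivative of the log loss with respect to the logit
                for i, xi in enumerate(x):
                    grad_w[i] += err * xi
                grad_b += err
            self.w = [wi - lr * g / n for wi, g in zip(self.w, grad_w)]
            self.b -= lr * grad_b / n
        return self


def training_accuracy(neuron, data):
    return sum((neuron.probability(x) >= 0.5) == bool(y) for x, y in data) / len(data)


def flag(neuron, x, threshold=0.8):
    """Flag a potential threat when the estimated probability exceeds the specified threshold."""
    return neuron.probability(x) > threshold


def main():
    net = Neuron(2).train(TRAINING)
    for x in ([0.03, 0.04], [0.92, 0.85]):
        print(x, round(net.probability(x), 3), "ALERT" if flag(net, x) else "ok")


if __name__ == "__main__":
    main()
```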
PROPOSED FRAMEWORK

All current intrusion detection systems make four assumptions about the systems that they are designed to protect:

1. Activities taken by system users, either authorized or unauthorized, can be monitored.
2. It is possible to identify those actions which are indications of an attack on a system.
3. Information obtained from the intrusion detection system can be utilized to enhance the overall security of the network.
4. The system is able to analyze an attack in real time.

The proposed framework is described in terms of four phases:

1. The network sensor: in this phase we analyze the input packets to obtain the packet parameters and then filter these parameters to obtain the parameters needed for intrusion detection.
2. The event manager: this phase processes the filtered parameters and compares them with known attacks to determine attack signatures, and also compares them with normal events.
3. The response manager: this phase responds to attack and normal events in a suitable manner.
4. The learning model: in this phase we use a mixed database of normal and attack events and send these events to the learning model of the neural network. After obtaining a learning module, unlabeled events can be classified as normal or attack events.
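An added example, not the paper's own code, that wires the first three phases together over constructed packet summaries: the sensor extracts and filters the parameters, the event manager compares them with two signatures for DoS attacks named in the introduction (ping of death, smurf) and with a profile of normal events, and the response manager acts on the verdict; events matching neither are handed off for the learning model of the fourth phase. The line format, the two signatures and the normal profile are assumptions.

```python
import re

# Constructed sensor input (not from the paper): one packet summary per line as key=value fields.
RAW_PACKETS = [
    "src=10.0.0.7 dst=192.168.1.10 proto=tcp dport=80 flags=S len=60 ttl=64",
    "src=203.0.113.9 dst=192.168.1.10 proto=icmp type=8 len=65536 ttl=128",
    "src=203.0.113.9 dst=192.168.1.255 proto=icmp type=8 len=84 ttl=128",
    "src=10.0.0.8 dst=192.168.1.10 proto=tcp dport=6667 flags=S len=60 ttl=64",
]
NEEDED = ("src", "dst", "proto", "dport", "flags", "len")  # parameters kept after filtering


# Phase 1: network sensor -- obtain the packet parameters, then filter them to the needed ones.
def sensor(line):
    params = dict(re.findall(r"(\w+)=(\S+)", line))
    return {key: params.get(key) for key in NEEDED}


# Phase 2: event manager -- compare the parameters with known attack signatures and with normal events.
SIGNATURES = {
    # ICMP datagram larger than the 65535-byte IP maximum (ping of death).
    "ping-of-death": lambda e: e["proto"] == "icmp" and int(e["len"] or 0) > 65535,
    # ICMP echo sent to a broadcast address (smurf).
    "smurf": lambda e: e["proto"] == "icmp" and (e["dst"] or "").endswith(".255"),
}
NORMAL_EVENTS = {("tcp", "80"), ("tcp", "443")}  # profile of normal services on the monitored host


def event_manager(event):
    for name, matches in SIGNATURES.items():
        if matches(event):
            return ("attack", name)
    if (event["proto"], event["dport"]) in NORMAL_EVENTS:
        return ("normal", None)
    return ("unlabeled", None)  # neither signature nor normal: left for the learning model (phase 4)


# Phase 3: response manager -- respond to attack and normal events in a suitable manner.
def response_manager(event, verdict):
    kind, name = verdict
    if kind == "attack":
        return f"ALERT {name} from {event['src']}"
    if kind == "unlabeled":
        return f"QUEUE event from {event['src']} for classification"
    return "PASS"


def run(lines):
    """Push every sensor line through phases 1 to 3 and return the response for each."""
    return [response_manager(e, event_manager(e)) for e in map(sensor, lines)]


if __name__ == "__main__":
    for line, result in zip(RAW_PACKETS, run(RAW_PACKETS)):
        print(result, "<-", line)
```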