Proceedings of 2009 Student Conference on Research and Development (SCOReD 2009), 16-18 Nov. 2009, UPM Serdang, Malaysia

An Overview of Neural Networks Use in Anomaly Intrusion Detection Systems

Yusuf Sani, Ahmed Mohamedou, Khalid Ali, Anahita Farjamfar, Mohamed Azman, Solahuddin Shamsuddin
Department of Communication Technology & Networks, Universiti Putra Malaysia, 43400, Selangor S.D., Malaysia

978-1-4244-5187-6/09/$26.00 ©2009 IEEE

Abstract— With the increasing number of computers being connected to the Internet, the security of information systems has never been more urgent. Because no system can be absolutely secure, the timely and accurate detection of intrusions is necessary. This is the motivation for an entire area of research, called Intrusion Detection Systems (IDS). Anomaly systems detect intrusions by searching for abnormal system activity. The main problem of an anomaly detection IDS is that it is very difficult to build, because of the difficulty in defining what is normal and what is abnormal. Neural networks, with their ability to learn, have become one of the most promising techniques to solve this problem. This paper presents an overview of neural networks and their use in building anomaly intrusion detection systems.

Keywords- Intrusion Detection Systems; Neural Network; Anomaly Detection

I. INTRODUCTION

The dependence of companies and government agencies on computer networks has never been more critical, and the probability of attacks with devastating consequences has never been higher; hence the need for protection is no less critical. A good network security suite should not only be able to detect attacks or recover from an attack but should also have fast reaction capabilities. A hacker, attacking from inside as an authorized user or from outside as an intruder, uses vulnerabilities or flaws in a system. It is therefore important to have a tool that monitors the activity of users with the intent of detecting malicious activities. This important part of network security is called an Intrusion Detection System (IDS). Artificial intelligence is now widely employed to help detect intrusions on computer systems, because of its efficient and adaptive nature. The neural network is the branch of artificial intelligence that receives the most attention. A neural network analyses the information and provides a probability estimate that the data matches the characteristics it has been trained to recognize; this helps in no small measure to reduce the false positive rate.

This paper presents a review of the various neural network techniques used in anomaly detection IDSs. Section II presents an overview of the IDS concept. Section III gives a brief introduction to neural networks. Section IV discusses how neural network techniques are employed in IDSs. Section V deals with implementation issues, and finally Section VI concludes the paper with a brief summary.

II. INTRUSION DETECTION SYSTEMS

Every good IDS should continuously monitor the network looking for suspicious behaviour; as such, it should know what an attack looks like and generate a timely alert for a successful attack or, better, for an attack in progress. Since an alert alone does little good, we may insist on a more stringent requirement: that a probable cause and a remedy be advanced. IDSs can be either host-based IDSs, which monitor, audit, log and generate alerts for attacks on an individual system, or network-based IDSs, which have sensors throughout the network [1]. IDSs are more generally classified as misuse detection and anomaly detection [1-5]. Misuse detection is based on the characteristics of known attacks or system vulnerabilities, which are also called signatures. Any action that matches a signature is considered intrusive [1]. The main issue in misuse detection is how to build signatures that cover the possible signatures of attacks, or a signature that includes all possible variations of the relevant attack, so as to avoid false negatives. Another shortcoming of this approach is that it cannot detect zero-day attacks [2, 3]. Anomaly detection is based on the normal behaviour of a subject (e.g., a user or a system); any action that significantly deviates from the normal behaviour is considered intrusive, or rather suspicious [1]. The most significant strength of the anomaly detection approach is that prior knowledge of the security flaws of the target systems is not required. Thus, it is able to detect not only known intrusions but also unknown intrusions [4, 5]. As a consequence, suspicious intrusive activities of legitimate users or masqueraders are easily detected without breaking the security policy [1].

A. Approaches for anomaly detection

Anomaly detection in IDS is developed using one of the following approaches or a combination of them:

• Threshold detection: detecting abnormal activity on a server or network, for example abnormal consumption of the CPU on one server [7].

• Statistical measures: statistical models are employed in this type of IDS to learn from historical values. Some of the statistical models used are the mean and standard deviation [7].

• Rule-based measures: rule-based analysis relies on sets of predefined rules that are provided by an administrator, automatically created by the system, or both [6]. Expert systems are the most common form of rule-based intrusion detection approach.

• Non-linear algorithms: here soft computing techniques such as neural networks and genetic algorithms are used [7].

What makes neural networks one of the most promising components of an anomaly detection IDS is their potential for training. Neural networks are used in anomaly detection to help isolate new threats or to continuously adapt and learn what is and what is not normal for a given system.

III. NEURAL NETWORK CONCEPTS

The human brain can recognize, reason and learn at an amazing speed, to the envy of computer scientists. An attempt to emulate the way the human brain functions gave rise to the field of neural networks as early as 1940 [8]. Artificial neural networks were initially developed to exploit the processes of the brain in an attempt to get better results for such problems as speech and image recognition, classification and, more recently, intrusion detection. An important aspect of an artificial neural network is its ability to be trained and hence adaptively improve its performance.

Generally, learning in a neural network is done by modifying the weights and thresholds of the neurons in light of external factors, in our case the normal profile of a system. Training usually takes the form of presenting the network with a set of typical input vectors, x1, x2, …, xn. In supervised training, each training input xi is accompanied by the expected output vector ti. The training session then compares the target output ti with the actual output yi that the network delivers, and modifies the weights and thresholds according to some training scheme. In unsupervised mode, only the inputs are presented for training; the adjustments are made so that the network is able to recognize inputs as belonging to a particular profile.
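To make the neuron model of this section and the supervised training scheme just described concrete, here is an added example (not code from the paper): a single neuron with inputs, weights, a threshold u, a summation block and a step activation F, trained by comparing each target ti with the actual output yi and adjusting the weights and threshold whenever they disagree (the perceptron rule). The feature vectors, the feature names and the learning rate are assumptions made for the illustration.

```python
# Added example (not from the paper): one artificial neuron of the kind
# described in Section III -- inputs x_i, weights w_i, threshold u,
# summation s, activation F, output y = F(s) -- trained in supervised mode
# to separate a constructed "normal profile" from anomalous records.
from typing import List, Sequence, Tuple

Vector = Sequence[float]

# Constructed records (connection rate, SYN-without-ACK ratio, failed-login
# ratio), each scaled to [0, 1]; target t = 0 for normal, t = 1 for anomaly.
TRAINING_SET: List[Tuple[Vector, int]] = [
    ((0.10, 0.20, 0.00), 0), ((0.90, 0.90, 0.20), 1),
    ((0.20, 0.30, 0.10), 0), ((0.80, 0.95, 0.10), 1),
    ((0.15, 0.25, 0.05), 0), ((0.70, 0.85, 0.90), 1),
    ((0.30, 0.20, 0.00), 0), ((0.95, 0.30, 0.80), 1),
]

def summation(weights: Vector, x: Vector) -> float:
    """Summation block: s = w1*x1 + ... + wn*xn."""
    return sum(w * xi for w, xi in zip(weights, x))

def activation(s: float, u: float) -> int:
    """Step activation F: the neuron fires (y = 1) once s reaches threshold u."""
    return 1 if s >= u else 0

def neuron_output(weights: Vector, u: float, x: Vector) -> int:
    """y = F(s): 1 flags the record as anomalous, 0 as normal."""
    return activation(summation(weights, x), u)

def train(samples=TRAINING_SET, rate: float = 0.5, max_epochs: int = 50):
    """Supervised training: compare target t with actual output y for each
    sample and adjust weights and threshold whenever they disagree
    (the perceptron rule). Returns (weights, threshold, epochs_used)."""
    weights = [0.0] * len(samples[0][0])
    u = 0.0
    for epoch in range(1, max_epochs + 1):
        corrections = 0
        for x, t in samples:
            err = t - neuron_output(weights, u, x)  # +1 missed, -1 false alarm
            if err:
                corrections += 1
                weights = [w + rate * err * xi for w, xi in zip(weights, x)]
                u -= rate * err   # a lower threshold makes the neuron fire sooner
        if corrections == 0:      # a full pass with no corrections: trained
            return weights, u, epoch
    return weights, u, max_epochs

def training_accuracy(weights: Vector, u: float, samples=TRAINING_SET) -> float:
    hits = sum(neuron_output(weights, u, x) == t for x, t in samples)
    return hits / len(samples)
```

With these constructed records the neuron settles after two passes over the profile; a record that scores above the learned threshold is reported as an anomaly.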

A neural network is basically a set of simple units called neurons; these elements are highly interconnected and transform a set of inputs into a set of desired outputs [8], as shown in figure 1. The result of the transformation is determined by the characteristics of the elements and the weights associated with the interconnections among them; therefore, by adjusting the weights, the output can be controlled. The process of updating the weights and thresholds is called learning.

Figure 1. A simple neuron.

As seen in figure 1, an artificial neuron consists of:

1. Inputs: x1, x2, …, xn;
2. Weights: w1, w2, …, wn;
3. Threshold value: u;
4. Summation block: s = w1 x1 + … + wn xn;
5. Activation function: F;
6. Output: y = F(s).

To form a functional neural network, neurons are arranged using one of the following architectures:

• Recurrent network: in this network, a chain of neurons begins and ends with the same neuron. That is, for n neurons the output of each provides an input to the others, with at least one neuron whose output is one of its own inputs.

• Feed forward network: neurons are arranged in such a manner that the inputs to the first layer are the inputs of the network. The output of each neuron in the first layer becomes an input to each neuron in the second layer, and these are the only inputs to it; this pattern repeats in all subsequent layers, until the final layer, whose outputs are the only outputs of the network.

IV. NEURAL NETWORK AND IDS

The main drawback of anomaly detection IDSs is that it is difficult to define what the normal behaviour of the system is [9], and without a proper and effective means of discriminating the normal from the abnormal profile, an anomaly detection IDS will hardly be of any use. The need to ameliorate this shortcoming made researchers consider the neural network technique, because neural networks have an enhanced ability to classify by learning and are good at pattern recognition [5].

The advantages of using neural networks in IDS, as enunciated in [15], are:

• They provide a more accurate statistical distribution than statistical models, because most statistical models make assumptions about the underlying distribution of user behaviour. These assumptions may not always be valid and can at times lead to a high false-alarm rate. Neural networks generally make fewer assumptions and normally modify them through the learning process.

• Neural networks have a low development cost. Statistical model algorithms cost more to build, because it is costly to reconstruct statistical algorithms after removing assumptions that are found to be invalid.

• They are highly scalable compared to other techniques.

• They are good at reducing both the false positive and the false negative error rate. The false positive rate counts false alarms and the false negative rate counts missed intrusions [9]. Anomaly detection IDSs tend to have more false positives than false negatives.

IDS designers exploit neural networks either as a pattern recognition technique [10] or for classification and prediction [11].

Pattern recognition is realized by using a multilayered feed forward neural network that has been trained accordingly [9]. During training, the neural network parameters are optimized to associate outputs with the corresponding input patterns. In neural network algorithms, an input pattern is identified by matching its output with a known class. During the training session, the output is compared with the corresponding class; if it does not match, adjustments to the weight and threshold values are made repeatedly until it matches the desired class [12]. Denial of service and probing are some of the types of attack that are known to be easily detected by pattern recognition [10].

Figure 2. Multilayer feed forward neural network.

Classification and prediction is implemented using Kohonen's self-organizing maps [13] to classify inputs into clusters with well-defined boundaries for normal and abnormal profiles. The neural network evolves through the learning process to identify the relevant profile for any type of network traffic [9]. An important attack that can be detected using this technique is denial of service [11].

Figure 3. Kohonen's self-organizing map.

V. IMPLEMENTATIONS OF NEURAL NETWORK IDS

Among the first attempts to incorporate neural networks was the work of Ryan et al. [16]. They worked on an offline anomaly detection system, which utilized a back-propagation Multi Layer Perceptron (MLP) neural network. The MLP was trained to identify users' profiles and, at the end of each log session, the MLP evaluated the users' commands for possible intrusions. They called the system NNID (Neural Network Intrusion Detector). This type of IDS counters attack-specific keywords in network traffic [18]. Another approach is to create a neural network that analyzes program behaviour profiles instead of user behaviour profiles. The method identifies the normal system behaviour of certain programs and compares it to the current system behaviour [17]. Based on this principle, Cannady [6] used a three-layer neural network for offline classification of connection records into normal and misuse classes. The system designed in that study was intended to work standalone.

Both of the mentioned research works implemented systems whose neural networks have two possible outputs: normal or anomaly. Moradi [10] presented an IDS for a multi-class problem, in which not only are the attack records distinguished from normal ones, but the attack type is also identified.

A typical neural network model is depicted in figure 4. In this model we assume that the features of incoming packets have been extracted using any one of the different methods available. The model can be used for both the pattern recognition and the classification neural network techniques. For the training phase, we have both an attack data set and a normal data set; it should be noted that both data sets and the neural network learning module are connected to the neural network model module, because it is the main decider of what type of training scheme is employed. For each training round, the output is compared with the expected output at the validation module and an appropriate cost is assigned to the whole operation; this determines the extent of the modification to both weights and thresholds. The exercise continues until the neural network model is fully trained. The training exercise is then conducted periodically or, in some secured IDSs, continuously. This improves the performance of the IDS. Note, however, that since the IDS itself is not immune to attack, continuous training should be avoided, since at least theoretically somebody can implant a malicious data set as normal profile data.

Figure 4. A typical neural network model used in IDS, as presented in [14].

So far we have seen only IDSs that perform detection at the packet level; Alan B. et al. [18] proposed an IDS that is able to generalize the input further and, as such, recognize longer multi-packet attacks.

VI. CONCLUSIONS

In this paper, we started with what an IDS is, then we saw the two main types of IDS, anomaly detection IDS and misuse detection IDS, with their advantages and disadvantages. Then we concentrated on anomaly detection IDS. After that, we gave a brief overview of neural networks and how they work. We also showed how neural networks can be used to overcome the drawbacks of anomaly detection systems. We concluded the paper with some examples of actual IDS systems using the concept of neural networks.
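As an added example (not code from the paper or from any system it reviews), the following builds the classification approach of Section IV in miniature: a one-dimensional Kohonen self-organizing map is trained on constructed traffic records, each map neuron is then labelled normal or anomaly by majority vote of the records it wins, and a new record is classified by its best matching unit. The features, map size, learning-rate schedule and neighbourhood function are assumptions made for the illustration.

```python
# Added example (not from the paper): a small one-dimensional Kohonen
# self-organizing map, as discussed in Section IV, that clusters traffic
# records and labels each map neuron "normal" or "anomaly" from the training
# profile. Records are constructed (packet rate, SYN-without-ACK ratio, both
# scaled to [0, 1]); they are not data from the paper.
from typing import Dict, List, Sequence, Tuple

Vector = Sequence[float]
TRAINING_SET: List[Tuple[Vector, str]] = [
    ((0.10, 0.20), "normal"), ((0.20, 0.30), "normal"), ((0.15, 0.25), "normal"),
    ((0.25, 0.15), "normal"), ((0.30, 0.20), "normal"),
    ((0.90, 0.85), "anomaly"), ((0.85, 0.95), "anomaly"),  # DoS-like bursts
    ((0.95, 0.90), "anomaly"), ((0.80, 0.80), "anomaly"),
]

def sq_dist(a: Vector, b: Vector) -> float:
    return sum((ai - bi) ** 2 for ai, bi in zip(a, b))

class SOM:
    # A line of neurons; while the map is still organising, the neighbours of
    # the best matching unit (BMU) on the line are pulled along with it.
    def __init__(self, size: int = 4, dims: int = 2):
        # Deterministic start: neurons spread along the diagonal of the space.
        self.weights = [[i / (size - 1)] * dims for i in range(size)]
        self.labels: Dict[int, str] = {}

    def bmu(self, x: Vector) -> int:
        return min(range(len(self.weights)), key=lambda i: sq_dist(self.weights[i], x))

    def train(self, samples=TRAINING_SET, epochs: int = 20, rate: float = 0.5):
        for epoch in range(epochs):
            lr = rate * (1 - epoch / epochs)          # learning rate decays
            radius = 1 if epoch < epochs // 2 else 0  # later only the BMU moves
            for x, _ in samples:
                b = self.bmu(x)
                for i, w in enumerate(self.weights):
                    if abs(i - b) <= radius:
                        pull = lr * 0.5 ** abs(i - b)  # BMU: lr, neighbour: lr/2
                        self.weights[i] = [wi + pull * (xi - wi) for wi, xi in zip(w, x)]
        # Label each neuron by majority vote of the training records it wins.
        votes: Dict[int, Dict[str, int]] = {}
        for x, label in samples:
            counts = votes.setdefault(self.bmu(x), {})
            counts[label] = counts.get(label, 0) + 1
        self.labels = {i: max(c, key=c.get) for i, c in votes.items()}
        return self

    def classify(self, x: Vector) -> str:
        # A neuron never won by a profiled record lies outside the learned profile.
        return self.labels.get(self.bmu(x), "anomaly")

def training_accuracy(som: SOM, samples=TRAINING_SET) -> float:
    return sum(som.classify(x) == t for x, t in samples) / len(samples)
```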

REFERENCES

[1] Khattab M. Ali, Venus W. Samawi, Mamoun Suleiman AL Rababaa, "The Affect of Fuzzification on Neural Networks Intrusion Detection System", in Proc. ICIEA 2009, paper TuM3.3.
[2] S. Mukkamala, "Intrusion detection using an ensemble of intelligent paradigms", Journal of Network and Computer Applications YJNCA, pp. 1-15, 2004.
[3] Sang-Jun Han, Sung-Bae Cho, "Evolutionary Neural Networks for Anomaly Detection Based on the Behavior of a Program", IEEE Transactions on Systems, Vol. 36, No. 3, June 2006.
[4] Dorothy E. Denning, "An Intrusion-Detection Model", IEEE Transactions on Software Engineering, Vol. SE-13, No. 2, pp. 222-232, February 1987.
[5] Porras, P. A., "STAT: A State Transition Analysis Tools for Intrusion Detection", MSc Thesis, Department of Computer Science, University of California Santa Barbara, 1992, pp. 15-20.
[6] Cannady J., "Artificial Neural Networks for misuse detection", National Information Systems Security Conference, pp. 368-81, 1998.
[7] Theuns V., Ray H., "Intrusion Detection and Approaches", Journal of Computer Communications, volume 25, pp. 1356-1365, 2002.
[8] Debar H., Becker M., Les Ulis, "A Neural Network Component for an Intrusion Detection System", Proceedings IEEE Computer Society Symposium, 1992.
[9] Vesely Arnošt, "Neural networks in intrusion detection systems", Zemědělská ekonomika, vol. 50, pp. 35-39, 2004.
[10] M. Moradi, M. Zulkernine, "A Neural Network Based System for Intrusion Detection and Classification of Attacks", Proc. of the 2004 IEEE International Conference on Advances in Intelligent Systems - Theory and Applications, pp. 148:1-6, November 2004.
[11] Alfantookh A., "DoS Attacks Intelligent Detection using Neural Networks", Journal of King Saud University Computer and Information Sciences, Vol. 18, 2005.
[12] H. Debar, M. Becker, D. Siboni, "A neural network component for an intrusion detection system", Proceedings of 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 240-250, 1992.
[13] T. Kohonen, "The self-organizing map", Proc. IEEE, vol. 78, no. 9, pp. 1464-1480, September 1990.
[14] Joo D., "The neural network models for IDS based on the asymmetric costs of false negative errors and false positive errors", Expert Systems with Applications, Volume 25, Issue 1, pp. 69-75, October 2003.
[15] T. F. Lunt, "A survey of intrusion-detection techniques", Computers & Security, 12(4), pp. 405-418, June 1993.
[16] J. Ryan, M. Lin, R. Miikkulainen, "Intrusion Detection with Neural Networks", AI Approaches to Fraud Detection and Risk Management: 1997 AAAI Workshop, pp. 72-79, 1997.
[17] Ghosh, A., Schwartzbard, A., and Shatz, M., "Learning Program Behavior Profiles for Intrusion Detection", in Proceedings First USENIX Workshop on Intrusion Detection and Network Monitoring, April 1999.
[18] Alan Bivens, Chandrika Palagiri, Rasheda Smith, Boleslew Szymenski, Mark Embrechts, "Network-Based Intrusion Detection Using Neural Networks", Proc. Intelligent Engineering Systems through Artificial Neural Networks ANNIE-2002, vol. 12, pp. 579-584, 2002.