Neural Network Model

Neural Network Model for Detecting Intrusions or Attacks on a Network

KDD Cup 1999 Computer Network Intrusion Detection

Introduction

The increasing reliance on networked computers, and the growing expertise in subverting such systems, makes intelligent and adaptive threat detection vital. Computer security revolves around confidentiality, integrity, and availability. Integrity refers to the trustworthiness of data or resources, and is usually phrased in terms of preventing improper or unauthorized change. Integrity mechanisms fall into two classes: prevention or detection. Prevention mechanisms try to maintain the integrity of data by blocking unauthorized attempts to change data (Bonifacio, 1998, pp. 205-10). On the other hand, detection mechanisms do not try to prevent violations of integrity, but simply report that data integrity can no longer be assumed. Intrusion Detection Systems (IDSs) attempt to detect intrusion and attacks through analyzing events in computer systems or networks. IDSs can be classified as being based on anomaly detection or misuse detection depending on how they analyse data.

Misuse detection systems detect known attacks using attack patterns and signatures known a priori, while anomaly detection systems detect attacks by observing deviations from normal behaviour of the system, network, or users (Amini and Jalili, 2004). Some early research on IDSs explored neural nets for intrusion detection. These can be used only after training on normal or attack behaviours, or a combination of the two. Both supervised and unsupervised neural nets have been used. Most supervised neural net architectures require retraining to improve analysis on varying input data, but unsupervised nets, which offer greater adaptability, can improve their analysis capability dynamically.

Evaluation

The three approaches to intrusion detection are tested with a subset of the publicly available KDD-99 cup data. The KDD datasets are a public collection of different types of data led by the ACM Special Interest Group on Knowledge Discovery and Data Mining (Eskin, 2002, pp. 96-105). The data which are relevant for intrusion detection and network security were published under the KDD 99 heading (for other datasets and KDD approaches, respectively). This dataset contains a wide variety of intrusions simulated in a military network environment and is a de facto dataset for benchmarking and evaluating IDS tools.

The Sample

To evaluate the accuracy of the proposed methodologies, 1200 random cases of the 42 features (variables) contained in KDD-99 were used. Table 1 presents some descriptive statistics of these 42 features. A feature that has zero variability (standard deviation) is not used in the analysis, as indicated by 'out' in the last column of Table 1. Finally, only 30 features were used in the analysis, indicated by 'in'. It should be highlighted that the indicator of 'bad' connections, designating intrusions or attacks, and 'good' normal connections, is given by variable V42. The sample contains 1013 normal connections (84.5%) and 187 intrusions (15.6%).
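
The screening step described above, sketched as an added example that is not code from the original paper: it marks each feature 'in' or 'out' by its standard deviation and counts good versus bad connections. The six-feature sample is constructed, and coding symbolic features as integers and treating the label `normal.` as a good connection are assumptions.

```python
import csv
import io
import statistics

# Constructed sample in KDD-99 style, reduced to 6 features plus the label
# (the page calls the label column V42). Values are illustrative only.
SAMPLE = """duration,protocol_type,src_bytes,land,num_outbound_cmds,count,label
0,tcp,181,0,0,8,normal.
0,tcp,239,0,0,8,normal.
0,icmp,1032,0,0,511,smurf.
2,tcp,235,0,0,3,normal.
0,icmp,1032,0,0,511,smurf.
0,tcp,0,0,0,123,neptune.
"""

def load(text):
    """Parse CSV text into a list of {column: value} records."""
    return list(csv.DictReader(io.StringIO(text)))

def as_numbers(values):
    """Parse numeric columns; give symbolic ones integer codes (assumption)."""
    try:
        return [float(v) for v in values]
    except ValueError:
        codes = {}
        return [float(codes.setdefault(v, len(codes))) for v in values]

def screen_features(rows, label="label"):
    """Return {feature: (status, std)}; zero standard deviation means 'out'."""
    result = {}
    for name in rows[0]:
        if name == label:
            continue
        std = statistics.stdev(as_numbers([r[name] for r in rows]))
        result[name] = ("out" if std == 0 else "in", std)
    return result

def class_balance(rows, label="label"):
    """Count 'good' (normal.) and 'bad' (any attack label) connections."""
    normal = sum(1 for r in rows if r[label] == "normal.")
    return {"normal": normal, "intrusion": len(rows) - normal}

if __name__ == "__main__":
    rows = load(SAMPLE)
    for name, (status, std) in screen_features(rows).items():
        print(f"{name:20s} std={std:10.3f} {status}")
    print(class_balance(rows))
```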



Cluster Analysis

Table 2 presents the results from the application of three different cluster analysis methods: (1) between-groups linkage cluster method and Pearson's correlation coefficient distance measure; (2) Ward's cluster method and Pearson's correlation coefficient distance ...