Introduction
Intrusion detection is needed in today's computing environment because it is impossible to keep pace with the current and potential threats and vulnerabilities
in our computing systems. The environment is constantly evolving and changing, fueled by new technology and the Internet. To make matters worse, threats
and vulnerabilities in this environment are also constantly evolving. Intrusion detection products are tools to assist in managing threats and vulnerabilities in this
changing environment.
Vulnerabilities are weaknesses in the systems. Vulnerabilities can be exploited
and used to compromise the computer system. New vulnerabilities are discovered
all of the time. Every new technology, product, or system brings with it a new generation of bugs and unintended conflicts or flaws. Also, the possible impact of
exploiting these vulnerabilities is constantly evolving. In a worst-case scenario, an
State of art
tiobjective optimization. The results showed that the first method is significantly
faster than the second one.
[6] shows how Self-Organizing Maps can be used to detect computer system
intrusions. Unlike other approaches, this article uses host session information rather
than operating system audit log files. Two methods of detecting intrusions are
described: the first uses a FIFO shift register approach in which each additional
event causes the contents of the FIFO to shift along one position, so this method
does not use a time stamp; the second method provides a time stamp for each event
and uses a different method to process the input of the first level of the SOMs.
Several neural network algorithms are used in [8] to analyze the sequence
of system calls and to detect intrusions into the system. Using two different
encoding techniques (binary and decimal representation), this article shows that the
neural networks generate high true-positive rates and very low false-positive rates,
and for this reason they are a good candidate for future IDSs.
Two kinds of IDSs are presented in [7]. The first one is constructed using
neural networks, and the second one is constructed using support vector machines.
The performance of the two is compared. It is observed that both the neural network
and the SVMs deliver accurate results, but the training time for SVMs is significantly
shorter, an advantage that becomes rather important in situations where retraining
needs to be done quickly.
the patterns from the training set. The training set, because I hadn't a truly real
world log file, consists of 100 random words (usually of 7 letters) which are presented to
the network.
There are several steps involved in this training process. Overall, the process
for training a Kohonen neural network involves stepping through several epochs
until the error of the Kohonen neural network is below an acceptable level.
The training process for the Kohonen neural network is competitive. For each
training pattern one neuron will win. This winning neuron will have its weights adjusted so that it reacts even more strongly to the same input the next time. As different neurons win for different patterns, their ability to recognize that particular
pattern will be increased.
After the training process follows the testing procedure. I compose a new
word with the same number of letters as in the training set and I give it to the
network. If the network reaction is below a user-fixed threshold, the intrusion
alarm is activated. Why? Because if the network response is below the threshold,
this means that the user behavior is far from the learned pattern. The reason
could be an intruder who pretends to be the real user, or the user executing
something that he usually does not.
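The training and testing procedure just described, as an added, self-contained illustration (this is not the author's own application). It assumes a 4x4 map, an encoding of each letter as a value in [0,1], a response measure of 1 minus the distance to the winning neuron scaled by the diameter of the input space, and a threshold of 0.6; all of these are assumptions. The 100 training words are constructed from a narrow alphabet so that they stand in for one user's habitual behaviour, and a word drawn from a distant part of the alphabet plays the role of behaviour far from the learned pattern.

```python
import math
import random

WORD_LEN = 7   # the paper trains on 7-letter words
GRID = 4       # 4x4 map of neurons (assumed size, not taken from the paper)


def encode(word):
    """Map a 7-letter word to a point in [0,1]^7 (assumed encoding: a=0 ... z=1)."""
    word = word.lower()
    assert len(word) == WORD_LEN and word.isalpha()
    return [(ord(c) - ord('a')) / 25.0 for c in word]


def distance(a, b):
    """Euclidean distance between two vectors of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class KohonenSOM:
    def __init__(self, samples, grid=GRID, rng=None):
        self.rng = rng or random.Random(0)
        self.grid = grid
        # Start every neuron at a copy of a random training vector so the map
        # begins inside the region the data occupies.
        self.weights = [list(self.rng.choice(samples)) for _ in range(grid * grid)]

    def _pos(self, idx):
        return divmod(idx, self.grid)

    def bmu(self, x):
        """Index of the winning neuron: the one whose weights lie closest to x."""
        return min(range(len(self.weights)), key=lambda i: distance(self.weights[i], x))

    def quantization_error(self, samples):
        """Mean distance from each sample to its winning neuron."""
        return sum(distance(self.weights[self.bmu(x)], x) for x in samples) / len(samples)

    def train(self, samples, max_epochs=50, tol=0.15, lr0=0.5, radius0=2.0):
        """Competitive training: the winner and its grid neighbours move toward
        the input. Runs epochs until the error drops below tol or the epoch
        limit is hit. Returns the number of epochs actually run."""
        for epoch in range(max_epochs):
            frac = epoch / max_epochs
            lr = lr0 * (1.0 - frac)                    # learning rate decays to 0
            radius = max(radius0 * (1.0 - frac), 0.5)  # neighbourhood shrinks
            order = list(samples)
            self.rng.shuffle(order)
            for x in order:
                wr, wc = self._pos(self.bmu(x))
                for i, wt in enumerate(self.weights):
                    r, c = self._pos(i)
                    d2 = (r - wr) ** 2 + (c - wc) ** 2
                    h = math.exp(-d2 / (2.0 * radius ** 2))  # neighbourhood gain
                    for k in range(len(wt)):
                        wt[k] += lr * h * (x[k] - wt[k])
            if self.quantization_error(samples) < tol:
                return epoch + 1
        return max_epochs

    def reaction(self, x):
        """Network response in [0,1]: 1 means x coincides with its winning neuron,
        0 means it is as far away as the input space allows (assumed measure)."""
        d = distance(self.weights[self.bmu(x)], x)
        return max(0.0, 1.0 - d / math.sqrt(len(x)))


def random_word(rng, alphabet):
    return ''.join(rng.choice(alphabet) for _ in range(WORD_LEN))


def build_demo(seed=1):
    """Train a map on 100 constructed 7-letter words. To stand in for one user's
    habitual behaviour the words are drawn from a narrow alphabet (assumption)."""
    rng = random.Random(seed)
    train_words = [random_word(rng, 'abcdef') for _ in range(100)]
    samples = [encode(w) for w in train_words]
    som = KohonenSOM(samples, rng=rng)
    epochs = som.train(samples)
    return som, epochs


def check_word(som, word, threshold=0.6):
    """Testing step: raise the alarm when the response falls below the
    user-fixed threshold (0.6 is an assumed value)."""
    r = som.reaction(encode(word))
    return r, r < threshold


if __name__ == '__main__':
    som, epochs = build_demo()
    print('epochs run:', epochs)
    for w in ('deadbee', 'zyxwvuz'):
        r, alarm = check_word(som, w)
        print(f'{w}: reaction={r:.2f} alarm={alarm}')
```

Because every neuron is initialised from a training vector and each update moves a weight toward an input, the map never leaves the region the training words occupy; a word built from the same letters therefore sits close to some neuron and gives a high response, while a word from the far end of the alphabet gives a low one and trips the threshold.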
Conclusions
The tests that I made showed that this idea is plausible, but as I hadn't a real log
file to test with I cannot pretend that the results are considerably relevant. Anyway,
a few questions I still have:
What is the difference between AAB and BAA?
What happens if the user really changes his position in the company (e.g.
is promoted, in which case his behavior and attributions are different)?
What about the false positive and false negative alarms? What are the true
values of the neural network parameters and weights for it to be really operative?
To these questions I cannot answer at this moment, as I hadn't enough time and resources to check them out. The main purpose of my study was to show how Kohonen's
SOMs could be used in building Intrusion Detection Systems and to describe,
by building my own application, that it is a real idea and a good solution.
References
[1] Hariton Costin, D. Dumitrescu. Inteligenta artificiala. In Retele neuronale:
teorie si practica. Teora, Bucuresti, 1996.
[2] Tury Taner, Dr. M. Turban. Kohonen's self organising networks with conscience. In Kohonen's Self Organizing Maps and their use in Interpretation,
November 1997.
[3] Gregg H. Gunsch, Kevin P. Anchor, Gary B. Lamont. An Evolutionary Programming Approach for Detecting Computer Networks Attacks. In Proceedings of the 2002 Congress on Evolutionary Computation, pages 1027-1032.
Piscataway, NJ: IEEE Service Center, 2002.
[4] Gregg H. Gunsch, Kevin P. Anchor, Jesse B. Zydallis and Gary B. Lamont.
A Multiobjective Evolutionary Approach for Detecting Computer Networks
Attacks.
[5] Veronique Alanou et Jorg Abraham, Ludovic Me. Utilisation de cartes de
Kohonen pour detecter des intrusions dans un systemes informatiques: une
pre-etude.
[6] Malcom I. Heywood, Peter Lichodzijewski, A. Nur Zincir-Heywood. Host-Based Intrusion Detection Using Self-Organizing Maps. In Proceedings of
the 2002 IEEE World Congress on Computational Intelligence.
[7] Andrew Sung, Srinivas Mukkamala, Guadalupe Janoski. Intrusion Detection
Using Neural Networks and Support Vector Machines. In Proceedings of the
IEEE International Joint Conference on Neural Networks, pages 1702-1707.
IEEE Computer Society Press.
[8] German Florez, Zhen Liu and Susan M. Bridges. A Comparison of Input
Representations in Neural Networks: A Case Study in Intrusion Detection.