
An Intrusion Detection System using Kohonen's neural network maps


Neural Calculus class
Rotovei Doru
Master of Computer Science
2003 - 2004
Abstract
I present here an intrusion detection study using Kohonen's self-organizing
maps (SOM). Kohonen's method emulates unsupervised learning in an
elegant and extremely simple manner. Recently his ideas were studied in the
context of Intrusion Detection Systems (IDS). The term intrusion is used to
describe attacks from the outside, and this paper tries to present how IDSs
can be built based upon Kohonen's SOM. The ideas discussed here were
implemented in a prototype Java application for an intrusion detection system
based on users' behavior patterns.

Introduction

Intrusion detection is needed in today's computing environment because it is impossible to keep pace with the current and potential threats and vulnerabilities
in our computing systems. The environment is constantly evolving and changing, fueled by new technology and the Internet. To make matters worse, threats
and vulnerabilities in this environment are also constantly evolving. Intrusion detection products are tools to assist in managing threats and vulnerabilities in this
changing environment.
Vulnerabilities are weaknesses in the systems. Vulnerabilities can be exploited
and used to compromise the computer system. New vulnerabilities are discovered
all of the time. Every new technology, product, or system brings with it a new generation of bugs and unintended conflicts or flaws. Also, the possible impacts of
exploiting these vulnerabilities are constantly evolving. In a worst-case scenario, an
intrusion may cause production downtime, sabotage of critical information, theft
of confidential information, cash, or other assets, or even negative public relations
that may affect a company's stock price.
Intrusion detection products are tools that can assist in protecting a company
from intrusion by expanding the options available to manage the risk from threats
and vulnerabilities. Intrusion detection capabilities can help a company secure its
information. The tool could be used to detect an intruder, identify and stop the
intruder, support investigations to find out how the intruder got in, and stop the
exploit from being used by future intruders. The correction should be applied across the
enterprise to all similar platforms. Intrusion detection products can become a very
powerful tool in the information security practitioner's tool kit. The study presented here shows how such IDSs can be built using neural network algorithms
and especially Kohonen's self-organizing maps.
In the second part I will present the state of the art, and in the third one I will
present an introduction to Kohonen's SOMs and the idea behind my Java application prototype. At the end I add my own conclusions.

State of the art

Intrusion Detection Systems based on Neural Networks have become a new challenge in
recent years because of their great potential for learning and adapting in real time
to new information and threats. Only a few articles treat this problem; they are
described in the following state of the art.
In [3] it is described how Evolutionary Programming can be used to detect intrusions inside a computer system. The purpose is to detect stealthy intrusions in
the system, which means intrusions that avoid detection by current Intrusion Detection Systems. This is a problem for current IDSs because most of them use a
signature-based approach to detect attacks. If an existing signature pattern does not match
a new attack, or if an existing attack can be changed to avoid being detected by the
signature, then obviously the attack is not detected. Evolutionary algorithms are
all very similar in that they use the model of the biological process of evolution as
a framework for the algorithm. The article describes how the evolutionary programming technique generates finite state machines capable of matching or detecting
an input attack string.
Like in the previous article, in [4] an evolutionary approach is used for detecting attacks. The difference here is that the authors use two different approaches
to detect intrusions. The first one uses finite state transducers to examine packets
coming across the network, to determine if any particular sequence contains an attack. This type of detection provides the ability to define patterns of known attacks
and their variations or modifications. The second approach uses Pareto-based multiobjective optimization. The results showed that the first method is significantly
faster than the second one.
[6] shows how Self-Organizing Maps can be used to detect computer system
intrusions. Unlike other approaches, this article uses host session information in
contrast to methods based on operating system audit log files. Two
methods to detect intrusions are described: the first uses a FIFO shift register approach in which
each additional event causes the contents of the FIFO to shift along one position,
so this method doesn't use a time stamp; the second method provides a time stamp
for each event and uses a different method to process the input of the first level of
the SOMs.
Several neural network algorithms are used in [8] to analyze the sequence
of system calls and to detect intrusions into the system. By using two different
encoding techniques (binary and decimal representation) this article shows that the
neural networks generate high true-positive rates and very low false-positive rates, and
therefore they are a good candidate for future IDSs.
In [7] two kinds of IDSs are presented. The first one is constructed using
neural networks, and the second one is constructed using support vector machines.
The performance of these two is tested. It is observed that both the neural network
and the SVMs deliver accurate results, but the training time for SVMs is significantly
shorter, an advantage that becomes rather important in situations where retraining
needs to be done quickly.

The implementation idea

3.1 The main idea


The most popular way to detect intrusions is by using the audit data generated
by the operating system. Since almost all activities are logged on a system, it
is possible that a manual inspection of these logs would allow intrusions to be
detected. It is important to analyze the audit data even after an attack has occurred
to determine the extent of damage sustained; this analysis also helps in tracking
down the attackers and in recording the attack patterns for future detection. A
good IDS that can be used to analyze audit data for such insights makes a valuable
tool for information systems.
All operations made on a computer system are recorded in an audit log file.
The events (system activities) are recorded chronologically as a letter chain. That's
why we can consider an audit log file as one big letter chain. This big chain can be
cut into constant-length sub-chains (activity pattern sub-chains).
Every pattern corresponds to an elementary behavior of a user. The idea behind anomaly detection is to establish each user's normal activity profile (pattern), and to flag deviations from the established profile as possible intrusion
attempts.
When an intruder bypasses the security policy and pretends to be an inside
user, the IDS alerts the administrator. This is a realistic scenario because an intruder
uses the system in a completely different manner from the real user.
An intruder connects to the system at an uncommon hour, frequently uses
directory-changing commands, never uses the user's favorite program, etc. On the
other hand, a real user who tries to bypass the security policy assigned to him
connects in the night, executes programs that he usually never uses, will have many
audit system records, will use a printer that he usually never uses, etc.
By this deviation of behavior, the Kohonen SOM based Intrusion
Detection System can identify an intruder.

3.2 Kohonen's map and my IDS implementation in Java


The Kohonen neural network contains only an input and an output layer of neurons.
There is no hidden layer in a Kohonen neural network like there is in a feed-forward neural network.
The input to a Kohonen neural network is given to the network through
the input neurons. These input neurons are each given the floating point numbers
that make up the input pattern to the network. Presenting an input pattern to the
network will cause a reaction from the output neurons.
As all log files essentially contain characters, I made my application recognize some character patterns in these log files. So, the input neurons are actually
letters of the alphabet. I used all 26 capital letters of the English alphabet (that means
the letters from A to Z). These letters are generated as a random number c between
1 and 26. After that these letters are normalized into the [0..1] interval using the
formula x = c/26. The normalized values form the input neuron layer of the
network.
As I described in the previous subsection, I considered that the log file could
be cut into sub-chains from which the IDS can identify the user's patterns. In
my tests I mostly used sub-chains of 7 (normalized) letters as input patterns
(considered as words).
The output of a Kohonen neural network is very different from the output of
a feed-forward neural network. In a Kohonen neural network only one of the
output neurons actually produces a value. Additionally, this single value is either
true or false. When the pattern is presented to the Kohonen neural network, one
single output neuron is chosen as the output neuron. Therefore, the output from
the Kohonen neural network is usually the index of the neuron that fired.
To be operative, the network must be trained. The Kohonen neural network's
training process is unsupervised, which means that the network tries to find
the patterns from the training set by itself. The training set, because I did not have a truly real-world
log file, consists of 100 random words (usually of 7 letters) which are presented to
the network.
There are several steps involved in this training process. Overall, the process
for training a Kohonen neural network involves stepping through several epochs
until the error of the Kohonen neural network is below an acceptable level.
The training process for the Kohonen neural network is competitive. For each
training pattern one neuron will win. This winning neuron will have its weights adjusted so that it will react even more strongly to the same input the next time. As different neurons win for different patterns, their ability to recognize that particular
pattern will be increased.
The testing procedure follows the training process. I compose a new
word with the same number of letters as in the training set and I give it to the
network. If the network's reaction is below a user-fixed threshold, the intrusion
alarm is activated. Why? Because if the network's response is below the threshold,
this means that the user's behavior is far from the learned pattern. The reason could be
an intruder who pretends to be the real user, or the user executing
something that he usually does not.
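As an added illustration (not the paper's Java prototype, whose source is not given here), the following Python reimplements the scheme described in this section: letters A..Z encoded as c/26, 7-letter sub-chains as input patterns, competitive winner-takes-all training on a constructed set of 100 words, and an alarm when the network's response falls below a fixed threshold. The training vocabulary, the 12-neuron output layer, the Euclidean response measure and the 0.9 threshold are my assumptions.

```python
import math
import random

ALPHABET = 26  # the paper's input symbols are the capital letters A..Z
WORD_LEN = 7   # length of the audit-log sub-chains used as input patterns

def encode(word):
    """Map each capital letter c in 1..26 to c/26, the paper's normalization."""
    return [(ord(ch) - ord("A") + 1) / ALPHABET for ch in word.upper()]

class KohonenIDS:
    """Input layer of WORD_LEN normalized letters, competitive output layer."""
    def __init__(self, n_outputs, seed=7):
        rng = random.Random(seed)
        self.weights = [[rng.random() for _ in range(WORD_LEN)]
                        for _ in range(n_outputs)]

    def winner(self, x):
        """The single output neuron that fires: the one closest to the input."""
        dists = [math.dist(w, x) for w in self.weights]
        idx = min(range(len(dists)), key=dists.__getitem__)
        return idx, dists[idx]

    def train(self, words, epochs=50, rate=0.3):
        """Winner-takes-all training; the learning rate decays each epoch."""
        for epoch in range(epochs):
            lr = rate * (1.0 - epoch / epochs)
            for word in words:
                x = encode(word)
                idx, _ = self.winner(x)
                self.weights[idx] = [w + lr * (xi - w)
                                     for w, xi in zip(self.weights[idx], x)]

    def response(self, word):
        """Strength of the reaction in [0, 1]; 1.0 means the winner matches exactly."""
        _, dist = self.winner(encode(word))
        return 1.0 - dist / math.sqrt(WORD_LEN)

    def is_intrusion(self, word, threshold):
        """Alarm when the reaction falls below the administrator's threshold."""
        return self.response(word) < threshold

if __name__ == "__main__":
    # Constructed stand-in for a real user's audit log: four habitual 7-letter
    # activity patterns, sampled 100 times like the paper's training set.
    rng = random.Random(1)
    habits = ["LOGINCD", "CDEDITQ", "MAILCDX", "PRINTLS"]
    training = [rng.choice(habits) for _ in range(100)]
    ids = KohonenIDS(n_outputs=12)
    ids.train(training)
    for word in ["LOGINCD", "RMRFDEL"]:  # a habitual word and a deviant one
        print(word, round(ids.response(word), 3), ids.is_intrusion(word, 0.9))
```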

Conclusions

The tests that I made showed that this idea is plausible, but as I did not have a real log
file to test with, I cannot claim that the results are particularly relevant. Anyway,
a few questions I still have:
What is the difference between AAB and BAA?
What happens if the user really changes his position in the company (e.g.
he is promoted and in this case his behavior and duties are different)?
What about the false positive and false negative alarms? What are the true
values of the neural network parameters and weights for it to be really operative?
I cannot answer these questions at this moment, as I did not have enough time and resources to check them. The main purpose of my study was to show how Kohonen's
SOMs could be used in building Intrusion Detection Systems and to show,
by building my own application, that it is a realistic idea and a good solution.

References
[1] D. Dumitrescu, Hariton Costin. Inteligenta artificiala. In Retele neuronale:
teorie si practica. Teora, Bucuresti, 1996.
[2] Dr. M. Turban, Tury Taner. Kohonen's self organising networks with conscience. In Kohonen's Self Organizing Maps and their use in Interpretation,
November 1997.
[3] Kevin P. Anchor, Gary B. Lamont, Gregg H. Gunsch. An Evolutionary Programming Approach for Detecting Computer Networks Attacks. In Proceedings of the 2002 Congress on Evolutionary Computation, pages 1027-1032.
Piscataway, NJ: IEEE Service Center, 2002.
[4] Kevin P. Anchor, Jesse B. Zydallis, Gregg H. Gunsch, Gary B. Lamont.
A Multiobjective Evolutionary Approach for Detecting Computer Networks
Attacks.
[5] Ludovic Me, Veronique Alanou, Jorg Abraham. Utilisation de cartes de
Kohonen pour detecter des intrusions dans un systeme informatique: une
pre-etude.
[6] Peter Lichodzijewski, A. Nur Zincir-Heywood, Malcolm I. Heywood. Host-Based Intrusion Detection Using Self-Organizing Maps. In Proceedings of
the 2002 IEEE World Congress on Computational Intelligence.
[7] Srinivas Mukkamala, Guadalupe Janoski, Andrew Sung. Intrusion Detection
Using Neural Networks and Support Vector Machines. In Proceedings of the
IEEE International Joint Conference on Neural Networks, pages 1702-1707.
IEEE Computer Society Press.
[8] Zhen Liu, German Florez, Susan M. Bridges. A Comparison of Input
Representations in Neural Networks: A Case Study in Intrusion Detection.
