Please use this identifier to cite or link to this item: http://localhost:8081/xmlui/handle/123456789/13168
Title: ANN BASED NETWORK INTRUSION DETECTION SYSTEM
Authors: Thomas, Seby
Keywords: ELECTRICAL ENGINEERING
Issue Date: 2005
Abstract: The rapid proliferation of the Internet and our dependence on networks in all domains of life have made us more vulnerable to breaches of internet/network security. It is difficult to prevent such attacks by security policies, firewalls or other mechanisms alone, as operating system and application software are known to contain weaknesses or bugs. Attackers continually exploit these loopholes in network protocols and software components. Intrusion detection systems are designed to detect such attacks that inevitably occur despite security precautions. An attack on a network is considered an abnormal activity. It is this underlying assumption that is critical in detecting an attack in an anomaly based detection technique, whereas misuse detection identifies a pending attack based on its prior knowledge of attack signatures. In this dissertation work, an amalgamation of both misuse and anomaly based detection techniques, employing their individual strengths in detecting attacks, is proposed using a Hybrid Neural Network in which the output of Kohonen's Self Organized Map provides input to a feed forward neural network. Data from the DARPA 1999 Intrusion Detection Evaluation data set created by MIT Lincoln Laboratory (approximately 10 GB in size) was used for training and testing of the prototype. The system prototype designed is a network based intrusion detection system that scrutinizes tcpdump data on a source-by-source basis in a time window to develop windowed traffic behavioral trends. It is assumed that the evidence of an attack lies within the packets and can be identified either by individual analysis of a packet in some cases or by ascertaining the attacker's intention by analyzing a sequence of packets in a time window frame. The core detection engine of our system is based on an anomaly based detection technique, which detects attacks by sensing deviations from its learned normal trait.
The abnormality is self-learned by the system by way of Kohonen based self-organizing mapping techniques. The clustering mechanism maps the windowed traffic trend of individual machines to clusters indicative of behavior patterns based on features extracted from network activity. The features extracted are decisive in forming abnormal clusters in its outliers. Data mining skills are applied to compute statistical trends and features that are flagged by the presence of attack signatures. The features presented to the clustering mechanism reflect the behavioral trend of the source machine in communication with the victim in terms of both statistical features and flags indicative of attack signatures. The clusters so formed during training are learned as normal or abnormal by the neural network. The supervised training of the neural network is carried out by means of the labeled tcpdump data using the Levenberg-Marquardt algorithm for back propagation. The work inv
URI: http://hdl.handle.net/123456789/13168
Other Identifiers: M.Tech
Research Supervisor/Guide: Sharma, J. D.; Vasantha, M. K.
Type: M.Tech Dissertation
Appears in Collections: MASTERS' THESES (Electrical Engg)

Files in This Item:
File: G12340.pdf
Size: 6.37 MB
Format: Adobe PDF


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.