volume of false positives. For this reason, the literature proposes the integration of
pairs of methods in order to achieve better performance [3], [4].
This work proposes an approach that integrates the results of multiple correlation
methods, not just a pair. This multiple integration was performed using an artificial
neural network (ANN), specifically the Growing Neural Gas (GNG) network [5]. We
use the GNG network because of its clustering capabilities. Moreover, we have taken
into account the performance or efficiency of the methods, so that the integration
process is conditioned by the best methods.
Having reviewed the state of the art in related subjects (ch. 2), we present our
proposal, which covers the metric used to evaluate the correlation systems and the
integration method (ch. 3); subsequently, a test scenario is built using several
correlation systems and the GNG, and the evaluation of the proposal is shown (ch. 4);
finally, the main conclusions derived from the research, as well as appropriate lines
for future investigation, are presented (ch. 5).
2 Related Works
ANNs are among the most widely used techniques in IDS, because neural networks
have shown themselves to be powerful classifiers with tremendous generalization and
learning ability. In addition, the use of ANNs for IDS is based on their flexibility
and adaptation to natural changes which may occur in the environment, and
particularly on their ability to detect patterns of unknown attacks [6].
Unsupervised learning techniques such as the self-organizing map (SOM) algorithm
have been used to cluster the content of network packets. Others, such as the
multilayer perceptron (MLP) with the backpropagation learning algorithm, have been
used to recognize host attacks, with analysis based on both logs and system calls [7].
The research carried out by [8] presents a neural network-based intrusion detection
method for internet-based attacks on a computer network. In particular, feedforward
neural networks with the backpropagation training algorithm were employed in this
study. The experiments on real data showed promising results for the detection and
prediction of intrusions.
In [9] an integrated IDS using multiple ANNs is developed. The approach used in
that work combines two component neural networks, growing neural gas and
self-organizing map. An important feature of this system is that it can be adapted
to both anomaly and misuse detection for intrusive outsiders.
In the work carried out by [6], nine IDS based on ANNs were implemented and tested
with several experiments and topologies. An important result of this research is
that, on average, the neural networks provided very good results; in some cases,
detection rates of 99.60% are achieved.
Scenario-specification correlation methods define whole scenarios using an attack
description language and model the correlation process as a pattern recognition
problem [10], [11]. These systems have very favorable results in terms of detection
capabilities: they have a high probability of recognizing the scenarios stored in
the database and rarely produce false positives. However, they have limitations,
such as the time needed to encode the scenarios and, above all, their inability to
detect new scenarios not specified in the database [3].