Application of Neural Networks to Recognize Computer Identity Hijacking

Nick Pongratz
University of Wisconsin - Madison
Math 340 - Professor Amir Assadi
Spring 2001

INTRODUCTION

The rapid growth of computer networks is obvious.  Companies are setting up
shop on the Internet and consumers are increasingly turning to the Web for
their shopping and information gathering.  The Internet - a public
communication tool - scratches the surface, however.  Private networks
abound: intranets, extranets, WANs, LANs, MANs.  Networking is becoming so
entrenched in our society that pretty soon devices such as our toasters will
be part of Home Area Networks.  

With this growth comes an increased (and often frantic) need for
security.  No company wants its assets stolen, and no one wants to come home
to a burned-down house because a script kiddie from the other side of the
world decided a toaster would be fun to crack.

One very important component of computer/network security is an intrusion
detection system (IDS).  An IDS by itself does not prevent security
breaches, but rather detects illegitimate use by monitoring unusual
activity.  This unusual activity can take an infinite number of forms.  The
recent, costly denial-of-service (DoS) attacks against Yahoo, eBay, and
Buy.com are considered "illegitimate use."

Currently, most IDSs monitor a system by looking for specific
"signatures" of behavior.  However, using current methods, it is almost
impossible to develop a database comprehensive enough to warn of
attacks, for three main reasons.  First, these signatures must be
hand-coded.  Attack signatures that are already known are coded into a
database, against which the IDS checks current behavior.  This system
may be imagined as being very rigid.  Second, because there is a
theoretically infinite number of attack methods and variations, an
infinitely large database would be required to detect all possible
attacks.  This, of course, is not feasible, and any attack that is not
included in the database has the potential to cause great harm.  Third,
current methods are likely to raise many false alarms.  So
not only do novel attacks succeed, but legitimate use can actually be
discouraged.

Enter neural networks.

The beauty of a neural network intrusion detection system (NNIDS) is that a
neural network is not limited to the knowledge held by its
programmer.  Neural nets learn from prior user behavior.  Therefore, using a
neural net in an IDS is much more efficient and adaptable to each user.

There are disadvantages, of course.  The greatest disadvantage is that if
the NNIDS learns from behavior that is mostly illegitimate, the NNIDS will
only flag legitimate behavior.  Therefore permissions must be set up
correctly before an NNIDS is allowed to learn.

There are many ways an NNIDS may be implemented.  An NNIDS could be made to
analyze an extremely large variety of data, including data passing over
network ports, user input on the command line, and data being changed in
memory, to name a few.  A complete NNIDS would incorporate the monitoring of
every process of every system, an extremely large task.

The simple NNIDS for this project is based on that used by Ryan, Lin, and
Miikkulainen (1998).  The NN in this project analyzes the input of 5
theoretical users on a theoretical network consisting of 5 theoretical
computers running a theoretical UNIX-like operating system (OS).  Due mostly
to time constraints and available data, this project will only analyze user
behavior, looking for anomalies that would indicate the possible hijacking
of a user's account.  

Specifically, the NN in this project trains by first analyzing the commands
that a user enters on the command line.  When someone logs on, the NNIDS
analyzes the current user's command-line habits.  This NNIDS
would be part of a program run at the end of the day (off-line) by
a system administrator to compare the user's logged sessions with their
normal pattern of operation.  The administrator is then notified wherever
there is a sufficient difference.

The three phases for building this NNIDS will shadow those used by Ryan, et
al. (1998):

  1- Collect training data: obtain audit logs for each user for a period of
several days.  For each day and user, form a vector that represents how
often the user executed each command.

  2- Training: train the neural network to identify the user based on these
command distribution vectors.

  3- Performance: let the network identify the user for each new command
distribution vector.  If the network's suggestion is different from the
actual user, or if the network does not have a clear suggestion, signal an
anomaly.
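The three phases carried through end to end, as an added example that is not part of this project or of Ryan et al.'s code: the audit records are constructed, and a single-layer softmax network trained by plain gradient descent stands in for a backpropagation network (an assumption made so the example runs with no library beyond the standard one).

```python
import math
from collections import Counter

# Constructed audit records for this example: (user, day, commands run that day).
# Only command names are kept, never their arguments, as the write-up requires.
AUDIT = [
    ("alice", 1, ["ls", "vi", "make", "gcc", "make", "gcc", "ls", "vi", "make", "gcc"]),
    ("alice", 2, ["vi", "ls", "gcc", "vi", "make", "gcc", "ls", "vi", "make", "gcc"]),
    ("bob",   1, ["ls", "mail", "lpr", "cat", "lpr", "cat", "ls", "mail", "lpr", "cat"]),
    ("bob",   2, ["mail", "ls", "cat", "mail", "lpr", "cat", "ls", "mail", "lpr", "cat"]),
]
COMMANDS = sorted({c for _, _, cmds in AUDIT for c in cmds})
USERS = sorted({u for u, _, _ in AUDIT})

def distribution(cmds):
    """Phase 1: fraction of a session's commands spent on each known command."""
    counts = Counter(cmds)
    return [counts[c] / len(cmds) for c in COMMANDS]

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    return [v / sum(e) for v in e]

def predict(W, x):
    """One output unit per user; the last weight in each row is the unit's bias."""
    return softmax([sum(w * xi for w, xi in zip(row, x + [1.0])) for row in W])

def train(epochs=300, lr=1.0):
    """Phase 2: gradient descent on cross-entropy loss over the per-day vectors.
    Weights start at zero, so the result is deterministic (no random seed needed)."""
    W = [[0.0] * (len(COMMANDS) + 1) for _ in USERS]
    data = [(USERS.index(u), distribution(c)) for u, _, c in AUDIT]
    for _ in range(epochs):
        for y, x in data:
            p = predict(W, x)
            for k in range(len(USERS)):
                g = p[k] - (1.0 if k == y else 0.0)   # dLoss/dlogit_k
                for j, xj in enumerate(x + [1.0]):
                    W[k][j] -= lr * g * xj
    return W

def check_session(W, actual_user, cmds, threshold=0.8):
    """Phase 3: signal an anomaly if the network names a different user than the
    one logged in, or if no output unit is confident enough to be a clear suggestion."""
    p = predict(W, distribution(cmds))
    best = max(range(len(USERS)), key=lambda k: p[k])
    anomaly = USERS[best] != actual_user or p[best] < threshold
    return anomaly, USERS[best], round(p[best], 3)
```

The 0.8 confidence threshold is an assumed value.  A session logged under alice but made up of bob's commands is flagged because the network names bob, and a session consisting only of the shared command `ls` is flagged because neither output unit reaches the threshold.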

It should be stressed that this system is not designed for real-time
use.  That would require a different system and would likely use much more
computational power than an off-line system.  It should also be noted that
this system only evaluates the commands executed from the command line.  User
privacy is protected because the data that is analyzed does not include the
arguments passed to the command.

Based on what I have read so far, I am of the opinion that an NNIDS must not
be the only form of security applied to a network.  It is by no means
perfect.  But by complementing existing security systems and processes, it
is possible that a much more reliable and secure system may be made.


RELATED READING

Tan, Kymie.  1995.  The Application of Neural Networks to UNIX Computer
Security.  http://citeseer.nj.nec.com/tan95application.html

Cannady, James.  1998.  Artificial Neural Networks for Misuse
Detection.  http://citeseer.nj.nec.com/cannady98artificial.html

Ryan, Jake, Meng-Jang Lin, and Risto Miikkulainen.  1998.  Intrusion
Detection with Neural Networks.
http://citeseer.nj.nec.com/ryan98intrusion.html

Frank, Jeremy.  1994.  Artificial Intelligence and Intrusion
Detection: Current and Future Directions.
http://citeseer.nj.nec.com/frank94artificial.html