Intrusion Detection By Using Neural Networks

Posted on: 2008-05-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: G S Liu
Full Text: PDF
GTID: 1118360245461904
Subject: Computer system architecture

Abstract/Summary:
Since the 1980s, research on the theory and applications of artificial neural networks has been a hot topic in science and engineering. In this very important research branch of computational intelligence, many achievements have been obtained during the last two decades. Neural networks have special structures and principles for knowledge representation and information processing, and these merits have led to distinguished developments in many application domains.

With the development of the Internet, more and more attention has been drawn to network security, which has also become an attractive focus for many researchers. As networks grow in scale and intrusive behaviors grow more complex, conventional network security technologies, which aim at defence, can no longer fulfill the new requirements. Active protection technologies have therefore come into being to tackle this problem, the most important of which is intrusion detection.

Research on applying neural networks to intrusion detection has attracted more and more attention from researchers worldwide. Combining the advantages of neural networks with the practical characteristics of intrusion detection, many new detection approaches can be constructed. Studying this combination can not only extend the application fields of neural networks, but also yield considerable social and economic benefits. The main contributions of the dissertation are as follows:

(1) Using PCA neural networks (PCANN) to study intrusion detection. Combining the properties of PCA for feature extraction and dimensionality reduction, the classifier design methods are described in detail, including the parameter setting methods of the PCANN-based classifier. After analyzing the shortcomings of a single-layer network structure for intrusion detection, a hierarchical detection model based on APEX PCANN, namely HPCANN, is proposed, which can be applied to both anomaly detection and misuse detection. Meanwhile, the performance of different detectors is analyzed using different distance metrics under different data distribution scenarios. A modified adaptive GHA PCANN, which is able to approach the intrinsic dimension of the input data, is used for intrusion detection. This method does not require a predefined dimension parameter for the principal subspace of a PCANN-based classifier. To avoid setting a detection threshold for a single classifier, a multi-classifier competitive model is presented, based on the competition among the local PCA feature patterns.

(2) Using Self-Organizing Map (SOM) neural networks and their auto-clustering ability to study intrusion detection. The feature pattern of each SOM unit is constructed using the PCA feature extraction method, and a simplified PCASOM model is proposed. An online learning algorithm is also given and its properties are analyzed. By analyzing the general flow of unsupervised clustering analysis, a cluster labelling method based on confidence factors is given.

(3) Using neural gas (NG) neural networks to study intrusion detection. By analyzing the limitations of NG networks with a static architecture, a simple growing NG (SGNG) algorithm is proposed, and the pattern characterizing method of a one-class classifier is also described. The SGNG can be used for supervised anomaly detection by constructing the normal profile. In order to adapt to the data distributions in the input space, a principal component neural gas (PCNG) clustering method is proposed together with its online learning algorithm. Some simulations are carried out based on the PCNG algorithm.

(4) Developing an intrusion detection system (IDS) in an actual network environment. The dissertation describes in detail how to design a real IDS. The proposed IDS model includes two parts: a multiple neural networks based IDS (MNNIDS) model for detecting outside intruders, and an address resolution protocol (ARP) based scheme to detect and prevent inside intruders and to control the limited access between legal hosts in a local area network (LAN). The functions and properties of MNNIDS using multiple neural networks are analyzed. The second, ARP-based part of the actual IDS is designed and implemented in detail.
Keywords/Search Tags: intrusion detection, PCA neural networks, SOM neural networks, neural gas networks, access control