With the rapid expansion of computer networks, network security has become a crucial issue for modern computer systems. As an important and active defense technology, the intrusion detection system (IDS) plays an important role in defensive systems. IDSs provide real-time protection from interior attacks, exterior attacks, and invalid operations, and they can intercept intrusions and respond whenever the network system integrity is violated (Ma, 2004). Many intrusion detection approaches have been deeply researched and some widely deployed. But the diversification, complexity, and scale of intrusions raise new demands for IDSs. Neural networks are tolerant of imprecise data and uncertain information. With their inherent ability to generalize from learned data they seem to be an appropriate approach to IDSs (Hofmann, Schmitz, & Sick, 2003). This article discusses the detection of distributed denial-of-service (DDoS) attacks using artificial neural network techniques. The implementation of a distributed intelligent intrusion detection system (DIIDS) is described, including both the data processing technique and the neural network approaches adopted.
Intrusion Detection System
Many IDSs are based on the general model proposed by Denning (1987). This model is independent of platform, system vulnerability, and type of intrusion. It maintains a set of historical profiles for users, matches an audit record with the appropriate profile, updates the profile whenever necessary, and reports any attacks detected.
IDSs can be divided into two types: (1) host-based IDSs and (2) network-based IDSs. Host-based IDSs evaluate information found on a single or multiple host systems, including contents of operating systems, system logs and application files. Network-based IDSs evaluate information captured from network communications, by analyzing the stream of packets traveling across the network. Packets are captured through a set of sensors placed at strategic points in the network (Jean & Philippe, 2001).
Intrusion detection schemes can be classified into two general categories (Ghosh, 1999a): (1) misuse detection and (2) anomaly detection. Misuse detection techniques assume that all kinds of intrusion behavior can be described as specific patterns, thus allowing the identification of intrusive behavior by comparing current user activity with specific patterns that have been observed previously during an attack. The most significant advantage of misuse detection techniques is that known attacks can be detected fairly reliably and with a low false positive rate. However, the key limitation of misuse detection techniques is that they cannot detect novel attacks.
Anomaly detection techniques assume that all kinds of intrusion behavior differ from normal user activities. Any current user behavior sufficiently deviant from the normal user activities will be flagged as anomalous and hence considered as a possible attack. The most significant advantage of anomaly detection techniques is that they directly address the problem of detecting novel attacks against systems. However, the most notable disadvantage of anomaly detection techniques is their high false alarm rate.
In order to detect known attacks, subtle variations of known attacks, and novel attacks efficiently, IDSs should selectively combine aspects of both misuse detection techniques and anomaly detection techniques (Chen, 2004).
Key Terms in this Chapter
Intrusion Detection System (IDS): An IDS is a security system that monitors computer systems and network traffic. It analyzes the traffic for possible hostile attacks originating from outside the organization as well as for system misuse, and attacks originating from inside the organization.
Artificial Neural Networks: A type of artificial intelligence that attempts to imitate the way a human brain works. Rather than using a digital model, in which all computations manipulate zeros and ones, a neural network works by creating connections between processing elements, and the organization and weights of the connections determine the output.
Tribe Flood Network 2000 (TFN2K): This is a kind of DDoS attack. TFN2K uses a client/server mechanism where a client issues commands simultaneously to a set of TFN2K servers. The servers then conduct the DDoS attacks against the victim(s).
Adaptive Resonance Theory: This is a kind of neural network. The basic ART system is an unsupervised learning model and typically consists of a comparison field and a recognition field of neurons, a vigilance parameter, and a reset module. Several variants exist; ART2 supports continuous inputs.
Neural Network Expert System: Expert systems are an artificial intelligence application that uses a knowledge base of human expertise for problem solving. In a neural network expert system, the knowledge is encoded in the weights, and the artificial neural network generates inference rules.
Trinoo: This is a kind of DDoS attack. Trinoo is the attack server. Trinoo waits for a message from a remote system and, upon receiving the message, launches a DDoS attack against a third party.
Distributed Denial of Service Attack (DDoS): A DDoS attack is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or by overloading the computational resources of the victim system.
Back-Propagation Neural Network: This is a kind of feed-forward neural network. It consists of multiple layers of computational units and is fully interconnected between layers. Each neuron in one layer has directed connections to the neurons of the subsequent layer. It usually applies the sigmoid function as an activation function.
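As an added illustration of the Adaptive Resonance Theory entry above and of the anomaly-detection approach described earlier (it is not code from the chapter or from the DIIDS implementation), the following is a small fuzzy-ART-style categorizer applied to constructed per-window traffic feature vectors: normal windows are learned as categories, and a window that no category accepts under the vigilance test is flagged as novel. The feature set, its scaling to [0, 1], and the vigilance values are assumptions chosen for the example.

```python
"""Fuzzy-ART-style anomaly detector over per-window traffic features (example code)."""
from typing import List, Optional, Tuple

Vector = List[float]

class FuzzyART:
    """Unsupervised ART net: prototype weights (recognition field), vigilance, reset."""

    def __init__(self, vigilance: float = 0.9, alpha: float = 0.001, beta: float = 1.0):
        self.rho, self.alpha, self.beta = vigilance, alpha, beta
        self.weights: List[Vector] = []  # one prototype per learned category

    @staticmethod
    def _code(x: Vector) -> Vector:
        # Complement coding [x, 1-x] keeps |I| constant and bounds category growth
        return list(x) + [1.0 - v for v in x]

    @staticmethod
    def _fuzzy_and(a: Vector, b: Vector) -> float:
        return sum(min(u, v) for u, v in zip(a, b))

    def present(self, x: Vector, learn: bool = True) -> Tuple[Optional[int], bool]:
        """Return (category, novel). novel=True means no prototype passed vigilance."""
        i = self._code(x)
        # Comparison field: rank categories by the choice function |I^w| / (alpha + |w|)
        ranked = sorted(range(len(self.weights)), key=lambda j:
                        -self._fuzzy_and(i, self.weights[j]) / (self.alpha + sum(self.weights[j])))
        for j in ranked:
            w = self.weights[j]
            if self._fuzzy_and(i, w) / sum(i) >= self.rho:  # vigilance test passed: resonance
                if learn:  # fast learning (beta=1) shrinks the prototype to the fuzzy AND
                    self.weights[j] = [self.beta * min(u, v) + (1 - self.beta) * v for u, v in zip(i, w)]
                return j, False
            # otherwise the reset module suppresses category j and the search continues
        if learn:  # commit a fresh category for an input nothing resonated with
            self.weights.append(i)
            return len(self.weights) - 1, True
        return None, True

def train_on_normal(windows: List[Vector], vigilance: float = 0.9) -> FuzzyART:
    net = FuzzyART(vigilance)
    for w in windows:
        net.present(w, learn=True)
    return net

def detect(net: FuzzyART, windows: List[Vector]) -> List[bool]:
    """True for each window the trained network cannot fit into a learned normal category."""
    return [net.present(w, learn=False)[1] for w in windows]

# Constructed sample windows, each feature pre-scaled to [0, 1] (assumed feature set):
# [packet rate, SYN fraction, fraction of never-seen source IPs, mean packet size]
NORMAL_WINDOWS = [[0.20, 0.10, 0.30, 0.60], [0.25, 0.12, 0.28, 0.55],
                  [0.18, 0.08, 0.33, 0.62], [0.22, 0.11, 0.30, 0.58]]
TEST_WINDOWS = [[0.21, 0.09, 0.31, 0.59],   # ordinary traffic
                [0.95, 0.90, 0.90, 0.05],   # flood: high rate, tiny SYN packets, many new sources
                [0.45, 0.30, 0.50, 0.40]]   # milder surge, closer to the normal profile

if __name__ == "__main__":
    for rho in (0.9, 0.7):  # higher vigilance catches the mild surge, lower vigilance misses it
        net = train_on_normal(NORMAL_WINDOWS, rho)
        print(f"vigilance={rho}: categories={len(net.weights)} novel={detect(net, TEST_WINDOWS)}")
```

Lowering the vigilance parameter trades the false alarms discussed above for missed detections: at 0.7 the mild surge resonates with the normal category and is not flagged.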