Article Preview
TopIntroduction
The goal of a network intrusion detection system (IDS) is to define normal and abnormal behavior across the computer network (Kabiri & Ghorbani, 2005). Furthermore, they are constantly attacked and must be able to defend against these intrusions. Mafra, Moll, Fraga and Santin (2010) see this as a recurring problem. This research will look into devising a model for detecting these new and unknown attacks using multi-layered neural networks and advanced algorithms. However, these systems have problems that can affect their performance in detecting intrusions unless they are addressed. These include: poor accuracy, limited real-time performance, reduced scalability, can’t detect new threats and weak response (Kandeeban & Rajesh, 2011a). This research will look into solving some of these problems to improve detection of new and unknown attacks upon network systems.
However, today’s intrusion detection systems are plagued with working in a dynamic attack environment where hackers use new or variants of current threats. Improper detection of attacks can lead to the compromise of sensitive data and possible identity or money theft. A challenge for IDSs is to detect these new threats that adapt to evade current detection methods (Chandola, Banderjee & Kumar, 2009). Current signature-based detection methods cannot keep up with this changing environment (Joo, Hing & Han, 2003). This forces IDSs to adapt to changing environments by using anomaly detection methods. The common model used is an anomaly-based multi-layer feed forward neural network (MLFFNN) IDS. The MLFFNN IDS model takes in traffic data and feeds it through the network to its output without any feedback to the input. These models can adapt to learn about new and unknown intrusions according to Hua and Xiaofeng (2008). However, accurate classification of attacks by anomaly detection is affected by the architecture, input data and the algorithm used (Choudhary & Swarup, 2009). Architecture and algorithms used can affect the performance and convergence rates of anomaly-based IDSs (Choudhary & Swarup, 2009). The performance rate is the measurement of how well the IDS detects intrusions. It consists of the detection rate of how well the device discovers an abnormality and the error rate, which is when the device doesn’t correctly identify the threat. The convergence rate is a measurement of the time it takes to train the IDS. This is measured in seconds and how many times the process has to repeat itself until a certain error threshold is met. Each time the process is repeated is called an epoch. Research is ongoing to optimize MLFFNN IDS performance and convergence rates to handle these dynamic attacks. Contributing to this is the difficulty that an IDS must work correctly in unknown environments and deal with different attacks (Al-Sharafat & Naoum, 2009).