
INTRUSION DETECTION USING HYBRID NEURAL NETWORKS

Seminar Report Submitted

IN PARTIAL FULFILLMENT OF THE REQUIREMENT


FOR THE AWARD OF DEGREE OF

BACHELOR OF TECHNOLOGY
OF THE
JAWAHARLAL NEHRU TECHNOLOGICAL UNIVERSITY
HYDERABAD

By
Sana Tahseen
18RT1A1239

Under the guidance of

Ms. Uzma Haroon

(Asst. Professor, IT, NSAKCET)

Department of Information Technology


NAWAB SHAH ALAM KHAN COLLEGE OF ENGINEERING &
TECHNOLOGY
(Affiliated to JNTU, Hyderabad)
MALAKPET, HYDERABAD, TELANGANA

2021-2022

Certificate

This is to certify that the seminar entitled "Intrusion Detection Using Hybrid Neural
Networks" is a bonafide work of Sana Tahseen, bearing 18RT1A1239, submitted in partial
fulfillment of the requirement for the award of BACHELOR OF TECHNOLOGY in
INFORMATION TECHNOLOGY during the academic year 2018-2022.

This is further certified that the work done under my guidance, and the results of this work
have not been submitted elsewhere for the award of any other degree.

Guide: Ms. Uzma Haroon

Head of the Department: Prof. G. S. Rao

List of Figures

Figure No  Figure Name  Page No

4.1  Architecture of Back Propagation Algorithm  9

4.2  Hybrid ANN (SOM_BPN) Model  11

List of Tables

Table No  Table Name  Page No

4.3  Simulation Results: Performance Results of Hybrid Model  14

4.4  Simulation Results: Comparing the performance of the proposed model  15

TABLE OF CONTENT

CONTENTS PAGE NO

List of Figures i

List of Tables ii

Abstract iii

Chapter 1
1. INTRODUCTION 1-2
1.1 Problem Statement 2
1.2 Contribution 2

Chapter-2
2. ORGANIZATION OF REPORT 3

Chapter 3
3. PREVIOUS WORK 4-5
3.1 Drawbacks of Conventional System 5

Chapter 4
4. PRESENT WORK 6-15
4.1 Advantages of using Hybrid Based Approach 7
4.2 Description of Network Attacks 7
4.3 Review of Back Propagation Network 8

4.4 Overview of SOM Network 9
4.5 Proposed Hybrid SOM BPN model for Intrusion Detection 10
4.6 Simulation Results 13

Chapter 5
5. ADVANTAGES 16

Chapter 6
6. APPLICATIONS 17

Chapter 7
7. CONCLUSION (WITH FUTURE ENHANCEMENT) 18

REFERENCES

Abstract:

Intrusion detection is a critical process in network security. It is the task of detecting,
preventing and possibly reacting to attacks and intrusions in network-based computer
systems. This paper presents an intrusion detection system based on Self-Organizing Maps
(SOM) and a Back Propagation Network (BPN) for visualizing and classifying intrusions.
The performance of the proposed hybrid neural network approach is tested using the KDD
cup' 99 data available in the UCI KDD archive. The proposed approach considers all kinds
of attacks under the major categories (Normal, DOS, Probe, U2R, and R2L), which provides
an insightful visualization of network intrusions and works well in detecting different
attacks in the considered system.

Keywords: Network security; intrusion detection system; machine learning; attacks; data
mining; classification; feature selection

Chapter 1
Introduction

As computer networks grow, network security becomes a problem. To prevent network
intrusion, intrusion detection technology has become a hot research topic. An intrusion
detection system monitors and, as far as possible, prevents intrusions or other harmful
behaviour against system and network resources. A neural network model is built from the
behaviour characteristics of authorized users so that it can be used to monitor intrusive
behaviour. At present, research on intrusion detection systems based on neural networks has
produced many achievements. Applying neural networks in an intrusion detection system can
improve its efficiency and enhance its self-learning ability [1, 2, 3, 4, 5, 6]. But many
problems remain to be solved. At present the most studied and most widely applied network
is the multilayer feed-forward neural network, but the MLP model has no memory of previous
events and needs a long training time; it is a global approximation of the nonlinear
mapping [5]. To overcome these problems, this paper presents a hybrid neural network
structure based on a generalized RBF network and an Elman network. The Elman network is
used to memorize previous events, while the RBF network uses a local index.

This work puts forward an intrusion detection model that combines misuse detection and
anomaly detection. It uses the DARPA data set to evaluate the system's monitoring results.
The experiments show that this model can effectively improve the detection rate and reduce
the false alarm and miss rates.

An SVM can be used for classification; it works by finding a hyperplane in N-dimensional
space that separates the classes. Many hyperplanes could separate two classes of data
points, and choosing the one with maximum margin gives better accuracy. The data points
closest to the hyperplane influence its position and orientation and are called support
vectors. In the NSL-KDD dataset there are 42 features, so the feature space is too complex
to draw. The classifier's margin is maximized with the help of these support vectors, which
are used to build the SVM. An SVM works on the output of a linear function: if the output
of the function is 1, the sample is assigned to one class; if it is −1, it is assigned to
the other class.

1.1 Problem Statement


Due to the deep integration between the world and the internet, network infrastructure
continually experiences various kinds of attacks. Identifying these attacks is a technical
issue and an area of current concern. Intrusion violates fundamental security properties,
e.g., confidentiality, integrity and accessibility, and includes denial of service. The
purpose of this research is to identify intrusions on a network.

1.2 Contribution
Here we briefly discuss an approach for intrusion detection based on a hybrid neural
network:

(i) Using SOM and MLP
Chapter 2
Organization of Report
Chapter 1: It gives an introduction to the topic: what an IDS is, where it is used, and why
it is needed. It includes the problem statement and the contribution of the topic being
discussed with one of the hybrid neural network models.

Chapter 3: It deals with the previous work done on intrusion detection systems using only
a single neural network model, that is, either the anomaly-based method or the misuse
detection method.

Chapter 4: It shows the present work on the model, which combines both misuse detection
and anomaly-based methods using the Self Organizing Map (SOM) and Back Propagation
Algorithm (BPA) approach.

Then the simulation results of this model are briefly discussed.

Chapter 5: It includes the advantages of the proposed model together with briefly described
challenges of this model.

Chapter 6: It has one of the applications of the hybrid neural network intrusion detection
model.

Chapter 7: Lastly, the conclusion is drawn over the topic and its future enhancements are
discussed.
Chapter 3
Previous work

The earliest preliminary IDS concept was delineated in 1980 by James Anderson at the
National Security Agency and consisted of a set of tools intended to help administrators
review audit trails.[34] User access logs, file access logs, and system event logs are
examples of audit trails.
Fred Cohen noted in 1987 that it is impossible to detect an intrusion in every case, and that
the resources needed to detect intrusions grow with the amount of usage.[35]
Dorothy E. Denning, assisted by Peter G. Neumann, published a model of an IDS in 1986
that formed the basis for many systems today.[36] Her model used statistics for anomaly
detection, and resulted in an early IDS at SRI International named the Intrusion Detection
Expert System (IDES), which ran on Sun workstations and could consider both user and network
level data.[37] IDES had a dual approach with a rule-based Expert System to detect known
types of intrusions plus a statistical anomaly detection component based on profiles of
users, host systems, and target systems. The author of "IDES: An Intelligent System for
Detecting Intruders," Teresa F. Lunt, proposed adding an artificial neural network as a
third component. She said all three components could then report to a resolver. SRI
followed IDES in 1993 with the Next-generation Intrusion Detection Expert System (NIDES).[38]
The Multics intrusion detection and alerting system (MIDAS), an expert system using P-BEST
and Lisp, was developed in 1988 based on the work of Denning and Neumann.[39] Haystack was
also developed in that year using statistics to reduce audit trails.[40]
In 1986 the National Security Agency started an IDS research transfer program under Rebecca
Bace. Bace later published the seminal text on the subject, Intrusion Detection, in 2000.[41]
Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los
Alamos National Laboratory.[42] W&S created rules based on statistical analysis, and then
used those rules for anomaly detection.
In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using inductive
learning of sequential user patterns in Common Lisp on a VAX 3500 computer.[43] The Network
Security Monitor (NSM) performed masking on access matrices for anomaly detection on a
Sun-3/50 workstation.[44] The Information Security Officer's Assistant (ISOA) was a 1990
prototype that considered a variety of strategies including statistics, a profile checker,
and an expert system.[45] ComputerWatch at AT&T Bell Labs used statistics and rules for
audit data reduction and intrusion detection.[46]
Then, in 1991, researchers at the University of California, Davis created a prototype
Distributed Intrusion Detection System (DIDS), which was also an expert system.[47] The
Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a prototype IDS
developed at the Los Alamos National Laboratory's Integrated Computing Network (ICN), and
was heavily influenced by the work of Denning and Lunt.[48] NADIR used a statistics-based
anomaly detector and an expert system.
The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build profiles of
rules for classifications.[52] In 2003, Yongguang Zhang and Wenke Lee argued for the
importance of IDS in networks with mobile nodes.[53]

3.1 Drawbacks of conventional approaches:

The earlier approaches used either the misuse detection method or the anomaly-based
method.

- Signature-based detection (also known as "misuse detection") comes with a database of
known attack signatures. It compares monitored data with the signature database. A misuse
detection IDS checks the input stream for the presence of an attack pattern, like a classic
antivirus. This signature can take the form of a sequence of bytes or characters, but more
complex patterns are often represented as a branching tree diagram. To be effective, the
database of this kind of IDS must be updated regularly. However, even with the latest
updates, only known attacks can be detected using this method.

- Anomaly detection tries to learn the "normal" or "expected" behavior of the system. Any
deviation from this behavior is considered a potential attack and will generate an alarm.
This method does not require updates or even the presence of a database. It can identify
unknown attacks but also creates a lot of false positives that are difficult to process. It
is also more difficult to collect information about the attack, since it is not clearly
identified by a signature.

Chapter 4
Present work
Recently, Artificial Neural Networks [3, 4] have been successfully applied for developing
IDSs. An ANN has the advantage of easier representation of the nonlinear relationship
between input and output and its inherent computational speed. Even if the data were
incomplete or distorted, a neural network would be capable of analyzing the data from a
network. An increasing amount of research has been conducted on the application of neural
networks for detecting network intrusions. A Multilayer Perceptron (MLP) with a single
hidden layer was used in [5] for misuse detection. A similar approach was applied in [6],
but generic keywords were selected to detect the attack preparations and the actions after
the break-in. The Self-Organizing Map was applied to perform clustering of network traffic
and to detect attacks in [7, 8]. In [7], the SOM was used to map the network connections
onto 2-dimensional surfaces, which were displayed to the network administrator. The
intrusions were easily detected in this view. However, the approach needs a visual
interpretation by the network administrator. In [8] the SOM is trained using the normal
network traffic. The trained SOM reflects the distribution of the normal network
connections. If the minimum distance between a network connection and the neurons of the
trained SOM is more than a pre-set threshold, this connection is classified as an intrusion.
All those ANN-based approaches either concentrate on detecting the attacks
(classification) by a supervised learning algorithm (misuse detection) or on detecting the
attacks (clustering / visualization) by an unsupervised learning algorithm (anomaly
detection). Nevertheless, visualizing together with classifying intrusion data has not been
introduced in any network IDS. A hybrid model of the SOM and the MLP was proposed in [9].
In that work, the self-organizing map was combined with the feed-forward neural network for
detecting the intrusions in their home network. In [10] the same approach has been
implemented but tested using the DARPA 1999 data set, which finds trouble in detecting all
types of attacks simultaneously. In [11], the self-organizing map was combined with the
Resilient Propagation Neural Network (RPROP) for visualizing and classifying intrusion and
normal patterns. RPROP is an accelerated version of the supervised Back Propagation Neural
Network. In that work some selected attacks (Neptune, Portsweep and Satan) from the KDD
cup' 99 data were used. Even though the response of RPROP is faster, it shows poor
performance in detecting all sorts of attacks. In this paper, the hybrid model proposed in
[9, 10, 11] is developed, but with the modification that all sorts of attacks are considered
under the major categories (DOS, Probe, U2R and R2L) from the KDD cup' 99 data. They are
first visualized using the SOM, and the weights from the SOM are used as the input to the
BPN, which classifies each connection into one of the categories.

4.1 Advantages of using Hybrid based Approach

Hybrid detection combines the two solutions to mitigate the weaknesses of each category:
anomaly detection then misuse detection, misuse detection then anomaly detection, or both at
the same time. The goal is to detect known attacks with their signatures, and to use anomaly
detection to identify unknown intrusions.

4.2 Description of network Attacks

The four major categories of network attacks [12] considered in this work are DOS, Probe,
U2R and R2L. These categories include 24 different intrusions.

4.2.1. Denial of Service (DoS) attacks

DoS is a class of attacks where an attacker makes some computing or memory resource too
busy or too full to handle legitimate requests, thus denying legitimate users access to a
machine. There are different ways to launch DoS attacks: by abusing the computer's
legitimate features; by targeting implementation bugs; or by exploiting the system's
misconfigurations. DoS attacks are classified based on the services that an attacker renders
unavailable to legitimate users. Apache2, Back, Land, Mailbomb, SYN Flood, Ping of Death,
Process Table, Smurf, Syslogd, Teardrop and Udpstorm are the common Denial of Service
attacks.

4.2.2 Probing

Probing is a class of attacks where an attacker scans a network to gather information or find
known vulnerabilities. An attacker with a map of the machines and services that are available
on a network can use the information to look for exploits. There are different types of
probes: some of them abuse the computer's legitimate features; some of them use social
engineering techniques. This class of attacks is the most commonly heard of and requires very
little technical expertise. Ipsweep, mscan, nmap, saint and satan are the common Probing
attacks.

4.2.3. User to root attacks

User to root exploits are a class of attacks where an attacker starts out with access to a
normal user account on the system and is able to exploit a vulnerability to gain root access
to the system. The most common exploits in this class of attacks are regular buffer
overflows, which are caused by regular programming mistakes and environment assumptions.
Eject, Ffbconfig, Fdformat, Loadmodule, perl, ps and Xterm are the common User to Root
attacks.

4.2.4 Remote to user attacks

A remote to user (R2L) attack is a class of attacks where an attacker sends packets to a
machine over a network, then exploits the machine's vulnerability to illegally gain local
access as a user. There are different types of R2L attacks; the most common attack in this
class is done using social engineering. Dictionary, Ftp-write, Guest, Imap, Named, Phf,
Sendmail, Xlock and Xsnoop are the common Remote to User attacks.

4.3 Review of Back Propagation Network

Artificial Neural Networks [13, 14] can be viewed as parallel and distributed processing
systems which consist of a huge number of simple, massively interconnected processing
elements. The MLP architecture is the most popular paradigm of artificial neural networks in
use today. Fig. 4.1 shows a standard multilayer feed forward network with multiple layers.
The neural network architectures in this class share the common feature that all neurons in
a layer are connected to all neurons in the adjacent layers through unidirectional branches.
That is, the branches and links can only broadcast information in one direction, the
"forward direction". The branches have associated weights that can be adjusted according to
a defined learning rule. Feed forward neural network training is usually carried out using
the so-called back propagation algorithm. Hence it is also called by the name Back
Propagation Network (BPN). Training the network with the back propagation algorithm results
in a non-linear mapping function between the input and output variables. Thus, given the
input/output pairs, the network can have its weights adjusted by the back propagation
algorithm to capture the non-linear relationship.

Fig. 4.1 Architecture of a Back Propagation Network

After training, the networks with fixed weights provide the output for the given input. The
standard back propagation algorithm for training the network is based on the minimization of an
energy function representing the instantaneous error.

4.4 Overview of SOM Network

The self-organizing map (SOM) [15, 16] is a subtype of artificial neural networks. It is
trained using unsupervised learning to produce a low dimensional representation of the
training samples while preserving the topological properties of the input space. This makes
the SOM especially good for visualizing high-dimensional data. The model was first described
by professor Teuvo Kohonen and is thus sometimes referred to as a Kohonen map. The
self-organizing map is a single layer feedforward network where the output neurons are
arranged in a low dimensional (usually 2D or 3D) grid. Each input is connected to all output
neurons. Attached to every neuron there is a weight vector with the same dimensionality as
the input vectors. The number of input dimensions is usually a lot higher than the output
grid dimension. SOMs are mainly used for dimensionality reduction rather than expansion. The
goal of the learning in the self-organizing map is to associate different parts of the SOM
lattice to respond similarly to certain input patterns.

This is partly motivated by how visual, auditory or other sensory information is handled in
separate parts of the cerebral cortex in the human brain. The weights of the neurons are
initialized either to small random values or sampled evenly from the subspace spanned by the
two largest principal component eigenvectors. The latter alternative speeds up the training
significantly because the initial weights already give a good approximation of the SOM
weights. The training utilizes competitive learning. When a training sample is given to the
network, its Euclidean distance to all weight vectors is computed. The neuron whose weight
vector is most similar to the input is called the Best Matching Unit (BMU).

The weights of the BMU and of the neurons close to it in the SOM lattice are adjusted
towards the input vector. The magnitude of the change decreases with time and is smaller for
neurons physically far away from the BMU. The update formula for a neuron with weight vector
$W_v(t)$ is

$W_v(t + 1) = W_v(t) + \Theta(v, t)\,\alpha(t)\,(D(t) - W_v(t))$   (1)

where $\alpha(t)$ is a monotonically decreasing learning coefficient and $D(t)$ is the input
vector. The neighborhood function $\Theta(v, t)$ depends on the lattice distance between the
BMU and neuron $v$. In the simplest form it is one for all neurons close enough to the BMU and
zero for the others, but a Gaussian function is a common choice, too. Regardless of the
functional form, the neighborhood function shrinks with time. At the beginning, when the
neighborhood is broad, the self-organizing takes place on the global scale. When the
neighborhood has shrunk to just a couple of neurons, the weights converge to local
estimates. This process is repeated for each input vector, over and over, for a (usually
large) number of cycles. The network winds up associating output nodes with groups or
patterns in the input data. If these patterns can be named, the names can be attached to the
associated nodes in the trained net.
4.5. Proposed Hybrid SOM BPN Model for Network Intrusion Detection

The proposed methodology for Intrusion Detection in Computer Networks is based on using
Artificial Neural Network (ANN) for detecting the Normal and Abnormal Conditions of the given
parameters, which leads to various attacks.

Fig. 4.2 depicts the proposed Hybrid ANN (SOM_BPN) model for developing a Network
Intrusion Detection System (NIDS). The following issues are to be addressed while developing
an ANN for network intrusion detection [17]:

1. Selection of input and output variables
2. Data preprocessing and representation
3. Data normalization
4. Selection of network structure, training and testing.

4.5.1 Selection of input and output variables

For the application of machine learning approaches, it is important to properly select the
input variables, as ANNs are supposed to learn the relationships between input and output
variables on the basis of the input-output pairs provided during training.

Fig. 4.2 Hybrid ANN(SOM_BPN) Model for NIDS

In the ANN-based network intrusion detection model, the input variables represent a TCP/IP
connection. A connection is a sequence of TCP packets starting and ending at some well
defined times, between which data flows to and from a source IP address to a target IP
address under some well defined protocol. For each TCP/IP connection, there are 41 input
features. Among them, 32 features are continuous variables and 9 features are discrete
variables. The output is labeled as either Normal or as an attack, with exactly one specific
attack type. Attacks fall into four main categories:

- DOS: denial-of-service, e.g. SYN flood
- Probing: surveillance and scanning
- R2L: unauthorized access from a remote machine, e.g. guessing a password
- U2R: unauthorized access to local super user (root) privileges, e.g. various "buffer
overflow" attacks.
4.5.2 Data preprocessing and representation

Before training the neural network, the dataset should be preprocessed to remove the
redundancy present in the data, and the non-numerical attributes should be represented
suitably in numerical form. In this ANN-based misuse detection model, the output is
represented as below:

[0 0 0 0] → Normal

[0 0 0 1] → DOS

[0 0 1 0] → Probe

[0 1 0 0] → R2L

[1 0 0 0] → U2R

4.5.3 Data normalization

During training of the neural network, higher valued input variables may tend to suppress
the influence of smaller ones. Also, if the raw data is directly applied to the network,
there is a risk of the simulated neurons reaching saturated conditions. If the neurons get
saturated, then changes in the input value will produce a very small change or no change in
the output value. This affects the network training to a great extent. To minimize the
effects of the magnitudes among inputs as well as to prevent saturation of the neuron
activation function, the input data is normalized before being presented to the neural
network.

4.5.4 Selection of network structure, training and testing

The proposed hybrid approach uses two different network structures, SOM and BPN. Both are
feed forward neural network structures, but they use different learning algorithms and are
meant for different tasks. Initially the data set is preprocessed, normalized and fed into
the SOM network for visualization and dimensionality reduction. Like most artificial neural
networks, the SOM has two modes of operation. During the training process a map is built:
the neural network organizes itself using a competitive process. The network must be given a
large number of input vectors, representing as far as possible the kind of vectors that are
expected during the second phase (if any); otherwise, all input vectors must be administered
several times. During the mapping process a new input vector may quickly be given a location
on the map, i.e. it is automatically classified or categorized. There will be one single
winning neuron: the neuron whose weight vector lies closest to the input vector. This can be
simply determined by calculating the Euclidean distance between the input vector and each
weight vector.

4.6. Simulation Results

This section presents the details of the simulation results. The self-organizing map is an
unsupervised neural network algorithm. In this work, the training was performed with the
batch algorithm of the SOM to cluster and visualize the data. The output weight information
from the SOM is fed into the back propagation neural network. The final quantization error
is 0.285 and the final topographic error is 0.019. The BPN model used here has a single
hidden layer of tansigmoidal neurons, which receives the inputs and broadcasts its outputs
to an output layer of linear neurons, which compute the corresponding values.
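The SOM front end of sections 4.4 and 4.5 together with the two map-quality figures quoted above, worked through as an added example (not code from the report): constructed connection records are one-hot encoded and min-max normalized, a small SOM is trained with update rule (1), the quantization and topographic errors of the trained map are computed, and each input's code book vector is paired with its 4-bit class code from section 4.5.2 as the BPN's training set. The sample records, the 3x3 grid, the Gaussian neighbourhood and the BMU-to-BPN hand-off are this example's assumptions.

```python
import math
import random

# Output encoding of section 4.5.2: one 4-bit code per class.
CLASS_CODES = {
    "normal": [0, 0, 0, 0], "dos": [0, 0, 0, 1], "probe": [0, 0, 1, 0],
    "r2l": [0, 1, 0, 0], "u2r": [1, 0, 0, 0],
}
PROTOCOLS = ["tcp", "udp", "icmp"]  # discrete attribute, one-hot encoded

# Constructed connection records (not KDD cup'99 data): duration, protocol_type,
# src_bytes, dst_bytes, count and the class label.
SAMPLE_RECORDS = [
    (0, "tcp", 215, 45076, 1, "normal"),
    (0, "tcp", 162, 4528, 2, "normal"),
    (2, "tcp", 300, 1200, 1, "normal"),
    (0, "icmp", 1032, 0, 511, "dos"),    # smurf-like echo flood
    (0, "icmp", 1032, 0, 509, "dos"),
    (0, "tcp", 0, 0, 123, "probe"),      # portsweep-like, no payload
    (0, "udp", 28, 0, 119, "probe"),
    (5, "tcp", 75, 480, 1, "r2l"),       # dictionary-style login attempt
]

def encode_record(rec):
    """Represent the non-numerical protocol attribute numerically (4.5.2)."""
    duration, proto, src, dst, count, _label = rec
    one_hot = [1.0 if proto == p else 0.0 for p in PROTOCOLS]
    return [float(duration), float(src), float(dst), float(count)] + one_hot

def minmax_normalize(vectors):
    """Scale every column to [0, 1] so large-valued inputs do not dominate
    the small ones and the neurons are kept out of saturation (4.5.3)."""
    cols = list(zip(*vectors))
    lo = [min(c) for c in cols]
    rng = [(max(c) - min(c)) or 1.0 for c in cols]   # constant column -> 0
    return [[(x - lo[i]) / rng[i] for i, x in enumerate(v)] for v in vectors]

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def bmu(weights, x):
    """Index of the Best Matching Unit: the neuron with the closest weights."""
    return min(range(len(weights)), key=lambda v: euclid(weights[v], x))

def train_som(vectors, rows=3, cols=3, epochs=50, seed=1):
    """Competitive training with update rule (1) of section 4.4:
    W_v(t+1) = W_v(t) + Theta(v,t) * alpha(t) * (D(t) - W_v(t)), with a
    Gaussian neighbourhood Theta whose radius and alpha both shrink with t."""
    rnd = random.Random(seed)
    dim = len(vectors[0])
    weights = [[rnd.random() for _ in range(dim)] for _ in range(rows * cols)]
    steps, t = epochs * len(vectors), 0
    for _ in range(epochs):
        for d in vectors:                      # D(t): the current input
            alpha = 0.5 * (1 - t / steps)      # monotonically decreasing
            sigma = max(0.5, (rows / 2) * (1 - t / steps))
            br, bc = divmod(bmu(weights, d), cols)
            for v, w in enumerate(weights):
                vr, vc = divmod(v, cols)
                lattice = (vr - br) ** 2 + (vc - bc) ** 2
                theta = math.exp(-lattice / (2 * sigma * sigma))
                for i in range(dim):
                    w[i] += theta * alpha * (d[i] - w[i])
            t += 1
    return weights

def quantization_error(weights, vectors):
    """Mean distance from each input to its BMU (first figure of 4.6)."""
    return sum(euclid(weights[bmu(weights, x)], x) for x in vectors) / len(vectors)

def topographic_error(weights, vectors, cols):
    """Share of inputs whose best and second-best units are not adjacent on
    the lattice (second figure of 4.6); 0.0 means topology is preserved."""
    errors = 0
    for x in vectors:
        order = sorted(range(len(weights)), key=lambda v: euclid(weights[v], x))
        (r1, c1), (r2, c2) = divmod(order[0], cols), divmod(order[1], cols)
        errors += int(max(abs(r1 - r2), abs(c1 - c2)) > 1)
    return errors / len(vectors)

def bpn_training_set(weights, vectors, labels):
    """Hand-off to the BPN: each input is replaced by the code book vector of
    its BMU and paired with its 4-bit class code. Reading "the weights from
    the SOM are used as input to the BPN" this way is this example's
    assumption; the report does not spell the mapping out."""
    return [(list(weights[bmu(weights, x)]), CLASS_CODES[y])
            for x, y in zip(vectors, labels)]

def run_pipeline(records=SAMPLE_RECORDS, rows=3, cols=3):
    vectors = minmax_normalize([encode_record(r) for r in records])
    weights = train_som(vectors, rows, cols)
    return {
        "quantization_error": quantization_error(weights, vectors),
        "topographic_error": topographic_error(weights, vectors, cols),
        "bpn_set": bpn_training_set(weights, vectors, [r[-1] for r in records]),
    }
```

With eight records and a 3x3 map the two error figures are only illustrative; the report's 0.285 and 0.019 come from the full KDD cup' 99 training set.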

Table 4.3: Simulation Results: Performance Results of Hybrid Model
The collected training data are normalized and applied to the neural network with the
corresponding output, to learn the input-output relationship. The neural network model was
trained using the back propagation algorithm with the help of the MATLAB neural network
toolbox. At the end of the training process, the model obtained consists of the optimal
weight and bias vectors.

After training, the generalization performance of the network is evaluated with the help of
the test data, and it shows that the trained ANN is able to produce the correct output even
for new input. After training the network to the least error rate, the testing data was fed
as input to the network. The testing data comprises both normal and abnormal data. The
output performance results from the network are shown in Table 4.3. Fig. 4.2 shows the
training performance of the neural network model. This shows that the trained neural network
model is able to produce the correct output even for new input.

Table 4.4: Simulation Results- Comparing the performance of the proposed model

Table 4.4 compares the performance of the proposed approach with other approaches reported
in the literature in terms of the data set used and the type of attacks considered in the
simulation study. From Table 4.4 it is inferred that even though the same approach has been
proposed in the literature, the attacks considered vary. All the approaches proposed in the
literature consider only a few selected attacks. But here all sorts of attacks (the 4
categories of attacks given in section 4.2, which include 24 intrusions) are considered, and
the proposed approach shows a 98.91% detection rate for all attacks together.

Chapter 5
Advantages and Challenges
Hybrid-based systems give better performance by utilizing the strength of more than one
approach to overcome the limitations of the individual techniques. However, while
incorporating the different methods, a few things should be taken into consideration.
First, hybrid systems can have either a layered or a parallel architecture, and opting for
one of them is a preliminary requirement. Moreover, in a layered architecture, deciding the
correct sequence of the multiple components for processing events is another challenge. For
example, the authors of one work proposed a hybrid system where the anomaly detection
component is placed first, followed by the misuse component. The second point to be
considered is how to resolve conflicts between the results classified by these components,
since there may be cases where one classifies an event into a safe class and the other
declares the same event as intrusive. The hybrid approach is aimed at utilizing the
potential of multiple methods in such a way that the strength of one overcomes the weakness
of another. However, the fact is that how well the different components are integrated
determines the performance of hybrid-based systems.

Some of the advantages of this model are:

- Flexibility
- Adaptability
- Pattern recognition and possibly detection of new patterns
- Learning ability

Chapter 6
Applications

Prelude SIEM is a Security Information and Event Management (SIEM) system.

Original author(s): Yoann Vandoorselaere
Developer(s): C-S
Initial release: 1998
Stable release: 5.2.0 / September 11, 2020; 14 months ago[1]
Repository: www.prelude-siem.org/git/
Written in: Python, C
Operating system: Linux, *NIX
Standard(s): RFC4765
Available in: French, English, German, Spanish, Italian, Polish, Portuguese, Russian
Type: SIEM
License: Proprietary software and GPLv2
Website: www.prelude-siem.com, www.prelude-siem.org

It is a tool for driving IT security. Prelude SIEM collects and centralizes information
about the company's IT security to offer a single point of view from which to manage it.
Thanks to its log and flow analyzer, Prelude SIEM creates alerts about intrusions and
security threats in the network in real time. Prelude SIEM provides multiple tools for
forensics and reporting on Big Data and Smart Data to identify weak signals and Advanced
Persistent Threats (APT). Finally, Prelude SIEM embeds all the tools for the exploitation
phase to make work easier for operators and help them with risk management.

While a malicious user (or software) may be able to evade the detection of a single IDS
(NIDS, HIDS, etc.), it becomes exponentially more difficult to get around the defenses when there
are multiple protection mechanisms. Prelude SIEM comes with a large set of sensors, each of them
monitoring different kinds of events. Prelude SIEM permits alert collection to the WAN scale,
whether its scope covers a city, a country, a continent or the world.

Prelude SIEM is a SIEM system capable of inter-operating with all the systems available on
the market.[2] It natively implements the Intrusion Detection Message Exchange Format
(IDMEF, RFC 4765), which is starting to be demanded all around the world. In this way, it is
natively IDMEF compatible with open source IDSs such as AuditD, Nepenthes, NuFW, OSSEC, Pam,
Samhain, Sancp, Snort, Suricata and Kismet, but anyone can write their own IDS or use some of
the 3rd-party sensors available, given Prelude SIEM's open APIs and libraries.
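A minimal IDMEF (RFC 4765) message as an added example, not Prelude's code: it wraps one connection that the hybrid SOM_BPN model has labelled with a KDD category into an Alert that an IDMEF-compatible SIEM could ingest, and parses the indexed fields back. Element and attribute names follow RFC 4765; the analyzer id, the addresses and the Classification text are constructed values.

```python
import time
import uuid
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"       # namespace defined by RFC 4765
NTP_EPOCH_OFFSET = 2208988800            # seconds from 1900-01-01 to 1970-01-01
ET.register_namespace("idmef", IDMEF_NS)

def q(tag):
    """Qualify an element name with the IDMEF namespace."""
    return "{%s}%s" % (IDMEF_NS, tag)

def ntpstamp(unix_ts):
    """RFC 4765 ntpstamp attribute: NTP seconds and 32-bit fraction as hex words."""
    secs = int(unix_ts) + NTP_EPOCH_OFFSET
    frac = int((unix_ts - int(unix_ts)) * (1 << 32))
    return "0x%08x.0x%08x" % (secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)

def build_alert(src_ip, dst_ip, category, unix_ts, analyzer_id="som-bpn-nids"):
    """Serialize one classified connection as an IDMEF-Message (bytes).
    analyzer_id and the Classification text are this example's choices."""
    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, q("Alert"), messageid=str(uuid.uuid4()))
    ET.SubElement(alert, q("Analyzer"), analyzerid=analyzer_id)
    created = ET.SubElement(alert, q("CreateTime"), ntpstamp=ntpstamp(unix_ts))
    created.text = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(unix_ts))
    for tag, ip in (("Source", src_ip), ("Target", dst_ip)):
        node = ET.SubElement(ET.SubElement(alert, q(tag)), q("Node"))
        addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
        ET.SubElement(addr, q("address")).text = ip
    ET.SubElement(alert, q("Classification"), text="KDD category: %s" % category)
    return ET.tostring(msg, encoding="utf-8")

def parse_alert(xml_bytes):
    """Read back the fields a SIEM would index from the alert."""
    ns = {"idmef": IDMEF_NS}
    addr_path = "idmef:%s/idmef:Node/idmef:Address/idmef:address"
    alert = ET.fromstring(xml_bytes).find("idmef:Alert", ns)
    return {
        "classification": alert.find("idmef:Classification", ns).get("text"),
        "source": alert.find(addr_path % "Source", ns).text,
        "target": alert.find(addr_path % "Target", ns).text,
        "create_time": alert.find("idmef:CreateTime", ns).text,
        "ntpstamp": alert.find("idmef:CreateTime", ns).get("ntpstamp"),
    }
```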

Chapter 7
Conclusion
This work has presented a neural network based approach for intrusion detection in a
network-based computer system using a Self-Organizing Map (SOM) and a Back Propagation Network (BPN). The
bottleneck of any ANN model for intrusion detection is the data set used and the attacks considered.
The data required for developing the neural network model were obtained from the KDD Cup
'99 data. In total, 4 categories of attack, comprising 24 intrusion types from the computer
network, were considered in the developed model. The SOM network is used to visualize and study
the characteristics of each input feature, and the weight information (code book vectors) from the
SOM is fed into the BPN for classifying the attacks. With all kinds of attacks considered together, the
network shows a very good detection rate compared to the results reported in the literature.
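An added example (not the report's own model or code) of the SOM-to-BPN pipeline summarized above, written in Python with numpy: a small SOM is trained on constructed 4-feature records standing in for KDD Cup '99 data, its code book vectors are labelled by the records they win, and a one-hidden-layer back propagation network is trained on those vectors and then scored on the records. The grid size, learning rates, epoch counts and hidden-layer size are assumptions, not the report's settings.

```python
import numpy as np
rng = np.random.default_rng(0)   # fixed seed so the run is repeatable

def make_data(n=40):
    """Constructed 4-feature records (not KDD Cup '99 data): class 0 normal, 1 attack."""
    normal = rng.normal(0.2, 0.05, size=(n, 4))
    attack = rng.normal(0.8, 0.05, size=(n, 4))
    return np.vstack([normal, attack]), np.array([0] * n + [1] * n)

def train_som(x, grid=(3, 3), epochs=200, lr0=0.5):
    """Kohonen SOM on a small 2-D grid; returns the code book (one weight vector per unit)."""
    coords = np.array([(i, j) for i in range(grid[0]) for j in range(grid[1])], float)
    w = rng.random((len(coords), x.shape[1]))
    for t in range(epochs):
        lr = lr0 * (1 - t / epochs)                  # learning rate decays towards 0
        sigma = max(0.5, 1.5 * (1 - t / epochs))     # neighbourhood radius shrinks
        for v in x[rng.permutation(len(x))]:
            bmu = np.argmin(((w - v) ** 2).sum(axis=1))          # best matching unit
            h = np.exp(-((coords - coords[bmu]) ** 2).sum(axis=1) / (2 * sigma ** 2))
            w += lr * h[:, None] * (v - w)           # pull BMU and neighbours to the input
    return w

def label_codebook(w, x, y):
    """Label each code book vector by the majority class of the records it wins; drop dead units."""
    bmu = np.argmin(((x[:, None, :] - w[None, :, :]) ** 2).sum(axis=2), axis=1)
    keep = [k for k in range(len(w)) if (bmu == k).any()]
    return w[keep], np.array([int(y[bmu == k].mean() > 0.5) for k in keep])

sigmoid = lambda z: 1 / (1 + np.exp(-z))

def train_bpn(x, y, hidden=4, epochs=3000, lr=0.5):
    """One-hidden-layer back propagation network; returns a predict(v) -> 0/1 function."""
    w1 = rng.normal(0, 0.5, (x.shape[1], hidden)); b1 = np.zeros(hidden)
    w2 = rng.normal(0, 0.5, (hidden, 1)); b2 = np.zeros(1)
    for _ in range(epochs):
        h = sigmoid(x @ w1 + b1); o = sigmoid(h @ w2 + b2)   # forward pass
        d2 = (o - y[:, None]) * o * (1 - o)                   # output-layer delta
        d1 = (d2 @ w2.T) * h * (1 - h)                        # hidden-layer delta
        w2 -= lr * h.T @ d2; b2 -= lr * d2.sum(0)             # gradient steps
        w1 -= lr * x.T @ d1; b1 -= lr * d1.sum(0)
    return lambda v: (sigmoid(sigmoid(v @ w1 + b1) @ w2 + b2) > 0.5).astype(int).ravel()

def run_pipeline():
    """SOM code book -> BPN classifier; returns detection accuracy on the constructed records."""
    x, y = make_data()
    predict = train_bpn(*label_codebook(train_som(x), x, y))
    return float((predict(x) == y).mean())

if __name__ == "__main__":
    print("accuracy on constructed data:", run_pipeline())
```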

One promising approach is to focus on particular types of attack and to prepare solutions
directly for them, as shown in a couple of the reviewed papers. This could make the
proposed solutions more adaptive to new types of threat. Additionally, the enormous amount of data
processed every day in the world would have to be addressed: the IDSs created in the future
will have to be resistant to the problems connected with data volume.

References:

[1] Peyman Kabiri and Ali A. Ghorbani, "Research on Intrusion Detection and Response: A Survey," International Journal of Network Security, Vol. 1, No. 2, pp. 84-102, September 2005.

[2] D. E. Denning, "An Intrusion Detection Model," IEEE Transactions on Software Engineering, Vol. 13, No. 2, pp. 222-232, February 1987.

[3] H. Debar, M. Becker and D. Siboni, "A Neural Network Component for an Intrusion Detection System," Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, May 1992, pp. 240-250.

[4] J. M. Bonifacio, "Neural Networks Applied in Intrusion Detection Systems," Neural Networks Proceedings, IEEE World Congress on Computational Intelligence, Vol. 1, 1998, pp. 205-210.

[5] J. Cannady, "Artificial Neural Networks for Misuse Detection," Proceedings of the National Information Systems Security Conference (NISSC'98), Arlington, October 1998, pp. 443-456.

[6] R. P. Lippmann and R. K. Cunningham, "Improving Intrusion Detection Performance using Keyword Selection and Neural Networks," Computer Networks (Amsterdam, Netherlands: 1999), Vol. 34, No. 4, September 1999, pp. 597-603.

[7] L. Girardin, "An Eye on Network Intruder-Administrator Shootouts," in Proceedings of the Workshop on Intrusion Detection and Network Monitoring (ID'99), USENIX Association, Berkeley, USA, 1999, pp. 19-28.

[8] M. Ramadas, S. Ostermann and B. Tjaden, "Detecting Anomalous Network Traffic with Self-Organizing Maps," in Recent Advances in Intrusion Detection, 6th International Symposium, RAID 2003, pp. 36-54, 2003.

[9] James Cannady and Jim Mahaffey, "The Application of Artificial Intelligence to Misuse Detection," in Proceedings of the First Recent Advances in Intrusion Detection (RAID) Conference, 1998.
[10] C. Jirapummin, N. Wattanapongsakorn and P. Kanthamanon, "Hybrid Neural Networks for Intrusion Detection System," Proceedings of the 2002 International Technical Conference on Circuits/Systems, Computers and Communications (ITCCSCC 2002), Thailand, 2002, pp. 928-931.

[11] Alan Bivens, Chandrika Palagiri, Rasheda Smith, Boleslaw Szymanski and Mark Embrechts, "Network Based Intrusion Detection using Neural Networks," Intelligent Engineering Systems through Artificial Neural Networks, Vol. 12, Proc. ANNIE, 2002.

[12] Kristopher Kendall, "A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems," ME Thesis Report, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, June 1999.

[13] Devaraj, R. UmaRani and J. Preetha Roselyn, "Artificial Neural Network Model for Voltage Security Based Contingency Ranking," accepted for publication in Applied Soft Computing Journal (04/388), in press.

[14] D. Devaraj and B. Yegnanarayana, "Performance of Neural Network Based Contingency Selection with Reduced Input Features," Proceedings of the Intelligent System Applications to Power Systems (ISAP-2001) Conference, Hungary, June 2001.

[15] T. Kohonen, "The Self-Organizing Map," Proceedings of the IEEE, Vol. 78, pp. 1464-1480, 1990.

[16] T. Kohonen, "New Developments and Applications of Self-Organizing Maps," IEEE Transactions, pp. 164-171, 1996.

[17] P. Ganesh Kumar, D. Devaraj and V. Vasudevan, "Artificial Neural Network for Misuse Detection in Computer Network," Proceedings of the International Conference on Resource Utilization and Intelligent Systems (INCRUIS-2006), Kongu Engineering College, Perundurai, Erode, 4-6 January 2006, pp. 889-893.

[18] KDD Cup '99 dataset, http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.htm

[19] DARPA Intrusion Detection Evaluation, MIT Lincoln Laboratory, http://www.ll.mit.edu/IST/ideval

[20] SOM Toolbox, http://www.cis.hut.fi/projects/somtoolbox/, last updated March 2005.
