
Real Time Intrusion Detection System based on Neural Network
First author:
Muna Mhammad Taher Jawhar (from Iraq), Ph.D. scholarship
Department of Computer Science
Jamia Millia Islamia
New Delhi, India
E-mail: muna.taher@gmail.com
Ph. No.: 9958414112

Second author:
Monica Mehrotra
Department of Computer Science
Jamia Millia Islamia
New Delhi, India
E-mail: drmehrotra2000@gmail.com
Abstract
Intrusion detection is an interesting approach that can be used to improve the security
of network systems. An intrusion detection system detects suspicious patterns of network
traffic on the remaining open parts of the network by monitoring user activities. In this
paper we develop a real-time network intrusion detection system based on neural networks
to recognize attack types in network traffic packets. We use Multilayer Perceptrons and
Hamming networks to detect attacks in this model. The experimental results demonstrate
that the designed models are promising in terms of accuracy and computational time for
real-world intrusion detection. Training and testing data are obtained from real network
traffic using an NDIS hooking algorithm.

Keywords: Intrusion Detection System, Network security, Neural Network, NDIS.

I. Introduction
The ever-expanding application of information technology to all spheres of human
activity constantly raises new requirements for the security of information systems.
The number of attacks and crimes concerning computer networks is increasing [16], so
network security has become a very important issue, and intrusion detection has become
a research focus of network security. Intrusion detection technology uses the traces
left by an intruder, such as the records of failed login attempts, to find illegal
intrusions from outsiders or insiders effectively. An intrusion detection system is a
computer system that implements intrusion detection technology [9].
Intrusion detection systems (IDS) can be classified as network-based or host-based
according to the information source used for detection. A network-based IDS monitors
the network traffic and looks for network-based attacks, while a host-based IDS is
installed on a host and monitors the host audit trail. Intrusion detection systems can
also be roughly classified into anomaly detection and misuse detection. Anomaly
detection is based on the normal behavior of a subject (e.g., a user or a system); any
action that significantly deviates from the normal behavior is considered intrusive.
Misuse detection is based on the characteristics of known attacks or system
vulnerabilities, which are also called signatures; any action that matches a signature
is considered intrusive. Misuse-based detection compares the traffic pattern with the
signatures of known attacks: if a match is found it is reported as an attack, otherwise
it is not. So misuse detection cannot detect novel attacks. Anomaly-based detection, on
the other hand, monitors system activity and classifies it as either normal or
anomalous. The classification is based on heuristics or rules rather than patterns or
signatures, and will flag any type of misuse that falls outside normal system behavior.
Thus it is able to detect not only known intrusions but also unknown ones. In addition,
this approach can detect intrusions carried out by the abuse of legitimate users or by
masqueraders without breaking the security policy [10][7].
However, the major problem of existing models is recognizing attacks in real time,
before the damage happens. In this paper we propose a new method for a real-time
network intrusion detection system based on neural networks, using an NDIS hooking
program that works as a packet sniffer. The paper is organized as follows: Section 2
gives an overview of previous work, Section 3 discusses the Network Driver Interface
Specification (NDIS), Section 4 describes the architecture and main components of the
system model, Section 5 presents the experimental results, and Section 6 concludes.

II. Overview of Previous Work


The Neural Network (NN) approach is one of the most interesting in this area. An
increasing amount of research in the last few years has investigated the application of
neural networks to intrusion detection. If properly designed and implemented, neural
networks have the potential to address many of the problems encountered by rule-based
approaches. Neural networks were specifically proposed to learn the typical
characteristics of a system's users and identify statistically significant variations
from their established behavior. In order to apply this approach to intrusion
detection, data representing attacks and non-attacks must be presented to the neural
network so that its coefficients are adjusted automatically during the training phase.
In other words, it is necessary to collect data representing normal and abnormal
behavior and train the neural network on those data. After training is accomplished, a
certain number of performance tests with real network traffic and attacks should be
conducted [4]. Also, instead of processing program instructions sequentially,
neural-network-based models explore several hypotheses simultaneously using several
interconnected computational elements (neurons); this parallel processing may save time
in malicious traffic analysis [11].
In particular, several neural-network-based approaches have been employed for intrusion
detection. Tie and Li [15] used a BP network with GAs to enhance BP; they used some
types of attack with some features of the KDD data. The detection rate was 90.97 for
satan, 85.60 for guess-password and 90.79 for perl. Jimmy and Heidar [8] used
feedforward neural networks with the Back Propagation training algorithm; they used
some features from TCP Dump and the classification result is 25/25. Dima, Roman and
Leon [5] used a Radial Basis Function (RBF) neural network for classification and the
accuracy result is 93.2. Iftikhar, Sami and Sajjad [6] used Resilient Back Propagation
to detect each type of attack, and the detection rate was 95.93. Mukkamala, Andrew and
Ajith [14] used a Back Propagation neural network with many types of learning
algorithm; the performance of the network is 95.0.

III. Network Driver Interface Specification (NDIS)


In 1989, Microsoft and 3Com jointly developed NDIS, which lets protocol drivers
communicate with network adapter drivers in a device-independent manner [13]. The NDIS
device driver therefore corresponds to the data link layer of the OSI model [3]. NDIS
standardizes access to the network card, so that the same software may be used to
access any brand of network device [17]. In fact, it has become a requirement when
developing a device driver for a network card in all varieties of Windows [3]. NDIS is
an interface between a protocol stack and the network adapter card driver [12]. NDIS
intermediate drivers can see all network traffic taking place on a system because they
lie between the protocol drivers and the network drivers [2]. NDIS provides drivers
with an interface to the network adapter hardware through API function calls [1], as
shown in Figure 1.
Figure (1): NDIS hooking driver with relation to user mode

IV. The system model architecture


In this model there are three stages to detect a type of attack, as shown in Figure 2.

Figure (2): The architecture of the system

The components of the model are:

A. Data Provider
The system uses real data from the Internet, captured by an NDIS hooking program
that works as a packet sniffer. The NDIS hooking sniffer controls, captures and
extracts the appropriate features from the packets travelling on the network. The
features extracted from the IP, TCP and UDP protocol headers and used in this model
are: source IP address, destination IP address, source port, destination port, the
SYN, ACK, FIN and RST flags, the urgent-mode flag and the protocol type.

B. Preprocessor
The Preprocessor component receives the traffic features from the Data Provider and
converts them to binary bipolar form in order to feed the neuron inputs of the
Neural Network based analyzer component, then sends them to the network
classification stage. The following operation is therefore applied to the
features.
• Normalization
In normalization, each numerical value in the data set is normalized to the
form 1 and -1: all features that have integer or continuous values are
converted to binary bipolar form.
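The following is an added example (not the paper's own MATLAB code) of the Preprocessor step: it maps the ten header features listed under Data Provider to a bipolar (+1/-1) vector of the length the MLP's 10-node input layer expects. The paper only states that integer and continuous values become bipolar; the threshold rules used here (internal vs. external address, well-known vs. ephemeral port, TCP vs. UDP), the site network `192.168.0.0/16`, the feature order and the sample packets are all assumptions constructed for the illustration.

```python
import ipaddress

# Order of the ten features, following the list in Section IV.A (assumed order).
FEATURES = ["src_ip", "dst_ip", "src_port", "dst_port",
            "syn", "ack", "fin", "rst", "urg", "protocol"]

# Constructed site network used to decide whether an address is "internal".
LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")


def bipolar(condition):
    """Binary -> bipolar: a true condition becomes +1, a false one becomes -1."""
    return 1 if condition else -1


def encode_packet(pkt):
    """Return the 10-element bipolar vector for one packet-header record (a dict).

    The threshold rules below are assumptions; the paper does not print them.
    """
    src = ipaddress.ip_address(pkt["src_ip"])
    dst = ipaddress.ip_address(pkt["dst_ip"])
    vec = [
        bipolar(src in LOCAL_NET),          # source address is internal
        bipolar(dst in LOCAL_NET),          # destination address is internal
        bipolar(pkt["src_port"] < 1024),    # source port in the well-known range
        bipolar(pkt["dst_port"] < 1024),    # destination port in the well-known range
        bipolar(pkt["syn"]),                # TCP flags, already binary
        bipolar(pkt["ack"]),
        bipolar(pkt["fin"]),
        bipolar(pkt["rst"]),
        bipolar(pkt["urg"]),                # urgent-mode flag
        bipolar(pkt["protocol"] == "TCP"),  # protocol type: TCP -> +1, UDP -> -1
    ]
    assert len(vec) == len(FEATURES)
    return vec


def encode_all(packets):
    """Encode a list of header records into a list of bipolar input vectors."""
    return [encode_packet(p) for p in packets]


# Constructed sample records, not captured traffic.
SAMPLE_PACKETS = [
    # an ordinary client connection attempt from an internal host to an external web server
    {"src_ip": "192.168.1.20", "dst_ip": "203.0.113.5", "src_port": 51234, "dst_port": 80,
     "syn": True, "ack": False, "fin": False, "rst": False, "urg": False, "protocol": "TCP"},
    # a UDP datagram between two internal hosts
    {"src_ip": "192.168.1.20", "dst_ip": "192.168.1.1", "src_port": 53124, "dst_port": 53,
     "syn": False, "ack": False, "fin": False, "rst": False, "urg": False, "protocol": "UDP"},
]

if __name__ == "__main__":
    for pkt, vec in zip(SAMPLE_PACKETS, encode_all(SAMPLE_PACKETS)):
        print(pkt["protocol"], vec)
```

Each vector has exactly one entry per input node, and every entry is +1 or -1, which is what the "logsig" MLP and the Hamming layer described in the next section both consume.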

C. Neural Network classification stage


Two neural network architectures are used in this paper: the first is the
Multilayer Perceptron (MLP) and the second is the Hamming network with MAXNET.
The structure of the MLP used is as follows: the input layer has 10 nodes,
there is one hidden layer with 5 nodes, and the output layer has 5 nodes. The
transfer function used by all nodes in both layers is "logsig", where:

$$\mathrm{logsig}(n) = \frac{1}{1 + e^{-n}} \qquad (1)$$

The network is trained using different training algorithms. The Hamming
network has two layers: the first layer calculates the Hamming distance
between the input vector and the exemplars (which contain the signatures of
the attacks). The second layer of the network strengthens the largest value
and eliminates the others; in other words, only one neuron will be the
winner, corresponding to the index of the exemplar that matches the input. The
output has 5 nodes, calculated as:

$$Y_m = \tfrac{1}{2} X_m + \tfrac{n}{2} \qquad (2)$$

$$Y_{k+1} = F_{net}(W_m Y_k) \qquad (3)$$

$$F_{net}(\text{output}) = \begin{cases} 0 & \text{if output} < 0 \\ \text{output} & \text{if output} \ge 0 \end{cases} \qquad (4)$$

where $m$ is the length of the exemplar matrix, $n$ is the number of bits in the input
vector $X$, $Y_m$ is the output of the first layer and $Y_k$ is the output of the second
layer.
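The following is an added example, not the paper's MATLAB implementation, of the Hamming network and MAXNET described above, written to follow equations (2)-(4). The exemplar signatures, the lateral-inhibition constant and the test input are constructed; the paper does not print its exemplars or its $W_m$, so the usual MAXNET weights (1 on the diagonal, $-\epsilon$ elsewhere, with $\epsilon < 1/m$) are an assumption.

```python
# MAXNET lateral inhibition. Assumed value; it must stay below 1/m (here m = 5).
EPSILON = 0.15

# Constructed 10-bit bipolar exemplars, one per output node (m = 5, n = 10).
# In the paper each row would hold the bipolar signature of one attack class.
EXEMPLARS = [
    [ 1,  1,  1,  1,  1,  1,  1,  1,  1,  1],
    [-1, -1, -1, -1, -1, -1, -1, -1, -1, -1],
    [ 1, -1,  1, -1,  1, -1,  1, -1,  1, -1],
    [-1,  1, -1,  1, -1,  1, -1,  1, -1,  1],
    [ 1,  1,  1,  1,  1, -1, -1, -1, -1, -1],
]


def hamming_layer(x, exemplars):
    """Equation (2): Y_m = X_m/2 + n/2, where X_m is the dot product of the input
    with exemplar m. For bipolar vectors this equals the number of bits on which
    input and exemplar agree, i.e. n minus their Hamming distance."""
    n = len(x)
    return [(sum(xi * ei for xi, ei in zip(x, e)) + n) / 2 for e in exemplars]


def fnet(v):
    """Equation (4): pass non-negative activations through, clip negatives to zero."""
    return v if v >= 0 else 0.0


def maxnet(y, epsilon=EPSILON, max_iter=1000):
    """Equation (3): Y_{k+1} = F_net(W_m Y_k), with W_m = 1 on the diagonal and
    -epsilon elsewhere (assumed MAXNET weights). Iterates until a single node is
    still active or the state stops changing. Returns (final state, iterations)."""
    y = list(y)
    for it in range(1, max_iter + 1):
        total = sum(y)
        # W_m Y_k for node i is y_i minus epsilon times the sum of all other nodes.
        new = [fnet(yi - epsilon * (total - yi)) for yi in y]
        active = sum(1 for v in new if v > 0)
        if new == y or active <= 1:
            return new, it
        y = new
    return y, max_iter


def classify(x, exemplars=EXEMPLARS, epsilon=EPSILON):
    """Full two-layer pass. Returns the winning exemplar index (None if no node
    survives, e.g. an exact tie), the first-layer scores and the MAXNET iterations."""
    scores = hamming_layer(x, exemplars)
    final, iters = maxnet(scores, epsilon)
    best = max(range(len(final)), key=lambda i: final[i])
    winner = best if final[best] > 0 else None
    return {"winner": winner, "scores": scores, "iterations": iters}


# Constructed test input: exemplar 2 with its last bit flipped (Hamming distance 1).
X_TEST = [1, -1, 1, -1, 1, -1, 1, -1, 1, 1]

if __name__ == "__main__":
    print(classify(X_TEST))
```

With a single bit of noise the first layer still scores exemplar 2 highest (9 agreeing bits out of 10), and MAXNET suppresses the other four nodes within a handful of iterations; an input that ties two exemplars exactly drives both to zero, which is why `classify` reports `None` rather than guessing.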

V. The experimental results


To assess the effectiveness of the proposed intrusion detection approaches, a series of
experiments was performed. We used 5208 training samples for learning of the neural
network. The proposed intrusion detection approaches are implemented to detect 8 types
of attack from the dataset, including LAND attack, NULL TCP packet, Xmas tree, SYN/FIN,
IOS UDP Bomb, chargen DoS, broadcast source address, and normal traffic. The
distribution of attack and normal records is 80%-20%. To evaluate the performance of
the system there are two major indicators of performance: the detection rate for each
attack type, and the false positive and false negative rates. The detection rate (true
attack alarms) is defined as the number of intrusion instances detected by the system
divided by the total number of intrusion instances present in the test set. The false
positive rate (false attack alarms) represents the total number of normal instances
that were classified as intrusions divided by the total number of normal instances.
Table 1 presents the experiment for training the MLP using different training
algorithms, with the number of epochs set to 1000 and the goal (MSE) set to 0.05.
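The following is an added example (not code from the paper) that computes the indicators just defined from labelled test records, so that a reader can reproduce the kind of figures reported in the tables below from their own confusion counts. Each record is a (true label, predicted label) pair; the records and label names are constructed. Two points are assumptions, since the paper does not print the formulas: the per-type detection rate counts an instance as detected only when the system assigns its correct attack type, and the false negative rate is taken as attack instances labelled normal over all attack instances.

```python
NORMAL = "normal"

# Constructed evaluation records: 8 attack instances and 5 normal instances.
RECORDS = [
    ("LAND attack", "LAND attack"), ("LAND attack", "LAND attack"),
    ("LAND attack", NORMAL),         ("LAND attack", "SYN/FIN"),
    ("SYN/FIN", "SYN/FIN"), ("SYN/FIN", "SYN/FIN"), ("SYN/FIN", "SYN/FIN"),
    ("SYN/FIN", NORMAL),
    (NORMAL, NORMAL), (NORMAL, NORMAL), (NORMAL, NORMAL), (NORMAL, NORMAL),
    (NORMAL, "LAND attack"),
]


def detection_rates(records):
    """Detection rate per attack type: instances of that type given the correct
    attack label, divided by all instances of that type in the test set.
    (Counting only correct-type hits is an assumption, see the lead-in.)"""
    totals, hits = {}, {}
    for true, pred in records:
        if true == NORMAL:
            continue
        totals[true] = totals.get(true, 0) + 1
        if pred == true:
            hits[true] = hits.get(true, 0) + 1
    return {attack: hits.get(attack, 0) / totals[attack] for attack in totals}


def false_positive_rate(records):
    """False attack alarms: normal instances classified as an intrusion,
    divided by the total number of normal instances."""
    normal = [(t, p) for t, p in records if t == NORMAL]
    return sum(1 for _, p in normal if p != NORMAL) / len(normal)


def false_negative_rate(records):
    """Attack instances classified as normal, divided by all attack instances
    (assumed definition; the paper reports the figure but not the formula)."""
    attacks = [(t, p) for t, p in records if t != NORMAL]
    return sum(1 for _, p in attacks if p == NORMAL) / len(attacks)


def classification_rate(records):
    """Fraction of all test records, attack and normal, given the correct label."""
    return sum(1 for t, p in records if t == p) / len(records)


if __name__ == "__main__":
    for attack, rate in detection_rates(RECORDS).items():
        print(f"{attack}: detection rate {rate:.2%}")
    print(f"false positive rate {false_positive_rate(RECORDS):.2%}, "
          f"false negative rate {false_negative_rate(RECORDS):.2%}, "
          f"classification rate {classification_rate(RECORDS):.2%}")
```

Note that an attack mislabelled as a different attack type lowers the per-type detection rate but is not a false negative under the definition used here; a practitioner comparing two models should state which convention they use, since the two choices move the figures in opposite directions.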

Table 1: the result of running the MLP network for different learning algorithms

Training algorithm                                              No. of epochs   Detection time   Gradient   MSE
Resilient back propagation                                      43              0:04             0.153      0.0501
Gradient descent with momentum                                  1000            0:47             0.0448     0.159
Levenberg-Marquardt                                             7               0:13             0.809      0.0486
One step secant                                                 1000            2:03             4.85       0.101
Scaled conjugate gradient                                       1000            1:36             0.000469   0.0864
BFGS quasi-Newton                                               1000            2:15             0.00275    0.0665
Gradient descent w/ momentum & adaptive lr backpropagation      1000            0:42             0.000961   0.0604
Conjugate gradient backpropagation with Polak-Ribiere update    51              0:08             0.0161     0.0816

The following figure illustrates the performance of the MLP network.

[Figure 3, four panels: (a) Resilient back propagation; (b) Levenberg-Marquardt; (c) BFGS quasi-Newton; (d) Conjugate gradient backpropagation with Polak-Ribiere update]

Figure (3): the performance of the MLP network with the best-performing training algorithms

The two best training algorithms, as Figure 3 illustrates, are Resilient back
propagation and Levenberg-Marquardt, and these are used for testing. Table 2 describes
the results of testing the MLP network.
Table (2): result of MLP testing
                                 Resilient back propagation        Levenberg-Marquardt
Attack name        Input         Output   Detection rate %         Output   Detection rate %
LAND attack        360           48       13.33                    413      86.53
NULL TCP packet    144           29       20.13                    0        0
Xmas tree          147           147      100                      0        0
SYN/FIN            162           0        0                        767      30.12
IOS Bomb           144           144      100                      145      100
Chargen DoS        597           622      95.98                    0        0
Broadcast          72            0        0                        0        0
Snork              2160          2160     100                      2151     99.58
Normal             1440          1925     74.80                    1461     98.56
Unknown attack                   133                               268
Time (s)                         8.2412                            8.3293
Total              5208

From the table above, Resilient back propagation is better than Levenberg-Marquardt at
classifying attack types: the false negative rate of Resilient back propagation is
12.87% and its classification rate is 87.65%, while the classification rate of
Levenberg-Marquardt is 81.73% and its false negative rate is 0.55%.
Table 3 presents the results of the experiment using the Hamming network and MAXNET.

Table (3): the result of the Hamming and MAXNET experiment

Attack name        Input    Output    Detection rate %
LAND attack        360      159       44.16
NULL TCP packet    144      1026      20.23
Xmas tree          147      234       62.82
SYN/FIN            162      143       88.27
IOS Bomb           144      184       98.01
Chargen DoS        597      578       96.81
Broadcast          72       72        100
Snork              2160     1852      85.74
Normal             1440     962       70.80
Time                        140.075
Total              5208

The detection rate for each type of attack is shown above. The classification rate
of the Hamming network is 80.66%, and the false negative rate is 0.91%. The system is
implemented under the Windows XP operating system using Matlab R2008a as the
programming language.

VI. Conclusion
Network intrusion detection systems are a hot field of network security research, and
a new kind of defense technology for network security. The use of neural networks for
intrusion detection has been presented in many publications. Unfortunately, the
descriptions of the simulation process very often lack recognition of new attacks and
report a low detection accuracy. In this paper we propose a new method for a real-time
network intrusion detection system using neural networks. Two neural network
architectures are used in this paper, MLP and Hamming networks, with an NDIS hooking
program used as the packet sniffer. The training and testing data come from the NDIS
hooking program, with eight types of attack simulated.

Acknowledgment
This work has been financially supported by the Indian Council of Cultural Relations
(I.C.C.R.), India. It has also been partially subsidized by the University of Mosul,
Ministry of Higher Education and Scientific Research, Iraq.

References
1. AL-Dabbagh, Omar, "Implementation and Analysis of a Software System for
Protection of Local Area Network from Internal Intruder", Ph.D. thesis,
Department of Computer Science, University of Mosul, Iraq, 2006.
2. Barkley W. and Macdonald D., "Microsoft Windows 2000 TCP/IP
Implementation Details", Microsoft Corporation, 2000.
3. Dhawan S., "Network Device Drivers", Van Nostrand Reinhold, 1995.
4. Dima Novikov, Roman V. Yampolskiy, and Leon Reznik, "Artificial
Intelligence Approaches For Intrusion Detection", IEEE, 2006.
5. Dima Novikov, Roman V. Yampolskiy and Leon Reznik, "Anomaly
Detection Based Intrusion Detection", Proceedings of the Third International
Conference on Information Technology: New Generations, IEEE, 2006.
6. Iftikhar Ahmad, Sami Ullah Swati and Sajjad Mohsin, "Intrusions Detection
Mechanism by Resilient Back Propagation (RPROP)", European Journal of
Scientific Research, ISSN 1450-216X, Vol. 17, No. 4, pp. 523-531, 2007.
7. Jawhar Muna M. T. and Monica M., "Intrusion Detection System: A Design
Perspective", Proceedings of the International Conference for Data Management,
IMT, Ghaziabad, India, 2009.
8. Jimmy Shum and Heidar A. Malki, "Network Intrusion Detection System
Using Neural Networks", Fourth International Conference on Natural
Computation, IEEE, 2008.
9. Jingwen Tian and Meijuan Gao, "Network Intrusion Detection Method Based
on High Speed and Precise Genetic Algorithm Neural Network", 2009
International Conference on Networks Security, Wireless Communications and
Trusted Computing, IEEE, 2009.
10. Khattab M. Ali, Venus W., and Mamoun Suleiman Al Rababaa, "The Affect of
Fuzzification on Neural Networks Intrusion Detection System", IEEE, 2009.
11. Lília de Sá Silva, Adriana C. Ferrari dos Santos, José Demisio S. da Silva, and
Antonio Montes, "A Neural Network Application for Attack Detection in
Computer Networks", Instituto Nacional de Pesquisas Espaciais (INPE),
Brazil, 2004.
12. Oney W., "Programming the Microsoft Windows Driver Model", Microsoft
Press, 1999.
13. Ries C., "Defeating Windows Personal Firewalls: Filtering Methodologies,
Attacks, and Defenses", 2005.
14. Srinivas Mukkamala, Andrew H. Sung, and Ajith Abraham, "Intrusion
detection using an ensemble of intelligent paradigms", Journal of Network and
Computer Applications 28, pp. 167-182, 2005.
15. TIE-JUN Zhou and LI Yang, "The Research of Intrusion Detection Based on
Genetic Neural Network", Proceedings of the 2008 International Conference on
Wavelet Analysis and Pattern Recognition, Hong Kong, IEEE, 30-31 Aug. 2008.
16. Vladimir Golovko, Pavel Kachurka, and Leanid Vaitsekhovich, "Neural
Network Ensembles for Intrusion Detection", IEEE International Workshop on
Intelligent Data Acquisition and Advanced Computing Systems: Technology and
Applications, Dortmund, Germany, 2007.
17. Wolthusen S., "Tempering Network Stacks", Security Technology Department,
Fraunhoferstr, Germany, 2004.
