
The growth of the Internet has
raised alarms regarding the security of digital resources against
computer-based attacks. Initially, firewalls were introduced to solve
computer security problems. However, firewalls merely reduce exposure rather
than eliminate attacks. Computer-based attacks can succeed in spite of a
firewall by exploiting configuration errors, obtaining backdoor entry
around the firewall, or abusing other unauthorized privileges. The
inability of firewalls to fully secure digital systems has led to
the growth of the intrusion detection software industry. Intrusion detection
software attempts to detect possible attacks in real time, before important
digital assets are compromised. Intrusion detection can be further
classified into two main classes on the basis of what it can detect: misuse
detection and anomaly detection. Misuse detection methods model
attacks on a system as specific patterns and then systematically scan the
system for occurrences of these patterns. Anomaly detection assumes that
intrusions are highly correlated with abnormal behavior exhibited by either a
user or an application. The basic idea is to build a reference of normal behavior
and then flag behaviors that differ significantly from these normal
measurements. The most significant drawback
of misuse detection approaches is that they can only detect the attacks for
which they are trained; newer variants of an attack go unnoticed. The main
advantage of anomaly detection approaches is their ability to detect novel
attacks against software systems, variants of known attacks, and deviations
from normal program behavior.
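The "reference normal behavior" idea above can be sketched in a few lines. The snippet below is a minimal, illustrative example (not any particular detector): it estimates a baseline from normal measurements and flags values far from that baseline. The metric name and threshold are assumptions chosen for illustration.

```python
import math

def fit_baseline(samples):
    """Estimate the mean and standard deviation of normal behavior."""
    n = len(samples)
    mean = sum(samples) / n
    var = sum((x - mean) ** 2 for x in samples) / n
    return mean, math.sqrt(var)

def is_anomalous(value, mean, std, threshold=3.0):
    """Flag values more than `threshold` standard deviations from the mean."""
    return abs(value - mean) > threshold * std

# Hypothetical metric: system calls per second under normal load
normal = [100, 102, 98, 101, 99, 103, 97, 100]
mean, std = fit_baseline(normal)
print(is_anomalous(101, mean, std))  # typical value -> False
print(is_anomalous(250, mean, std))  # far from the baseline -> True
```

Real anomaly detectors model far richer behavior than a single mean, but the principle is the same: measure the deviation from a learned reference and flag what falls outside it.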

The technique of identifying unusual
behavior that does not conform to expected behavior is called anomaly
detection. Examples include a healthcare monitoring system spotting a malignant
tumor in an MRI scan, or detecting fraud in credit card transactions.
Anomalies can be broadly classified as: (1) Point anomalies: a single instance
of data that is far off from the rest. (2) Contextual anomalies: common in
time-series data, these are anomalous only in a specific context. (3) Collective
anomalies: a set of data instances that is anomalous as a whole, even when the
individual instances are not. Neural
networks are used to learn the normal behavior and detect potential
intrusions. The important aspect is that anomaly detection is performed at the
software process level using machine learning techniques. Since the advent of
neural networks in the 1940s with the work of McCulloch and Pitts, they have
remained one of the most interesting and debated topics. Neural networks can
learn from the environment by adjusting their internal structure through a
training process. They use non-linear regression to abstract information from
abnormal training cases to predict future attacks. An architecture of the
system for analyzing programs for malicious behavior is shown in Figure 1.

In this architecture, feedback is
applied to the network during training to indicate whether the input
is normal or anomalous. During recall, the neural network classifies inputs as
either anomalous or normal. However, one drawback of this approach is that the
training period of the neural network may take hours or days to complete. Also,
it performs well only on the data on which it has been trained. If new data is
added to the training set, the neural network has to be re-trained over the
entire set, not just the portion that was added. Once a structure has been
identified for a particular application, it has to be trained; for this, the
initial weights are chosen randomly. There are two approaches to training:
(1) Supervised: the network is provided with the desired output, either by
manually grading the network's performance or by assigning desired outputs to
the inputs. The network processes the inputs and compares its results against
the desired outputs. Errors are then propagated back through the system to
adjust the weights that control the network. The set of data that enables
training is called the training set. During training, the same set of data is
cycled through repeatedly to refine the connection weights. (2) Unsupervised:
the network has to make sense of the input without any external support.
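The supervised loop described above — process an input, compare against the desired output, and feed the error back to adjust the weights — can be sketched with a single linear neuron trained by the delta rule. This is an illustrative toy (the data, learning rate, and epoch count are assumptions, not from the text), but it shows the compare-and-correct cycle in miniature.

```python
def train(inputs, targets, lr=0.1, epochs=100):
    """Delta-rule training of one linear neuron on (input, target) pairs."""
    w = [0.0] * len(inputs[0])
    b = 0.0
    for _ in range(epochs):
        # the same training set is cycled through repeatedly
        for x, t in zip(inputs, targets):
            y = sum(wi * xi for wi, xi in zip(w, x)) + b
            err = t - y  # compare actual output with the desired output
            # the error adjusts the weights that control the network
            w = [wi + lr * err * xi for wi, xi in zip(w, x)]
            b += lr * err
    return w, b

# Toy training set with OR-like labels (purely illustrative)
X = [[0, 0], [0, 1], [1, 0], [1, 1]]
T = [0, 1, 1, 1]
w, b = train(X, T)
preds = [1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0.5 else 0 for x in X]
print(preds)  # matches the target labels after training
```

A single linear unit cannot capture the complex relationships mentioned later in the text; that is what the hidden layer of a backpropagation network adds.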

The most popular training method for
neural networks is the backpropagation algorithm. A typical backpropagation
network consists of three layers: an input layer, a hidden layer, and an output
layer. During the training phase, the training data is fed
into the input layer, propagated to the hidden layer, and then to the
output layer. In this forward pass of backpropagation, each node
in the hidden layer receives input from all the nodes in the input layer;
the inputs are multiplied by the appropriate weights and summed. Similarly,
each node in the output layer receives input from all the nodes in the hidden
layer. The values produced by the output layer are compared with the target
output values, which are used to teach the network. The error between the
actual output values and the target output values is calculated and propagated
back towards the hidden layer, where it is used to update the connection
strengths between the nodes. Thus, the backpropagation algorithm searches for
weight values that minimize the total error of the network over the set of
training examples. Backpropagation can produce nearly correct outputs
for inputs that were not included in the training set. Its disadvantage is that
backpropagation networks are computationally complex and require time to
train. However, backpropagation networks
are good at classifying complex relationships, which is useful for
distinguishing normal from anomalous behavior. The generalized backpropagation
neural network is shown in Figure 2. The input layer determines the number of
inputs and internal states, and the output nodes determine the total number of
classes the network can distinguish. Backpropagation is trained with
supervision, so the desired output for each input is determined during the
training phase.
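The forward pass and error propagation described above can be sketched as follows. This is a minimal illustration of the algorithm, not a production implementation: the layer sizes, sigmoid activation, and learning rate are assumptions chosen for clarity, and the initial weights are random, as the text describes.

```python
import math
import random

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

class BackpropNet:
    """Sketch of a small feedforward network trained with backpropagation."""

    def __init__(self, n_in=2, n_hid=2, seed=0):
        rng = random.Random(seed)
        # initial weights are chosen randomly before training begins
        self.w_hid = [[rng.uniform(-1, 1) for _ in range(n_in)] for _ in range(n_hid)]
        self.b_hid = [0.0] * n_hid
        self.w_out = [rng.uniform(-1, 1) for _ in range(n_hid)]
        self.b_out = 0.0

    def forward(self, x):
        # forward pass: each hidden node sums all weighted inputs,
        # then each output node sums all weighted hidden activations
        self.h = [sigmoid(sum(w * xi for w, xi in zip(ws, x)) + b)
                  for ws, b in zip(self.w_hid, self.b_hid)]
        self.y = sigmoid(sum(w * hi for w, hi in zip(self.w_out, self.h)) + self.b_out)
        return self.y

    def train_step(self, x, target, lr=0.5):
        y = self.forward(x)
        # error between actual and target output, scaled by the sigmoid slope
        delta_out = (y - target) * y * (1 - y)
        # propagate the error back towards the hidden layer
        delta_hid = [delta_out * w * h * (1 - h)
                     for w, h in zip(self.w_out, self.h)]
        # update the connection strengths between the nodes
        self.w_out = [w - lr * delta_out * h for w, h in zip(self.w_out, self.h)]
        self.b_out -= lr * delta_out
        for j, dj in enumerate(delta_hid):
            self.w_hid[j] = [w - lr * dj * xi for w, xi in zip(self.w_hid[j], x)]
            self.b_hid[j] -= lr * dj
        return 0.5 * (y - target) ** 2  # squared error for this example

net = BackpropNet()
first_error = net.train_step([1.0, 0.0], 1.0)
for _ in range(200):
    last_error = net.train_step([1.0, 0.0], 1.0)
# repeated training steps drive the error on this example down
```

Repeating `train_step` over a whole training set is exactly the weight search the text describes: gradient descent on the total error across all training examples.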