[680] in Intrusion Detection Systems
Re: Neural networks in IDS
daemon@ATHENA.MIT.EDU (Mark Joseph Crosbie)
Sun Mar 24 13:39:55 1996
To: ids@uow.edu.au
In-Reply-To: Your message of "Fri, 15 Mar 1996 14:13:13 +0100."
<199603151313.OAA04354@rueda.tel.uva.es>
Date: Tue, 19 Mar 1996 21:35:04 -0500
From: mcrosbie@cs.purdue.edu (Mark Joseph Crosbie)
Reply-To: ids@uow.edu.au
In message <199603151313.OAA04354@rueda.tel.uva.es>, Celestino Gomez Cid (adm)
writes:
>I'm working on an IDS system and I would like to use neural networks. Can anybody tell
>me where I could find information about Neural Networks in IDS ?
I have references to a number of papers that use "machine learning" techniques
for intrusion detection. Not all of them are about neural nets though. I'll
send them on to you below in case any of them are useful. The first paper by
Jeremy Frank is a survey of AI techniques in IDS and may be the most useful.
I think you can get it on the UC Davis web site: http://seclab.cs.ucdavis.edu/Security.html
The paper by Fox, Henning, Reed and Simonian may be the closest one to what
your interested in.
Regards,
Mark.
>
> Thanks,
> Celes.
>Celestino Gomez Cid celgom@tel.uva.es
-----------
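@TechReport{frank-ai-ids,
  author      = "Frank, Jeremy",
  title       = "Artificial Intelligence and Intrusion Detection: Current and Future Directions",
  institution = "University of California",
  year        = 1994,
  month       = jun
}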
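@InProceedings{NADIR,
  author       = "Jackson, Kathleen A. and DuBois, David H. and Stallings, Cathy A.",
  title        = "An Expert System Application for Network Intrusion Detection",
  booktitle    = "Proceedings of the 14th National Computer Security Conference",
  pages        = "215--225",
  organization = "NCSC",
  year         = 1991,
  month        = oct,
  abstract     = "This paper presents the design of a Network Anomaly
                  Detection and Intrusion Reporter (NADIR). It
                  monitors network audit trails and compares entries
                  with a set of expert system rules that define
                  security policy. The expert system will be
                  applied to audit logs. The authors'
                  solution had to impose minimum overhead and effect
                  minimal changes to the target systems.
                  The audit records from each system are summarised
                  into statistical profiles. Anomalies can be detected
                  either by examining single audit records or by examining
                  activity spread across multiple audit records. The
                  rule base specifies security policy and also details
                  well-known invalid and suspicious behaviour. The
                  conclusions drawn from this are that the NADIR
                  prototype was a success as it helped in the
                  investigation of activity by unknown users. It also provided
                  interesting network-management data."
}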
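@InProceedings{nn-intrusion-detection,
  author       = "Fox, Kevin L. and Henning, Ronda R. and Reed, Johnathan H. and Simonian, Richard P.",
  title        = "A Neural Network Approach towards Intrusion Detection",
  booktitle    = "Proceedings of the 13th National Computer Security Conference",
  pages        = "125--134",
  organization = "NCSC",
  year         = 1990,
  month        = oct,
  abstract     = "This paper presents a technique for analysis of
                  audit trails using neural networks to detect
                  patterns. The neural network is used to track
                  normal-system state, and an expert system provides
                  intrusion analysis. The authors start by motivating
                  their work based on an analogy drawn from biology. An
                  organism's immune system is able to detect, repel
                  and learn from threats by viruses. They feel that
                  Artificial Intelligence can simulate the behaviour
                  of these natural antibodies."
}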
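@Article{heberline-network-ids,
  author  = "Mukherjee, B. and Heberline, L. Todd and Levitt, Karl N.",
  title   = "Network Intrusion Detection",
  journal = "{IEEE} Network",
  pages   = 26,
  year    = 1994,
  month   = may # "/" # jun
}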
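@InProceedings{kephart-viruses,
  author    = "Kephart, Jeffrey O.",
  title     = "A Biologically Inspired Immune System for Computers",
  booktitle = "Artificial Life {IV}",
  year      = 1994
}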
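@InProceedings{ids-secure-networks,
  author    = "Winkler, J. R.",
  title     = "A {UNIX} Prototype for Intrusion and Anomaly Detection in Secure Networks",
  booktitle = "Proceedings of the 13th National Computer Security Conference",
  pages     = "115--124",
  year      = 1990,
  month     = oct,
  abstract  = "This paper describes a real-time intrusion detection
               and monitoring system for network and host
               security. User profiles are built up and then audit
               records are examined in the context of these
               profiles. There are a variety of granularity levels
               which govern at what level audit data is
               interpreted. Analysis tools provide statistical and
               expert-system analysis. This is all tied together in
               a graphical user interface."
}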
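@InProceedings{ides,
  author    = "Javitz, Harold S. and Valdes, Alfonso",
  title     = "The {SRI} {IDES} Statistical Anomaly Detector",
  booktitle = "{IEEE} Symposium on Research in Security and Privacy",
  pages     = 316,
  year      = 1991,
  month     = may
}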
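@TechReport{net-intrusion-architecture,
  author      = "Heady, R. and Luger, G. and Maccabe, A. and Servilla, M.",
  title       = "The Architecture of a Network Level Intrusion Detection System",
  institution = "Department of Computer Science, University of New Mexico",
  year        = 1990,
  month       = aug
}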
--------------------------------------------------------------------
Mark Crosbie mcrosbie@cs.purdue.edu
COAST Archive Maintainer security-archive@cs.purdue.edu
COAST Group Tel: (317) 494-9313
Dept. of Computer Sciences Fax: (317) 494-0739
1398 Computer Sciences Building, Purdue University
West Lafayette, IN 47907-1398, USA
URL: http://www.cs.purdue.edu/people/mcrosbie (PGP key available here)