
JOURNAL OF COMPUTING, VOLUME 4, ISSUE 2, FEBRUARY 2012, ISSN 2151-9617, https://sites.google.com/site/journalofcomputing, WWW.JOURNALOFCOMPUTING.ORG, p. 29

A New Approach for Anomaly Intrusion Detection by MLP and CNN Neural Networks
Mohammad Nabizadeh Gangaraj, Sam Jabbehdari and Ahmad Khadem-Zadeh
Abstract: As information exchange grows and computer networks develop, the diversity of attacks grows with them. Most attacks are a mixture of a series of events and abnormal occurrences, mainly called time-delayed attacks, and they are not recognized effectively by current intrusion detection systems. We propose using an MLP neural network together with a CNN neural network for the detection of time-delayed attacks: the MLP detects real-time attacks well, and the CNN assists the MLP in detecting time-delayed attacks. On the KDD Cup99 data set, the proposed method increases the detection of Probe and denial of service (DoS) attacks without increasing the false alarm rate.

Index Terms: MLP, CNN, Anomaly, Detection Rate, False Alarm Rate

1 INTRODUCTION
During the last two decades the importance of computer network security has increased considerably. To improve network security, tools such as intrusion detection systems are required in addition to firewalls and other intrusion prevention equipment. Intrusion detection systems are generally divided into two classes: signature-based detection and anomaly detection. In signature-based detection, known intrusion patterns are compared with the observed traffic, and an intrusion is reported on a match. The advantage of this method is a low false alarm rate; its disadvantage is that it cannot detect new attacks [1]. In anomaly detection, a profile of ordinary network behaviour is created first; any traffic that deviates from that profile is then reported as an intrusion. The advantage of this method is that it detects new intrusions; its disadvantage is a high false alarm rate. If the present behaviour deviates from the ordinary behaviour, the anomaly detection model identifies the data as an attack [2]. Many intrusion detection methods have such a high false alarm rate that they cause problems for the network security manager [3]. The remainder of the paper is organized as follows. Section 2 presents related work on intrusion detection systems with ANNs, Section 3 introduces our proposed system, Section 4 describes the experiments and results, and Section 5 discusses conclusions and future work.

2 RELATED WORKS
One of the most significant challenges for current intrusion detection approaches is reducing the false alarm rate. The false alarm rate of current neural network intrusion detection approaches is still too high because they lack the capability to detect time-delayed attacks. Hybrid MLP/CNN neural networks have been used to raise the detection rate of time-delayed attacks [4]: a real-time MLP neural network is combined with a time-delay CNN neural network, the input data enter the MLP, and the MLP output then enters the CNN as its input. The Probe detection rate of that method is still low. The Distributed Time Delay Neural Network (DTDNN), a dynamic neural network, attempts to detect more time-delayed attacks [5], but besides the long time spent on training, its attack detection rate is still low. A two-hidden-layer MLP has been used for anomaly intrusion detection [6, 7]; there the MLP is used only to detect two changed known DoS attacks, and other aspects of the method are not considered. The detection rate of that method is rather acceptable but not very good, as its Probe detection rate could be better.

2.1 Neural Networks

The neurons of a neural network communicate with each other in different ways. One of these is called feed-forward, so named because the outputs of the neurons of each layer feed the neurons of the next layer. A simple model of this kind is shown in Fig. 1.

Mohammad Nabizadeh Gangaraj: Department of Computer Engineering, North Tehran Branch, Islamic Azad University, Tehran, Iran. Sam Jabbehdari: Department of Computer Engineering, North Tehran Branch, Islamic Azad University, Tehran, Iran. Ahmad Khadem-Zadeh: Iran Telecommunication Research Center (ITRC), Tehran, Iran.


Fig. 1. Two-layer feed-forward neural network with 4 inputs and 2 outputs [8]. During training, the network receives input data at the first layer and target data at the last layer and adjusts the weight of each edge together with a fixed initial value called the bias. In the test stage it uses these values to estimate the target output for new input data [4].

2.2 Detecting time-delayed attacks

Nowadays intrusions are often divided into several sessions spread out over a long period of time by attackers who take deliberate steps to minimize the chance of detection by an intrusion detection system [9]. Most attacks are composed of a series of abnormal events. Each event may appear normal on its own, but when analysed as subtle probing, an evolving pattern embedded in ordinary traffic can be recognized [4]. We therefore need to identify these temporally diffuse and possibly collaborative attacks, such as DoS or Probe, which are called time-delayed attacks [10]. Because most intrusion detection systems only have real-time classification capability, they may produce a large number of false alarms [4].

2.3 Sensitivity to Time-delayed Events

Identification of time-delayed attacks always depends on keeping a memory of past events. Because of the complexity of intrusive behaviour, the Sensitivity to Time-delayed Events (STE) affects the performance of an intrusion detection system. If the STE of a system is higher, the system detects more attacks at a higher false alarm rate; if it is lower, the system detects fewer attacks at a lower false alarm rate [4]. To raise the attack detection rate while lowering the false alarm rate, we propose using CNN and MLP neural networks in the architecture described in the next section.

3 PROPOSED METHOD

Since time-delayed attacks, i.e. DoS and Probe, account for most present and new attacks, we use a CNN neural network to detect the time-delayed attacks DoS and Probe and an MLP neural network to detect the real-time attack class RU. Instead of chaining the two networks as in [4], we proceed as shown in Fig. 2.

[Fig. 2 shows the pipeline: input data from network traffic or log files (for example protocol type, duration, service, flag, serror-rate) -> preprocessor -> three networks in parallel, CNN (trainlm), MLP (trainbr) and CNN with the "trainbr" training function -> message filter -> final message -> network manager.]
Fig. 2. Our proposed method with MLP and CNN neural networks.

Initial data: in this stage, data from network traffic or data extracted from log files are collected. In the simulation, the inputs of the neural networks were 35 features (such as protocol type, service, duration, flag and serror-rate) and the output was one of 4 messages (RU, Probe, DoS, Normal), taken from the KDD Cup99 data set. Pre-processing: in this stage, the collected data are classified and converted into numbers the neural networks can consume (RU = 1, Probe = 2, DoS = 3, Normal = 0). The processed data are sent separately to each neural network, and according to the patterns learned during training each network sends a message to the next module (the message filter), shown in Fig. 3.
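The pre-processing stage described above (categorical features turned into numbers, the four output classes coded RU = 1, Probe = 2, DoS = 3, Normal = 0, and training/test sets drawn in the same class ratio as the whole KDD Cup99 set) as an added example; this is not the paper's MATLAB code. The records are constructed here in a reduced KDD Cup99 column order (duration, protocol_type, service, flag, serror_rate, label), since the paper does not list its 35 features; the integer codes for the categorical columns, the folding of the KDD R2L and U2R categories into the paper's RU class, and the "at least one record per class" rule in the sampler are assumptions of this example.

```python
"""Pre-processing stage of Section 3, as an added illustration; this is not
the paper's MATLAB code.  Records are constructed here in a reduced KDD Cup99
column order (duration, protocol_type, service, flag, serror_rate, label);
the paper does not list its 35 features, so this subset is an assumption."""
import random

# Output classes coded exactly as in the paper's pre-processing stage.
CLASS_ID = {"Normal": 0, "RU": 1, "Probe": 2, "DoS": 3}

# KDD Cup99 training-set attack names grouped into the paper's classes.
# Folding the KDD R2L and U2R categories into one "RU" class is our reading
# of the paper, which never lists the attack names behind RU.
ATTACK_CATEGORY = {}
for _name in ("back", "land", "neptune", "pod", "smurf", "teardrop"):
    ATTACK_CATEGORY[_name] = "DoS"
for _name in ("ipsweep", "nmap", "portsweep", "satan"):
    ATTACK_CATEGORY[_name] = "Probe"
for _name in ("ftp_write", "guess_passwd", "imap", "multihop", "phf", "spy",
              "warezclient", "warezmaster",                        # R2L
              "buffer_overflow", "loadmodule", "perl", "rootkit"):  # U2R
    ATTACK_CATEGORY[_name] = "RU"

# Integer codes for the categorical columns (assumed; the paper only says the
# data are turned into numbers the networks can consume).
PROTOCOLS = {"tcp": 0, "udp": 1, "icmp": 2}
SERVICES = {"http": 0, "private": 1, "ecr_i": 2, "ftp_data": 3, "telnet": 4}
FLAGS = {"SF": 0, "S0": 1, "REJ": 2, "RSTR": 3}


def label_to_class(label):
    """'neptune.' -> 3 (DoS), 'normal.' -> 0; unknown attack names -> None."""
    name = label.strip().rstrip(".")
    if name == "normal":
        return CLASS_ID["Normal"]
    category = ATTACK_CATEGORY.get(name)
    return None if category is None else CLASS_ID[category]


def encode_record(line):
    """Turn one comma-separated record into (feature vector, class id)."""
    duration, proto, service, flag, serror_rate, label = line.strip().split(",")
    features = [float(duration), float(PROTOCOLS[proto]),
                float(SERVICES[service]), float(FLAGS[flag]),
                float(serror_rate)]
    return features, label_to_class(label)


def stratified_sample(records, total, rng=None):
    """Select `total` records while keeping each class's share of the source
    data, the paper's rule for building its training and test sets (if DoS is
    5x as frequent as Probe in KDD Cup99, it is 5x as frequent here too).
    Every class present keeps at least one record (our choice)."""
    rng = rng or random.Random(0)
    by_class = {}
    for feats, cls in records:
        by_class.setdefault(cls, []).append((feats, cls))
    chosen = []
    for cls, items in by_class.items():
        share = max(1, round(total * len(items) / len(records)))
        chosen.extend(rng.sample(items, min(share, len(items))))
    return chosen


def class_counts(records):
    """Number of records per class id, e.g. {0: 3, 3: 1, 2: 1, 1: 1}."""
    counts = {}
    for _feats, cls in records:
        counts[cls] = counts.get(cls, 0) + 1
    return counts


# Constructed records (not KDD Cup99 data): 6 normal, 2 DoS, 1 Probe, 1 RU.
SAMPLE_LINES = (
    ["0,tcp,http,SF,0.00,normal."] * 6
    + ["0,tcp,private,S0,1.00,neptune."] * 2
    + ["0,tcp,private,REJ,0.00,portsweep."]
    + ["12,tcp,telnet,SF,0.00,guess_passwd."]
)

if __name__ == "__main__":
    encoded = [encode_record(line) for line in SAMPLE_LINES]
    print("source distribution:", class_counts(encoded))
    print("sampled distribution:", class_counts(stratified_sample(encoded, 5)))
```

With the constructed set above, a draw of 5 records keeps the 6:2:1:1 class ratio as closely as rounding allows (3 Normal, 1 DoS, 1 Probe, 1 RU); without the minimum-one rule the Probe and RU classes would vanish from a small sample, which is the practical hazard of ratio-based selection when minority classes such as RU are rare.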


By repeated testing we found that if we use the "trainbr" training function instead of the ordinary "trainlm" function used in [5], the MLP neural network detects the RU attack type better than with "trainlm", and a CNN with "trainbr" detects Probe attacks better; for detecting DoS attacks, however, a CNN with "trainlm" is better than one with "trainbr". The message of each network is sent separately to the message filter unit. Since the CNN neural networks detect the time-delayed attacks DoS and Probe and the MLP neural network detects the real-time attack RU, we recommend the following pattern for deciding on the final message sent to the network manager. If the message sent by the CNN with "trainlm" indicates a DoS attack (the attack this network identifies more accurately than the other networks do) and the other networks do not report their own specialty, the message of the CNN with "trainlm" is the deciding criterion; the same rule is applied for each attack type. If in a specific case every network simultaneously sends its specialty message, the message filter unit sends a message of an unlabeled attack (without determining the group) to the network manager. This method may slightly increase the computational load.

Fig. 3. Message filter module of the proposed method.
Msg1 = message from CNN (trainlm)
Msg2 = message from MLP (trainbr)
Msg3 = message from CNN with "trainbr"

Condition                                              Final message
msg1 = msg2 = msg3                                     Msg1
(msg3 != Probe) & (msg2 != RU) & (msg1 = DoS)          Msg1
(msg3 != Probe) & (msg1 != DoS) & (msg2 = RU)          Msg2
(msg2 != RU) & (msg1 != DoS) & (msg3 = Probe)          Msg3
(msg3 != Probe) & (msg1 != DoS) & (msg2 = Normal)      Msg2
(msg3 = Probe) & (msg2 = RU) & (msg1 = DoS)            Unlabeled attack

4 THE SIMULATION AND THE EXPERIMENTAL RESULTS

To simulate the MLP and CNN neural networks we used Matlab and pre-processed the KDD Cup99 data for entry into the networks. The networks were trained with 13000 normal, 9000 DoS, 2000 Probe and 1000 RU records and then tested with two different data sets. The first test set contains changed known attacks: 3000 normal, 2000 DoS, 500 Probe and 250 RU records; the second contains new attacks: 1500 DoS, 500 Probe and 200 RU records. The number of records per attack class was chosen according to the class ratio in the whole KDD Cup99 data set: if there are 5 times as many DoS records as Probe records in KDD Cup99, the training set also contains 5 times as many DoS as Probe records, and the test sets are selected in the same way. The results, compared with previous methods, are given in the following figures. Detection rate and false alarm rate are calculated by the following formulas [11]:

$DR = \frac{TP}{TP + FN}$, $FAR = \frac{FP}{FP + TN}$

where DR is the detection rate of attacks, FAR the false alarm rate, TP the true positives (anomaly detected as anomaly), TN the true negatives (normal detected as normal), FP the false positives (normal detected as attack) and FN the false negatives (attack detected as normal).

[Fig. 4: bar chart of detection rate (%) on a 0 to 100 scale for the 2-hidden-layer MLP, DTDNN, MLP/CNN and the proposed method.]
Fig. 4. Detection rate of changed known attacks for anomaly detection systems.
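The message filter of Fig. 3 and the DR/FAR formulas above, as an added example that is not the paper's MATLAB implementation. One thing a practitioner should notice when writing the rules down is that the six conditions in Fig. 3 do not cover every combination of verdicts: when exactly two networks report their specialty (for instance CNN-trainlm says DoS and CNN-trainbr says Probe while the MLP says Normal), no rule fires. The paper does not say what happens then; this example returns None in that case and counts it as "no alarm" when computing FAR, both of which are choices of this example. The verdict triples fed to the filter are constructed for illustration, not results from the paper.

```python
"""Message-filter rules of Fig. 3 and the DR/FAR formulas of Section 4, as an
added illustration; this is not the paper's MATLAB implementation.  Each
network emits one of the four labels the paper uses."""

NORMAL, RU, PROBE, DOS = "Normal", "RU", "Probe", "DoS"
UNLABELED = "Unlabeled attack"


def final_message(msg1, msg2, msg3):
    """Apply the Fig. 3 rules to the three network verdicts.

    msg1: CNN trained with trainlm (specialty: DoS)
    msg2: MLP trained with trainbr (specialty: RU; also carries Normal)
    msg3: CNN trained with trainbr (specialty: Probe)

    Returns the label for the network manager, or None when no rule in Fig. 3
    covers the combination, e.g. two networks reporting their specialty while
    the third does not.  The paper does not define those cases; returning None
    so the caller can log them is our choice.
    """
    if msg1 == msg2 == msg3:
        return msg1
    if msg3 == PROBE and msg2 == RU and msg1 == DOS:   # all three specialties
        return UNLABELED
    if msg3 != PROBE and msg2 != RU and msg1 == DOS:
        return msg1
    if msg3 != PROBE and msg1 != DOS and msg2 == RU:
        return msg2
    if msg2 != RU and msg1 != DOS and msg3 == PROBE:
        return msg3
    if msg3 != PROBE and msg1 != DOS and msg2 == NORMAL:
        return msg2
    return None


def confusion_counts(pairs):
    """Count TP, TN, FP, FN over (actual, final) label pairs with the paper's
    definitions: any label other than Normal, including the unlabeled-attack
    message, is an attack.  A None verdict raises no alarm here (our choice)."""
    tp = tn = fp = fn = 0
    for actual, final in pairs:
        is_attack = actual != NORMAL
        alarm = final is not None and final != NORMAL
        if is_attack and alarm:
            tp += 1
        elif not is_attack and not alarm:
            tn += 1
        elif alarm:
            fp += 1
        else:
            fn += 1
    return tp, tn, fp, fn


def detection_rate(tp, fn):
    """DR = TP / (TP + FN), in percent."""
    return 100.0 * tp / (tp + fn) if tp + fn else 0.0


def false_alarm_rate(fp, tn):
    """FAR = FP / (FP + TN), in percent."""
    return 100.0 * fp / (fp + tn) if fp + tn else 0.0


def evaluate(samples):
    """samples: (actual label, (msg1, msg2, msg3)).  Returns
    (TP, TN, FP, FN, DR, FAR) after running every triple through the filter."""
    pairs = [(actual, final_message(*msgs)) for actual, msgs in samples]
    tp, tn, fp, fn = confusion_counts(pairs)
    return tp, tn, fp, fn, detection_rate(tp, fn), false_alarm_rate(fp, tn)


# Constructed verdict triples (not results from the paper); comments give the
# Fig. 3 rule that fires and how the outcome is counted.
CONSTRUCTED = [
    (DOS,    (DOS, NORMAL, NORMAL)),     # rule 2 -> DoS                       TP
    (RU,     (NORMAL, RU, NORMAL)),      # rule 3 -> RU                        TP
    (PROBE,  (NORMAL, NORMAL, PROBE)),   # rule 4 -> Probe                     TP
    (NORMAL, (NORMAL, NORMAL, NORMAL)),  # all agree -> Normal                 TN
    (NORMAL, (DOS, NORMAL, NORMAL)),     # rule 2 -> DoS                       FP
    (DOS,    (DOS, RU, PROBE)),          # all specialties -> unlabeled attack TP
    (PROBE,  (NORMAL, NORMAL, NORMAL)),  # all agree -> Normal                 FN
    (NORMAL, (DOS, NORMAL, PROBE)),      # no rule -> None, no alarm           TN
]

if __name__ == "__main__":
    tp, tn, fp, fn, dr, far = evaluate(CONSTRUCTED)
    print(f"TP={tp} TN={tn} FP={fp} FN={fn} DR={dr:.1f}% FAR={far:.1f}%")
```

On the eight constructed triples the filter yields TP = 4, TN = 2, FP = 1, FN = 1, so DR = 80% and FAR = 33.3%. Note also that the rules rank the specialties above raw votes: a Probe verdict from the trainlm CNN is ignored when the other two networks say Normal, because that network's specialty is DoS.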


[Fig. 5: bar chart of detection rate (%) on a 0 to 60 scale, grouped by attack type (DoS, Probe, RU), for the proposed method, MLP/CNN, the 2-hidden-layer MLP and DTDNN.]
Fig. 5. Detection rate of unknown attacks for anomaly detection systems.

[Fig. 6: bar chart of false alarm rate (%) on a 0 to 3.5 scale for MLP/CNN, the proposed method, MLP and DTDNN.]
Fig. 6. False alarm rate on the data set for anomaly detection systems.

According to Figs. 4 and 5, which show the results of our simulation, the RU detection rate of our proposed method is about 2% to 10% higher than that of the previous methods, and the DoS and Probe detection rates are 3% to 9% and 8.5% to 24% higher, respectively. On the other hand, the proposed method has a false alarm rate about 0.06% higher than the MLP/CNN method, as shown in Fig. 6. Given the higher attack detection rate of the proposed method, this false alarm rate is acceptable.

5 CONCLUSION

Given that intrusion detection systems must detect time-delayed attacks, we recommend using a CNN neural network together with an MLP neural network, and using them separately rather than chained improves their performance. It is also better to use the "trainbr" training function with the CNN and MLP neural networks for detecting Probe and RU attacks, as described in the previous section. The results of our proposed method show an 8.5% to 24% higher Probe detection rate compared with other methods. Future work on the proposed method could use data mining to reduce the required memory and increase detection accuracy, and more parameters of the neural networks could be varied to detect different attack types on different networks.

REFERENCES

[1] V. Dao, "A Performance Comparison of Different Back Propagation Neural Networks Methods in Computer Network Intrusion Detection," Proc. of the Fourth IASTED International Conference on Visualization, Imaging, and Image, Acta Press, Marbella, pp. 159-165, 2004.
[2] E. Eskin, M. Miller, Z. Zhong, et al., "Adaptive Model Generation for Intrusion Detection Systems," Proc. of the Workshop on Intrusion Detection and Prevention, 7th ACM Conference on Computer Security, Athens, Greece, 2000.
[3] K. Anup and S. Ghosh, "A Study in Using Neural Networks for Anomaly and Misuse Detection," Proc. of the 8th USENIX Security Symposium, USENIX Press, Washington, D.C., 1999.
[4] Y. Yu, Y. Wei, G. Fu-xiang and Y. Ge, "Anomaly Intrusion Detection Approach Using Hybrid MLP/CNN Neural Network," Proc. of the Sixth IEEE International Conference on Intelligent Systems Design and Applications, 2006.
[5] M.I. Laheeb, "Anomaly Network Intrusion Detection System Based on Distributed Time-Delay Neural Network (DTDNN)," Journal of Engineering Science and Technology, Vol. 5, No. 4, School of Engineering, Taylor's University, 2010.
[6] M. Moradi and M. Zulkernine, "A neural network based system for intrusion detection and classification of attacks," IEEE International Conference on Advances in Intelligent Systems Theory and Applications, Luxembourg-Kirchberg, Luxembourg, 2004.
[7] M. Sammany, M. Sharawi, M. El-Beltagy and I. Saroit, "Artificial neural networks architecture for intrusion detection systems and classification of attacks," accepted for publication in the 5th International Conference INFO, Cairo University, 2007.
[8] S. Haykin, "Feed Forward Neural Networks: An Introduction."
[9] K. Kendall, "A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems," Master's Thesis, Massachusetts Institute of Technology, 1998.
[10] W. Campbell, "Traditional Indications and Warnings for Host Based Intrusion Detection," Proc. of the CERT Conference, CA Press, Omaha, 1999.
[11] C. Zhou, S. Karunasekera and C. Leckie, "Evaluation of a Decentralized Architecture for Large Scale Collaborative Intrusion Detection," Proc. of the 10th IFIP/IEEE International Symposium on Integrated Network Management, 2007.

Mohammad Nabizadeh Gangaraj is an M.Sc. student in Computer Engineering at the North Tehran Branch of Islamic Azad University, Iran.

Sam Jabbehdari has been working as an assistant professor in the Department of Computer Engineering at IAU (Islamic Azad University), North Tehran Branch, Tehran, since 1993. He received his B.Sc. and M.S. degrees in Electrical Engineering (Telecommunication) from K.N.T (Khajeh Nasir Toosi) University of Technology and from IAU, South Tehran Branch, Tehran, Iran, in 1988 and 1991 respectively. He received his Ph.D. degree in Computer Engineering from IAU, Science and Research Branch, Tehran, Iran, in 2005. He was head of the Postgraduate Computer Engineering Department of IAU, North Tehran Branch, during 2008-2010. He has also written the book Advanced Topics in Computer Networks in Persian (Tehran, Classic, 2009). His current research interests are scheduling, QoS, MANETs, wireless sensor networks and grid computing systems.

Ahmad Khadem-Zadeh was born in Meshed, Iran, in 1943. He received the B.Sc. degree in applied physics from Ferdowsi University, Meshed, Iran, in 1969 and the M.Sc. and Ph.D. degrees in Digital Communication and in Information Theory & Error Control Coding, respectively, from the University of Kent, Canterbury, UK. He is currently Head of the Education & National Scientific and International Scientific Cooperation Department at the Iran Telecom Research Center (ITRC). He was head of the Test Engineering Group and director of the Computer and Communication Department at ITRC. He is also a lecturer at Tehran universities and a member of the Permanent Committee of the Iranian Electrical Engineering Conference. Dr. Khadem-Zadeh has received four distinguished national and international awards, including the Kharazmi International Award, and has been selected as National Outstanding Researcher by the Iran Ministry of Information and Communication Technology.