Dissertation Survey Paper by Yolinda Chiramba on Intrusion Detection System using Neural Networks

1. A SURVEY ON INTRUSION DETECTION using NEURAL
NETWORKS
Yolinda Chiramba1
, Walter Mambodza2
1
Department of Information Security & Assurance, Harare Institute of Technology, Zimbabwe
1ychiramba@gmail.com
2
School of Information Science and Technology, Harare Institute of Technology, Zimbabwe
2wmambodza@hit.ac.zw
Abstract— The major concerns in the building and utilization of
a network based computer systems is maintaining confidentiality,
integrity and availability (CIA) of the system resources.
Developments of all computer infrastructure have raised the
vulnerability of these systems leading to attacks and intrusions.
There are security threats that results in the damage to our
network system e.g. attempted break-in, masquerading, denial-
of-service. For network security Intrusion Detection Systems are
being used. Many methods and algorithms have been proposed
for the development of intrusion detection system using Neural
Networks. This paper shows how other researchers developed
their systems using neural networks.
Keywords— IDS, ANN, Intruder, Malicious
I. INTRODUCTION
Computer networks are widely being used and thus the wide
spreading of attacks on information systems, to protect critical
information Intrusion Detection Systems are being developed.
For event log monitoring Intrusion Detection Systems are used.
There are also used to monitor network traffic to discover any
unusual connections that change the normal profile in a
network. These unusual connections are recognised as
intrusion. Technique of detection and place in the network
structure can be used to classy Intrusion Detection Systems.
Network based and Host based are the two types of Intrusion
Detection System. Network based IDSs are used to monitor
network packets and they search for any suspicious admittance
to network by analysing movement for signs of malicious
activity whereas Host based IDSs are used for monitoring log
files, behaviour processing and monitoring networks traffic
attained from internals of a computer system. This paper aim
to survey different methods and algorithms used in the training
on the neural network of an Intrusion Detection System with
the objective of coming up with useful system of IDS.
II. LITERATURE REVIEW
There are techniques and algorithms that are used to train
neural networks. The diagram shows some of the algorithms
that can be used in the training of the neural network.
Below are research papers that were conducted in the field
of IDS using neural networks by other researchers:
a) Fariba Haddadi et al. [1] Developed an IDS by means of
a Feed-forward neural network algorithm. In their paper, they
exhibited the learning phase, “early stopping” scheme which
was used as a mitigation to override the “over-fitting”
difficulty found in neural networks. DARPA dataset was used
to evaluate their system. The connections chosen from the
dataset were pre-processed and feature range altered. The
alterations used impacted the ultimate recognition results
remarkably.
Using a Feed-forward NN the authors developed a network
base IDS, categorising the normal connections in the network
and attacks that can affect the network. Upon completion of
attack detection, the form of attack was then revealed by the
system in much aspect. In the paper the results showed faster
training, less overhead, minimum memory consumption and
over fitting was prevented. In training and testing datasets two
experiments were implemented on different number of
connections. This data was acquired from dataset which ensued
pre-processing. Outcomes inferred that projected IDS
performance, in these two experimentations, was

2. interchangeable and response rates were very adjacent [1]. As
such, due to lower computational overhead, IDS with minimal
data is more appropriate. Sequel to this survey, the authors
achieved a marked improvement in these two types of attacks
detection rates and they reduced computational overhead and
memory usage [1].
V. K. Pachghare et al. [2] used "Self Organizing Maps"
(SOM) algorithm in training their neural network. Through this
study it was observed that neural networks is turning into a
formidable tool which has since been used on many problems.
In their paper, the neural network component employed the
neural approach, which base on the assumption that each user
leaves an exceptional and exclusive mark after using a certain
computer. In their paper, their system was able to alert the
system administrator for any possible security malicious acts.
The technique used is a very significant methodology for
automatic mathematical characterisation of acceptable system
activity. The researchers explained how they used Self
Organizing Maps for developing an Intrusion Detection
System. They described the system overview and the flow
diagram for the SOM. They also presented the benefits and
demerits of the algorithm. As a learning curve, I’m now able
to comprehend that even a simple map, when trained on normal
data, will detect the anomalies associated with features of both
buffer overflow intrusions it is exposed to. The SOM prepares
itself to detect any aberrant network activity thus after its
learning process, they don’t need to be told how the intrusion
behaviour is [2].
Advantages of using SOM:
 a very simple algorithm
 It has Topological clustering.
 It can works with non-linear data set.
Disadvantage of using SOM:
 SOM are time consuming when training
Omar et al. [3]; explained how Intrusion Detection Systems
(IDS) are now a requisite in network security systems due to
rising of malicious users who are causing attacks. Their paper
addressed Probes attacks which can also be termed
reconnaissance attacks. Their aim was to get any possible data
or information in a network. Host Sweep and Port Scan attacks
are the two types of attack of Probes attack. The hosts in the
network are identified by Host Sweep attacks, while port scan
identify accessible services that are found in the network. [3]
The authors used an expert system for them to be able to exploit
the rate of recognition of network attacks. They achieved this
by implanting the attacks’ behaviour that is temporal into a
neural network architecture (TDNN). The researchers
completed their system and tested it, their results portrayed that
their system had a good detection rate.
The author in his paper used Test driven development
algorithm to identify the temporal behaviour of attacks that are
being done in network. Packets were captured in real time, the
authors developed a capturing of packets module that was used
to present packets to a pre-processing stage. [3] The two
attacks relevant features were extracted from the pre-
processing stage. In the paper, these features were stored in a
tapped line of a Test Driven Development (TDD), and
produced outputs that represent likely attack behaviours in a
pre-specified number of packets. After all the experiments the
results were utilized to recognize the attacks by the behaviour
recognition neural network. [3] However considering they
tested with DARPA 1998 which is out-of-date considering new
test cases that are being used their results may not be so
favourable.
Ojesanmi et al. [4] presented a Neural Network-based
technique that used both unsupervised learning techniques and
supervised learning techniques. Training and Detection were
the two phases used by the authors to design their system. The
authors used Multiple Self–Organizing Map algorithm for
training of the neural network. For capturing quite a number of
input patterns, SOM algorithm was used. In their paper to
convert the input into a reasonable value (0, 1) they used
Sigmoid Activation Function (SAF). (1, +1) was assigned
randomly to learning weights to obtain the output [8]. Root
Mean Square (RMS) error analysis was used to perform the
training model. The assessment result of the new design
indicated a better technique when comparing to the best other
related work. [4]
The neural network was trained by a self-organising
algorithm termed “Kohonem”. Considering the results of the
process when they compared out their project with recent other
projects [4] from the results in the paper it showed that their
algorithm improved the detection accuracy with nearest 4%
which is not a favourable result. For other related projects in
their paper it showed that the rate of detecting intrusion was
nearly 0.95, while their project was 0.965. The difference can
be seen as small, but however for detecting intrusion even a
successful attack can jeopardise the whole system security.
Zahra et al. [5] used Differential Evolution algorithm of
supervised learning for the training of their neural network.
The researchers used KDD dataset for their experiments that
were a resultant from the standard dataset (KDD). In their
paper they provided the comparative outcomes of the
differential evolution. To compare their results the authors
utilised the Multilayer Perceptron (MLP) neural network
classification algorithms.
The authors algorithm i.e. differential evolution algorithm
which they used in their paper can be applied for training
neural network based intrusion detection engines since it is an
arithmetical optimization algorithm. They reduced the
dimensions or features of the datasets. The results of their study
showed higher accuracy in intrusion detection. The main
problem in IDE in Intrusion Detection System is great
dimensionality that leads to low performance, so it is essential
to reduce the features; in their paper they used PCA to reduce
the feature set.
Fungai Mutyambizi et al. [6] in her paper used back
propagation neural network as the algorithm to train her neural
network, with the aim of classifying normal traffic correctly
and detecting known and unknown attacks without using huge
amount of training data. The developer used KDD datasets for
the testing and training of the neural network.
The final output showed that the detection rate was 98%.
This showed that the developer was able to classify attacks
correctly thus minimising false alarm rates. The results of the
study showed that a neural network doesn’t need huge amounts

3. of data to be trained for it to classify traffic correctly. Unknown
attacks were detected, among them Denial of service. However,
the algorithm that was used by the authors can result in sub-
optimal solutions as it can get stuck in local minima. Back
propagation is also a slow algorithm to use.
The table below shows the advantages and disadvantages of
the algorithms and methods previously mentioned that were
used by different authors.
Table 1
Technique Advantages Disadvantages
Feed-forward
Neural
Network
 They have a
fixed
computatio
n time.
 Computatio
n Speed is
very high
this is
because of
their
parallel
structure.
 Their
prediction is
not well
explained
i.e. the
processes
that takes
place during
the training
of a network
is not well
interpretable
.
Self-
organising
map
 They are
very simple
and easy to
understand.
 It has the
excellent
ability to
visualize
high-
dimensional
data onto 1
or 2
dimensional
space
making it
exceptional
especially
for
dimensional
ity
reduction.
 SOM are
time
consuming
when
training.
TDD Neural
Network (Test
Driven
Development)
 Has a high
ability of
reducing
bugs.
 It’s hard to
apply in
practice.
Combining
Supervised and
Unsupervised
Learning
Techniques
 Improved
performanc
e since there
won’t be a
single
model.
Individual
classifiers
may be
optimised
or trained
differently.
 Time
consuming
Differential
Evaluation
 There is fast
convergence
 Can be
implemented
using few
control
parameters.
 The
convergence
is unstable
Back
Propagation
Neural
Network
 Mathematical
formula used
in algorithm
can be applied
to any
network
 Relatively a
simple
implementatio
n
 It is a standard
method and
generally
works well
 Slow and
inefficient
 Can get
stuck in
local minima
resulting in
sub-optimal
solutions.
III. CONCLUSION
After an analysis of previous research papers by different
authors and analysing their methods of IDS and algorithms
they used I noticed the gap on the efficiency of the IDS being
developed to answer to all these problems I am proposing a
system that provide an additional level of protection to detect
intrusion. With a rising number of intrusion in network systems,
there is the need to use innovative intrusion detection
techniques for securing networks. The Researcher has
concentrated on Neural Networks (NNs) that can provide a
more flexible approach to intrusion detection in terms of
learning using Self Organising Maps; An unsupervised
algorithm that is simple and easy-to-understand. Neural
network based AIs are able to learn emergent intrusions that
are too difficult to be noticed by either individuals or other
computer systems.
ACKNOWLEDGMENT
This survey paper was made possible by the department of
Information Security and Assurance of Harare Institute of
Technology. Without guidance this paper would not be a

4. success, my supervisor, Mr. Mambodza made sure this paper
would be a success, he gave me the chance to realise my
capabilities and strengths. To my friends and family I am most
grateful. Thank you all.
REFERENCES
[1] Intrusion Detection and Attack Classification Using Feed-Forward
Neural Network Fariba Haddadi, Sara khanchi, Mehran Shetabi, Vali
Derhami. Yazd University Yazd, Iran 978-0-7695-4042-9/15 $26.00 ©
2015 IEEE DOI 10.1109/ICCNT.2010.28
[2] Intrusion detection system using self-organising maps. V. K. Pachghare
Assistant Professor, Deven M. Nikam Student, Department of
Computer Engineering and Information Technology, College of
Engineering Pune, Pune India nikamdm07 @comp.coep.org.in 978-1-
4244-4711-4/14/$25 .00 ©2014 IEEE
[3] Network intrusion detection system using attack behavior classification;
Omar Al-Jarrah Department of Computer Engineering Jordan
University of Science and Technology Irbid 22110, 978-1-4799-3023-
4/14/$31.00 ©2014 IEE
[4] International Journal of Computer Applications (0975 – 8887) Volume
106 – No. 18, November 2014 19 Neural Network based Intrusion
Detection Systems Sodiya A.S
[5] Intrusion Detection using Neural Networks trained by Differential
Evaluation algorithm by Zahra Salek Information Technology
department Alzahra University Tehran, Iran
Zahra.Salek@student.alzahra.ac.ir.
[6] Fungai Mutyambizi ,Neural Networks Based Intrusion Detection, HIT
Capstone (HIT 400) Department of Computer Science, Mr. T Mpofu,
School of Information Sciences and Technology, Harare Institute of
Technology, Harare, Zimbabwe,2014- 2015
[7] Neural Networks for Intrusion Detection and its Application. E.
Kesavalu Reddy Member IAENG. WCE 2015, July 3-5, 2015 London
UK
[8] Motivation (International Journal of Innovative Research in Computer
and Communication Engineering IJIRCCE)
[9] An Integrated System of Intrusion Detection Based on Rough Set and
Wavelet Neural Network Ling Yu Bo Chen1 Junmo Xiao Department
of Computer Science Nanjing Normal University Nanjing 210097,
P.R.Chinabchen@njnu.edu.cn Institute of Communication Engineering,
and PLA University of Science & Technology Nanjing 210007,
P.R.China
[10] P. Lichodzijewski, A. Zincir-Heywood, and M. Heywood. "Dynamic
intrusion detection using self-organizing maps", 2002.
[11] McHugh, J.: Testing intrusion detection systems: a critique of the 1998
and 1999 DARPA intrusion detection system evaluations as performed
by Lincoln laboratory. ACM Trans. on Information and System
Security 3 (2000) 262-294.
[12] Wenke Lee and Salvatore J. Stolfo, "A framework for constructing
features and models for intrusion detection systems", ACM Trans. Inf.
Syst. Secur., 3(4):227-261, 2000.
[13] Rhodes, B., Mahaffey, 1., Cannady, 1., "Multiple Self-Organizing Maps
for Intrusion Systems"
[14] Bishop, C. M, "Neural Networks for Pattern Recognition", Oxford:
Clarendon-Press, 1996.
[15] Lane, T., and Brodley, C. E. 1999. Temporal sequence learning and data
reduction for anomaly detection. ACM Transactions on Information and
System Security 2(3):295- 331
Yolinda Chiramba is a student of the SIST at Harare Institute of
Technology. Currently studying towards a BTech Degree in
Information Security and Assurance.
Walter Mambodza is a lecturer of the SIST at Harare Institute of
Technology. Has a vast knowledge in cyber security