Design of Neural Networks for Intrusion Detection
TELKOMNIKA, Vol.14, No.3A, September 2016, pp. 321~325
ISSN: 1693-6930, accredited A by DIKTI, Decree No: 58/DIKTI/Kep/2013
DOI: 10.12928/TELKOMNIKA.v14i3A.4387
321
Design of Neural Networks for Intrusion Detection
1
Huiran Wang1, Ruifang Ma*2
College of Computer Science, Xi’an Polytechnic University, Xi’an City, 710048, China
School of Software Engineering, Xi’an Jiaotong University, Xi’an 710049, P. R. China
*Corresponding author, e-mail: 122290930@qq.com
2
Abstract
There are increasing demands for accessing information over the Internet, more and more
networks are designed and deployed. The information and network security becomes a key issue for us to
study. Neural network is effective to detect network intrusion. Much effort has been taken in this field.
Stolfo et al put forward 41 higher-level derived features to distinguish normal connections from abnormal
connections. Unfortunately, with these 41 derived features as inputs, IDS systems take long time to
converge when training and work slowly during on-line detections. We quantize derived features to digital
type before feeding them to IDS systems. We reduce the number of inputs while keeping IDS systems high
detection rates. After a long time of hard work, we achieved a good architecture, i.e. 18-35-1, of BP neural
network for IDS systems. And we choose trainbfg as training function.
Keywords: Intrusion detection, neural network, derived features
Copyright © 2016 Universitas Ahmad Dahlan. All rights reserved.
1. Introduction
Twenty-first centuries is the age of information, the Internet is the fastest way to get
information. As a result, more and more networks are deployed and used. With the wide spread
of Internet, network security and information security is particularly important. We should study
this problem deeply. Intrusion detection is an important aspect of network security. Neural
network is an effective tool for intrusion detection. Many scholars have carried out in-depth
research in this field [1, 2]. Stolfo et al [3] put forward 41 higher-level derived features to
distinguish normal connections from abnormal connections. These features are grouped into
four kinds, i.e., basic features, content features, time-based traffic features, and host-based
traffic features. Many researchers use these features to study intrusion detection method, and
obtained detection rates up to 91% with false positive rates less than 1% [4, 5].
Nevertheless, with these 41 features as inputs, IDS systems converge slowly. We try to
reduce the number of features to IDS systems.
2. BP Neural Network
BP (Back Propagation) neural network consists of two processes, one is forwardpropagation of information and the other is back-propagation of errors. Each neuron in input
layer is responsible for receiving input information from the outside world, and passes the
information to neurons in middle layer. The middle layer is the layer to process internal
information, responsible for information transformation. The middle layer can be designed as a
structure with single hidden layer or with multi hidden layer according to the demand of
information change. The last is called the hidden layer. The information that is transmitted to
neurons of the output layer completes a forward propagation of the learning process after
further processing, and the information processing results is output to the outside world from the
output layer. The phase of backward propagation of the error starts when the actual output is
not in conformity with the expected output. The errors modify the weights of each layer
according to the error gradient descent principle, and back propagate layer by layer to the
hidden layer and the input layer. The cycle process of information forward propagation and error
back propagation creates the constant adjustment of the weights of each layer, and process of
learning and training in neural network. This process has been carried out until the output error
of the network is reduced to an acceptable level, or the pre-set number of learning is reached.
Received April 14, 2016; Revised July 26, 2016; Accepted August 6, 2016
322
ISSN: 1693-6930
3. Quantization of Derived Features
Derived features fall into three data types, i. e., continuous type, discrete type, and
symbolic type. Symbolic type of derived features cannot be feed directly to IDS systems. We
have to quantize them to digital type. Three features and attack types belong to symbolic data
type. We assign a digital value to each value of the features with symbolic data type. During
quantization of protocol feature, we give three digital value to tcp, udp and icmp respectively as
shown in Table 1. We assign similarly 10 digital values to flag feature, 70 digital values to
service feature.
Table 1. Quantization of protocol feature
ID
1
2
3
Original value
TCP
UDP
ICMP
Quantization value
1
2
3
In regard to quantization of network attack, the digital values consist of two parts, one
part of which presents the attack type, and the other the attack itself as shown in Table 2.
Table 2. Quantization of attack feature
ID
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Attack type
dos
dos
dos
dos
dos
dos
probe
probe
probe
probe
r2l
r2l
r2l
r2l
r2l
r2l
r2l
r2l
u2r
u2r
u2r
u2r
Attack
back
land
neptune
pod
smurf
teardrop
ipsweep
nmap
portsweep
satan
ftp_write
guess_passwd
imap
multihop
phf
spy
warezclient
warezmaster
buffer_overflow
loadmodule
perl
rootkit
quantization value
11
12
13
14
15
16
21
22
23
24
31
32
33
34
35
36
37
38
41
42
43
44
4. Features Inputting to IDS Systems
Now, more and more people use the internet. Traffic data grows fast since extensive
use of the Internet. Choices of adapted features inputting to an IDS system are important for the
success of these IDS systems. In traditional solutions [4, 6], nine elements of network packets
are fed to IDS systems as input features. These elements contain network protocol, source port
number, destination port number, source IP address, destination IP address, ICMP type, ICMP
code, raw bytes length, and raw bytes.
Another element (Attack) was added to each record according to whether this
connection represented an attack on a network.
These solutions do not work well, as hackers use false IP addresses usually and start
intrusions from multiple computers at the same time. Stolfo et al. put forward higher-level
features that are helpful in telling normal connections from attacks [3]. There are 41 derived
features in total. These features are grouped into four kinds, i.e., basic features, content
features, time-based traffic features, and host-based traffic features. With these features as
inputs, IDS systems may achieve detection rates up to 91%.
TELKOMNIKA Vol. 14, No. 3A, September 2016 : 321 – 325
ISSN: 1693-6930
TELKOMNIKA
323
However, with so many features as inputs, IDS systems take long time to converge
while training and work slowly during on-line detections. Our purpose is to reduce the number of
inputs and keep IDS systems high detection rates.
We construct different architectures of BP neural networks with different input number.
In the hidden layer, we make use of tansig [7] as transfer function. In the output layer, logsig is
employed as transfer function. As the training function, we utilize trainrp (Resilient
Backpropagation). Network traffic data has a total of 2109 records. The calculation environment
is as following: Dell Precision 3000, Intel 6th Gen Core™ i7 6700 CPU, 16GB 2x8GB 2133MHz
DDR4 ECC UDIMM RAM, 4000 GB SATA 5900RPM HD, Windows 7 profession Edition.
From Figure 1, we understand that the detection rates vary with number of inputs, but
the fluctuation is relative small. From Figure 2, we know that the training time increase rapidly
with the number of input.
Detection rate
90
89.5
89
88.5
88
87.5
87
86.5
86
85.5
85
0
5
10
15
20
25
30
35
40
45
Number of input feature
Figure 1. Detection rate vs input number
Figure 2. Training time vs input number
Based on the above fact, we come to conclusion that the best value for input number is
18. In other words, we should take 9 basic features and 9 time-based features as inputs to IDS
systems. Taking features as inputs, the IDS system reaches a higher detection rate (over 88%)
and the training time is still shorter (about 120 seconds).
5. Design of Architecture of IDS Systems
According to Kolmogorov theorem, we may utilize a 3-layer neural network n-u-m in IDS
systems. Where, n represents the input number, m represents the output number. As presented
in section 4, 18 is a good choice for input number. The output of an IDS system is designed to
show whether there is any intrusion at given time. One output for IDS system is a better solution
[9]. In this section, we focus our attention on the determination of the node number at the hidden
layer.
We experimented with different node number in the hidden layer. The calculation
environment is the same as in section 4. The detection rate vs. node number in hidden layer is
shown in Figure 3. This figure indicates that the detection rate reaches a maximum at the point
where the node number u in hidden layer equals to 35 [10-12].
6. Results and Analysis
We train our “good” architecture of 18-35-1 BP neural networks with various training
functions. After 2500 epochs, we got the training time shown in Figure 4 and the mean square
error illustrated in Figure 5.
These two figures indicated that the training function trainbfg provides the shortest
training time (110 seconds) and relative smaller mean square error (0.005). So, we choose
trainbfg as training function.
Design of Neural Networks for Intrusion Detection (Ruifang Ma)
ISSN: 1693-6930
Training time (second)
324
Figure 3. Determination of node number in the
hidden layer
8000
6000
4000
2000
0
Figure 4. Training time vs. training functions
0.12
Mean square error
0.1
0.08
0.06
0.04
0.02
0
Figure 5. Mean square error vs. training functions
7. Conclusions
We quantize derived features to digital type before feeding them to IDS systems. After
simulation, analysis and experiment, we reduced the input number from 41 to 18, and obtained
a “good” architecture, i.e. 18-35-1, of BP neural network for IDS systems. We choose trainbfg as
training function. With this architecture, the IDS system gives a shorter training time and
reaches higher detection rate.
Acknowledgements
This work is supported by a research project of The Science and Technology Bureau of
Xi’an Beilin District (No.GX1607).
References
[1]
[2]
[3]
[4]
[5]
[6]
[7]
Yang YH, Huang HZ, Shen QN, Wu ZH, Zhang Y. Research on Intrusion Detection Based on
Incremental GHSOM. Chinese Journal of Computers. 2014; 37(5): 1216-1224.
HU Mingxia. Intrusion Detection Algorithm Based on BP Neural Network. Computer Engineering.
2012; 38(6): 148-150.
Stolfo J, Wei F, Lee W, Prodromidis A, Chan PK. Cost-based modeling and evaluation for data
mining with application to fraud and intrusion detection. Results from the JAM Project by Salvatore.
1999.
Pan ZS, Chen SC, Hu GB, Zhang DQ. Hybrid neural network and C4.5 for misuse detection. IEEE
The Second International Conference on Machine Learning and Cybernetics. 2003.
Kayacýk HG, Zincir-Heywood AN, Heywood MI. Selecting Features for Intrusion Detection: A Feature
Relevance Analysis on KDD 99 Intrusion Detection Datasets. Third Annual Conference on Privacy,
Security and Trust. Canada. October. 2005: 12-14.
Cannady J. Artificial Neural Networks for Misuse Detection. Proceedings National Information
systems Security Conference (NISSC'98). Arlington VA. Oct.1998: 443-456.
Hagan MT, Demuth HB, Beale M. Neural Network Design. China Machine Press. CITIC Publishing
House. 2002.
TELKOMNIKA Vol. 14, No. 3A, September 2016 : 321 – 325
TELKOMNIKA
ISSN: 1693-6930
325
[8]
Abdar M, Kalhori SRN, Sutikno T, Subroto IMI, Arji G. Comparing Performance of Data Mining
Algorithms in Prediction Heart Diseases. International Journal of Electrical and Computer
Engineering (IJECE). 2015; 5(6): 1569-1576.
[9] Dadkhah M, Obeidat MM, Jazi MD, Sutikno T, Riyadi MA. How can we identify hijacked journals?
Bulletin of Electrical Engineering and Informatics. 2015; 4(2): 83-87.
[10] Zhou Y, Yang J. Application of Matlab in Intrusion Detection Systems. Journal of Shandong
University. 2003; 12: 92.
[11] Yan X, Wu Q, Zhang C, Li W, Chen W, Luo W. An improved genetic algorithm and its application.
Indonesian Journal of Electrical Engineering and Computer Science. 2012; 10(5): 1081-1086.
[12] Susanto BM. Naïve Bayes Decision Tree Hybrid Approach for Intrusion Detection System. Bulletin of
Electrical Engineering and Informatics. 2013; 2(3): 225-232.
Design of Neural Networks for Intrusion Detection (Ruifang Ma)
ISSN: 1693-6930, accredited A by DIKTI, Decree No: 58/DIKTI/Kep/2013
DOI: 10.12928/TELKOMNIKA.v14i3A.4387
321
Design of Neural Networks for Intrusion Detection
1
Huiran Wang1, Ruifang Ma*2
College of Computer Science, Xi’an Polytechnic University, Xi’an City, 710048, China
School of Software Engineering, Xi’an Jiaotong University, Xi’an 710049, P. R. China
*Corresponding author, e-mail: 122290930@qq.com
2
Abstract
There are increasing demands for accessing information over the Internet, more and more
networks are designed and deployed. The information and network security becomes a key issue for us to
study. Neural network is effective to detect network intrusion. Much effort has been taken in this field.
Stolfo et al put forward 41 higher-level derived features to distinguish normal connections from abnormal
connections. Unfortunately, with these 41 derived features as inputs, IDS systems take long time to
converge when training and work slowly during on-line detections. We quantize derived features to digital
type before feeding them to IDS systems. We reduce the number of inputs while keeping IDS systems high
detection rates. After a long time of hard work, we achieved a good architecture, i.e. 18-35-1, of BP neural
network for IDS systems. And we choose trainbfg as training function.
Keywords: Intrusion detection, neural network, derived features
Copyright © 2016 Universitas Ahmad Dahlan. All rights reserved.
1. Introduction
Twenty-first centuries is the age of information, the Internet is the fastest way to get
information. As a result, more and more networks are deployed and used. With the wide spread
of Internet, network security and information security is particularly important. We should study
this problem deeply. Intrusion detection is an important aspect of network security. Neural
network is an effective tool for intrusion detection. Many scholars have carried out in-depth
research in this field [1, 2]. Stolfo et al [3] put forward 41 higher-level derived features to
distinguish normal connections from abnormal connections. These features are grouped into
four kinds, i.e., basic features, content features, time-based traffic features, and host-based
traffic features. Many researchers use these features to study intrusion detection method, and
obtained detection rates up to 91% with false positive rates less than 1% [4, 5].
Nevertheless, with these 41 features as inputs, IDS systems converge slowly. We try to
reduce the number of features to IDS systems.
2. BP Neural Network
BP (Back Propagation) neural network consists of two processes, one is forwardpropagation of information and the other is back-propagation of errors. Each neuron in input
layer is responsible for receiving input information from the outside world, and passes the
information to neurons in middle layer. The middle layer is the layer to process internal
information, responsible for information transformation. The middle layer can be designed as a
structure with single hidden layer or with multi hidden layer according to the demand of
information change. The last is called the hidden layer. The information that is transmitted to
neurons of the output layer completes a forward propagation of the learning process after
further processing, and the information processing results is output to the outside world from the
output layer. The phase of backward propagation of the error starts when the actual output is
not in conformity with the expected output. The errors modify the weights of each layer
according to the error gradient descent principle, and back propagate layer by layer to the
hidden layer and the input layer. The cycle process of information forward propagation and error
back propagation creates the constant adjustment of the weights of each layer, and process of
learning and training in neural network. This process has been carried out until the output error
of the network is reduced to an acceptable level, or the pre-set number of learning is reached.
Received April 14, 2016; Revised July 26, 2016; Accepted August 6, 2016
322
ISSN: 1693-6930
3. Quantization of Derived Features
Derived features fall into three data types, i. e., continuous type, discrete type, and
symbolic type. Symbolic type of derived features cannot be feed directly to IDS systems. We
have to quantize them to digital type. Three features and attack types belong to symbolic data
type. We assign a digital value to each value of the features with symbolic data type. During
quantization of protocol feature, we give three digital value to tcp, udp and icmp respectively as
shown in Table 1. We assign similarly 10 digital values to flag feature, 70 digital values to
service feature.
Table 1. Quantization of protocol feature
ID
1
2
3
Original value
TCP
UDP
ICMP
Quantization value
1
2
3
In regard to quantization of network attack, the digital values consist of two parts, one
part of which presents the attack type, and the other the attack itself as shown in Table 2.
Table 2. Quantization of attack feature
ID
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Attack type
dos
dos
dos
dos
dos
dos
probe
probe
probe
probe
r2l
r2l
r2l
r2l
r2l
r2l
r2l
r2l
u2r
u2r
u2r
u2r
Attack
back
land
neptune
pod
smurf
teardrop
ipsweep
nmap
portsweep
satan
ftp_write
guess_passwd
imap
multihop
phf
spy
warezclient
warezmaster
buffer_overflow
loadmodule
perl
rootkit
quantization value
11
12
13
14
15
16
21
22
23
24
31
32
33
34
35
36
37
38
41
42
43
44
4. Features Inputting to IDS Systems
Now, more and more people use the internet. Traffic data grows fast since extensive
use of the Internet. Choices of adapted features inputting to an IDS system are important for the
success of these IDS systems. In traditional solutions [4, 6], nine elements of network packets
are fed to IDS systems as input features. These elements contain network protocol, source port
number, destination port number, source IP address, destination IP address, ICMP type, ICMP
code, raw bytes length, and raw bytes.
Another element (Attack) was added to each record according to whether this
connection represented an attack on a network.
These solutions do not work well, as hackers use false IP addresses usually and start
intrusions from multiple computers at the same time. Stolfo et al. put forward higher-level
features that are helpful in telling normal connections from attacks [3]. There are 41 derived
features in total. These features are grouped into four kinds, i.e., basic features, content
features, time-based traffic features, and host-based traffic features. With these features as
inputs, IDS systems may achieve detection rates up to 91%.
TELKOMNIKA Vol. 14, No. 3A, September 2016 : 321 – 325
ISSN: 1693-6930
TELKOMNIKA
323
However, with so many features as inputs, IDS systems take long time to converge
while training and work slowly during on-line detections. Our purpose is to reduce the number of
inputs and keep IDS systems high detection rates.
We construct different architectures of BP neural networks with different input number.
In the hidden layer, we make use of tansig [7] as transfer function. In the output layer, logsig is
employed as transfer function. As the training function, we utilize trainrp (Resilient
Backpropagation). Network traffic data has a total of 2109 records. The calculation environment
is as following: Dell Precision 3000, Intel 6th Gen Core™ i7 6700 CPU, 16GB 2x8GB 2133MHz
DDR4 ECC UDIMM RAM, 4000 GB SATA 5900RPM HD, Windows 7 profession Edition.
From Figure 1, we understand that the detection rates vary with number of inputs, but
the fluctuation is relative small. From Figure 2, we know that the training time increase rapidly
with the number of input.
Detection rate
90
89.5
89
88.5
88
87.5
87
86.5
86
85.5
85
0
5
10
15
20
25
30
35
40
45
Number of input feature
Figure 1. Detection rate vs input number
Figure 2. Training time vs input number
Based on the above fact, we come to conclusion that the best value for input number is
18. In other words, we should take 9 basic features and 9 time-based features as inputs to IDS
systems. Taking features as inputs, the IDS system reaches a higher detection rate (over 88%)
and the training time is still shorter (about 120 seconds).
5. Design of Architecture of IDS Systems
According to Kolmogorov theorem, we may utilize a 3-layer neural network n-u-m in IDS
systems. Where, n represents the input number, m represents the output number. As presented
in section 4, 18 is a good choice for input number. The output of an IDS system is designed to
show whether there is any intrusion at given time. One output for IDS system is a better solution
[9]. In this section, we focus our attention on the determination of the node number at the hidden
layer.
We experimented with different node number in the hidden layer. The calculation
environment is the same as in section 4. The detection rate vs. node number in hidden layer is
shown in Figure 3. This figure indicates that the detection rate reaches a maximum at the point
where the node number u in hidden layer equals to 35 [10-12].
6. Results and Analysis
We train our “good” architecture of 18-35-1 BP neural networks with various training
functions. After 2500 epochs, we got the training time shown in Figure 4 and the mean square
error illustrated in Figure 5.
These two figures indicated that the training function trainbfg provides the shortest
training time (110 seconds) and relative smaller mean square error (0.005). So, we choose
trainbfg as training function.
Design of Neural Networks for Intrusion Detection (Ruifang Ma)
ISSN: 1693-6930
Training time (second)
324
Figure 3. Determination of node number in the
hidden layer
8000
6000
4000
2000
0
Figure 4. Training time vs. training functions
0.12
Mean square error
0.1
0.08
0.06
0.04
0.02
0
Figure 5. Mean square error vs. training functions
7. Conclusions
We quantize derived features to digital type before feeding them to IDS systems. After
simulation, analysis and experiment, we reduced the input number from 41 to 18, and obtained
a “good” architecture, i.e. 18-35-1, of BP neural network for IDS systems. We choose trainbfg as
training function. With this architecture, the IDS system gives a shorter training time and
reaches higher detection rate.
Acknowledgements
This work is supported by a research project of The Science and Technology Bureau of
Xi’an Beilin District (No.GX1607).
References
[1]
[2]
[3]
[4]
[5]
[6]
[7]
Yang YH, Huang HZ, Shen QN, Wu ZH, Zhang Y. Research on Intrusion Detection Based on
Incremental GHSOM. Chinese Journal of Computers. 2014; 37(5): 1216-1224.
HU Mingxia. Intrusion Detection Algorithm Based on BP Neural Network. Computer Engineering.
2012; 38(6): 148-150.
Stolfo J, Wei F, Lee W, Prodromidis A, Chan PK. Cost-based modeling and evaluation for data
mining with application to fraud and intrusion detection. Results from the JAM Project by Salvatore.
1999.
Pan ZS, Chen SC, Hu GB, Zhang DQ. Hybrid neural network and C4.5 for misuse detection. IEEE
The Second International Conference on Machine Learning and Cybernetics. 2003.
Kayacýk HG, Zincir-Heywood AN, Heywood MI. Selecting Features for Intrusion Detection: A Feature
Relevance Analysis on KDD 99 Intrusion Detection Datasets. Third Annual Conference on Privacy,
Security and Trust. Canada. October. 2005: 12-14.
Cannady J. Artificial Neural Networks for Misuse Detection. Proceedings National Information
systems Security Conference (NISSC'98). Arlington VA. Oct.1998: 443-456.
Hagan MT, Demuth HB, Beale M. Neural Network Design. China Machine Press. CITIC Publishing
House. 2002.
TELKOMNIKA Vol. 14, No. 3A, September 2016 : 321 – 325
TELKOMNIKA
ISSN: 1693-6930
325
[8]
Abdar M, Kalhori SRN, Sutikno T, Subroto IMI, Arji G. Comparing Performance of Data Mining
Algorithms in Prediction Heart Diseases. International Journal of Electrical and Computer
Engineering (IJECE). 2015; 5(6): 1569-1576.
[9] Dadkhah M, Obeidat MM, Jazi MD, Sutikno T, Riyadi MA. How can we identify hijacked journals?
Bulletin of Electrical Engineering and Informatics. 2015; 4(2): 83-87.
[10] Zhou Y, Yang J. Application of Matlab in Intrusion Detection Systems. Journal of Shandong
University. 2003; 12: 92.
[11] Yan X, Wu Q, Zhang C, Li W, Chen W, Luo W. An improved genetic algorithm and its application.
Indonesian Journal of Electrical Engineering and Computer Science. 2012; 10(5): 1081-1086.
[12] Susanto BM. Naïve Bayes Decision Tree Hybrid Approach for Intrusion Detection System. Bulletin of
Electrical Engineering and Informatics. 2013; 2(3): 225-232.
Design of Neural Networks for Intrusion Detection (Ruifang Ma)