A Neural Network Component for an Intrusion Detection System

Hervé DEBAR (CSEE/DCI), herve@etna.int-evry.fr
Monique BECKER (INT), mbecker@frint51.bitnet
Didier SIBONI (CSEE/DCI), didie@froisil1.bitnet

CSEE/DCI: 6, Avenue des Tropiques, BP 80, 91943 Les Ulis Cedex, France
INT: 9, Rue Charles Fourier, 91011 Evry Cedex, France

Abstract

In this paper, we present a possible application of neural networks as a component of an intrusion detection system. Neural network algorithms are emerging nowadays as a new artificial intelligence technique that can be applied to real-life problems. We present an approach to user behavior modeling that takes advantage of the properties of neural algorithms, and display results obtained in preliminary testing of our approach.

1: Introduction

The use of artificial intelligence for detecting intrusions on computer systems is now widely considered as the only way to build efficient and adaptive intrusion detection systems. Beyond expert systems, artificial neural networks are evolving as a new technique related to artificial intelligence. They appear as an alternate solution for treating problems where the explicit knowledge necessary to build an expert system is not available.

The hacker, attacking from inside as an authorized user or from outside as an intruder, uses vulnerabilities or flaws on the system. These vulnerabilities are specific to a given version and release of the hardware and software on the computer. It is therefore interesting to build a tool that monitors the activity of users without specifically looking for known vulnerabilities. The data come from the audit mechanisms activated on the systems, either for security purposes or for others, such as accounting.

This path has been opened by IDES [1]. IDES has two components: an expert system looking for evidence of attacks on known vulnerabilities of the system, and a statistical model of the behavior of a user on the computer system under surveillance.
This model learns the habits a user has when he works with the computer, and raises warnings when the current behavior is not consistent with the previously learned patterns. This change in behavior may indicate a masquerade or a change in activity. A single warning is not proof of an intrusion. The expert system is therefore responsible for collecting these warnings. By analysing and correlating them, it is able to raise alarms of suspected break-ins or attempted break-ins.

This approach has proven to be successful [2] and has been followed until now, with improvements to the statistical model of the user's behavior to make it as accurate as possible [3,4]. This statistical model, based primarily on mean and standard deviation, has expanded to a complex structure to incorporate correlation between measures and time decay. The enhancements to the model have been aimed at reducing the rate of false alarms. It is indeed very difficult to fix the alarm threshold on a statistical variable. Too low, and the false alarm rate increases to unacceptable levels. Too high, and there is a risk of missing an alarm.

Also, this view of the user behavior makes the assumption that the data generated is a stochastic process. In order to take advantage of the existing correlation between the different measures related to the behavior of a user, the statistical model has to approximate each of the measures with a Gaussian law. We feel that an approach more closely related to time series can be of help in this model of the user behavior. The statistical model provides information, but its increasing complexity makes improvement difficult. We therefore suggest the time series approach to add another scope to the model. Also, we feel the need for alternative techniques. We thus introduce the use of a neural network component for modeling the user's behavior as a component for an intrusion detection system.
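The contrast drawn above between a mean/standard-deviation profile and a time-series view can be made concrete with the following added example, which is not code from the paper. It uses constructed command sessions, and a most-frequent-successor table stands in for a time-series learner; it is not the authors' neural network, and all names in it are hypothetical.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed audit data: each session is the ordered list of commands a user ran.
HABIT = ["cd", "ls", "vi", "make", "run"]
TRAIN = [HABIT * n for n in (3, 4, 5, 4)]
SESSIONS = {
    "usual": HABIT * 4,
    "busy": HABIT * 6,               # same habits, more work than usual
    "reordered": sorted(HABIT * 4),  # usual counts, unfamiliar order
}

def fit_profile(sessions):
    """Statistical view: per-command (mean, std) of the count per session."""
    stats = {}
    for cmd in {c for s in sessions for c in s}:
        counts = [s.count(cmd) for s in sessions]
        stats[cmd] = (mean(counts), pstdev(counts))
    return stats

def max_z(profile, session):
    """Largest absolute z-score over the commands known to the profile."""
    counts = Counter(session)
    return max(abs(counts[c] - m) / (sd or 1.0) for c, (m, sd) in profile.items())

def fit_successors(sessions):
    """Time-series view (stand-in learner): most frequent next command."""
    nxt = defaultdict(Counter)
    for s in sessions:
        for a, b in zip(s, s[1:]):
            nxt[a][b] += 1
    return {a: c.most_common(1)[0][0] for a, c in nxt.items()}

def prediction_error(successors, session):
    """Fraction of transitions in the session that the learned order missed."""
    pairs = list(zip(session, session[1:]))
    return sum(successors.get(a) != b for a, b in pairs) / len(pairs)

def report():
    """Map session name -> (max z-score, prediction error), rounded to 2 places."""
    profile, succ = fit_profile(TRAIN), fit_successors(TRAIN)
    return {name: (round(max_z(profile, s), 2), round(prediction_error(succ, s), 2))
            for name, s in SESSIONS.items()}

if __name__ == "__main__":
    for name, (z, err) in report().items():
        print(f"{name:10s} max|z|={z:<5} prediction error={err}")
```

The "busy" session is a false alarm at a z-score threshold of 2 and passes at 3, while the "reordered" session has a z-score of 0 at any threshold and is only visible to the sequence view.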
There are several potential uses of neural networks in this field, as foreseen in [5], and we are presenting a neural network that learns time series, applied to the audit data.

In this paper, we present a model of the behavior of a user on a computer system using a neural network coupled with an expert system. Part 2 explains in more detail how we see the audit data as a time series, and what hypotheses we make in order for the model to learn the behavior. Part 3 briefly presents neural networks and describes our choice of an algorithm among the many

0-8186-2825-1/92 $3.00 © 1992 IEEE