A Real-Time Intrusion Detection Algorithm for Network Security

HAZEM M. EL-BAKRY
Faculty of Computer Science & Information Systems, Mansoura University, EGYPT
E-mail: helbakry20@yahoo.com

NIKOS MASTORAKIS
Department of Computer Science, Military Institutions of University Education (MIUE) - Hellenic Naval Academy, Greece

Abstract — E-government is an important issue which integrates existing local area networks into a global network that provides many services to the nation's citizens. This network requires a strong security infrastructure to guarantee the confidentiality of national data and the availability of government services. In this paper, a framework for network intrusion detection systems is presented. The framework utilizes data mining techniques and is customized for the E-Government Network (EGN). It consists of two phases: an offline phase in which the intrusion detection system learns the normal usage profiles for each local network domain, and a real-time intrusion detection phase. In the real-time phase, known attacks are detected at a global layer at the EGN perimeter, while normal behavior is filtered out at a local layer defined for each LAN domain. Clustering is used to focus the analysis on the remaining suspicious activity and to identify whether it represents new intrusive or normal behavior. This framework is intended to detect intrusions in real time, achieve low false alarm rates, and continuously adapt to changes in the environment and the emergence of new behavior. This research is a development of the work presented in [22,23]. The main achievement of this paper is the fast attack detection algorithm. This algorithm is based on performing cross correlation in the frequency domain between the data traffic and the input weights of fast time delay neural networks (FTDNNs). It is proved mathematically and practically that the number of computation steps required by the presented FTDNNs is less than that needed by conventional time delay neural networks (CTDNNs). Simulation results using MATLAB confirm the theoretical computations.

Keywords — Fast Intrusion Detection, Clustering, Data Mining, E-Government, Cross correlation, Frequency domain, Neural Networks.

1. Introduction

Intrusion detection is the process of monitoring the activities of a computer or network system and analyzing them for signs of intrusions or attacks [1]. The intrusion detection system (IDS) is the software or hardware that automates this monitoring and analysis. The intrusion detection system depends on two basic processes to work: monitoring the underlying system activity and analyzing the resulting event data. The analysis process can be conducted by means of two main techniques. The first is misuse detection, in which data is analyzed to find intrusions matching predefined attack signatures kept by the IDS; the second is anomaly detection, in which data is analyzed to spot anomalies that differ from a predefined normal profile of the protected system. The IDS analysis phase is concerned with finding intrusions within large amounts of activity data. Since data mining techniques can analyze large data sets and discover interesting patterns hidden in them, they have been used to discover patterns of intrusions that may exist among the data monitored by the IDS. However, IDSs that use data mining techniques suffer from high false alarm rates because they are used mainly for anomaly detection, and they need extensive training over attack-free, correctly labeled data instances [2].

In this paper a framework for a fast data mining-based network intrusion detection system for the E-Government Network (EGN) is presented. The EGN generally consists of multiple independent governmental domains that are linked together via a virtual private network. Communications from outside parties that wish to use the EGN services are carried out through the Internet and are screened by a central security system. This architecture suggests that the functions of the IDS be distributed over two conceptual layers: a global layer to enhance the security of the EGN domain where it is connected to the public domain, and a local layer to enhance the security of the local governmental domains that provide specific services. The proposed framework adapts this layered approach to detect intrusions, where the IDS performs known-attack detection at the global layer and normal profile filtering at the local layer. Then it uses clustering to analyze unknown activity to find out whether it is similar to the system profile in the local layer or to the known attacks detected in the global layer. The gradual filtering of known behavior (whether known attacks or known normal profiles) leaves only a small subset of data to be analyzed for possible new intrusions, which improves the detection rate of the intrusion detection system [3]. This framework works through two phases: a phase in which local normal profiles are built for each domain, and a phase of real-time detection that depends on the layered approach previously outlined. The real-time intrusion detection system utilizes the existing domain knowledge about intrusion signatures and attempts to help establish new knowledge about intrusions. This framework aims at achieving a low false alarm rate while keeping the suspicion level of the intrusion detection system high.

2. Data Mining Intrusion Detection Systems

Most of the work in the area of building operational IDSs using data mining depends on an offline analysis phase to build models of normal behavior. The Minnesota Intrusion Detection System (MINDS) proposed in [4] uses a suite of data mining techniques to automatically detect attacks against computer networks. MINDS first constructs features that are used in the data mining analysis. A known-attack detection module is then used to detect network connections that correspond to attacks for which signatures are available, and these are removed from further analysis. Next, the data is fed into the MINDS anomaly detection module that uses an

WSEAS TRANSACTIONS on COMMUNICATIONS, Hazem M. El-Bakry, Nikos Mastorakis, ISSN: 1109-2742, 1222, Issue 12, Volume 7, December 2008
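As an added illustration (not the paper's own code) of the fast attack detection idea stated in the abstract: a time delay neural network's hidden neuron applies the same input weights at every window position of the traffic, and that whole set of window responses is exactly the cross correlation of the traffic with the weight vector, so it can be obtained in one pass through the frequency domain instead of one dot product per window. The traffic values and weights below are constructed sample values, and the computation-step comparison the paper makes in MATLAB is not reproduced here.

```python
import cmath

# Constructed sample: a short series of per-interval traffic counts and one
# hidden neuron's input weights (assumed values, not taken from the paper).
TRAFFIC = [3.0, 1.0, 4.0, 1.0, 5.0, 9.0, 2.0, 6.0, 5.0, 3.0, 5.0, 8.0]
WEIGHTS = [0.5, -1.0, 2.0]

def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * cmath.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out

def ifft(spectrum):
    """Inverse FFT via the conjugation trick: conj(FFT(conj(X))) / n."""
    n = len(spectrum)
    return [v.conjugate() / n for v in fft([s.conjugate() for s in spectrum])]

def sliding_dot_direct(traffic, weights):
    """CTDNN style: the hidden neuron recomputes its dot product at every
    window position, i.e. (L - m + 1) * m multiplications in total."""
    m = len(weights)
    return [sum(traffic[i + j] * weights[j] for j in range(m))
            for i in range(len(traffic) - m + 1)]

def sliding_dot_fft(traffic, weights):
    """FTDNN style: the same window responses obtained at once as the cross
    correlation of traffic and weights, computed in the frequency domain."""
    length, m = len(traffic), len(weights)
    n = 1
    while n < length + m:          # zero-pad to a power of two; no wrap-around
        n *= 2
    spec_t = fft(traffic + [0.0] * (n - length))
    spec_w = fft(weights + [0.0] * (n - m))
    # cross-correlation theorem: corr = IFFT(FFT(traffic) * conj(FFT(weights)))
    corr = ifft([a * b.conjugate() for a, b in zip(spec_t, spec_w)])
    return [corr[i].real for i in range(length - m + 1)]

if __name__ == "__main__":
    print(sliding_dot_direct(TRAFFIC, WEIGHTS))
    print([round(v, 6) for v in sliding_dot_fft(TRAFFIC, WEIGHTS)])
```

Both functions return one value per window position; the neuron's activation and threshold would then be applied to each value exactly as in the conventional network, so only the cost of producing the dot products changes.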