An Adaptive Intrusion Detection System Using Neural Networks

J. M. Bonifácio Jr (1), E. S. Moreira (1), A. M. Cansian (2) and A. C. P. L. F. Carvalho (1)

(1) {boni, edson, andre}@icmsc.sc.usp.br
Instituto de Ciências Matemáticas de São Carlos
ICMSC/USP
Po Box 668 - CEP 13560-970 - São Carlos - SP - Brazil

(2) adriano@unesp.br
UNESP - Universidade Estadual Paulista
IBILCE/S.J.Rio Preto
Po Box 136 CEP 15970-001 – São José do Rio Preto – SP - Brazil

Abstract

As the Internet expands both in number of hosts connected and in terms of the number of services provided, security has become a key issue for the technology developers. This work presents and analyses a prototype of an intrusion detection system. This system, positioned at key points of the network, will keep looking at the passing packets, in search of suspicious connections. The system provides a list of such connections for the administrator, enabling him/her to take the proper action at an early stage of the intrusion. Neural Networks are used to look for profiles of intrusion within the analysed data streams. The assessment is done through comparison with well-known profiles of intrusion. The system is highly adaptive, since new profiles can be added to the database and the Neural Network re-trained to consider them.

Key Words

Intrusion Detection System, Network Security, Neural Networks

1 INTRODUCTION

The security, possession and handling of information have become an aspect of crucial importance for the whole society. On the other hand, piracy acts, intrusion attempts, consummate invasions and break-in actions are becoming frequent and involve an increasingly high number of computers (Bace, 1994)(Neumann, 1989). This scenario brings up the need for special security techniques in modern computer systems; ones that go beyond the traditional “locking up the doors” practice. Various Intrusion Detection Systems (IDS) (Lunt, 1993) have been developed and some of them have been introduced experimentally.
These systems are divided into host-based (Javitz, 1991)(Winkler, 1990)(Lunt, 1990) and network-based (Heberlein, 1990, 1991)(Spirakis, 1994). Host-based systems use audit trails (which

Proceedings of the 14th Int. Information Security Conference (IFIP/Sec'98, part of the 15th IFIP World Computer Congress) - ISBN: 3-85403-116-5 31 Aug - 4 Sep, 1998, Vienna/Budapest, Austria/Hungary, 1998. IFIP, Austrian Computer Society