INVESTIGATION OF NEURAL NETWORK ALGORITHM FOR DETECTION OF NETWORK HOST ANOMALIES IN THE AUTOMATED SEARCH FOR XSS VULNERABILITIES AND SQL INJECTIONS

 A problem of aberrant behavior detection for network communicating computer is discussed. A novel approach based on dynamic response of computer is introduced. The computer is suggested as a multiple-input multiple-output (MIMO) plant. To characterize dynamic response of the computer on incoming requests a correlation between input data rate and observed output response (outgoing data rate and performance metrics) is used. To distinguish normal and aberrant behavior of the computer one-class neural network classifieris used. General idea of the algorithm is shortly described. Configuration of network testbed for experiments with real attacks and their detection is presented (the automated search for XSS and SQL injections).  Real found-XSS and SQL injection attack software was used to model the intrusion scenario.  It would be expectable that aberrant behavior of the server will reveal itself by some instantaneous correlation response which will be significantly different from any of normal ones.  It is evident that correlation picture of attacks from different malware running,  the site homepage overriding on the server (so called defacing), hardware and software failures will differ from correlation picture of normal functioning. Intrusion detection algorithm is investigated to estimate false positive and false negative rates in relation to algorithm parameters. The importance of correlation width value and threshold value selection was emphasized.  False positive rate was estimated along the time series of experimental data.  Some ideas about enhancement of the algorithm quality and robustness were mentioned.

1. Kaustav Das. Detecting Patterns of Anomalies. CMU-ML-09-101. Pittsburgh, ProQuest, 2009, 152 p.
2. García-Teodoro P., Díaz-Verdejo J., Maciá-Fernández G., Vázquez E. Anomaly-based network intrusion detection: techniques, systems and challenges. Computers and Security, 2009, vol. 28, no. 1–2, pp. 18–28. doi: 10.1016/j.cose.2008.08.003
3. Hodge V.J., Austin J. A survey of outlier detection methodologies. Artificial Intelligence Review, 2004, vol. 22, no. 2, pp. 85–126. doi: 10.1023/B:AIRE.0000045502. 10941.a9
4. Chandola V., Banerjee A., Kumar V. Anomaly detection: a survey. ACM Computing Surveys, 2009, vol. 41, no. 3, art. 15. doi: 10.1145/1541880.1541882
5. Pradhan M., Pradhan S.K., Sahu S.K. Anomaly detection using artificial neural network. International Journal of Engineering Sciences & Emerging Technologies, 2012, vol. 2, no. 1, pp. 29–36.
6. Aneetha A.S., Bose S. The combined approach for anomaly detection using neural networks and clustering techniques. Computer Science & Engineering: An International Journal, 2012, vol. 2, no. 4, pp. 37–64. doi: 10.5121/cseij.2012.2404
7. Klionskiy D.M., Bolshev A.K. Application of artificial neural networks in the tasks of fault detection in the behaviour of complex dynamic objects. Neirokomp'yutery: Razrabotka, Primenenie, 2011, no. 11, pp. 32–45 (in Russian)
8. Krizhevsky A., Sutskever I., Hinton G.E. ImageNet classification with deep convolutional neural networks. In: Advances in Neural Information Processing Systems, 2012, pp. 1106–1114.
9. Eliseev V., Shabalin Y. Dynamic response recognition by neural network to detect network host anomaly activity. Proc. 8th Int. Conf. on Security of Information and Networks SIN’15. St. Petersburg, 2015, pp. 246–249. doi: 10.1145/2799979.2799991
10. Thottan M., Liu G., Ji C. Anomaly detection approaches for communication networks. In: Cormode В.G., Thottan M. Algorithms for Next Generation Networks. London, Springer, 2010, pp. 239–261. doi: 10.1007/978-1-84882-765-3_11
11. Dasgupta D., Majumdar N.S. Anomaly detection in multidimensional data using negative selection algorithm. Proc. 2002 Congress of Evolutionary Computation, CEC '02. Honolulu, USA, 2002, vol. 2, pp. 1039–1044. doi: 10.1109/CEC.2002.1004386
12. Thakur M.R., Sanyal S. A multi-dimensional approach towards intrusion detection system. International Journal of Computer Applications, 2002, vol. 48, no. 5, pp. 34–41. doi: 10.5120/7347-0236
13. Khatkhate A., Ray A., Keller E., Gupta S., Chin S.C. Symbolic time-series analysis for anomaly detection in mechanical systems. IEEE/ASME Transactions on Mechatronics, 2006, vol. 11, no. 4, pp. 439–447. doi: 10.1109/TMECH.2006.878544.
14. Ben-Gal I. Outlier detection. In: Data Mining and Knowledge Discovery Handbook. Springer, 2005, pp. 131–146. doi: 10.1007/978-0-387-09823-4_7
15. Bridges S.M., Vaughn R.M. Fuzzy data mining and genetic algorithms applied to intrusion detection. Proc. 23rd National Information Systems Security Conference. Baltimore, USA, 2000, pp. 13–31.
 

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License