Detection Of Intrusion Attacks Using Neural Networks

Mikolaj Karpinski 1, Alexander Shmatko 2, Serhii Yevseiev 3, Daniel Jancarczyk 4 and Stanislav Milevskyi 5

1,4 University of Bielsko-Biala, Department of Computer Science and Automatics, Willowa Str. 2, Bielsko-Biala, 43-309, Poland
2,3,5 Simon Kuznets Kharkiv National University of Economics, Cybersecurity and Information Systems Department, ave. Science, 9-A, Kharkiv, 61166, Ukraine

Abstract
The rapid expansion of computer networks makes the security of computer systems one of the most important issues. Intrusion detection systems make increasing use of artificial intelligence. This article discusses intrusion detection: a multi-layer perceptron (MLP) is used to detect intrusion attacks offline, and the problem of determining the type of attack is also considered. Various neural network structures are compared to find the best one in terms of the number of input neurons and the number of hidden layers. The activation functions and their influence on the generalization ability of the network are also investigated. The results show that a 15x31x1 neural network classifies records with an accuracy of about 99% for known types of attacks, 97% for normal vectors and 34% for unknown types of attacks.

Keywords
detection of anomalies, expert systems, neural networks, intrusion detection system, network attacks

III International Scientific And Practical Conference "Information Security And Information Technologies", September 13–19, 2021, Odesa, Ukraine
EMAIL: mkarpinski@ath.bielsko.pl (A. 1), asu.spios@gmail.com (A. 2), Serhii.Yevseiev@hneu.net (A. 3), djancarczyk@ath.bielsko.pl (A. 4), Stanislav.Milevskiy@hneu.net (A. 5)
ORCID: 0000-0002-8846-332X (A. 1), 0000-0002-2426-900X (A. 2), 0000-0003-1647-6444 (A. 3), 0000-0003-4370-7965 (A. 4), 0000-0001-5087-7036 (A. 5)
© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (CEUR-WS.org)

1. Introduction

Information technology has now penetrated practically all spheres of life in modern society, and the Internet is an integral part of it. The reason for such intensive development is the growing need for fast, high-quality processing of information and its instantaneous transmission to any part of the world. One of the main tasks is therefore to ensure the security of information that is transmitted or processed on the network, that is, protection against network attacks.

Complex information security systems are becoming increasingly important. Their components include antivirus protection systems, integrity monitoring systems, firewalls, vulnerability analysis, and intrusion detection and prevention systems. Intrusion detection systems, also called attack detection tools, are precisely the protection mechanism to which the function of defending the network against attacks is assigned.

There is a large number of methods for detecting network attacks, but because attacks constantly change, the databases of rules or signatures used to detect them require continuous administration: new rules have to be added all the time. One way to eliminate this problem is to use a neural network as the mechanism for detecting network attacks. Unlike the signature approach, the neural network analyzes the information and reports the attacks it has been trained to recognize. In addition, neural networks have the advantage that they are able to adapt to previously unknown attacks and detect them [1-3].
2. Analysis of existing methods for detecting intrusions

Detecting network attacks is the process of recognizing and responding to suspicious activity directed at the network or computing resources of an organization [3]. The effectiveness of an attack detection technology strongly depends on which information analysis methods it uses. There are currently many methods for detecting attacks; let us consider some of them.

Behavioral methods are methods based on information about the normal behavior of the system and its comparison with the parameters of the observed behavior [1]. This group of methods is oriented towards constructing a reference, or normal, profile of the system or of its users. Systems that use this approach compare the current activity figures with the profile of normal activity, and a significant deviation can be regarded as evidence of an attack. These methods are characterized by false positives, which are explained primarily by the difficulty of describing the whole set of legitimate user actions exactly and completely. In addition, most such systems require a preliminary learning stage during which the system "gains experience" to build its model of normal behavior; this data collection interval may take several weeks, and sometimes a few months. These disadvantages are often the main reason for rejecting systems based on behavioral methods in favor of systems that use an exact representation of network security breaches.

One of the behavioral methods is statistical analysis, which is the core of the methods for detecting anomalies in the network. At the very beginning, profiles are defined for each subject of the analyzed system, and any deviation of the observed profile from the reference one is considered unauthorized activity [2]. It should be noted that in statistical systems the correct choice of the monitored parameters that distinguish normal from abnormal traffic plays an important role: with a wrong choice of the observed parameters, the model describing the behavior of the entities in the system will be incomplete or excessive, which results in attacks being missed or in false alarms. The advantages of statistical systems are their adaptation to changes in user behavior and their ability to detect modifications of an attack. Among their shortcomings are the high probability of false attack reports and of missed attacks.

Knowledge-based methods are methods which, in the context of given facts, inference rules and comparisons, reflect the signs of known attacks and produce actions to detect attacks on the basis of a search mechanism [4]. The search procedure may be pattern matching, a regular expression engine, logical sequential inference, state transitions, etc. As their name implies, systems based on these methods work with a knowledge base containing information about already known attacks. The knowledge base is a repository of expert records together with the logic for processing and interpreting them (that is, it has an inference subsystem). If there is no precise knowledge about a modification of the malicious activity, these methods cannot detect its variations. This group includes the signature methods.

In signature methods, system events are represented as strings of characters over some alphabet. The essence of these methods is to define a set of attack signatures as regular expressions or patterns and to check whether the observed events match them. A signature is a set of attributes that distinguish network attacks from other network traffic. The input packet is examined byte by byte and compared with the signature, a characteristic string that identifies malicious traffic; such a signature may contain a key phrase or a command associated with an attack. If a match is found, an alarm is raised [4]. The main advantage of the signature method is that known samples of abnormal events are detected as effectively as possible. At the same time, a large signature database negatively affects the performance of the detection system, and the fundamental disadvantage of the method is that it cannot detect attacks whose signature has not yet been defined.

Computational intelligence methods. This category includes neural networks. A neural network is a set of processing elements, neurons, interconnected by synapses, which convert a set of input values into a set of desired output values [5-6]. Neural networks are used in a wide range of applications: pattern recognition, control theory, cryptography, data compression. They are able to learn from a sample and to generalize over noisy and incomplete data. In the learning process the coefficients associated with the synaptic weights are adjusted. There are several methods for training neural networks; one of the best known and most widely used learning algorithms for multilayer feed-forward networks is the error back-propagation method [7-8], which uses gradient descent to minimize the mean squared error at each iteration. One important advantage of neural networks is their ability to take into account the characteristics of attacks and to identify elements that are not similar to those studied [9-10].
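The contrast between the signature and the statistical (behavioral) methods described above, as an added example that is not part of the original paper: a regular-expression signature engine and a per-parameter statistical profile are run over a handful of constructed connection records. The two signature patterns, the baseline byte counts and the records are invented for illustration, and the alarm threshold of k standard deviations from the profile mean is an assumption. The run shows the four outcomes the text discusses: a known attack caught by its signature, the same attack missed by both methods once one byte of its payload is URL-encoded (the missed-attack case), a volumetric anomaly caught only by the profile, and a legitimate large transfer that the profile reports as a false positive.

```python
import re
import statistics
from dataclasses import dataclass


# Constructed sample connection records (not from the paper or from NSL-KDD):
# the request bytes a signature engine inspects and the byte count a
# statistical profile watches.
@dataclass(frozen=True)
class Event:
    ident: str
    payload: bytes
    src_bytes: int


# Signature method: known attacks as regular expressions over the payload.
# Illustrative patterns, not a real rule set.
SIGNATURES = {
    "phf_cgi": re.compile(rb"/cgi-bin/phf\?"),
    "dir_traversal": re.compile(rb"(\.\./){2,}"),
}


def signature_detect(payload):
    """Compare the payload byte by byte against every signature; return the
    name of the first match, or None. Anything the rule set does not describe,
    including a trivially re-encoded variant of a known attack, passes."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None


class StatProfile:
    """Behavioral (statistical) method: a profile of one numeric parameter
    built from a baseline ("learning") interval; an observation farther than
    k standard deviations from the profile mean is reported as anomalous."""

    def __init__(self, baseline, k=3.0):
        if len(baseline) < 2:
            raise ValueError("a profile needs at least two baseline observations")
        self.mean = statistics.fmean(baseline)
        self.stdev = statistics.pstdev(baseline)
        self.k = k

    def is_anomalous(self, value):
        if self.stdev == 0.0:  # constant baseline: any change is a deviation
            return value != self.mean
        return abs(value - self.mean) / self.stdev > self.k


def assess(events, profile):
    """Run both methods over the events; returns {ident: (signature, anomalous)}."""
    return {e.ident: (signature_detect(e.payload), profile.is_anomalous(e.src_bytes))
            for e in events}


# Byte counts of ordinary requests seen during the learning interval (constructed).
BASELINE = [300, 320, 280, 350, 310, 290, 330, 300]

EVENTS = [
    Event("n1", b"GET /index.html HTTP/1.0", 305),
    Event("a1", b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0", 330),
    # same attack with the 'p' URL-encoded: no signature match, byte count normal
    Event("a2", b"GET /cgi-bin/%70hf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0", 330),
    Event("a3", b"POST /upload HTTP/1.0", 9000),            # unknown flood-like request
    Event("a4", b"GET /../../../../etc/passwd HTTP/1.0", 290),
    Event("n2", b"GET /iso/install.iso HTTP/1.0", 8000),    # legitimate large transfer
]


def run():
    """Assess the constructed events against a profile learned from BASELINE."""
    return assess(EVENTS, StatProfile(BASELINE))
```

In the result, a2 is reported by neither method and a3 only by the profile, while n2 is a false positive of the profile; this is the trade-off the text describes, and the reason the paper turns to a classifier that is trained on examples rather than on hand-written rules.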
3. Method

Neural networks are one of the areas of research in artificial intelligence based on attempts to reproduce the human nervous system, namely its ability to learn and to correct mistakes, which should make it possible to simulate, albeit roughly, the work of the human brain [11]. A neural network consists of neurons; the block diagram of a neuron is shown in Figure 1.

Figure 1: Structural scheme of the neuron

The neuron is made up of the following blocks:
1. Input signals.
2. Weighting factors.
3. Adder, whose output is NET.
4. Activation function of the neuron F(x).
5. Output signal.

A neural network has many properties, but the most important is its ability to learn. Training the network amounts to changing its weight coefficients. The adder forms the weighted sum of the input signals x_n with the weights w_n:

$NET = \sum_{n} x_n w_n$   (1)

A multilayer neural network includes input, output and hidden layers (Figure 2).

Figure 2: Multilayer neural network

The input layer serves to distribute the data over the network and performs no calculations; its outputs pass the signals to the inputs of the next layer (hidden or output). Hidden layers consist of ordinary neurons that process the data obtained from the previous layer and pass the signals on from the input towards the output: their input is the output of the previous layer, and their output is the input of the next one. The output layer usually contains one neuron (possibly more), which produces the result of the calculations of the whole network [11].

The NSL-KDD attack database was chosen for the research. It is derived from the KDD-99 data set, which in turn originates from the intrusion detection evaluation of the American DARPA (Defense Advanced Research Projects Agency) [12], and it covers a wide range of intrusions. The data is a text file containing both normal vectors and abnormal activity vectors; abnormal activity is labelled with the attack type. All attacks in NSL-KDD are divided into four groups: DoS (Denial of Service), U2R (User to Root), R2L (Remote to Local) and Probe (probing attacks). Table 1 lists the attack types, their number of records and the class to which each attack belongs.

Table 1
Information about attacks
Type               Number   Class
back               956      DoS
land               18       DoS
neptune            41214    DoS
pod                201      DoS
smurf              2646     DoS
teardrop           892      DoS
buffer_overflow    130      U2R
loadmodule         72       U2R
perl               34       U2R
rootkit            30       U2R
ftp_write          43       R2L
imap               126      R2L
guess_passwd       1231     R2L
multihop           254      R2L
phf                7        R2L
spy                3        R2L
warezclient        890      R2L
warezmaster        205      R2L
ipsweep            3599     Probe
nmap               1493     Probe
portsweep          2931     Probe
satan              3633     Probe
normal             67343    -

Each record has 42 attributes (Table 2).

Table 2
List of attributes of each record
No.   Attribute name
1     duration
2     protocol_type
3     service
4     flag
5     src_bytes
6     dst_bytes
7     land
8     wrong_fragment
9     urgent
10    hot
11    num_failed_logins
12    logged_in
13    num_compromised
14    root_shell
15    su_attempted
16    num_root
17    num_file_creations
18    num_shells
19    num_access_files
20    num_outbound_cmds
21    is_host_login
22    is_guest_login
23    count
24    srv_count
25    serror_rate
26    srv_serror_rate
27    rerror_rate
28    srv_rerror_rate
29    same_srv_rate
30    diff_srv_rate
31    srv_diff_host_rate
32    dst_host_count
33    dst_host_srv_count
34    dst_host_same_srv_rate
35    dst_host_diff_srv_rate
36    dst_host_same_src_port_rate
37    dst_host_srv_diff_host_rate
38    dst_host_serror_rate
39    dst_host_srv_serror_rate
40    dst_host_rerror_rate
41    dst_host_srv_rerror_rate
42    attack_type

The Deductor Academic 5.3 software was used to construct and test the neural network. Deductor is a platform for building complete analytical solutions that employs advanced methods for extracting, visualizing and analyzing data; Deductor Academic is the free version intended for educational purposes only.

This paper studies attacks of the DoS class. A parser was therefore written to extract the necessary vectors, producing four files for training and testing the neural network: KDDTrainDos+.txt, KDDTestDefinedDos+.txt, KDDTestNormalDos+.txt and KDDTestUndefinedDos+.txt. They contain, respectively, the training data, a set of known attacks (the attack types present in the training set), a set of normal vectors, and a set of unknown attacks.
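An added example, not the authors' parser (which is not shown in the paper), of the preprocessing described above for the NSL-KDD text file: reading the comma-separated records with the 42 attributes of Table 2, mapping attack types to the classes of Table 1, splitting the DoS subset into the four sets the paper uses (training, known attacks, normal traffic, unknown attacks land and pod), dropping the attributes that are constant over the training sample (as Section 4 does) and turning the remaining attributes into numeric vectors. The records are constructed, schematic lines in the file layout, not real NSL-KDD data; the integer coding of protocol_type, service and flag and the per-label hold-out rule used for the split are assumptions, since the paper does not say how Deductor handled either; the parser also tolerates the 43rd difficulty-level column present in the files published on GitHub. Note what happens to the `land` attribute in this sample: it is 0 in every training record because the land attack is held out, so constant-column removal discards exactly the attribute that characterizes one of the unknown attacks. Whether that happens on the paper's 7,000-record training file depends on its contents.

```python
from collections import Counter

# Attribute names in file order (Table 2); field 42 is attack_type.
FEATURE_NAMES = (
    "duration protocol_type service flag src_bytes dst_bytes land wrong_fragment urgent hot "
    "num_failed_logins logged_in num_compromised root_shell su_attempted num_root "
    "num_file_creations num_shells num_access_files num_outbound_cmds is_host_login "
    "is_guest_login count srv_count serror_rate srv_serror_rate rerror_rate srv_rerror_rate "
    "same_srv_rate diff_srv_rate srv_diff_host_rate dst_host_count dst_host_srv_count "
    "dst_host_same_srv_rate dst_host_diff_srv_rate dst_host_same_src_port_rate "
    "dst_host_srv_diff_host_rate dst_host_serror_rate dst_host_srv_serror_rate "
    "dst_host_rerror_rate dst_host_srv_rerror_rate"
).split()                                     # 41 names
LABEL_INDEX = len(FEATURE_NAMES)
CATEGORICAL = {"protocol_type", "service", "flag"}
# Attack type -> class (Table 1).
ATTACK_CLASS = {a: c for c, names in {
    "DoS": "back land neptune pod smurf teardrop",
    "U2R": "buffer_overflow loadmodule perl rootkit",
    "R2L": "ftp_write imap guess_passwd multihop phf spy warezclient warezmaster",
    "Probe": "ipsweep nmap portsweep satan"}.items() for a in names.split()}
TRAIN_LABELS = ("back", "neptune", "smurf", "teardrop", "normal")   # Table 3
UNKNOWN_LABELS = ("land", "pod")                                    # never shown in training


def parse_line(line):
    """One record -> (41 raw attribute strings, attack_type); a 43rd difficulty column is ignored."""
    fields = line.strip().split(",")
    if len(fields) not in (LABEL_INDEX + 1, LABEL_INDEX + 2):
        raise ValueError(f"expected 42 or 43 fields, got {len(fields)}")
    return fields[:LABEL_INDEX], fields[LABEL_INDEX]


def partition(records, holdout=1):
    """Mirror the paper's four files (assumed rule): per training label the first
    `holdout` records go to the known-attack or normal test set, the rest to
    training; attack types absent from training form the unknown-attack set."""
    sets = {"train": [], "known": [], "normal": [], "unknown": []}
    seen = Counter()
    for raw, label in records:
        if label in UNKNOWN_LABELS:
            sets["unknown"].append((raw, label))
        elif label in TRAIN_LABELS:               # U2R, R2L, Probe: outside the DoS study
            seen[label] += 1
            dest = "train" if seen[label] > holdout else ("normal" if label == "normal" else "known")
            sets[dest].append((raw, label))
    return sets


def variable_columns(rows):
    """Indices of attributes taking more than one value in the sample (Section 4 drops the rest)."""
    return [i for i in range(LABEL_INDEX) if len({r[i] for r in rows}) > 1]


def build_vocab(rows, keep):
    """Integer codes for the categorical values seen in training (an assumption)."""
    return {i: {v: n for n, v in enumerate(sorted({r[i] for r in rows}))}
            for i in keep if FEATURE_NAMES[i] in CATEGORICAL}


def vectorize(row, keep, vocab):
    # a categorical value never seen in training gets the code -1
    return [float(vocab[i].get(row[i], -1)) if i in vocab else float(row[i]) for i in keep]


def prepare(lines, holdout=1):
    """Lines in file layout -> ({set: [(vector, target)]}, names of the kept attributes)."""
    sets = partition([parse_line(l) for l in lines], holdout)
    train_rows = [r for r, _ in sets["train"]]
    keep = variable_columns(train_rows)
    vocab = build_vocab(train_rows, keep)
    vectors = {name: [(vectorize(r, keep, vocab), 0 if lbl == "normal" else 1) for r, lbl in recs]
               for name, recs in sets.items()}
    return vectors, [FEATURE_NAMES[i] for i in keep]


# Constructed records in the file layout: a schematic normal HTTP connection
# with the attributes that distinguish each attack overridden (not real data).
def _record(label, difficulty=None, **over):
    base = dict.fromkeys(FEATURE_NAMES, "0")
    base.update(protocol_type="tcp", service="http", flag="SF", src_bytes="230", dst_bytes="1150",
                logged_in="1", count="8", srv_count="8", same_srv_rate="1.00",
                dst_host_count="9", dst_host_srv_count="9", dst_host_same_srv_rate="1.00")
    base.update({k: str(v) for k, v in over.items()})
    fields = [base[n] for n in FEATURE_NAMES] + [label] + ([str(difficulty)] if difficulty is not None else [])
    return ",".join(fields)

NEPTUNE = dict(service="private", flag="S0", src_bytes=0, dst_bytes=0, logged_in=0, srv_count=10,
               serror_rate="1.00", srv_serror_rate="1.00", same_srv_rate="0.05", diff_srv_rate="0.07",
               dst_host_count=255, dst_host_srv_count=10, dst_host_same_srv_rate="0.04", dst_host_serror_rate="1.00")
SMURF = dict(protocol_type="icmp", service="ecr_i", src_bytes=1032, dst_bytes=0, logged_in=0,
             srv_count=511, dst_host_count=255, dst_host_srv_count=255)
BACK = dict(src_bytes=54540, dst_bytes=8314, hot=2)
TEARDROP = dict(protocol_type="udp", service="private", src_bytes=28, dst_bytes=0, logged_in=0,
                wrong_fragment=3, srv_count=170)
SAMPLE_LINES = [
    _record("normal"),
    _record("normal", difficulty=21, src_bytes=310, dst_bytes=2400),
    _record("normal", duration=5, service="ftp_data", src_bytes=491, dst_bytes=0, count=2, srv_count=2),
    _record("neptune", count=200, **NEPTUNE),
    _record("neptune", difficulty=19, count=150, **NEPTUNE),
    _record("smurf", count=511, **SMURF),
    _record("smurf", count=480, **SMURF),
    _record("back", **BACK),
    _record("back", count=3, srv_count=3, **BACK),
    _record("teardrop", count=170, **TEARDROP),
    _record("teardrop", count=120, **TEARDROP),
    _record("land", flag="S0", land=1, src_bytes=0, dst_bytes=0, logged_in=0, count=1, srv_count=1,
            serror_rate="1.00", srv_serror_rate="1.00"),
    _record("pod", protocol_type="icmp", service="ecr_i", src_bytes=1480, dst_bytes=0, logged_in=0,
            wrong_fragment=1, count=1, srv_count=1),
]
```

`prepare(SAMPLE_LINES)` returns the four sets as numeric vectors together with the list of attributes that survived constant-column removal; on this sample 19 of the 41 attributes survive, and `land` is not among them. A practitioner repeating the paper's experiment should compare that list against the attributes the held-out attacks depend on before interpreting a low unknown-attack detection rate.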
The training file contains 7,000 records; its contents are given in Table 3.

Table 3
Contents of the training file
Attack name    Number of records
back           556
neptune        4000
smurf          1446
teardrop       492
normal         506

The test file with known attack types contains 5,000 records; its contents are given in Table 4.

Table 4
Contents of the test file with known attack types
Attack name    Number of records
back           400
neptune        3000
smurf          1200
teardrop       400

The normal-traffic test file contains 781 records. The test file with unknown attack types contains the attacks land and pod, 219 records in total.

Intrusion detection was studied using a multilayer perceptron.

4. Experimental results

Before constructing the neural network, the attributes whose value is the same throughout the training sample were removed from the training data set: they carry no information for the classifier and only slow down training.

The first neural network was built on 28 parameters. It consisted of an input layer, one hidden layer and an output layer; the input and hidden layers had 28 neurons each, and the single output neuron gives the verdict (1 = attack, 0 = normal traffic). This network is shown in Figure 3.

Figure 3: Neural network 28x28x1

After building the network, three tests were run to assess how well it detects attacks. The first test used only attacks of the types known to the network (back, neptune, smurf, teardrop).
The network recognizes known attack types with almost 100% (99.78%) accuracy. Testing on normal traffic gave a similar result (98.98%). The last test used attack types unknown to the network, namely land and pod, and here the result is very different: only about every fourth unknown attack is detected (27.4%, see Section 5). It should be noted, however, that these attack types were not present in the training set at all, so this can be called a good result. Moreover, methods such as statistical analysis and signature analysis, having no information at all about these attacks, would have marked them as normal traffic, which suggests that the use of neural networks for intrusion detection is justified, since they are able to adapt to unknown attacks.

Since satisfactory results were obtained, it was decided to build neural networks with different parameters in order to determine the configuration that detects the maximum number of attacks. The changes concerned the number of input parameters, the activation function and its slope, and the number of hidden layers.

The following neural networks share a common configuration: 15 input neurons, 16 neurons in the hidden layer and 1 output neuron (Figure 4).

Figure 4: Neural network 15x16x1

All 15x16x1 networks have the same structure and differ only in the activation function and the value of its slope parameter (Table 5).

Table 5
Tested neural networks
No.   Size      Activation function   Slope
1     15x16x1   Sigmoid               1
2     15x16x1   Sigmoid               1.5
3     15x16x1   Hyperbolic tangent    1
4     15x16x1   Arctangent            1

For each of these networks the tests described above were run: detection of known attack types, of normal traffic and of attacks of unknown types. The results are presented in Table 6.

Table 6
Results of the 15x16x1 neural networks
No.   Known attacks detected, %   Normal vectors detected, %   Unknown attacks detected, %
1     99.76                       97.18                        34.25
2     99.88                       95.13                        33.79
3     100                         0                            100
4     99.18                       60.69                        57.08

The results show that the sigmoid activation function performed best. The hyperbolic tangent and the arctangent did not give satisfactory results: although the recognition of unknown attack types increased considerably, the recognition of normal traffic suffered greatly. Network 3 in particular detects 100% of attacks and 0% of normal vectors, which means that it labels every record as an attack, so its 100% on unknown attacks is not evidence of generalization. For this task, therefore, the sigmoid is better suited. As for the slope coefficient, the value 1.5 did not improve the results. The subsequent experiments were therefore conducted with the sigmoid and slope 1, the configuration that gave the best results; the further changes concern only the number of neurons and the number of hidden layers.

Next, networks with 21, 26 and 31 neurons in the hidden layer were constructed and tested in the same way. The results are presented in Table 7.

Table 7
Results of the neural networks with a larger hidden layer
Size      Known attacks detected, %   Normal vectors detected, %   Unknown attacks detected, %
15x21x1   99.68                       95.77                        33.79
15x26x1   99.78                       96.03                        33.79
15x31x1   99.7                        96.8                         34.7

The last two experiments used a network with two hidden layers (Figure 5) and a network with a smaller number of input neurons, 10 (Figure 6).

Figure 5: Neural network with two hidden layers

Figure 6: Neural network with 10 input neurons

The results are presented in Table 8.

Table 8
Results of the neural networks 15x15x15x1 and 10x22x1
Size         Known attacks detected, %   Normal vectors detected, %   Unknown attacks detected, %
15x15x15x1   99.8                        95.01                        34.25
10x22x1      99.96                       93.34                        31.51

The results show that the network with 10 input neurons performs worse than the networks with more input parameters; a strong reduction in the number of input parameters therefore has a negative effect on the result.
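An added example, not the authors' Deductor experiments, of the multilayer perceptron and the evaluation protocol of this section in pure Python: one hidden layer with a selectable activation function and slope parameter, a logistic output neuron (1 = attack, 0 = normal), training by back-propagation of the mean squared error with full-batch gradient descent, and evaluation on three separate sets (known attacks, normal traffic, unknown attacks) combined into the same unweighted "generalized value" as Table 9. The records are constructed four-attribute vectors (serror_rate, count/511, an ICMP flag, src_bytes/65535), not NSL-KDD data; the activation formulas and their scaling, the use of the logistic function on the output neuron regardless of the hidden activation, the learning rate, the number of epochs and the decision threshold of 0.5 are all assumptions, since the paper does not state what Deductor used. The `gradients` method is exposed separately so that the back-propagation can be checked against finite differences.

```python
import math
import random


def _sigmoid(x, a):
    """Logistic function with slope a; the argument is clamped to avoid overflow."""
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, a * x))))

# name: (f(x, a), f'(y, x, a)) with y = f(x), so the derivative can reuse the
# forward value. The arctan scaling to (-1, 1) is an assumption.
ACTIVATIONS = {
    "sigmoid": (_sigmoid, lambda y, x, a: a * y * (1.0 - y)),
    "tanh": (lambda x, a: math.tanh(a * x), lambda y, x, a: a * (1.0 - y * y)),
    "arctan": (lambda x, a: 2.0 / math.pi * math.atan(a * x),
               lambda y, x, a: 2.0 / math.pi * a / (1.0 + (a * x) ** 2)),
}


class MLP:
    """Input layer, one hidden layer with the chosen activation, one logistic
    output neuron; trained by back-propagation of the mean squared error."""

    def __init__(self, n_in, n_hidden, activation="sigmoid", slope=1.0, seed=1):
        rng = random.Random(seed)
        self.f, self.df = ACTIVATIONS[activation]
        self.slope = slope
        # the last weight of every row is the bias; inputs get a constant 1.0 appended
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]

    def forward(self, x):
        xb = list(x) + [1.0]
        net_h = [sum(w * v for w, v in zip(row, xb)) for row in self.w1]   # NET = sum_n x_n w_n
        hb = [self.f(n, self.slope) for n in net_h] + [1.0]
        out = _sigmoid(sum(w * v for w, v in zip(self.w2, hb)), 1.0)
        return xb, net_h, hb, out

    def predict(self, x):
        return self.forward(x)[3]

    def loss(self, data):
        """Mean squared error (halved) over (features, target) pairs."""
        return sum((t - self.predict(x)) ** 2 for x, t in data) / (2 * len(data))

    def gradients(self, data):
        """Mean gradient of loss() with respect to w1 and w2 (back-propagation)."""
        g1 = [[0.0] * len(row) for row in self.w1]
        g2 = [0.0] * len(self.w2)
        for x, t in data:
            xb, net_h, hb, out = self.forward(x)
            d_o = (out - t) * out * (1.0 - out)            # dE/dNET of the output neuron
            for j, h in enumerate(hb):
                g2[j] += d_o * h
            for i, row in enumerate(self.w1):
                d_h = d_o * self.w2[i] * self.df(hb[i], net_h[i], self.slope)
                for k, v in enumerate(xb):
                    g1[i][k] += d_h * v
        n = len(data)
        return [[g / n for g in row] for row in g1], [g / n for g in g2]

    def train(self, data, epochs=3000, lr=1.0):
        for _ in range(epochs):                              # full-batch gradient descent
            g1, g2 = self.gradients(data)
            self.w1 = [[w - lr * g for w, g in zip(row, grow)] for row, grow in zip(self.w1, g1)]
            self.w2 = [w - lr * g for w, g in zip(self.w2, g2)]
        return self


def detection_rates(model, sets, threshold=0.5):
    """Per set, the share of records labelled correctly (attack sets: output >= threshold)."""
    return {name: sum((model.predict(x) >= threshold) == (t == 1) for x, t in recs) / len(recs)
            for name, recs in sets.items()}


def generalized_value(rates):
    """Unweighted mean of the per-set rates, as in Table 9; it ignores the set sizes."""
    return sum(rates.values()) / len(rates)


# Constructed records (not NSL-KDD): [serror_rate, count/511, is_icmp, src_bytes/65535].
def _pts(serror, counts, icmp, sbytes, target):
    return [([serror, c / 511, icmp, sbytes / 65535], target) for c in counts]

SETS = {
    "train": _pts(0.0, [3, 8, 14, 25, 40, 55], 0, 300, 0)    # normal HTTP
           + _pts(0.0, [1, 2], 1, 64, 0)                     # normal ICMP echo
           + _pts(1.0, [60, 120, 200, 250, 300], 0, 0, 1)    # neptune (SYN flood)
           + _pts(0.0, [400, 460, 511], 1, 1032, 1),         # smurf (echo flood)
    "known": _pts(1.0, [90, 180, 280], 0, 0, 1) + _pts(0.0, [430, 500], 1, 1032, 1),
    "normal": _pts(0.0, [5, 20, 48], 0, 300, 0) + _pts(0.0, [2], 1, 64, 0),
    "unknown": _pts(1.0, [1, 2], 0, 0, 1) + _pts(0.0, [1, 2], 1, 1480, 1),   # land, pod
}


def run_experiment(activation="sigmoid", slope=1.0, n_hidden=6, seed=1):
    """Train on SETS['train']; return the three detection rates and the generalized value."""
    model = MLP(4, n_hidden, activation, slope, seed).train(SETS["train"])
    rates = detection_rates(model, {k: v for k, v in SETS.items() if k != "train"})
    rates["generalized"] = generalized_value({k: rates[k] for k in ("known", "normal", "unknown")})
    return rates


if __name__ == "__main__":
    for act, slope in (("sigmoid", 1.0), ("sigmoid", 1.5), ("tanh", 1.0), ("arctan", 1.0)):
        print(act, slope, run_experiment(act, slope))
```

When reading the returned rates, keep the lesson of Table 6 in mind: a network whose output never falls below the threshold scores 100% on both attack sets and 0% on normal traffic, so the three rates only mean something taken together, and the generalized value should be reported next to the sizes of the sets it averages over.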
As for the network with two hidden layers, its results are approximately the same as those of the 15x16x1 and 15x31x1 networks. If the three rates are combined into a single figure (the sum of the percentages divided by the number of tests) for the networks with the best results, namely 15x16x1, 15x31x1 and 15x15x15x1, it can be seen which network coped best with the task (Table 9). Note that this generalized value is an unweighted mean of the three rates and not an accuracy over all test records: the known-attack, normal and unknown-attack test files hold 5,000, 781 and 219 records respectively.

Table 9
Neural networks with the best results
Size         Known attacks detected, %   Normal vectors detected, %   Unknown attacks detected, %   Generalized value, %
15x15x15x1   99.8                        95.01                        34.25                         76.35
15x31x1      99.7                        96.8                         34.7                          77.07
15x16x1      99.76                       97.18                        34.25                         77.06

5. Conclusions

Among the neural networks considered, the one that coped best with the task of detecting attacks was the network with 31 neurons in the hidden layer (15x31x1), although its margin over the 15x16x1 network (77.07% against 77.06%) is only 0.01 percentage points. Compared with the first experiment, where 27.4% of unknown attacks were detected, the rate was raised to 34%, that is, roughly every third unknown attack is detected. Although this percentage is not large, it is satisfactory, since it is much better than passing attacks as normal traffic. The use of a multilayer perceptron for this task can therefore be considered justified.

6. References

[1] Beqiri E. Neural Networks for Intrusion Detection Systems. In: Jahankhani H., Hessami A.G., Hsu F. (eds) Global Security, Safety, and Sustainability. ICGS3 2009. Communications in Computer and Information Science, vol. 45. Springer, Berlin, Heidelberg.
[2] Reddy E. K. Neural networks for intrusion detection and its applications. Proceedings of the World Congress on Engineering, 2013, vol. 2, no. 5, pp. 3-5.
[3] Mustafaev A. G. A Neural Network System for Detecting Computer Attacks Based on Analysis of Network Traffic. Security Issues, 2016, no. 2, pp. 1-7.
[4] Alekseev A. S. Teaching the Application of Neural Networks for Displacement of Incorports. Problems of Modern Pedagogical Education, 2017, no. 57-6, pp. 44-50.
[5] Subba B., Biswas S., Karmakar S. A neural network based system for intrusion detection and attack classification. 2016 Twenty Second National Conference on Communication (NCC), IEEE, 2016, pp. 1-6.
[6] Park S., Park H. ANN Based Intrusion Detection Model. Workshops of the International Conference on Advanced Information Networking and Applications, Springer, Cham, 2019, pp. 433-437.
[7] Belov E., Maslennikov M., Korobeinikov A. The use of a neural network to detect network attacks. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2007, no. 40.
[8] Subba B., Biswas S., Karmakar S. Intrusion detection systems using linear discriminant analysis and logistic regression. 2015 Annual IEEE India Conference (INDICON), IEEE, 2015, pp. 1-6.
[9] Fernandes G. et al. A comprehensive survey on network anomaly detection. Telecommunication Systems, 2019, vol. 70, no. 3, pp. 447-489.
[10] Barabash O., Laptiev O., Tkachev V., Maystrov O., Krasikov O., Polovinkin I. The Indirect Method of Obtaining Estimates of the Parameters of Radio Signals of Covert Means of Obtaining Information. International Journal of Emerging Trends in Engineering Research (IJETER), vol. 8, no. 8, August 2020, pp. 4133-4139. ISSN: 2278-3075. DOI: 10.30534/ijeter/2020/17882020.
[11] Yevseiev S., Korolyov R., Tkachov A., Laptiev O., Opirskyy I., Soloviova O. Modification of the algorithm (OFM) S-box, which provides increasing crypto resistance in the post-quantum period. International Journal of Advanced Trends in Computer Science and Engineering (IJATCSE), vol. 9, no. 5, September-October 2020, pp. 8725-8729. DOI: 10.30534/ijatcse/2020/261952020.
[12] NSL-KDD dataset. https://github.com/defcom17/NSL_KDD