DocumentCode
2598163
Title
Investigation of neural network classification of computer network attacks
Author
Zhang, Zheng ; Manikopoulos, Constantine
Author_Institution
ECE Dept., New Jersey Inst. of Technol., Newark, NJ, USA
fYear
2003
fDate
11-13 Aug. 2003
Firstpage
590
Lastpage
594
Abstract
We investigate the neural network classification of computer network attacks using statistical anomaly detection, carried out by HIDE. HIDE is a hierarchical, multitier, multiobservation-window, anomaly based network intrusion detection system, prototyped in our laboratory for the US Army's Tactical Internet. HIDE monitors several network traffic parameters simultaneously, constructs a probability density function (PDF) for each, statistically compares it to a reference PDF of normal behavior using a similarity metric, then combines the results into an anomaly status vector that is classified by a neural network classifier. Many simulation experiments have been carried out focusing on the denial of service (DOS) class of attacks, including UDP, ICMP and TCP flooding attacks. We investigated the detection effectiveness of the perceptron (P), backpropagation (BP), perceptron-backpropagation-hybrid (PBH), fuzzy ARTMAP, and radial-based function (RBF) artificial neural network (ANN) classifiers. We present here results on several data sets from different UDP flooding scenarios. The results showed that the PBH and BP classifiers outperform all others. ICMP and TCP DOS attacks behave similarly to the UDP ones.
Keywords
backpropagation; computer crime; computer networks; pattern classification; perceptrons; probability; radial basis function networks; statistical analysis; telecommunication security; HIDE; ICMP; TCP flooding attack; UDP; US Army Tactical Internet; anomaly status vector; artificial neural network; computer network attack; denial of service; fuzzy ARTMAP neural network classifier; network intrusion detection system; network security; network traffic parameter; neural network classification; perceptron-backpropagation-hybrid neural network classifier; probability density function; radial-based function neural network classifier; statistical anomaly detection; Artificial neural networks; Computer crime; Computer displays; Computer networks; Floods; IP networks; Intrusion detection; Laboratories; Neural networks; Prototypes;
fLanguage
English
Publisher
ieee
Conference_Titel
Information Technology: Research and Education, 2003. Proceedings. ITRE2003. International Conference on
Print_ISBN
0-7803-7724-9
Type
conf
DOI
10.1109/ITRE.2003.1270688
Filename
1270688