ON APPLICABILITY OF NEURAL NETWORK IN INTRUSION DETECTION AND PREVENTION

Intrusion Detection and Prevention Systems (IDPS) are used to capture anomalies and suspicious activities in computer networks. IDPS are one of the important security mechanisms used for network security within an organization. Various tools and techniques exist in the literature and the market, but there is still a need for a robust model for Intrusion Detection. Some of the tools are limited to detecting intrusion in some protocols; no tool exists that can check for intrusion in all networking protocols. This work gives a systematic literature review of the techniques that are used for Intrusion Detection using Artificial Neural Networks. Furthermore, an Artificial Neural Network based Intrusion Detection model is proposed and implemented.
Keywords: IDS, IPS, IDPS, Intrusion Detection Systems, Intrusion Detection and Prevention Systems, NIDPS, HIDPS, ANNs, Artificial Neural Networks.


I. INTRODUCTION
Network security is a serious concern for companies these days. Companies use many techniques to counter inside and outside attacks. The primary objectives are to achieve Confidentiality, Integrity and Availability. It is evident from the annual security reports of Fortune 500 companies that network-based attacks and DoS (Denial of Service) attacks are increasing rapidly. The most common is via web applications. The "Wanna cry" ransomware is one of the recent examples. To secure their networks, companies use many techniques such as firewalls, honeypots and honeynets. However, Intrusion Detection, if used correctly, is the most efficient technique for mitigation of network-based attacks. Intrusion Detection and Prevention Systems (IDPS) are the security techniques that a company uses to protect its networks before the attack happens. They detect anomalies and unusual behavior of the network or host. An IDPS is actually a database that stores the known attack patterns and signatures; while analyzing the network traffic, if the patterns and signatures match, it gives alerts and notifications. The next step is then incident response. Artificial Neural Networks (ANNs) are a crucial area of Artificial Intelligence that mimics the human brain; they are capable of learning and can therefore predict outputs and results based on that learning. ANNs have various applications in data analytics, prediction modeling, pattern recognition and so on. This work gives a systematic literature review of the techniques that are proposed in the literature for Intrusion Detection and Prevention using Artificial Neural Networks. The objective is to find further research scope and gaps in research, if they exist. Finally, an ANN-based model for Intrusion Detection is implemented using MATLAB. The work is organized as follows: Section 2 explains Intrusion Detection and Prevention Systems (IDPS), their types and implementation. Section 3 covers Artificial Neural Networks. Section 4 gives a systematic literature review. Section 5 presents the proposed model for Intrusion Detection using ANNs, and the last section concludes.

II. INTRUSION DETECTION AND PREVENTION SYSTEMS
Intrusion Detection is the technique of identifying anomalies in the behavior of a network or host. The concept of intrusion can be understood with an example of access control for the manufacturing and finance departments in an organization. If finance is accessing the payroll database, there is no intrusion, as they have access to it. Now consider that someone from the manufacturing department is accessing the payroll database; this is an intrusion, as the manufacturing department doesn't have access to it and there is no relevance. IDPS are the tools that actually implement Intrusion Detection. It must be noted that an IDS is capable only of detecting and notifying intrusions; the tools and systems which are capable of preventing intrusion are known as Intrusion Prevention Systems (IPS). In practice, Intrusion Detection and Prevention Systems (IDPS) are generally used, which are capable of detection as well as prevention. IDPS are generally deployed between the intranet and the internet. The IDPS is placed in the DMZ so that it can efficiently analyze internal and external traffic. However, it can be placed according to the needs and security of the organization [1]. There is also a difference between misuse detection and intrusion detection. Misuse detection is generally targeted towards individuals, while intrusion detection targets individuals with no authorized access.
vulnerabilities. NIDPS is deployed on a computer with its NIC in promiscuous mode so that it can accept all the packets in the network. Depending upon the requirement, HIDS can be deployed with hubs, switches, routers, VLANs or ports, depending upon the system on which it is operating. One of the biggest advantages of NIDPS is that it can carry many sensors for monitoring the DMZ (Demilitarized Zone) by the system which is working towards HIDPS. However, HIDPS cannot detect certain types of traffic for intrusion, like encrypted traffic. Also, it cannot detect attacks and intrusions made by a specific host in the network. There are many NIDPS tools available in the market; some of them are SNORT, Cisco Intrusion Detection System and Symantec Net Prowler.

Host-Based Intrusion Detection and Prevention Systems (HIDPS)
This type of IDPS can only inspect traffic on one specific system. The scope of HIDPS is limited to the one host on which it is working. HIDPS does not usually put the NIC in promiscuous mode, as it doesn't have to deal with network traffic like NIDPS. The intention of deploying HIDPS is to check for unauthorized access and activities. It can be thought of as checking and securing one specific machine against intrusion. For example, if thousands of mails are sent by the word processor, the HIDPS will give an alert and notification. Some of the tools widely used for HIDPS are Tripwire, Real Secure and Swatch.

IDPS Techniques
The Intrusion detection techniques can be divided into two types, namely:-

Signature Based or Pattern Matching IDS
In this type of intrusion detection technique, the data of known attacks is loaded into the database as signatures. Alerts can be generated on the basis of fragmented IP packets, malformed ICMP packets and streams of SYN packets. These alerts are used to change the firewall configuration so that attacks can be mitigated. However, signature-based IDPS has some disadvantages: for example, it can only deal with intrusions similar to the loaded signatures, and the rest of the traffic is passed on. The disadvantage of this type of IDS is that it can detect only signatures that are stored. Obfuscated attacks cannot be recognized by signature-based IDS [2]. The Figure.

Anomaly based IDS
This approach identifies abnormal activity by comparing it with normal activity. This type of IDS analyzes the behavior of the systems. It captures and stores the trends and behavior of the protocols with respect to situations and attacks. Accordingly, it generates alerts and notifications depending upon the behavior of that protocol. For example, if a group of daytime employees starts logging in at night, the IDPS will generate an alert. It is widely used to inspect attacks on application layer protocols like DNS, HTTP, SMTP, DHCP etc. Figure.2 below shows the working of anomaly-based IDS [2].

III. ARTIFICIAL NEURAL NETWORKS
Each neuron is capable of transferring information from one to another. ANNs are connected to each other similarly to biological neurons. They receive input, pass it on for processing and give output. Neurons are connected with weights on the links. ANNs are capable of learning by adjusting the weights on the links. Based on the input they receive, they can give an output or predict one. This is done by the learning mechanisms of the ANNs. There are two types of topologies that are widely used in ANNs, namely FeedForward and FeedBack.
FeedForward-In this topology, the direction of information is unidirectional; there is no loop. This kind of network has applications in classification, pattern recognition etc.

Figure.3 FeedForward Model ANNs
FeedBack-This topology has feedback options. The direction of information is bidirectional. It has application in prediction models.

Figure.4 FeedBack Model ANNs
ANNs can be trained to do specific tasks depending upon the situation and circumstances. This is done by the process of learning. Learning is a process similar to that of our brain: for example, if we block the TCP protocol in the firewall and are still not able to mitigate attacks, next time we will not block the TCP protocol; this is learning from the situation. Similarly, ANNs learn from situations and circumstances and can predict the future. Learning in ANNs can be classified as:-
Supervised Learning:- Training by giving inputs and outputs.
Unsupervised Learning:- Training when no training data is given. The ANN finds the best answer itself.
Reinforcement Learning:- It is inspired by behaviorist psychology. Training by giving the ANN some specific tasks and giving it time to analyze the change and behavior itself.
However, depending upon the requirements and problems, one can use any type of learning and any model of ANNs to solve real-world problems. The role of ANNs in the field of computer science is emerging these days. Over the past decade, the application of ANNs in computer science and biotechnology has been increasing. However, there is still a need to explore this Artificial Intelligence algorithm so that it can be applied to problems of scientific research.
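The FeedForward topology and supervised learning described above can be shown together in a small added example; this is illustrative Python, not the paper's MATLAB model. The feature choice (SYN rate, fragmented-packet ratio, failed-login rate), the training records, the network size, the learning rate and the seed are all assumptions constructed for the example.

```python
import math
import random

# Constructed records (not from the paper): [SYN rate, fragmented-packet
# ratio, failed-login rate] scaled to 0..1; target 1.0 = intrusion, 0.0 = normal.
TRAIN = [
    ([0.05, 0.02, 0.00], 0.0), ([0.10, 0.05, 0.10], 0.0),
    ([0.15, 0.00, 0.05], 0.0), ([0.08, 0.10, 0.02], 0.0),
    ([0.95, 0.05, 0.00], 1.0), ([0.90, 0.80, 0.10], 1.0),
    ([0.10, 0.90, 0.05], 1.0), ([0.05, 0.10, 0.95], 1.0),
]

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

class FeedForwardNet:
    """One hidden layer; information flows input -> hidden -> output only."""
    def __init__(self, n_in, n_hidden, seed=1):
        rng = random.Random(seed)
        # Each row holds the link weights into one neuron; last entry is the bias.
        self.w_h = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)]
                    for _ in range(n_hidden)]
        self.w_o = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]

    def forward(self, x):
        h = [sigmoid(sum(w * v for w, v in zip(row, x + [1.0]))) for row in self.w_h]
        y = sigmoid(sum(w * v for w, v in zip(self.w_o, h + [1.0])))
        return h, y

    def train(self, data, epochs=3000, rate=0.5):
        # Supervised learning: compare the output with the known target and
        # adjust the link weights by gradient descent (backpropagation).
        for _ in range(epochs):
            for x, target in data:
                h, y = self.forward(x)
                d_out = (y - target) * y * (1.0 - y)
                d_hid = [d_out * self.w_o[j] * hj * (1.0 - hj) for j, hj in enumerate(h)]
                for j, v in enumerate(h + [1.0]):
                    self.w_o[j] -= rate * d_out * v
                for j, row in enumerate(self.w_h):
                    for i, v in enumerate(x + [1.0]):
                        row[i] -= rate * d_hid[j] * v
        return self

    def is_intrusion(self, x, threshold=0.5):
        return self.forward(x)[1] >= threshold

def build_detector():
    return FeedForwardNet(3, 4).train(TRAIN)
```

A detector trained this way only recognizes traffic resembling its training records, so the quality and coverage of the labelled data determine what it can alert on.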
IV. LITERATURE REVIEW
The literature review has been carried out in order to find existing techniques related to Intrusion Detection using Artificial Neural Networks. The top journals of the computer science domain have been explored and verified to get legitimate information about the topic, excluding papers that exist in the grey literature. However, papers with good citations are considered. The literature review is performed in the following five journals:- 1. ACM Digital Library 3. Wiley Online Library 5. Springer

The search term used for the literature review was "Intrusion Detection using Artificial Neural Network". The relevant papers were then filtered to get the exact papers related to Intrusion Detection. It is seen in the literature review that IEEE Xplore has shown the maximum number of papers related to Intrusion Detection. Table.1 summarizes the literature review:-

Tool found similar and matching patterns and signature. It will generate alert.
The case is then monitored and analyzed for Incident response.
The Figure.20 illustrates the working of the model:-

VI. CONCLUSION AND FUTURE SCOPE
The ANN-based model can easily be implemented in the MATLAB environment. The ANN-based model is capable of detecting intrusion in the system and giving alerts. In this work we used data of 100 datasets to train the ANN, and the results are encouraging. This model could be used as a robust IDPS. Also, a systematic literature review has been carried out in order to find the techniques that exist for intrusion detection. Various techniques have limitations, and no strong ANN-based model for Intrusion Detection exists. Therefore, the need for proposing a new technique arises. It may be seen that various work has been done using Artificial Neural Networks. Therefore, a robust model using ANNs can be built. Also, a Genetic Algorithm can be applied for optimization using ANNs.