USENIX Technical Program - Abstract - Security Symposium 99
A Study in Using Neural Networks for Anomaly and Misuse Detection
Anup K. Ghosh and Aaron Schwartzbard, Reliable Software Technologies
Current intrusion detection systems lack the ability to
generalize from previously observed attacks to detect even slight
variations of known attacks.
This paper describes new process-based intrusion detection approaches
that provide the ability to generalize from previously observed
behavior to recognize future unseen behavior. The approach employs artificial neural networks (ANNs), and can be used
for both anomaly detection in order to detect novel attacks and misuse
detection in order to detect known attacks and even variations of
known attacks. These techniques were applied to a large corpus of data collected by Lincoln Labs at MIT for an intrusion detection system evaluation sponsored by the U.S. Defense Advanced Research Projects Agency (DARPA). Results from applying these techniques for both anomaly and misuse detection against the DARPA evaluation data are presented.