2009 IEEE Symposium on Industrial Electronics and Applications (ISIEA 2009), October 4-6, 2009, Kuala Lumpur, Malaysia

Application of Artificial Neural Network in Detection of Probing Attacks

Iftikhar Ahmad
DCIS, UTP, Bandar Seri Iskandar, 31750, Tronoh, Perak, Malaysia / DSE, CCIS, King Saud University, P.O. Box 51178, Riyadh 11543, Kingdom of Saudi Arabia wattoohu@gmail.com

Azween B Abdullah
Department of Computer & Information Sciences, Universiti Teknologi, PETRONAS, Bandar Seri Iskandar, 31750 Tronoh, Perak, Malaysia azweenabdullah@petronas.com.my

Abdullah S Alghamdi
Department of Software Engineering, College of Computer & Information Sciences, King Saud University, P.O. Box 51178, Riyadh 11543, Kingdom of Saudi Arabia abdksu@gmail.com

Abstract-- The prevention of any type of cyber attack is

indispensable because a single attack may break the security of computer and network systems. The hindrance of such attacks is entirely dependent on their detection. The detection is a major part of any security tool such as Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Adaptive Security Alliance (ASA), check points and firewalls. Consequently, in this paper, we are contemplating the feasibility of an approach to probing attacks that are the basis of others attacks in computer network systems. Our approach adopts a supervised neural network phenomenon that is majorly used for detecting security attacks. The proposed system takes into account Multiple Layered Perceptron (MLP) architecture and resilient backpropagation for its training and testing. The system uses sampled data from Kddcup99 dataset, an attack database that is a standard for evaluating the security detection mechanisms. The developed system is applied to different probing attacks. Furthermore, its performance is compared to other neural networks approaches and the results indicate that our approach is more precise and accurate in case of false positive, false negative and detection rate.

internet or its activity based on information system. A single probing attack may cause a great loss of a company that is providing backbone of many networks [2]. Therefore protecting company resources (servers, systems & other devices) is very serious from these attacks. In this paper, we propose an approach that detects probing attacks using a supervised neural network that is resilient backpropagation. The approach is based on classifying good traffic from bad in the sense of probing of service. We take different types of probing attacks samples from standard dataset Kddcup99 for training and some of them for testing the system [3]. In the following sections, we briefly introduce background, probing attack and its types, related works, proposed architecture, implementation, results and discussion. At last suggestion for future research area is provided. II. BACKGROUND

Index Terms-- Probing attack, Dataset, Multiple Layered

Perceptron, Resilient Backpropagation, Detection Rate, Neural Network, False Positive, False Negative, Learning, Remote to User, User to root

I.

INTRODUCTION

The rapid expansion of computer networks and mostly of the Internet has created many security problems. During recent years, number of attacks on network has dramatically increased .Therefore securing of network resources are very essential especially probing attacks. These attacks are the basics of other attacks like DOS, R2U, U2R and etc. Therefore securing a system from such attacks is very serious. These attacks does not involve in active activities but mostly do passive activities as finding out that which machines are active or on within the network, which services are using by the user and etc. Actually intruders or hackers use different probing tools to get flaws or parameters or algorithms that may helpful in their active attacks [1]. The purpose of probing attacks mostly knowing the services of company resources which are operating on

The attack detection tools are very important for providing safety in computer and network system. These tools fully depend on accuracy of attack detection. Moreover, the detection is also must for prevention of any attack. Therefore accurate detection of attack is very important. A number of attempts have been done in the field of attack detection but they suffered many limitations such as time consuming statistical analysis, regular updating, non adaptive, accuracy and flexibility. Therefore, it is an artificial neural network that supports an ideal specification of an attack detection system and is a solution to the problems of previous systems. As a result, an artificial neural network inspired by nervous system has become an interesting tool in the applications of attack detection systems due to its promising features. Attack detection by artificial neural networks is an ongoing area and thus interest in this field has increased among the researchers [1]. Let us review to some basic concepts and terminologies regarding our research. An unauthorized user who tries to enter in network or computer system is known as intruder. A system that detects and logs in appropriate activities is called as intrusion detection system. The intrusion detection systems can be classified into three categories as host

978-1-4244-4683-4/09/$25.00 2009 IEEE

557

Authorized licensed use limited to: UNIVERSIDADE FEDERAL FLUMINENSE. Downloaded on April 13,2010 at 15:53:08 UTC from IEEE Xplore. Restrictions apply.

2009 IEEE Symposium on Industrial Electronics and Applications (ISIEA 2009), October 4-6, 2009, Kuala Lumpur, Malaysia

based, network based and vulnerability assessment based. A host based IDS evaluates information found on a single or multiple host systems, including contents of operating systems, system and application files. While network based IDS evaluates information captured from network communications, analyzing the stream of packets traveling across the network. Packets are captured through a set of sensors. Vulnerability assessment based IDS detects vulnerabilities on internal networks and firewall [4]. Moreover, intrusion detection is further divided into two main classes such as misuse and anomaly detection. First is the general category of intrusion detection, which works by identifying activities which vary from established patterns for users, or groups of users. It typically involves the creation of knowledge bases which contain the profiles of the monitored activities. The second technique involves the comparison of a user's activities with the known behaviors of attackers attempting to penetrate a system. Misuse detection also utilizes a knowledge base of information [5]. Mostly attack detection tools use the evaluation parameters such as false positive, false negative and detection rate. A false positive occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action. While a false negative occurs when an actual intrusive action has occurred but the system allows it to pass as non-intrusive behavior [6]. III. PROBING ATTACK AND ITS TYPES

It involves discovering the algorithms and parameters of the recommender system itself. It may be necessary for an intruder to acquire this knowledge through interaction with the system itself. Ipsweep: It probes the network to discover available services on the network. First intruder find out a machine on which he may be attacked. Portsweep: It probes a host to find available services on that host. If a service is known on the system so it may easily be attacked by the network intruder. Nmap: It is a complete and flexible tool for scanning a network either randomly or sequentially. Therefore, often intruders used this tool for scanning network parameters that may help them in attacking the system. Satan: It is an administration tool; it gathers information about the network. This information can be used by an attacker. Probing attacks can steel important information from your computer or your network and later may be used by the intruder. These attacks may also result in significant loss of time and money for many organizations. There are many methods for their prevention but has some limitations like varying nature of attacks [7,8, 9]. IV. RELATED WORKS

Dr. Dorothy Denning proposed an intrusion detection model in 1987 which became a landmark in the research in this area. The model which she proposed forms the basic core of most intrusion detection methodologies in use

today [10]. After this a lot works had been done in this field of intrusion in the form of statistical approaches, rule based, graphical and hybrid system. All of these approaches have limitations as described previously in the background section. Presently researchers are taking much interest in the application of attack detection tools by using neural networks due to its features. An artificial neural network consists of a group of processing elements (neurons) that are highly interconnected and convert a set of inputs to a set of preferred outputs [11]. The first artificial neuron was formed in 1943 by the neurophysiologist Warren McCulloch and the logician Walter Pits [12]. Artificial neural networks are alternatives. The first advantage in the use of a neural network in the attack detection would be the flexibility that the network would provide. A neural network would be capable of analyzing the data from the network, even if the data is incomplete or unclear. Similarly, the network would possess the ability to conduct an analysis with data in a non-linear fashion. Further, because some attacks may be conducted against the network in a coordinated attack by multiple attackers, the ability to process data from a number of sources in a non-linear fashion is especially important. The problem of frequently updation of traditional attack detector is also minimized by ANN. It has generalization property and hence able to detect unknown and even variation of known attacks. Another reason to employ ANN in probing attack detection is that, ANN can cluster patterns which share similar features, thus the classification problem in attack detection can be solved by ANN. The natural speed of neural networks is another advantage [13]. Performance comparison between backpropagation algorithms is presented by Iftikhar Ahmad, et.al, in which different supervised algorithms are benchmarked. They proposed an optimized solution with respect to mean square error after making many experiment on the standard dataset in the field of attack detection. The focus was to find best training neural network among backpropagation algorithms [13]. A systematic review in the field of intrusion detection by using artificial neural networks is also presented by Iftikhar Ahmad, et.al, in which they analyzed different approaches in terms of development, implementation, NN architecture, dataset and testing parameter details. They also point out many issues in current traditional as well as intelligent attack detection systems [2]. There are many works in the literature that deal with attack detection in networks but the application of artificial neural networks is a new area in this field. One of the major challenges for present intrusion detection approaches is to reduce false alarm rates. The false alarm rate is still high for recent neural intrusion detection approaches because they have not sufficient ability to attacks. Aikaterini Mitrokotsa et.al worked on attack detection by using ESOMS that is widely used in this field but the problem is performance accuracy as false positives and false negatives increases [14]. Another work on intrusion detection is done by Stefano Zanero et.al. They

558
Authorized licensed use limited to: UNIVERSIDADE FEDERAL FLUMINENSE. Downloaded on April 13,2010 at 15:53:08 UTC from IEEE Xplore. Restrictions apply.

2009 IEEE Symposium on Industrial Electronics and Applications (ISIEA 2009), October 4-6, 2009, Kuala Lumpur, Malaysia

also used the SOMS in their experiments with 75% detection rate and but it also suffered increase in false positives [15]. L. Prema Rajeswari et.al worked on intrusion detection and their developed model showed 83.59% accuracy with 16.41% false alarm in terms of attacks. [16]. Yao Yu et.al worked to improve false positive rate using their hybrid MLP/CNN neural network but still suffered with a false positive rate [17]. Morteza Amini, et.al tried to present a real-time solution using unsupervised neural nets like ART and SOM to detect known and unknown attacks in network traffic [7]. Rodes, et.at proposed MSOMS that used unsupervised learning and is best for data analysis collected from network and overflow detection [18]. Therefore, supervised neural network suffered training overhead while the others are not efficient in accuracy. In this paper, we have reworked of our previous work and focused on probing attacks by using different learning parameters, activation functions & layered nature of the proposed system. I. PROPOSED ARCHITECURE

optimum is selected as shown in the table 1.

TABLE 1 SELECTION OF HIDDEN LAYERS AND ITS NUMBER OF NEURON Sr.# 1 2 3 4 5 6 7 Hidden Layers H1 H1 H1 H1 H1 H1 H1 H2 H2 H2 H2 H2 H2 H3 H3 H4 H3 H3 H3 Neurons 14 14 14 20 30 14 30 9 9 9 10 25 9 3 6 3 4 5 15 RMSE 0.1487 0.1523 0.01486 0.1942 0.5632 0.00211 0.1342

The artificial neural network architecture used in our approach is feedforward. A feed forward neural net is composed of a number of consecutive layers/components, each one connected to the next by a synapse/connection. The design is a FFNN (feedforward neural network) with four layers connected with three synapses. Each layer is composed of a certain number of neurons, each of which has the same characteristics (transfer function, learning rate, etc). This multiple layered perceptron architecture consists of one input, two hidden and one output layer. The general architecture of the system is shown in the figure below.
1 1 1 1

This is a way for selection of number of hidden layers and its number of neurons as many other researchers did in their research. The Input layer takes input from the input file that contains data for training of the net. The hidden layers take inputs from the outputs of the input layer and apply its activation function. After this the output is sent to the output layer. The output layer allows a neural network to write output patterns in a file that are used for analysis of attacks [3, 13]. II. IMPLEMENTATION

We implemented the system in five different phases as shown in the figure below.
DATASET TRAINING/TESTING

PREPROCESSING DATA SET

2 41 14 9

DETERMINE THE NN ARCHITECTURE

Input Layer

Hidden Layers

Output Layer

TRAINING THE SYSTEM

Figure 1. General Architecture

The input layer consists of 41 neurons because the Kddcup99 data set contains 41 fields/characteristics for a TCP/IP packet to be used for attack detection. The hidden layers consist of 14 and 9 neurons respectively. The output layer consists of two neurons that classify normal packets from abnormal packets. There is no accurate formula for the selection of hidden layers so we can make it by comparison and select which one is best [19]. For choosing optimum set of hidden layers and its number of neuron a comparison is made for many cases and

TESTING THE SYSTEM

Figure 2. Implementation Phases

A. Dataset for Training and Testing The efficiency of the NN depends on the training data. The collecting of data for training is a critical problem. This can be obtained by three ways as by using real

559
Authorized licensed use limited to: UNIVERSIDADE FEDERAL FLUMINENSE. Downloaded on April 13,2010 at 15:53:08 UTC from IEEE Xplore. Restrictions apply.

2009 IEEE Symposium on Industrial Electronics and Applications (ISIEA 2009), October 4-6, 2009, Kuala Lumpur, Malaysia

traffic, by using sanitized traffic and by using simulated traffic. The first option to obtain training/testing data is collecting truly real data and attacking an organization. Although packets would be real, it was intolerable to attack an organization. In addition to that, privacy of the users in the organization would be debased as private emails, passwords and user identities would be released. In order to overcome security and privacy harms of using real traffic, sanitized traffic was proposed to be used by removing any sensitive data from the data stream. Then attack data can be inserted into the sanitized traffic. The benefit of this approach is that the data can be freely distributed. However, the below explained problems arise when using this approach. First of all, most of the content of the background activity may be removed by the sanitization attempt. Next, it is still possible to release sensitive data since it is infeasible to verify large amount of data. The third and the most common way to obtain data are to create a testbed network and generate background traffic on this network. In the testbed environment, background traffic is generated either by using complex traffic generators modeling actual network statistics or by using simpler commercial traffic generators creating small number of packets at a high rate. Advantage of this approach is that data can be freely distributed as it does not contain any sensitive information. Another advantage of this approach is that is guaranteed that generated traffic does not contain any unknown attacks as the background traffic is created by simulators. However difficulties exist when using this approach too. Firstly, its very costly and difficult to create a simulation. Next, in order to model various networks, different types of traffic is needed. In order to avoid dealing with difficulties of all three approaches, DARPA 1999 Attack Detection Evaluation dataset was used for training/testing data [1, 3, 7, 20]. B. Preprocessing Dataset This section describes how the data set is used for our experiment. The data set is preprocessed so that it may be able to give it as an input to our developed system. This data set consists of numeric and symbolic features and we converted it in numeric form so that it can be given as inputs to our neural network. We replaced symbolic with specific numeric, comma with semicolon, normal with 0, 1 and attack with 1, 0. Now this modified data set is ready to be used as training and testing of the neural network. C. Determining the NN Architecture There is no certain mathematical approach for obtaining the optimum number of hidden layers and their neurons. For choosing optimum set of hidden layers and its no. of neuron a comparison is made for many cases and optimum is selected as shown in the table 1. In our experiment 4 layer MLP with two hidden layers is found to be optimum among several cases [21]. The comprehensive structural design of attack detection

system for normal and attacked scenario is shown below.

Figure 3. A comprehensive design of IDS for normal scenario

Figure 4. A comprehensive design of IDS for attack scenario

D. Training the System In the training phase we have both input patterns and desired outputs related to each input vector. Aim of the training in MLP networks is minimizing output produced by the neural network and the desired output. In order to achieve this goal, weights are updated by carrying out certain steps known as training. When using a supervised learning algorithm RPROP, training process is usually terminated when the RMSE is reduced to an acceptable level. There is no standard for the RMSE, but usually the lower it is, the better the classification rate is. But a too low RMSE may result in over training of the neural network. This means that neural network loose generalization ability, hence it will just detect attacks that are exactly identical to the training data. Another criterion for training termination is the number of iterations. When a certain number of iterations were reached, the training was stopped, even if the desired RMSE was not reached. We trained the system on preprocessed data using resilient backpropagation for 1000 epoch. We used full featured packet of probing attacks from kddcup99 data set [3, 7]. A sample of training pattern of probing attack and its normal is shown below.
TABLE 2 A PROBING ATTACK AND ITS NORMAL PATTERN 0;18;25;20;8;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;1;15;0 .00;0.00;0.00;0.00;1.00;0.00;1.00;1;147;1.00;0.00;1. 00;0.50;0.00;0.00;0.00;0.00;1;0 0;18;25;20;8;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;1;25;0 .00;0.00;0.00;0.00;1.00;0.00;1.00;1;125;1.00;0.00;1. 00;0.50;0.00;0.00;0.00;0.00;1;0

Attack

Normal

560
Authorized licensed use limited to: UNIVERSIDADE FEDERAL FLUMINENSE. Downloaded on April 13,2010 at 15:53:08 UTC from IEEE Xplore. Restrictions apply.

2009 IEEE Symposium on Industrial Electronics and Applications (ISIEA 2009), October 4-6, 2009, Kuala Lumpur, Malaysia

We used Resilient Backpropagation algorithm for training of the net because it converges very quickly. It uses only the sign of the backpropagated gradient to change the biases/weights of the net. Hence it is local adaptive learning scheme and has the possibility to escape from local minima. The basic principle is to eliminate the harmful influence of the size of partial derivative on the weight step [22, 23, 24, 25]. The training phase consists of the following steps. 1. 2. 3. The Feedforward of input training pattern The calculation and backpropagation associated error The adjustment of the weights of

attack analysis. If the global error value is nearest to 0 and 1 then it is normal packet otherwise consider as attack. The system is implemented in JOONE powered by JAVA [26, 27]. The system is tested for different probing attacks and several reports are generated by the simulation. III. RESULTS AND DISCUSSIONS

The aim of training means to get good responses to input that is similar but not identical. E. Testing the System After the training is completed, the weights of the neural networks are frozen and performance of the neural networks evaluated. Testing the neural networks involves two steps, which are verification step and recall (or generalization) step. In verification step, neural networks are tested against the data which are used in training. Aim of the verification step is to test how well trained neural networks learned the training patterns in the training dataset. If a neural network was trained successfully, outputs produced by the neural network would be similar to the actual outputs. In recall or generalization step, testing is conducted with data which not used in training. Aim of the generalization step is to measure generalization ability of the trained network. After training, the net only involves computation of the feedforward phase. The structure of the testing net is shown in the figure.

After the training process was completed, testing was conducted basically in two steps. In the first step system was tested against the training dataset, in order to examine how well neural networks learned the training dataset after the training process. In the second step of the testing, trained neural networks were tested against a dataset, which is not a part of the training set, in order to examine generalization performance of the trained networks. In both testing steps performance of the neural networks was evaluated by examining the number of false positives and false negatives that they generated. First we gave packets as input to our system consisting of IPsweep attacks and some normal packets. So the system give 100 % detection rate and with no any false positive or false negative. It shows 97% detection rate in case of Nmap with 2% false positive and 1% false negative rate. It shows detection rate 98% in Portsweep attacks with 2% false positive rate. In case of Satan attacks it shows 97% detection rate with 2% of false positive rate and 1% as false negative rate. The simulation results are shown in the table below.
TABLE 3 ATTACK DETECTION PERFORMANCE Probing Attack Type IPsweep Nmap Portsweep Satan False Positive 0% 2% 2% 2% False Negative 0% 1% 0% 1%

Detection Rate 100 % 97 % 98 % 97 %

The graph of simulation results in case of probing attacks detection is shown the following figure.

Figure 5. A comprehensive design of IDS for testing scenario

It consists of one Input, two hidden and one output layers. Each layer consists of neurons. A neuron is a processing element that takes input and gives its output after applying its activation function. The layers are interconnected through synapses. The synapse acts as a transmission medium between the layers of our topology. The forward and backward propagation is done through these synapses by forward and backward mechanism. The output of the net is saved in file that will be used for

Figure 6. Attack and its Detection Rate

561
Authorized licensed use limited to: UNIVERSIDADE FEDERAL FLUMINENSE. Downloaded on April 13,2010 at 15:53:08 UTC from IEEE Xplore. Restrictions apply.

2009 IEEE Symposium on Industrial Electronics and Applications (ISIEA 2009), October 4-6, 2009, Kuala Lumpur, Malaysia

The system shows 98 % accuracy in term of detection rate that is promising value in case of attack detection. It has been noted that the resilient backpropagation shows best performance as compared to other NN approaches towards attack detection. The focus of our research was to increase attack detection rate. Once attack is detected then there are several available methods to block network attack. Now we try to compare our approach to other approaches in case of probing attack detection as shown in the graph.

[6] John McHugh, Testing Intrusion detection systems. ACM Transactions on Information and System Security, 3(4). November, 2000. [7] Morteza Amini, Rasool Jalili and Hamid Reza Shahriari, RTUNNID: A practical solution to real-time network-based intrusion detection using unsupervised neural networks, Computers & Security Volume 25, Issue 6, Elsevier Inc, September 2006, pp 459468. [8] The 3rd International Knowledge Discovery and Data Mining Tools Competition, website link accessed 2009, http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html. [9] M. Sabhnani and G. Serpen, "Application of Machine Learning Algorithms to KDD Intrusion Detection Dataset within Misuse Detection Context", http://www.eecs.utoledo.edu/~serpen/. [10] Denning, Dorothy. (February, 1987). An Intrusion-Detection Model. IEEE Transactions on Software Engineering, Vol. SE-13, No. 2. [11] Uwe Aickelin, Julie Greensmith, Jamie Twycross, Immune System Approaches to Intrusion Detection A Review Natural Computing, Springer Netherlands, Volume 6, Number 4 / December, 2007, pp 413-466. [12] Laurene Fausett, Fundamentals of Neural Networks Architecture, Algorithm, and Applications, Pearson Education, Inc. 2008, pp. 2124. [13] Iftikhar Ahmad, M.A Ansari, Sajjad Mohsin. Performance Comparison between Backpropagation Algorithms Applied to Intrusion Detection in Computer Network Systems as a chapter in the ISI book: RECENT ADVANCES in SYSTEMS, COMMUNICATIONS & COMPUTERS. 2008.(pp.47-52) [14] Aikaterini Mitrokotsa, Christos Douligeris, Detecting Denial of Service Attacks Using Emergent Self-Organizing Maps, IEEE International Symposium on Signal Processing and Information Technology 2005, pp 375-380. [15] Stefano Zanero, Sergio M. Savarsi, Unsupervised learning techniques for an intrusion detection system ACM Symposium on Applied Computing, Cyprus 2004,pp 412-419 [16] L.Prema Rajeswari, A.Kannan, An inrusion detection System Based on Multiple Level Hybrid Classifier using Enhanced C045 IEEEINTERNATIONAL CONFERENCE on Signal processing, Communications and Networking madras Institute of Technology, Anna University chemai india, 2008, pp 75-79 [17] Yao Yu; Yang Wei; Gao Fu-Xiang; Yu Ge, Anomaly Intrusion Detection Approach Using Hybrid MLP/CNN Neural Network, IEEE Intelligent Systems Design and Applications, 2006. ISDA apos; 06Sixth International Conference on Volume 2, Issue , 16-18 Oct. 2006 pp1095 1102. [18] Rodes, B., Mahaffey,J., & Cannady, J. Multiple Self Organizing Maps. 23rd Security Information System (2000). [19] Fox, Kevin L., Henning, Rhonda R., and Reed, Jonathan H. (1990). A Neural Network Approach Towards Intrusion Detection. In Proceedings of the 13th National Computer Security Conference. [20] Cannady J. Artificial neural networks for misuse detection. National Information Systems Security Conference; 1998. p. 36881. [21] Hui Zhu; Bo Huang; Tanabe, Y.; Baba, T., Innovative Computing Information and Control, 2008. ICICIC apos; 08. 3rd International Conference on Volume, Issue, 18-20 June 2008, pp 509 509. [22] JJF Cerqueira, AGB Palhares, MK Madrid , Man and Cybernetics, 2002 IEEE International Conference, 2002. [23] ELECTRONICS LETTERS 8th January 2004 Vol. 40 No. 1. [24] L. Jiao et al. (Eds.): ICNC 2006, Part II, LNCS 4222, SpringerVerlag Berlin Heidelberg 2006, pp 364 373. [25] Souza, B.A.; Brito, N.S.D.; et al, Comparison between backpropagation and RPROP algorithms applied to fault classification in transmission lines, S.S.B. Neural Networks, 2004. Proceedings. 2004 IEEE International Joint Conference on Volume 4, Issue, 25-29 July 2004 pp 2913 - 2918. [26] JAVA. Located at: http://java.sun.com. [27] JOONE API. Located at: http://www.joone.org

Figure 7.

Comparison of detection rate among different approaches of attack detection

It has been noted that our approach shows optimum results as compared to other approaches in the field of attack detection. IV. FUTURE RESEARCH

The resourceful attack detection approach may be developed that have very low error rate, high learning rate and quick attack detection by using this approach with other neural networks in the form of hybrid architecture. ACKNOWLEDGMENT The current work is being supported by department of Software Engineering, College of Computer & Information Sciences, King Saud University, Saudi Arabia. Special thanks to Dr. Mohsin Iftikhar for his valuable suggestions regarding papers presentation. REFERENCES
[1] CERT the U.S. Patent and Trademark Office http://www.cert.org/ [2] Iftikhar Ahmad, Azween B. Abdullah, Abdullah S. Alghamdi, Artificial Neural Network Approaches to Intrusion Detection: A Review, in the Book TELECOMMUNICATIONS and INFORMATICS, Included in ISI/SCI Web of Science and Web of Knowledge, Istanbul, Turkey, 2009, pp 200-205. [3] Iftikhar Ahmad, Sami Ullah Swati, Sajjad Mohsin. Intrusion Detection Mechanism by Resilient Back Propagation (RPROP) EUROPEAN JOURNAL OF SCIENTIFIC RESEARCH, Volume 17, No. 4 August 2007,pp 523-530. [4] Erland. Jonsson, Magnus. Almgren, Alfonso, Recent Advances in Intrusion Detection: 7th International Symposium, RAID 2004, Sophia Antipolis - Page 102. [5] Shahbaz Pervez, Iftikhar Ahmad, Adeel Akram, Sami Ullah Swati. A Comparative Analysis of Artificial Neural Network Technologies in Intrusion Detection Systems WSEAS TRANSACTION ON COMPUTERS, Issue 1, Volume 6, January 2007, pp.175-180.

562
Authorized licensed use limited to: UNIVERSIDADE FEDERAL FLUMINENSE. Downloaded on April 13,2010 at 15:53:08 UTC from IEEE Xplore. Restrictions apply.