SURVEY


INTRODUCTION: The aim of this report is to study and
summarize the detailed neural network architecture for anomaly detection. The
following information is gathered from many IEEE conference and research

As the usage of computer networks, especially the Internet, increases day by day all over the world, network security threats are increasing at the same pace. Modern technologies, high-speed machines and superfast networks have made our lives easier and hassle-free. In today's world, we cannot even think about a day without computers and the Internet. From fast communication using email, chat or social websites to online transactions and shopping, the role of the Internet and of computer networks is unquestionable. But so much dependency on them often compels us to pay a high price in terms of loss of money, loss of valuable data and more.


Neural networks are simplified models of biological neuron systems. They are assembled
in layers. Each layer consists of a number of interconnected nodes which
contain an activation function. Patterns are presented to the network via the input
layer, which communicates to one or more hidden layers, where the actual
processing is done via a system of weighted connections.


One of the major fields where researchers are paying attention is intrusion detection. The
goal here is to implement an Intrusion Detection System (IDS) that will track
intruders and protect the system from them. According to researchers,
Artificial Intelligence (AI) based approaches are more effective compared to
other approaches. Conventional intrusion detection techniques require human
effort, but AI-related approaches can do the same with minimal
human interaction. The problem with anomaly-based detection is that it generates
a large number of false positives. Another important aspect is that
today's high-speed networks generate a colossal amount of data which flows
continuously through the network, so it is very difficult to achieve a 100%
detection rate.


An intrusion detection system is basically a defense mechanism of the network system which
detects any malicious activity and raises an alarm so that precautionary
measures can be taken to prevent the attack. Intrusion detection can be
classified into two types: misuse detection and anomaly detection.
A misuse detection system is reliable in nature because it is deterministic. It
uses known attack patterns to identify known intrusions, but the disadvantage
of this system is that it is unable to detect unknown attacks. It also requires a database,
which makes it difficult and time consuming to maintain.

On the contrary, the anomaly-based intrusion
detection system compares the regular and anomalous activities of a
network system. So unlike misuse detection, this system works well for both
known and unknown attacks. The disadvantage of this detection system
is that, apart from detecting genuine attacks, it may also raise false alarms
where no intrusion has occurred. The following terms are often used when
discussing the performance and capabilities of IDSs:

True positive (TP): correctly classifying an intrusion as an intrusion. The true positive rate is
synonymous with detection rate, sensitivity and recall, which are other terms
often used in the literature.

False positive (FP): incorrectly classifying normal data as an intrusion. Also
known as a false alarm.

True negative (TN): correctly classifying normal data as normal. The true
negative rate is also referred to as specificity.

False negative (FN): incorrectly classifying an intrusion as normal.

Accuracy = (TP + TN) / (TP + TN + FP + FN)

Accuracy is also referred to as the overall classification rate.


have found that the human ability of thinking, reasoning and learning can be
imitated to some extent by a computer. A neural network has the ability to imitate
some behavior of the human brain. They also pointed out that "neural network is
capable enough of approximate matching", where incomplete patterns can also be
recognized. A neural network is composed of 'nodes', which are
processing elements, and weighted connections between the nodes. These
nodes operate independently. BPNN is a special type of neural network. A BPNN
has multiple layers. Each layer consists of one or more interconnected
nodes with some 'activation function'. The left-most layer is known as the 'input
layer' and the right-most layer is known as the 'output layer'. Between these two
layers there may be one or more hidden layers. Patterns are presented as
input to the network via the input layer, which in turn communicates to the
hidden layers where the actual processing is done through a set of weighted

network starts with a set of fresh patterns as input data and a set of pre-defined
weights on each connection. It works through a forward calculation from the input
layer to the output layer through the hidden layers, followed by a backward calculation
from the output layer to the input layer that rectifies the error by adjusting the old weights
on the connections. Each set of forward and backward operations is termed a
single 'epoch'. For every epoch, a fresh set of patterns is given to the network
as input. The network is trained in this way with a training set for a certain
number of epochs. After the training phase, the network is capable of
identifying unknown patterns according to its training.

W_new = W_old + η × (desired - output) × input

This process is repeated a certain number of
times until the error is minimized and valid for all the patterns.




In order to build an anomaly detection system using neural networks,
certain steps should be followed (Figure 1). The first step is to randomly collect some
data sessions from the Intrusion Detection Evaluation dataset and test the neural
network. The second step is preprocessing the collected data, which is in binary format,
also known as neural network format. The third step is determining the neural
network structure: the number of hidden layers, the number of hidden
nodes in each layer, the activation function used in the neural network and the training
algorithm. The fourth step is training the neural network until a certain number of
iterations or a certain RMSE value is reached. The fifth and final step is to test
the neural network.
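The steps above and the TP/FP/TN/FN terms defined earlier, carried through as an added example (not code from the surveyed papers): a small back-propagation network in plain Python, trained until an RMSE target or an epoch limit is reached and then scored with the accuracy formula. The four binary features, the labelling rule, the 3-node hidden layer and the learning rate `lr` (taken here to be the scalar factor in the weight-update rule) are assumptions made for illustration, and an epoch here means one pass over the training set.

```python
import math, random, itertools

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def forward(x, w_h, w_o):
    # Input -> hidden -> output; the appended 1.0 feeds each node's bias weight.
    h = [sigmoid(sum(w * v for w, v in zip(row, x + [1.0]))) for row in w_h]
    return h, sigmoid(sum(w * v for w, v in zip(w_o, h + [1.0])))

def train(data, n_hidden=3, lr=0.5, max_epochs=5000, target_rmse=0.05, seed=1):
    rnd = random.Random(seed)
    w_h = [[rnd.uniform(-0.5, 0.5) for _ in range(len(data[0][0]) + 1)] for _ in range(n_hidden)]
    w_o = [rnd.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]
    for epoch in range(1, max_epochs + 1):
        sq_err = 0.0
        for x, desired in data:
            h, out = forward(x, w_h, w_o)            # forward calculation
            err = desired - out
            sq_err += err * err
            d_out = err * out * (1 - out)            # error scaled by the sigmoid slope
            d_hid = [d_out * w_o[j] * h[j] * (1 - h[j]) for j in range(n_hidden)]
            for j, v in enumerate(h + [1.0]):        # backward: W_new = W_old + lr * delta * input
                w_o[j] += lr * d_out * v
            for j in range(n_hidden):
                for i, v in enumerate(x + [1.0]):
                    w_h[j][i] += lr * d_hid[j] * v
        rmse = math.sqrt(sq_err / len(data))
        if rmse <= target_rmse:                      # stop on the RMSE target, else at max_epochs
            break
    return w_h, w_o, epoch, rmse

def evaluate(samples, w_h, w_o, threshold=0.5):
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for x, label in samples:
        pred = forward(x, w_h, w_o)[1] >= threshold  # True means "intrusion"
        counts[("T" if pred == bool(label) else "F") + ("P" if pred else "N")] += 1
    counts["accuracy"] = (counts["TP"] + counts["TN"]) / len(samples)
    return counts

# Constructed data: 4 hypothetical binary session features; intrusion = bit 0 set, bit 1 clear.
ALL = [(list(p), int(p[0] == 1 and p[1] == 0)) for p in itertools.product((0, 1), repeat=4)]
HELD_OUT = [[1, 0, 1, 1], [0, 1, 1, 0], [1, 1, 0, 1], [0, 0, 1, 1]]  # never seen in training
TRAIN = [s for s in ALL if s[0] not in HELD_OUT]
def run():
    w_h, w_o, epochs, rmse = train(TRAIN)
    return epochs, rmse, evaluate(ALL, w_h, w_o)

if __name__ == "__main__":
    print(run())
```

The evaluation set mixes the twelve training patterns with the four held-out ones, so the counts show how the trained network treats sessions it has never seen as well as those it was fitted on.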

The testing section has three parts. In the preliminary
experiment, the neural network is properly trained to detect attacks and give
data about errors. The next experiment follows with a small amount of traffic.
In the final experiment, a higher amount of traffic is used. In these last two
experiments, normal traffic with known attacks and unknown attacks in three different



Fig 1: Steps to be taken to build a neural network based anomaly detection system


results: According to International Journal of Engineering Sciences & Emerging
Technologies, April 2012.

ISSN: 2231 – 6604 Volume 2, Issue 1, pp: 29-36 ©IJESET



If any
conclusions may be drawn from the data, they are, perhaps, as follows: Neural
networks can successfully be used as a method for anomaly detection. The main
problem with IDP is that it gives inefficient results, and this consumes the most
time of a system administrator. In the above case, the neural network has a
classification rate of 100%, which gives 0% error. This means that the normal
sessions are considered safe. If normal traffic were classified as a threat,
an error would be raised.