Journal Neurocomputers, №7, 2011
Article in issue:
The development of the neural network module for monitoring of abnormal network activity
Authors:
A. A. Talalaev, I. P. Tishchenko, V. P. Fralenko, V. M. Khachumov
Abstract:
This paper reports experimental work on a module for monitoring abnormal network activity that is built on artificial neural networks (ANN). It describes the methods and algorithms developed for extracting informative features of network attacks. The implementation consists of: algorithms for extracting network and non-network attack features; a feedforward ANN module; a supplementary module based on the Euclid-Mahalanobis distance; a subsystem for storing informative features; and the utility «teach», used to train the neural network component. The set of informative attack features is taken from the KDD-99 (Knowledge Discovery and Data Mining) database, which serves as the source of expert knowledge for training the neural network component. The overall mechanism for detecting network attacks with the Neuronet module is as follows:
1. The Snort system captures a packet.
2. A group of Snort rules that reference the Neuronet module invokes it to determine the nature of the incoming packet.
3. The Neuronet module parses the packet to extract informative network and non-network features.
4. The extracted features are passed to the ANN for recognition.
5. The neural network analyzes the data and returns to the Neuronet module the packet's membership in one of the network attack classes or in the class «norm».
6. The Neuronet module returns to Snort a value characterizing the packet as "abnormal" / «not abnormal».
7. Snort either drops the packet or forwards it to its destination.
Test results for the monitoring module on a real network traffic flow on a cluster are presented. The classifier, built on a feedforward ANN and the Euclid-Mahalanobis distance, shows high recognition quality and can be used as a component of various software systems to raise the level of network security.
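As an added illustration of steps 4 to 6 above (example code, not the paper's implementation), the following shows the nearest-class decision a Mahalanobis-distance classifier makes on KDD-99-style connection features and the "abnormal" / "not abnormal" verdict handed back to Snort. The training vectors are constructed, and a small ridge term on the covariance diagonal is an assumption used here to keep singular covariances invertible; it stands in for, and is not, the authors' generalized Euclid-Mahalanobis distance.

```python
from typing import Dict, List, Sequence

Vector = Sequence[float]

# Constructed training set of KDD-99-style connection features (an assumption
# for this example, not the paper's data): [duration, src_bytes, dst_bytes,
# count, serror_rate]. "norm" is the page's normal class; "dos" stands in for
# the KDD-99 denial-of-service attack category.
TRAIN: Dict[str, List[List[float]]] = {
    "norm": [[2, 232, 8153, 5, 0.0], [5, 181, 5450, 8, 0.0], [1, 239, 486, 6, 0.0],
             [3, 235, 1337, 4, 0.1], [8, 219, 1040, 7, 0.0], [4, 217, 2032, 9, 0.0]],
    "dos":  [[0, 0, 0, 120, 1.0], [0, 0, 0, 180, 0.97], [0, 0, 0, 250, 1.0],
             [0, 0, 0, 300, 0.99], [0, 0, 0, 210, 1.0], [0, 0, 0, 160, 0.98]],
}
RIDGE = 1e-3  # assumed regularizer: constant features give a singular covariance

def mean(rows: List[List[float]]) -> List[float]:
    return [sum(r[j] for r in rows) / len(rows) for j in range(len(rows[0]))]

def covariance(rows: List[List[float]], mu: List[float]) -> List[List[float]]:
    n, d = len(rows), len(mu)
    return [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in rows) / (n - 1)
             + (RIDGE if i == j else 0.0) for j in range(d)] for i in range(d)]

def invert(m: List[List[float]]) -> List[List[float]]:
    """Gauss-Jordan inverse with partial pivoting (pure Python, no numpy)."""
    d = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(d)] for i, row in enumerate(m)]
    for c in range(d):
        p = max(range(c, d), key=lambda r: abs(a[r][c]))
        a[c], a[p] = a[p], a[c]
        piv = a[c][c]
        a[c] = [x / piv for x in a[c]]
        for r in range(d):
            if r != c:
                f = a[r][c]
                a[r] = [x - f * y for x, y in zip(a[r], a[c])]
    return [row[d:] for row in a]

def mahalanobis(x: Vector, mu: List[float], inv: List[List[float]]) -> float:
    diff = [xi - mi for xi, mi in zip(x, mu)]
    d = len(diff)
    return sum(diff[i] * inv[i][j] * diff[j] for i in range(d) for j in range(d)) ** 0.5

# One (mean, inverse covariance) model per class, built once from TRAIN.
MODELS: Dict[str, tuple] = {}
for label, rows in TRAIN.items():
    mu = mean(rows)
    MODELS[label] = (mu, invert(covariance(rows, mu)))

def classify(x: Vector) -> str:
    """Step 5: the class whose distribution lies closest to the feature vector."""
    return min(MODELS, key=lambda lab: mahalanobis(x, *MODELS[lab]))

def is_abnormal(x: Vector) -> bool:
    """Step 6: the verdict returned to Snort; anything but 'norm' is abnormal."""
    return classify(x) != "norm"
```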
Pages: 32-38