14th Annual Computer Security Applications Conference
December 7-11, 1998
Phoenix, Arizona


Detecting Anomalous and Unknown Intrusions Against Programs

The ubiquity of the Internet connection to desktops has been both boon to business as well as cause for concern for the security of digital assets that may be unknowingly exposed. Firewalls have been the most commonly deployed solution to secure corporate assets against intrusions, but firewalls are vulnerable to errors in configuration, ambiguous security policies, data-driven attacks through allowed services, and insider attacks. The failure of firewalls to adequately protect digital assets from computer-based attacks has been boon to commercial intrusion detection tools. Two general approaches to detecting computer security intrusions in real-time are misuse detection and anomaly detection. Misuse detection attempts to detect known attacks against computer systems. Anomaly detection uses knowledge of users' normal behavior to detect attempted attacks. The primary advantage of anomaly detection over misuse detection methods is the ability to detect novel and unknown intrusions. This paper presents a study in employing neural networks to detect the existence of anomalous and unknown intrusions against a software system using the anomaly detection approach.