The Power of Temporal Pattern Processing in Anomaly Intrusion Detection

A clear deficiency in most of todays anomaly intrusion detection systems (AIDS) is their inability to distinguish between a new form of legitimate normal behavior and a malicious attack based on known previous normal behaviors. This deficiency is known as the lack of generalization ability. The lack of generalization ability of the present AIDS results mainly in two direct consequences. As a first consequence, the current AIDS are capable of detecting neither new sophisticated attacks nor slight variations of known attacks launched against computing systems. The high rate of false positive and false negative alerts generated by the current AIDS is the second consequence. Many research initiatives that utilize machine learning techniques including neural networks have been proposed to overcome the lack of generalization. Unfortunately, most of such research initiatives have intrinsically focused on utilizing static techniques, that perform structural pattern recognition. Temporal pattern processing techniques have not gained much attention in this arena. In this research, we present a novel anomaly intrusion detection system based on recurrent neural networks (RNN) which is a temporal pattern processing technique. We show that RNN can efficiently discriminate novel intrusive behaviors while recognizing new normal behaviors. Thus, they reduce the false positive and negative alarms, and address the lack of generalization problem associated with the current AIDS. The ability of RNN to generalize normal as well as intrusive behavior outperforms Multilayer Perceptron (MLP) neural network, a structural pattern recognition technique, in a significant way.