MASAUM Journal of Computing, Volume 1 Issue 2, September 2009 236

On Artificial Intelligence Approaches for Network Intrusion Detection Systems

Sattar B. Sadkhan

S. B. Sadkhan is with the University of Babylon, Iraq (phone: +9647801884154; e-mail: drengsattar@ieee.org).

Abstract - While the network is the medium over which most attacks or intrusions on computer systems are launched, the study of providing security in computer networks is a rapidly growing area of interest. Artificial Intelligence strategies were developed aiming at finding solutions to a broad class of problems, named complex problems, which could not be resolved by traditional methods. This paper provides a brief description of several Artificial Intelligence approaches that are used to achieve immunity for network intrusion detection systems (NIDS). An investigation of the challenges facing research in this very important field is also given.

Index Terms - Artificial Intelligence, Intrusion Detection, network security, Immunity, ANN, Genetic algorithm, Agent.

I. INTRODUCTION

With the explosion of Internet connectivity and the pervasive access everyday users have to both internal and external networks, experts have seen a tremendous rise in attacks on corporate and government networks. At the same time the complexity of our enterprises has increased. Add to this the diversity of operating system platforms, routers, network protocols, applications, web servers, databases, etc. Hence trying to spot an attack becomes extremely difficult. Without sophisticated tools, it is nearly impossible. Every organization wants to know when it is under attack, as shown in Fig. (1).

As reliance upon the use of digitally transmitted data over computer networks such as the Internet has increased, so has the need for protecting these networks from malicious users (commonly called "hackers" or "crackers"). Many methods for detecting malicious intruders (e.g., firewalls, password protected systems) currently exist. However, these traditional methods are becoming increasingly vulnerable and inefficient due to their inherent problems. As a result, new methods for intrusion detection that are not hampered by vulnerability and inefficiency must be developed.

Traditional ID systems use a method known as "fingerprinting" to identify malicious users. This method requires the compilation of the unique traits of every type of attack on a computer system. Each generated fingerprint is first added to the attack database of a detection system and then compared to all subsequent user connections for classification as either a malicious or a normal connection. This trait compilation is typically accomplished through human analysis by the creators of the system. The resulting fingerprint updates must then be manually installed on each individual system in use.

There are several inherent problems with this method: a system must first be compromised by an attack for a fingerprint to be generated; a separate fingerprint is required for each different type of attack; and as the number of fingerprints grows, more computer resources must be allocated to detection, degrading overall system performance. In addition, to gain protection from new attacks, there is a significant waiting period from the time a new attack is first reported to the time that a fingerprint is generated. During this waiting period, a system is left vulnerable to the new attack and may be compromised. Moreover, in extreme scenarios, a fingerprint-based system may be unable to allocate all required resources to detect attacks because of the number of fingerprints, resulting in undetected attacks.

As an alternative solution for protecting computers from malicious users, a model-based IDS may be used. Instead of relying on a fingerprint method of user classification, a model-based IDS does not require the constant updates typical of a fingerprint-based system, because the characteristics of any attack against a system will not significantly change throughout the lifetime of the system: attacks are inherently different from normal behavior.

There is a need to find the best ways possible to protect computer systems. Intrusion Detection (ID) is therefore needed as a wall to protect computer systems. Intrusion Prevention Techniques (IPT), such as user authentication (e.g. using passwords or biometrics), are not sufficient because, as systems become ever more complex, there are always system design flaws and programming errors that can lead to security holes. ID is therefore needed as another wall to protect computer systems.

Unfortunately, the reality of intrusion detection and response does not even come close to our wishes. Yet Intrusion Detection Systems (IDS) are a valuable resource. ID is concerned with the identification of attempted or ongoing attacks on a computer system or network.
Issues in ID research include data collection, data reduction, behavior classification, reporting and response.

The aim of this paper is to provide an investigative study of different AI approaches that deal with the immunity of network intrusion detection.

II. ID DEFINITION AND MODEL

A. Definitions

Definition: Intrusion detection (ID) is a type of security management system for computers and networks. An ID system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). ID uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to assess the security of a computer system or network. Intrusion detection functions include:

• Monitoring and analyzing both user and system activities
• Analyzing system configurations and vulnerabilities
• Assessing system and file integrity
• Ability to recognize patterns typical of attacks
• Analysis of abnormal activity patterns
• Tracking user policy violations

ID systems are being developed in response to the increasing number of attacks on major sites and networks. The safeguarding of security is becoming increasingly difficult, because the possible technologies of attack are becoming ever more sophisticated; at the same time, less technical ability is required of the novice attacker, because proven past methods are easily accessed through the Web. Detection, or ID, includes the monitoring of a computer system or network and the ascertaining of anomalies or a series of activities indicating that a break-in is occurring. Without detection software, companies, medical and educational institutions, and government agencies would not be able to tell when they have had a security incident or when the security incident began.

Definition: An Intrusion Detection System (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a

There are several ways to categorize IDS:

• misuse detection vs. anomaly detection: in misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, misuse detection software is only as good as the database of attack signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies.

• network-based vs. host-based systems: in a network-based system, or NIDS, the individual packets flowing through a network are analyzed. The NIDS can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. In a host-based system, the IDS examines the activity on each individual computer or host.

• passive system vs. reactive system: in a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.

Though they both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system.

A Network IDS (NIDS) is designed to support multiple hosts, whereas a Host IDS (HIDS) is set up to detect illegal actions within the host. Most IDS programs typically use signatures of known cracker attempts to signal an alert. Others look for deviations from the normal routine as indications of an attack. ID is very tricky. Too much analysis can add excessive overhead and also trigger false alarms. Insufficient analysis can overlook a valid attack.

Protocol anomaly: A deviation from the standard protocol. An IDS may look for protocol anomalies in order to identify attacks without a signature. Protocol anomalies reduce false positives with well-understood protocols, but may cause false positives with poorly understood or complex protocols.

Traffic anomaly: A deviation from the normal traffic pattern. An IDS may look for unusual traffic activities, such as a flood of UDP packets or a new service appearing on the network. Traffic anomalies can be used to identify unknown attacks and DoS floods, but tuning the IDS for this can be difficult. It also requires a clear understanding of the "normal" traffic.

Intrusion Prevention System (IPS): Software that prevents an attack on a network or computer system. An IPS is a significant step beyond an IDS, because it stops the attack from damaging or retrieving data. Whereas an IDS passively monitors traffic by sniffing packets off a switch port, an IPS resides inline like a firewall, intercepting and forwarding packets. It can thus block attacks in real time.
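The misuse-versus-anomaly distinction above, together with the traffic-anomaly cases (a UDP flood, a new service appearing), as an added example that is not part of the original paper: a signature matcher and a baseline detector are run side by side over constructed flow records. The signature byte patterns, addresses, ports and counts are all made up for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    t: int          # second in which the flow was seen (constructed value)
    src: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


# Misuse detection: a database of attack signatures. The byte patterns here
# are constructed placeholders standing in for real fingerprints.
SIGNATURES = {
    "SIG-A": ("tcp", b"CONSTRUCTED-PATTERN-A"),
    "SIG-B": ("udp", b"CONSTRUCTED-PATTERN-B"),
}


def misuse_detect(flows, signatures=SIGNATURES):
    """Report (signature name, flow) for every flow carrying a known pattern.
    Anything absent from the database is invisible to this detector."""
    hits = []
    for f in flows:
        for name, (proto, pattern) in signatures.items():
            if f.proto == proto and pattern in f.payload:
                hits.append((name, f))
    return hits


# Anomaly detection: learn what "normal" looks like, then flag deviations.
@dataclass(frozen=True)
class Baseline:
    udp_mean: float         # mean number of UDP flows per second
    udp_std: float          # population standard deviation of that count
    known_ports: frozenset  # destination ports (services) seen while learning

    def threshold(self, k):
        return self.udp_mean + k * self.udp_std


def build_baseline(flows):
    per_sec = Counter(f.t for f in flows if f.proto == "udp")
    first, last = min(f.t for f in flows), max(f.t for f in flows)
    counts = [per_sec.get(t, 0) for t in range(first, last + 1)]  # quiet seconds count as 0
    return Baseline(mean(counts), pstdev(counts), frozenset(f.dport for f in flows))


def anomaly_detect(flows, baseline, k=3.0):
    """Traffic anomalies: a per-second UDP count above mean + k*std (flood),
    or a destination port never seen in the baseline (new service)."""
    alerts = []
    per_sec = Counter(f.t for f in flows if f.proto == "udp")
    for t, n in sorted(per_sec.items()):
        if n > baseline.threshold(k):
            alerts.append(("udp-flood", t, n))
    for port in sorted({f.dport for f in flows} - baseline.known_ports):
        alerts.append(("new-service", port))
    return alerts


# Constructed traffic ---------------------------------------------------------
def constructed_normal(burst_at=None):
    """Ten seconds of quiet traffic: two DNS lookups and one HTTP request per second.
    With burst_at set, one second also carries a 30-flow UDP burst (a noisy baseline)."""
    flows = []
    for t in range(10):
        flows += [Flow(t, "10.0.0.5", "udp", 53, b"dns-query")] * 2
        flows.append(Flow(t, "10.0.0.6", "tcp", 80, b"GET / HTTP/1.1"))
        if t == burst_at:
            flows += [Flow(t, "10.0.0.7", "udp", 53, b"dns-query")] * 30
    return flows


def constructed_test_window():
    flows = [Flow(100 + i, "10.0.0.6", "tcp", 80, b"GET / HTTP/1.1") for i in range(5)]
    flows.append(Flow(101, "10.0.0.9", "tcp", 80, b"xx CONSTRUCTED-PATTERN-A xx"))  # signature hit
    flows += [Flow(103, "10.0.0.9", "udp", 53, b"junk")] * 40                        # UDP flood, no signature
    flows.append(Flow(104, "10.0.0.9", "udp", 9999, b"hello"))                       # service never seen before
    return flows


if __name__ == "__main__":
    window = constructed_test_window()
    print("misuse:", [name for name, _ in misuse_detect(window)])
    print("anomaly:", anomaly_detect(window, build_baseline(constructed_normal())))
    print("noisy threshold:", build_baseline(constructed_normal(burst_at=4)).threshold(3.0))
```

The flood and the new service are invisible to the signature matcher, since no signature describes them, and are caught only by the baseline detector; conversely the baseline detector knows nothing about the payload that matches SIG-A. The tuning difficulty the paper mentions shows up in the last line: a baseline learned from traffic that already contained one burst raises the flood threshold from 2 to 32 flows per second, so a flood smaller than that would pass unnoticed.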
B. Models for ID

In previous research, the options for model generation have been to base it on normal users or to base it on malicious users:

- Models based on normal users, known as anomaly detection models, use an empirical behavioral model of a normal user and classify any computer activity that does not fit this model as malicious. This model tries to determine whether deviation from the established normal usage patterns can be flagged as intrusions. In other words, known and unknown intrusions are detected by analyzing changes in the normal pattern of utilization or behavior of the computer system. This approach does not use information about the system behavior when an intrusion is in progress, as shown in Fig. (2).

- Models based on malicious users are known as misuse detection models. These models look for a pattern of malicious behavior, and behavior that fits this model is classified as malicious. Actually this model uses patterns of well-known attacks or weak spots of the system to match and identify intrusions. That means known intrusions are detected by looking at the computer system behavior (some characteristic pattern of such intrusions). This approach uses some collected information about the system behavior under normal conditions and under some known intrusions to determine the current state of the system. In this case, the intrusion detection problem is a classification problem, as shown in Fig. (3).

In some new research, neither of the mentioned models was explicitly specified, allowing the genetic algorithm to generate the best model. An IDS must first be able to detect malicious user connections, for which it must have a generalized model of user behavior for comparison to users of a system. The most efficient method of generating a user model is to apply a data analysis algorithm to given "training data", which is representative of real world data, and then generate an empirical model of either type of user based on this training data. Previous research into empirical model generation has used data analysis algorithms such as generalized data mining techniques, sparse Markov transducers, and genetic

There are also many other approaches that deal with the immunity of computer network intrusion detection systems but not through artificial intelligence; as an example, the use of short sequences of system calls will not be discussed in this paper.

III. ARTIFICIAL INTELLIGENCE (AI) BASED APPROACHES FOR

AI is concerned with improving algorithms by employing problem solving techniques used by human beings. Humans excel at tasks such as learning, or gaining the ability to perform tasks from examples and training. An expert system handles problems using a computer model of expert human reasoning. However, most expert systems must undergo continuous maintenance to perform well.

Other systems can acquire knowledge from a set of training instances. These training instances can be question and correct answer pairs, or problems and the steps of their solution. Rule based induction derives rules which explain the training instances more clearly than a mathematical or statistical analysis of the data. Classifier systems attempt to learn how to classify future examples from a set of training data. Examples of systems that can be used as a classifier are a Neural Network or a Decision Tree.

The goal of feature selection is to reduce the amount of information required to make good predictions, and to improve the error rate of classifiers. This is accomplished by researching subsets of features, or information sources, and testing the ability of those features to classify the training instances.

AI strategies were developed aiming at finding solutions to a broad class of problems, named complex problems, which could not be resolved by traditional methods. Some of the methods presented constitute hybrid approaches, where AI techniques, like neural networks, fuzzy systems and, most influentially, evolutionary strategies, were combined, leading to the emergence of new computational paradigms [ ].

There are many Artificial Intelligence approaches that use one or the other of the above-mentioned models to solve the intrusion detection problem. In this paper, the attention will be focused on the following approaches:

1. Data mining techniques over system audit data.
2. Distributing the detection task in multiple independent entities (autonomous agents) working collectively.
3. Fuzzy rule learning.
4. Neural networks.
5. Colored Petri nets.
6. Model generation by using genetic algorithms.

A. Using data mining techniques over system audit data

The aim is to eliminate, as much as possible, the manual and ad-hoc elements from the process of building an intrusion detection system. The data-centric point of view is taken into consideration and the intrusion detection as a data

Anomaly detection is about finding the normal usage patterns from the audit data, whereas misuse detection is about encoding and matching the intrusion patterns using the audit data, as shown in Fig. (4).

The central theme of our approach is to apply data mining techniques to intrusion detection. Data mining generally refers to the process of (automatically) extracting models from large stores of data. The recent rapid development in data mining has made available a wide variety of algorithms, drawn from the fields of statistics, pattern recognition, machine learning, and databases.

Thus, using data mining techniques over system audit data is to extract consistent and useful patterns of program and user behavior, and to build classifiers that can recognize anomalies. The basic data mining techniques used are the classical association rules and the frequent episodes.
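The two data mining techniques named in section III.A, association rules (intra-record patterns) and frequent episodes (temporal inter-record patterns), as an added example that is not code from the paper or from the data-mining IDS work it summarizes. The audit records, their attributes, the support/confidence/frequency thresholds and the window size are all constructed for the illustration.

```python
from collections import Counter
from itertools import combinations


# Constructed audit records: (timestamp, service, flag, bytes bucket), in the
# spirit of per-connection records. Twenty repetitions of a three-step routine.
def normal_audit():
    records, t = [], 0
    for _ in range(20):
        records += [(t, "http", "SF", "small"), (t + 1, "dns", "SF", "small"), (t + 2, "http", "SF", "large")]
        t += 3
    return records


def intrusive_audit():
    # Ten consecutive failed connections to one service (constructed).
    return [(100 + i, "ftp", "S0", "small") for i in range(10)]


def items(record):
    _, service, flag, size = record
    return frozenset({f"service={service}", f"flag={flag}", f"bytes={size}"})


def association_rules(records, min_support=0.5, min_confidence=0.9):
    """Intra-record patterns: rules X -> Y over attribute=value items.
    Itemsets up to size 3 are enumerated exhaustively; Apriori pruning is
    unnecessary at this scale. Returns (lhs, rhs, support, confidence)."""
    baskets = [items(r) for r in records]
    n = len(baskets)
    universe = sorted(set().union(*baskets))
    support = {}
    for k in (1, 2, 3):
        for combo in combinations(universe, k):
            s = frozenset(combo)
            count = sum(1 for b in baskets if s <= b)
            if count / n >= min_support:
                support[s] = count / n
    rules = []
    for s, sup in support.items():
        for k in range(1, len(s)):
            for lhs in combinations(sorted(s), k):
                lhs = frozenset(lhs)
                if lhs in support and sup / support[lhs] >= min_confidence:
                    rules.append((lhs, s - lhs, sup, sup / support[lhs]))
    return rules


def frequent_episodes(records, window, min_frequency=0.5, length=2):
    """Inter-record (temporal) patterns: serial episodes, i.e. ordered tuples of
    `length` services occurring in that order inside a sliding window of
    `window` time units. Frequency = fraction of windows containing the episode."""
    records = sorted(records)
    starts = range(records[0][0], records[-1][0] - window + 2)
    counts, n_windows = Counter(), 0
    for start in starts:
        n_windows += 1
        in_window = [r[1] for r in records if start <= r[0] < start + window]
        counts.update({tuple(in_window[i] for i in idx)
                       for idx in combinations(range(len(in_window)), length)})
    return {ep: c / n_windows for ep, c in counts.items() if c / n_windows >= min_frequency}


def novel_episodes(normal_records, observed_records, window=3):
    """Episodes frequent in the observed audit data that were never frequent in
    the normal data: the kind of pattern that points at a feature worth adding."""
    baseline = frequent_episodes(normal_records, window)
    observed = frequent_episodes(observed_records, window)
    return {ep: f for ep, f in observed.items() if ep not in baseline}


if __name__ == "__main__":
    for lhs, rhs, sup, conf in association_rules(normal_audit()):
        print(sorted(lhs), "->", sorted(rhs), f"support={sup:.2f} confidence={conf:.2f}")
    print(frequent_episodes(normal_audit(), window=3))
    print(novel_episodes(normal_audit(), intrusive_audit()))
```

On the constructed normal data the rules that survive are service=http -> flag=SF and bytes=small -> flag=SF, and the frequent serial episodes are the http/dns/http ordering of the routine; the intrusive window yields the episode (ftp, ftp) with frequency 1.0, which never appears in the baseline. This is the sense in which the paper says the mined patterns guide feature selection: a "repeated connections to the same service within a short window" count is exactly the feature the novel episode suggests.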
The idea is to first compute the association rules and frequent episodes from audit data, which (intuitively) capture the intra- and (temporal) inter-audit-record patterns. These patterns are then utilized, with user participation, to guide the data gathering and feature selection processes.

B. Distributing the detection task in multiple independent entities (autonomous agents) working collectively

This approach reviews the architecture for a distributed Intrusion Detection System based on multiple independent entities working collectively. These entities are called Autonomous Agents.

A software agent can be defined as "A software entity which functions continuously and autonomously in a particular environment, able to carry out activities in a flexible and intelligent manner that is responsive to changes in the environment. Ideally, an agent that functions continuously would be able to learn from its experience. In addition, we expect an agent that inhabits an environment with other agents and processes to be able to communicate and cooperate with them, and perhaps move from place to place in doing so".

An autonomous agent is defined as a software agent that performs a certain security monitoring function at a host. The agents are called autonomous because they are independently-running entities (i.e., their execution is scheduled only by the operating system, and not by other processes). Agents may or may not need data produced by other agents to perform their work, but they are still considered to be autonomous.

Additionally, agents may receive high-level control commands, such as indications to start or stop execution, or to change some operating parameters, from other entities. This high-level control does not interfere with our definition of agent autonomy. An agent may perform a single very specific function, or may perform more complex activities.

The internal design of the agents is proposed using the Genetic Programming paradigm as a basis. In this paradigm, populations of programs are evolved to solve a specific problem. The problem often has no singular correct solution, or the solution is very expensive to compute. The possible solution programs are represented as parse trees for a simple meta-language and these parse trees are manipulated by operations similar to those found in natural genetics. After time the population of programs converges on a particular program which gives the optimal solution to the problem.

C. Fuzzy Rule Learning

The normal and the abnormal behaviors in networked computers are hard to predict, as the boundaries cannot be well defined. This prediction process may generate false alarms in many anomaly based intrusion detection systems. However, with fuzzy logic, the false alarm rate in determining intrusive activities can be reduced; a set of fuzzy rules (non-crisp fuzzy classifiers) can be used to define the normal and abnormal behavior in a computer network, and a fuzzy inference algorithm can be applied over such rules to determine when an intrusion is in progress. The main problem with this approach is to generate good fuzzy classifiers to detect intrusions.

This approach deals with the fuzzy classifiers using genetic algorithms that can detect anomalies and some specific intrusions. The main idea is to evolve two rules, one for the normal class and the other for the abnormal class, using a profile data set with information related to the computer network during normal behavior and during intrusive (abnormal) behavior, as shown in Fig. (5).

D. Artificial Neural Networks

There are two general implementations of neural networks in misuse detection systems.

a- The first involves incorporating them into existing or modified expert systems. This proposal involves using the neural network to filter the incoming data for suspicious events which may be indicative of misuse and forward these events to the expert system. This configuration should improve the effectiveness of the detection system by reducing the false alarm rate of the expert system. Because the neural network will determine a probability that a particular event is indicative of an attack, a threshold can be established above which the event is forwarded to the expert system for additional analysis. Since the expert system is only receiving data on events which are viewed as suspicious, the sensitivity of the expert system can be increased (typically, the sensitivity of expert systems must be kept low to reduce the incidence of false alarms). This configuration would be beneficial to organizations that have invested in rule-based expert system technology by improving the effectiveness of the system while preserving the investment that has been made in existing intrusion detection systems.

b- The second approach would involve the neural network as a standalone misuse detection system. In this configuration, the neural network would receive data from the network stream and analyze the information for instances of misuse. Any instances which are identified as indicative of attack would be forwarded to a security administrator or used by an automated intrusion response system. This approach would offer the benefit of speed over the previous approach, since there would only be a single layer of analysis. In addition, this configuration should improve in effectiveness over time as the network learns the characteristics of attacks. Unlike the first approach, this concept would not be limited by the analytical ability of the expert system, and as a result it would be able to expand beyond the limits of the expert system's rule-base, as shown in Fig. (6).

E. Colored Petri Nets

This approach describes a generic model of matching that can be usefully applied to misuse intrusion detection. The model is based on Colored Petri Nets. Guards define the context in which signatures are matched.
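Returning to the fuzzy rule learning approach of section III.C, as an added illustration that is not code from Gomez and Dasgupta or from any other work cited here: two fuzzy rules, one for the normal class and one for the abnormal class, are defined over two connection features, and a small genetic algorithm evolves the fuzzy-set parameters from a labelled profile data set. The feature names (a connection-rate and an error-fraction feature, both scaled to [0, 1]), the ramp-shaped membership functions, the profile records and the GA settings are all constructed for the example.

```python
import random


# Membership functions ---------------------------------------------------------
def high(x, c, w):
    """Degree to which x is 'high': 0 below c-w, 1 above c+w, linear in between."""
    return min(1.0, max(0.0, (x - (c - w)) / (2 * w)))


def low(x, c, w):
    return 1.0 - high(x, c, w)


# Two fuzzy rules over two features (constructed names, both in [0, 1]):
#   abnormal: IF rate is HIGH AND err is HIGH   (firing degree = min)
#   normal:   IF rate is LOW  OR  err is LOW    (firing degree = max)
# A chromosome holds the fuzzy-set parameters [c_rate, w_rate, c_err, w_err].
def rule_degrees(chrom, rate, err):
    c1, w1, c2, w2 = chrom
    abnormal = min(high(rate, c1, w1), high(err, c2, w2))
    normal = max(low(rate, c1, w1), low(err, c2, w2))
    return normal, abnormal


def classify(chrom, rate, err):
    normal, abnormal = rule_degrees(chrom, rate, err)
    return "abnormal" if abnormal > normal else "normal"


# Constructed profile data set: (rate, err, label). Busy-but-healthy hosts
# (high rate, low error fraction) are deliberately labelled normal.
PROFILE = [
    (0.05, 0.00, "normal"), (0.10, 0.05, "normal"), (0.15, 0.10, "normal"),
    (0.20, 0.00, "normal"), (0.10, 0.10, "normal"), (0.30, 0.05, "normal"),
    (0.80, 0.05, "normal"), (0.90, 0.00, "normal"), (0.25, 0.15, "normal"),
    (0.85, 0.10, "normal"),
    (0.70, 0.60, "abnormal"), (0.80, 0.80, "abnormal"), (0.90, 0.70, "abnormal"),
    (0.85, 0.90, "abnormal"), (0.75, 0.65, "abnormal"), (0.95, 0.85, "abnormal"),
    (0.60, 0.70, "abnormal"), (0.65, 0.95, "abnormal"), (0.70, 0.75, "abnormal"),
    (0.90, 0.60, "abnormal"),
]


def accuracy(chrom, data=PROFILE):
    return sum(classify(chrom, r, e) == label for r, e, label in data) / len(data)


def evolve(data=PROFILE, pop_size=40, generations=60, seed=1):
    """Genetic algorithm over fuzzy-set parameters; fitness is classification
    accuracy on the profile set. Elitism keeps the best chromosome each generation."""
    rng = random.Random(seed)

    def random_chrom():
        return [rng.random(), rng.uniform(0.05, 0.4), rng.random(), rng.uniform(0.05, 0.4)]

    def mutate(chrom):
        out = []
        for i, gene in enumerate(chrom):
            gene += rng.gauss(0, 0.05)
            # odd genes are widths (kept in [0.01, 0.5]), even genes are centres (kept in [0, 1])
            out.append(min(0.5, max(0.01, gene)) if i % 2 else min(1.0, max(0.0, gene)))
        return out

    def crossover(a, b):
        cut = rng.randrange(1, len(a))
        return a[:cut] + b[cut:]

    def tournament(pop):
        a, b = rng.sample(pop, 2)
        return a if accuracy(a, data) >= accuracy(b, data) else b

    pop = [random_chrom() for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=lambda ch: accuracy(ch, data), reverse=True)
        nxt = [pop[0]]  # elitism: the best survives unchanged
        while len(nxt) < pop_size:
            nxt.append(mutate(crossover(tournament(pop), tournament(pop))))
        pop = nxt
    return max(pop, key=lambda ch: accuracy(ch, data))


if __name__ == "__main__":
    best = evolve()
    print("evolved parameters:", [round(g, 3) for g in best], "accuracy:", accuracy(best))
    for rate, err in [(0.1, 0.05), (0.85, 0.1), (0.75, 0.7), (0.5, 0.5)]:
        print(rate, err, classify(best, rate, err), "deviation=%.2f" % rule_degrees(best, rate, err)[1])
```

The abnormal rule's firing degree doubles as the graded "amount of deviation from normal" that the paper's discussion section attributes to fuzzy rules, and the evolved rule can be read back in words ("rate is high and error fraction is high"). The profile set is separable, so the evolved parameters reach full accuracy on it; the boundary the GA actually lands on is one of many that fit, which is the reason the paper stresses choosing a good fuzzy space for each monitored parameter.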
The notion of start and final states, and paths between them, defines the set of event sequences matched by the net. Partial order matching can also be specified in this model. The main benefits of the model are its generality, portability and flexibility.

A fundamental requirement of applying pattern matching to intrusion detection is that matching be done with "follows" semantics rather than "immediately follows" semantics. For example, with follows semantics the pattern ab specifies the occurrence of the event a followed by the occurrence of event b; it does not represent a immediately followed by b with no intervening event. This means that any two adjacent sub-patterns within a pattern are implicitly separated by an arbitrary number (possibly zero) of events of any type. This assumption is appropriate in current systems: audit trail generation and modern user interfaces allow users to log in simultaneously through several windows, thereby generating overlapped entries in the audit trail.

F. Model Generation by Using Genetic Algorithms

This approach analyzed the effectiveness of a genetic algorithm applied to the detection of computer intrusions and malicious computer behavior. The use of genetic algorithms to detect malicious computer behavior is a novel approach to the computer network intrusion detection problem presented in designing an Intrusion Detection System. A genetic algorithm is a method of artificial intelligence problem-solving based on the theory of Darwinian evolution applied to mathematical models.

The genetic algorithm designed for this experiment promoted a high detection rate of malicious behavior and a low false positive rate of normal behavior classified as malicious. The genetic algorithm was given "training data" from which an empirical model of malicious computer behavior was generated. This model was then tested over previously unseen data to gauge its real-world performance.

The results presented show that the genetic algorithm was successfully able to generate an accurate empirical behavioral model from training data and then able to successfully apply this empirical knowledge to data never seen before.

In [ ], a test was made of whether genetic algorithms are a viable option for model generation in an artificial intelligence-based IDS designed to replace or reinforce fingerprinting systems. The genetic algorithm written for that experiment isolates forty-one different characteristics of user connections to classify users. For comparison, the former research had analyzed only five or fewer characteristics. This genetic algorithm also applies a novel randomized weighting system, based on randomized coefficients in input data, to determine if a user is malicious or normal. Fig. (7) shows the application of Genetic Algorithm theory to the ID problem.

IV. DISCUSSION AND CONCLUSIONS

Let us start our conclusions depending upon our investigation:

- For the first approach (using data mining techniques over system audit data), in order to construct an accurate (effective) base classifier, we need to gather a sufficient amount of training data and identify a set of meaningful features. Both of these tasks require insight into the nature of the audit data, and can be very difficult without proper tools and guidelines. Thus the accuracy of the detection models depends on sufficient training data and the right feature set. So the association rules and frequent episodes from the audit data can be used to guide audit data gathering and feature selection, the critical steps in building effective classification models.

- In the second approach (distributing the detection task in multiple independent entities (autonomous agents) working collectively) we found many good points, the most important of them being the ease of tailoring agents to your system, the resilience to subversion exhibited by agents, and the highly scalable nature of the agents approach. But there are some drawbacks to this approach:
  - They impose an overhead on the system, as they will consume both memory and CPU cycles in order to monitor for intrusions.
  - The possibility of false positives.
  - As in any intrusion detection system, if the agents are subverted then the intrusion detector becomes a security liability. Because the agents are distributed throughout the system and monitor many different system parameters, they are more immune to this sort of attack.

- The experiment for the third approach (fuzzy rule learning) showed that the proposed approach works well in detecting different attacks. The accuracy of the fuzzy classifier was good. Also, the accuracy can be further improved by applying specific strategies to generate the fuzzy space for each monitored parameter. The evolved fuzzy rules are not complex, as no more than six attributes are used in each rule. This allows characterization of the normal and abnormal behaviors in human words. In order to reduce the dimensionality of the problem, several statistical methods can be applied before the evolution process is performed. This provides a better characterization of the boundary between normal and abnormal. The fuzzy characteristics of rules provide a natural estimate of the amount of deviation from the normal.

- What we conclude from the fourth approach (neural networks) is that the preliminary results from the experimental feed-forward neural network give a positive indication of the potential offered by this approach, but a significant amount of research remains before it can function as an effective intrusion detection system. A complete system will require the ability to directly receive inputs from a network data stream. The most difficult component of the analysis of network traffic by a neural network is the ability to effectively analyze the information in the data portion of an IP (Internet Protocol) datagram. The various commands that are included in the data often provide the most critical element in the process of determining if an attack is occurring against a network. The
most effective neural network architecture is also an issue that for the detection of malicious intrusions into computer
must be addressed. A feed forward neural network that used a systems.
back propagation algorithm was chosen because of its
simplicity and reliability in a variety of applications. However,
alternatives such as the self organizing feature map also V. CHALLENGES AND FUTURE TRENDS
possess advantages in misuse detection that may promote their - The quality of the results presented by using GA in ID
use. In addition, an effective neural network-based approach to Problem warrants future research in the area of GA
misuse detection must be highly adaptive. Most neural network application in ID Problem. Hence the important step in this
architectures must be retrained if the system is to be capable of direction of research will be the implementation of such a
improving its analysis in response to changes in the input model generated by GA to real-time ID. By doing this, the
patterns, (e.g., “new” events are recognized with a consistent efficiency of a model generated could be gauged in the real-
probability of being an attack until the network is retrained to world and compared to traditional methods of ID. Also the
improve the recognition of these events). efficiency of a model generated by GA could be compared to
- For the fifth approach (Colored Petri net) there are several models generated using other techniques.
difficulties in intrusion detection using pattern matching. The - The search process, on subset of features or information
dominant one is the sheer rate at which the data generated by sources, and testing the ability of these features to classify
modern processors must be matched. The other major problem the training instances, itself is the subject of continuing
is the nature of the matching itself. An attacker may perform research in the AI community
several actions under different user identities, and at different times, ultimately leading to a system compromise. The complexity of matching in our model increases rapidly with increasing complexity of signatures. The model has several important advantages.
• It is very portable, in the sense that intrusion signatures can be moved across sites without rewriting to accommodate fine differences in each vendor's implementation.
• Signatures can also be transparently moved to systems with somewhat different policies and ratings. An abstract audit record definition and a standard definition of a virtual machine to represent guards ensure that patterns pre-compiled to an intermediate representation can be moved across systems with minimal overhead.
• Signatures can be dynamically added to the matching engine while maintaining the partial matches of signatures already present in it.
• Signatures can be prioritized by considering each token as a thread of control. Each thread then fetches events from an event manager and acts on them. By prioritizing certain threads, patterns can be prioritized for matching.

The only disadvantage of doing this is that some optimizations, like common sub-expression elimination of guards, may not be done for subsequently added patterns with respect to patterns already compiled in the engine. Actions can also be associated with patterns by incorporating them as expressions in the post-conditions.

Many IDSs employ AI methods in their systems. The AI techniques are expected to improve understanding of how non-intrusive and intrusive behavior differ, as well as to enable hierarchical classification of different types of attacks.
• Feature Selection in IDSs: It was shown that feature selection can be effective in a small example. Feature selection can be used to determine which strings are the best to search for. Feature selection techniques can be modified to analyze the value of the features used in other IDSs and perhaps enhance their performance by eliminating noisy features.
• Reconfiguration and Customization of IDs: IDSs can be site specific. Using data reduction techniques we can customize an IDS to a particular site by finding the information sources most useful to that site's IDS needs. We can also re-configure an IDS using feature selection after finding new data sources. The Network Security Monitor can be configured to search for different strings on a network.
• Clustering in ID: Clustering will be very useful in ID. Hence, planning to use clustering techniques to explore patterns in audit and network data will be a very important future aspect.
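The pattern-matching model summarised above (a signature as an ordered sequence of guarded audit events, a token as one partial match acting as a thread of control, and signatures that can be added while the engine runs) can be illustrated with a small matching engine. The following is an added example written for this page; it is not code from the paper or from the Kumar and Spafford system it describes. The two signatures, the audit event types and field names, and the audit trail are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]           # one abstract audit record (constructed schema)
Bindings = Dict[str, object]        # values captured by earlier steps of a signature
Guard = Callable[[Event, Bindings], bool]


@dataclass
class Step:
    """One step of a signature: the audit event type it consumes, a guard over
    the event and the bindings of earlier steps, and the event fields to
    capture (binding name -> event field) when the guard holds."""
    event_type: str
    guard: Guard = lambda ev, b: True
    bind: Dict[str, str] = field(default_factory=dict)


@dataclass
class Signature:
    name: str
    steps: List[Step]
    priority: int = 0               # tokens of higher-priority signatures act first


@dataclass
class Token:
    """A partial match (one thread of control): the signature, how many steps
    have already matched, and the values bound so far."""
    sig: Signature
    done: int
    bindings: Bindings


class MatchEngine:
    def __init__(self) -> None:
        self.signatures: List[Signature] = []
        self.tokens: List[Token] = []
        self.alerts: List[Tuple[str, Bindings]] = []

    def add_signature(self, sig: Signature) -> None:
        """Add a signature while the engine runs; tokens accumulated by the
        signatures already present are left untouched."""
        self.signatures.append(sig)

    def partial_matches(self) -> Dict[str, int]:
        """Number of live partial matches per signature."""
        counts: Dict[str, int] = {}
        for tok in self.tokens:
            counts[tok.sig.name] = counts.get(tok.sig.name, 0) + 1
        return counts

    def feed(self, event: Event) -> List[str]:
        """Consume one audit event and return the signatures it completed."""
        fired: List[str] = []
        # Seed a fresh token at step 0 of every signature for every event, so a
        # new attack sequence may begin anywhere in the audit trail.
        candidates = self.tokens + [Token(s, 0, {}) for s in self.signatures]
        candidates.sort(key=lambda t: -t.sig.priority)   # stable sort keeps age order
        survivors: List[Token] = []
        for tok in candidates:
            step = tok.sig.steps[tok.done]
            if event.get("type") == step.event_type and step.guard(event, tok.bindings):
                bound = dict(tok.bindings)
                bound.update({name: event[fld] for name, fld in step.bind.items()})
                if tok.done + 1 == len(tok.sig.steps):
                    self.alerts.append((tok.sig.name, bound))
                    fired.append(tok.sig.name)
                else:
                    survivors.append(Token(tok.sig, tok.done + 1, bound))
            elif tok.done > 0:
                survivors.append(tok)   # keep waiting partial matches; drop unstarted seeds
        self.tokens = survivors
        return fired


# Constructed signature: a failed login, then a successful login by the same
# user from the same host, then that user's uid changing to 0.
REMOTE_ROOT = Signature("remote-root", [
    Step("login_fail", bind={"user": "user", "host": "host"}),
    Step("login_ok", lambda ev, b: ev["user"] == b["user"] and ev["host"] == b["host"]),
    Step("priv_change", lambda ev, b: ev["user"] == b["user"] and ev["new_uid"] == 0),
], priority=10)

# Constructed signature: a logged-in user deleting the authentication log.
AUDIT_TAMPER = Signature("audit-tamper", [
    Step("login_ok", bind={"user": "user"}),
    Step("file_delete", lambda ev, b: ev["user"] == b["user"] and ev["path"] == "/var/log/auth.log"),
], priority=5)

# Constructed audit trail (not real data).
EVENTS: List[Event] = [
    {"type": "login_fail", "user": "alice", "host": "10.0.0.5"},
    {"type": "login_fail", "user": "bob", "host": "10.0.0.9"},
    {"type": "login_ok", "user": "bob", "host": "10.0.0.9"},
    {"type": "priv_change", "user": "bob", "new_uid": 0},
    {"type": "file_delete", "user": "bob", "path": "/var/log/auth.log"},
]


def run_demo() -> List[str]:
    """Feed the trail, adding AUDIT_TAMPER after the second event to show that
    the partial matches of REMOTE_ROOT survive the addition."""
    engine = MatchEngine()
    engine.add_signature(REMOTE_ROOT)
    fired: List[str] = []
    for i, ev in enumerate(EVENTS):
        if i == 2:
            before = engine.partial_matches()
            engine.add_signature(AUDIT_TAMPER)
            assert engine.partial_matches() == before
        fired += engine.feed(ev)
    return fired


if __name__ == "__main__":
    print(run_demo())   # ['remote-root', 'audit-tamper']
```

Each token is consumed when it advances and kept while it waits, so alice's unanswered failed login stays a live partial match throughout; the disadvantage the text names is visible too, since a guard added later is evaluated on its own and shares nothing with guards already compiled into earlier signatures.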
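The feature-selection point above, that selection can decide which strings a string-matching monitor should search for and eliminate noisy features, can be made concrete with an information-gain ranking. This is an added example for this page, not code from the paper or from the Network Security Monitor; the connection payloads, labels and candidate strings are constructed, and the gain computation accepts any feature function, so it also ranks multi-valued features rather than only string presence.

```python
import math
from typing import Callable, Dict, Hashable, List, Tuple

# Constructed connection records: (payload seen on the wire, label).
# Label 1 = intrusive, 0 = normal; six of each.
RECORDS: List[Tuple[str, int]] = [
    ("GET /cgi-bin/../../etc/passwd", 1),
    ("GET /../../etc/passwd", 1),
    ("cat /etc/passwd", 1),
    ("cp /etc/passwd /tmp/p", 1),
    ("GET /../../etc/shadow; cat /etc/passwd", 1),
    ("tar cf /tmp/x.tar /etc/passwd", 1),
    ("GET /index.html", 0),
    ("GET /images/logo.png", 0),
    ("GET /docs/../docs/faq.html", 0),
    ("cat notes.txt", 0),
    ("ls -l /home/alice", 0),
    ("login alice", 0),
]

# Constructed candidate strings a monitor might be configured to search for.
CANDIDATE_STRINGS = ["/etc/passwd", "../", "GET"]

Feature = Callable[[str], Hashable]   # maps a payload to a feature value


def entropy(labels: List[int]) -> float:
    """Shannon entropy (bits) of a label list; 0.0 for an empty or pure list."""
    n = len(labels)
    if n == 0:
        return 0.0
    counts = [labels.count(v) for v in set(labels)]
    return -sum((c / n) * math.log2(c / n) for c in counts)


def information_gain(records: List[Tuple[str, int]], feature: Feature) -> float:
    """H(label) - H(label | feature) for a feature of any arity."""
    labels = [y for _, y in records]
    groups: Dict[Hashable, List[int]] = {}
    for payload, y in records:
        groups.setdefault(feature(payload), []).append(y)
    n = len(records)
    conditional = sum(len(g) / n * entropy(g) for g in groups.values())
    return entropy(labels) - conditional


def string_present(s: str) -> Feature:
    """Boolean feature: does the payload contain the string s?"""
    return lambda payload: s in payload


def rank_strings(records: List[Tuple[str, int]], candidates: List[str]) -> List[Tuple[str, float]]:
    scored = [(s, information_gain(records, string_present(s))) for s in candidates]
    return sorted(scored, key=lambda pair: -pair[1])


def select_strings(records: List[Tuple[str, int]], candidates: List[str],
                   min_gain: float = 0.05) -> List[str]:
    """Strings worth searching for: those whose presence carries information
    about the label. Strings with gain near zero are noise and are dropped."""
    return [s for s, gain in rank_strings(records, candidates) if gain >= min_gain]


if __name__ == "__main__":
    for s, gain in rank_strings(RECORDS, CANDIDATE_STRINGS):
        print(f"{s!r}: gain {gain:.3f}")
    print("selected:", select_strings(RECORDS, CANDIDATE_STRINGS))
    # A multi-valued feature, the first word of the payload, ranks the same way.
    print("first word:", round(information_gain(RECORDS, lambda p: p.split()[0]), 3))
```

On the constructed set "/etc/passwd" separates the classes completely (gain 1.0), "../" is weakly informative because it also appears in a legitimate path, and "GET" splits both classes evenly (gain 0.0), which is exactly the noisy feature the text says should be eliminated.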
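The last approach the paper covers, model generation by a genetic algorithm, rests on evolving a classifier over training connections and then checking it on connections it has never seen. The following is an added illustration written for this page; it is not the paper's code nor Chittur's implementation. The three connection features, the rule representation (one threshold test on one feature), the training and held-out records, and the GA parameters are all constructed assumptions.

```python
import random
from typing import List, Tuple

# A connection is summarised by three integer features on a 0..9 scale
# (constructed buckets, not real units): duration, kilobytes, failed logins.
FEATURES = ("duration", "kbytes", "failed_logins")
OPS = (">=", "<=")
Record = Tuple[Tuple[int, int, int], int]      # (features, label); 1 = malicious
Rule = Tuple[int, str, int]                    # (feature index, op, threshold)

# Constructed training data: duration and kbytes overlap between the classes;
# only failed_logins >= 3 separates them exactly.
TRAIN: List[Record] = [
    ((2, 5, 0), 0), ((7, 1, 1), 0), ((4, 8, 2), 0),
    ((9, 3, 0), 0), ((1, 9, 1), 0), ((6, 6, 2), 0),
    ((3, 4, 3), 1), ((8, 2, 5), 1), ((5, 7, 4), 1),
    ((2, 8, 6), 1), ((9, 1, 3), 1), ((1, 3, 9), 1),
]
# Constructed held-out data, never shown to the algorithm while evolving.
TEST: List[Record] = [
    ((4, 4, 0), 0), ((8, 8, 1), 0), ((3, 2, 2), 0),
    ((5, 5, 4), 1), ((2, 9, 3), 1), ((7, 1, 7), 1),
]


def predict(rule: Rule, x: Tuple[int, int, int]) -> int:
    i, op, t = rule
    return int(x[i] >= t) if op == ">=" else int(x[i] <= t)


def accuracy(rule: Rule, data: List[Record]) -> float:
    """Fitness: fraction of records the rule labels correctly."""
    return sum(predict(rule, x) == y for x, y in data) / len(data)


def describe(rule: Rule) -> str:
    i, op, t = rule
    return f"{FEATURES[i]} {op} {t}"


def random_rule(rng: random.Random) -> Rule:
    return (rng.randrange(3), rng.choice(OPS), rng.randrange(10))


def mutate(rule: Rule, rng: random.Random, rate: float = 0.3) -> Rule:
    """Randomized mutation: re-pick the feature, flip the operator, nudge the
    threshold by one, or occasionally jump to a random threshold."""
    i, op, t = rule
    if rng.random() < rate:
        i = rng.randrange(3)
    if rng.random() < rate:
        op = OPS[1 - OPS.index(op)]
    if rng.random() < rate:
        t = min(9, max(0, t + rng.choice((-1, 1))))
    if rng.random() < rate / 3:
        t = rng.randrange(10)
    return (i, op, t)


def crossover(a: Rule, b: Rule, rng: random.Random) -> Rule:
    i, op, t = (x if rng.random() < 0.5 else y for x, y in zip(a, b))
    return (i, op, t)


def tournament(pop: List[Rule], fits: List[float], rng: random.Random, k: int = 3) -> Rule:
    return pop[max(rng.sample(range(len(pop)), k), key=lambda j: fits[j])]


def evolve(train: List[Record], generations: int = 60, pop_size: int = 30, seed: int = 7) -> Rule:
    """Evolve a rule on the training set; the fittest individual is carried
    over unchanged (elitism) and evolution stops once training is perfect."""
    rng = random.Random(seed)
    pop = [random_rule(rng) for _ in range(pop_size)]
    best = pop[0]
    for _ in range(generations):
        fits = [accuracy(r, train) for r in pop]
        gen_best = pop[max(range(pop_size), key=lambda j: fits[j])]
        if accuracy(gen_best, train) > accuracy(best, train):
            best = gen_best
        if accuracy(best, train) == 1.0:
            break
        children = [best]
        while len(children) < pop_size:
            parent_a = tournament(pop, fits, rng)
            parent_b = tournament(pop, fits, rng)
            children.append(mutate(crossover(parent_a, parent_b, rng), rng))
        pop = children
    return best


if __name__ == "__main__":
    rule = evolve(TRAIN)
    print(describe(rule), accuracy(rule, TRAIN), accuracy(rule, TEST))
```

The training set is built so that exactly one rule in the 60-rule search space fits it perfectly, which lets the held-out accuracy show whether the evolved model generalises rather than memorises; on realistic data the rule language, the fitness function and the validation split are the design decisions that carry that burden.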
- Finally, the last conclusion about the last approach (Model Generation by Using Genetic Algorithms) is that the success of the genetic algorithm shows that this method is a viable alternative. All hypotheses were proven: the genetic algorithm successfully evolved an individual's model through randomized mutation, and the model generated over training data was successfully able to apply its empirical knowledge to data not seen before. This supports the hypothesis that the characteristics of malicious computer connections are inherently dissimilar to normal connections. The results of this approach show that genetic algorithms are a promising method

REFERENCES
• J. Gomez, F. Gonzalez and D. Dasgupta, "An Immuno-Fuzzy Approach to Anomaly Detection". To appear in the Proceedings of the IEEE International Conference on Fuzzy Systems (FUZZ-IEEE), May 25-28, 2003.
• J. Gomez and D. Dasgupta, "Evolving Fuzzy Classifiers for Intrusion Detection". To appear in the Proceedings of the 2002 IEEE Workshop on Information Assurance, June 2002.
• A. Chittur, "Model Generation for an Intrusion Detection System using Genetic Algorithms". Ossining High School, NY, Nov. 27, 2001.
• L. N. De Castro and F. J. Von Zuben (2000). Artificial Immune Systems: Part II – A Survey of Applications. Technical Report RT DCA 02/00, FEEC/UNICAMP, Brazil, 64 p.
• J. Cannady, "Artificial Neural Networks for Misuse Detection". School of Computer and Information Sciences, Nova Southeastern University, Fort Lauderdale, FL 33314, 1998.
• J. S. Balasubramaniyan, J. O. Garcia-Fernandez, D. Isacoff, E. Spafford and D. Zamboni, "An Architecture for Intrusion Detection using Autonomous Agents". Technical Report 98/05, Department of Computer Sciences, Purdue University, West Lafayette, IN 47907-1315, June 11, 1998.
• W. Lee and S. Stolfo, "Data Mining Approaches for Intrusion Detection," in Proceedings of the 7th USENIX Security Symposium, (San Antonio,
• W. Lee, S. Stolfo and K. W. Mok, "Mining Audit Data to Build Intrusion Detection Models," in American Association for Artificial Intelligence, 1998.
• M. J. Ranum, "Intrusion Detection: Challenges and Myths", CEO, Network Flight Recorder, Inc., 1996.
• Mark Crosbie and Gene Spafford, "Active Defense of a Computer System using Autonomous Agents". Technical Report 95-008, COAST Group, Department of Computer Sciences, Purdue University, West Lafayette, IN 47907-1398, Feb. 1995.
• S. Kumar and Gene Spafford, "A Pattern Matching Model for Misuse Intrusion Detection". COAST Group, Department of Computer Sciences, Purdue University, West Lafayette, IN 47907-1398, 1995.
• Robert A. Clyde, "Intrusion Detection Methodologies: A White Paper", AXENT Technologies, 2001.
• M. Crosbie and E. Spafford, "Applying Genetic Programming to ID", Proceedings of the AAAI 1995 Fall Symposium, 1995.
• Jeremy Frank, "Artificial Intelligence and Intrusion Detection: Current and Future Directions", University of California at Davis, 1994.
• E. Eskin, W. Lee and S. J. Stolfo, "Modeling System Calls for ID with Dynamic Window Sizes", Proceedings of DISCEX II, 2001.

Figures (captions only; the figures themselves are not reproduced here):
Fig. (1) An example of a simple computer network
Fig. (2) Anomaly-based ID
Fig. (3) Misuse-based ID
Fig. (4) Data mining process of building ID models
Fig. (5) General Representation of Next Generation Proactive Identification Model (NeGPAIM)
Fig. (6) An example of the topology used for ANN in IDS
Fig. (7) Genetic Algorithm Theory applied to ID Problem
Dr. Eng. Sattar Bader Sadkhan, Chief Scientific Researcher since 1997, Technology Expert since 2003, Chairman of IEEE IRAQ SECTION and (currently) Postgraduate Lecturer in Babylon University. Expert in: Wireless Digital Communication and Information Security.
Diploma in Radar Equipment Repairing (1970-1974) from Wireless and Radar Training Center – B.Sc. (1974-1978) Baghdad – IRAQ – Electrical and Electronic Engineering. M.Sc. (1979-1981) in VAAZ Academy – BRNO – CZECH Republic – Wireless Communication Engineering. Ph.D. (1981-1984) in VAAZ Academy – BRNO – CZECH Republic – Detection of Digital Modulated Signals. Diploma in Cryptography in 1988 – from Switzerland.
Since 1991 up to 2003, in Communication Research and Development Center – Institute of Research and Development. I am engaged as Researcher in this Center and I obtained the director position of this center in 2000 till 8 April
Postgraduate Lecturer, Director of Cultural Relation and Scientific Affairs, Director of Research Centers of Babylon Studies,
Editor-in-Chief for the International Scientific Journal of Advancement in Computing Technology (IJACT), in South Korea, since beginning of
Member of (80) Scientific and Editing Committees of International Scientific Journals and International Conferences (Arabic and International).
Advisor of more than (100) Postgraduate theses (M.Sc. and Ph.D.).
Published more than (160) papers in (Arabic and International) academic journals and conferences.