Machine learning and AI

Why Artificial Neural Networks (ANN) Technology Offers a Promising Future in IDS/IPS

May 4, 2015 by Daniel Brecht

Intrusion systems have been the subject of considerable research for decades to improve the inconsistencies and inadequacies of existing methods, from basic detectability of an attack to the prevention of computer misuse. It remains a challenge still today to detect and classify known and unknown malicious network activities through identification of intrusive behavioral patterns (anomaly detection) or pattern matching (misuse or signature-based detection). Meanwhile, the number of network attack incidents continues to grow.

Protecting a computer network against attacks or cybersecurity threats is imperative, especially for companies that need to protect not only their own business data but also sensitive information of their clients as well as of their employees. It is not hard to see why even just one breach in data security from a single intrusion of a computer network could wreak havoc on the entire organization. Not only would it question the reliability of the networks' infrastructure, but it could also seriously damage the business's reputation.


An organization's first defense against breaches is a well-defined corporate policy and management of systems, as well as the involvement of users in protecting the confidentiality, integrity, and availability of all information assets. Security awareness training is a baseline for staff to gain the knowledge necessary to deter computer breaches and viruses, mitigate the risks associated with malicious attacks, and defend against constantly evolving threats.

Users' awareness and strict IT policies and procedures can help defend a company from attacks, but when a malicious intrusion is attempted, technology is what helps systems administrators protect IT assets. When it comes to perimeter data security, traditional defense mechanisms should be in layers: firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be used.

Research and new developments in the field of IDPS (Intrusion Detection and Prevention Systems) show that different approaches to anomaly and misuse detection can work effectively in practical settings, even without human interaction or supervision in the process.

Several case studies emphasize that the use of Artificial Neural Networks (ANN) can establish general patterns and identify attack characteristics in situations where rules are not known. A neural network approach can adapt to certain constraints, learn system characteristics, recognize patterns and compare recent user actions to the usual behavior; this allows resolving many issues/problems even without human intervention. The technology promises to detect misuse and improve the recognition of malicious events with more consistency. A neural network is able to detect any instances of possible misuse, allowing system administrators to protect their entire organization through enhanced resilience against threats.

This article explores Artificial Intelligence (AI) as a means to solve the difficulties in identifying intrusions of insecure networks, such as the Internet, and discusses the use of artificial neural networks (ANN) for effective intrusion detection to detect patterns that separate attacks from genuine traffic. It will clarify why ANN technology offers a promising future in the identification of instances of misuse against computer systems.

Furthermore, the article will also point out the different directions in which research on neural networks concentrates, as well as the developments and expected future of the intrusion detection and prevention (IDPS) field.

IDS & IPS Technology: Detection and Prevention Techniques

With computer intrusions—the unauthorized access or malicious use of information resources—becoming more common and a growing challenge to overcome, IT professionals have come to rely more on detection and prevention technologies to protect availability of business-critical information resources and to safeguard data confidentiality and integrity.

IDS tools sniff network packet traffic in search of interferences from external sources and can spot a hacker attempting to gain entry; they are designed to detect threats, misuse or unauthorized access to a system or network and are able to analyze system events for signs of incidents. Using both hardware and software, IDSs can detect anything that is suspicious either on a network or host; they then create alarms that system administrators can review to spot possible malicious entries.

Intrusion detection systems (IDS) can be classified as: Host-based or Network-based, with the former checking individual machines' logs and the latter analyzing the content of network packets; Online or Offline, capable of flagging a threat in real time or after the fact to alert of a problem; Misuse-based or Anomaly-based, with the former comparing activities against known attackers' behavior and the latter checking for deviations from routine behavior.

While an IDS is designed to detect attacks and alert humans to any malicious events to investigate, an IPS is used to prevent malicious acts or block suspicious traffic on the network. There are four different types of IPS: network-based intrusion prevention system (NIPS) that looks at the protocol activity to spot suspicious traffic; wireless intrusion prevention system (WIPS) that analyzes wireless networking protocols and is so important in the BYOD and mobile-centric world; network behavior analysis (NBA) that can spot attacks that create unusual traffic, such as distributed denial of service (DDoS) attacks, and it can use anomaly-based detection and stateful protocol analysis; and host-based intrusion prevention system (HIPS) that can be installed on single machines and can use signature-based and anomaly-based methods to detect problems.

IDS and IPS tools are often used concurrently, as they are not mutually exclusive. Thus IDPS can offer twice the protection. Security technologist and chief technology officer of Co3 Systems Bruce Schneier mentions, "Good security is a combination of protection, detection, and response." That just happens to be what IDPS does; it is deployed for information gathering, logging, detection and prevention. These tools provide threat identification capabilities, attack anticipation, and more. Having a network-based IDPS (NIDPS) with signature-based and anomaly-based detection capabilities allows inspecting the content of all the traffic that traverses the network. NIDPS are essential network security appliances that help in maintaining the security goals. They are widely used, as Indraneel Mukhopadhyay explains, for "identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators."

The familiar Snort—an open-source NIDPS—is a widely used free threat intelligence program, created by Martin Roesch in 1998, that is capable of real-time traffic analysis and packet logging; it utilizes a rules-based detection engine to look for anomalous activity. What makes it a popular choice is its easy-to-use rule language. It can protect even the largest enterprise networks. Snort is an IP-centric program; administrators can view system security logs and find any irregularities or issues relating to things such as improper access patterns. Snort is said to be the most widely deployed intrusion prevention system in the world.

Deploying IDS and IPS devices requires a specialized skill set to ensure they properly identify abnormal traffic and alert network administrators as needed. Along with proper configuration against a predefined rule set provided by the administrator, these devices need to be fine-tuned (as new threats are discovered) in order to weed out false positives, and adjusted to specific network parameters (when the infrastructure has been altered) to maximize accuracy.

Once the type of IDPS technology has been selected, it is key to determine how many components (sensors, agents) will need to be deployed to function accurately to capture security issues, process events and alert appropriate personnel of suspicious activities. Direct network monitoring of the IDPS components like inline sensors between the firewall and the Internet border router is essential to achieve detection and prevention of malicious activity, such as denial of service attacks committed by an intruder. IDPS agents installed on endpoints can not only monitor the current network but also can assign appropriate priorities to alerts.

Past and Present of IDSs

IDPSs are able to monitor the events of interest on systems and/or networks and are then able to identify possible incidents, log information about them, attempt to stop common attacks and report them to security administrators. In the past, Intrusion Detection and Prevention (IDPS) has either been signature-based (checking activity against known attackers' patterns, the signatures), anomaly-based (also referred to as heuristic, alerting when traffic and activity are not normal), or based on stateful protocol analysis, which looks at the "state" of a connection and "remembers" significant events that occur.

These methods are effective but do have some downfalls. IDSs are known to have two main problems: the number of alarms generated and the need for tuning. Anomaly-based detection, for example, needs training and if issues arise during the training period a malicious behavior might be "learned" as legitimate by the system; it's also prone to many false positives. When analysis is based on rules provided by a vendor or an administrator, instead, updates must be frequent to ensure the proper functioning of the system.

The number of alarms generated (many being false) can overwhelm system security managers and prevent them from quickly identifying real ones. The continuous tuning of the intrusion detection system to detect the slightest of variances, and the training required in order to maintain sufficient performance, remain an issue.

With a growing number of intrusion events, there is the need to use innovative intrusion detection techniques for critical infrastructure network protection. Research has concentrated on Artificial Neural Networks (ANNs) that can provide a more flexible approach to intrusion prevention in terms of learning.

As the need for reliable automatic IDPS builds up, for it to gain acceptance as a viable alternative, it needs to function at a sufficient level of accuracy. That is where Neural Networks and Artificial Intelligence can play an effective role in the improvement of intrusion detection systems, with the ability to learn from previous episodes of intrusion to identify new types of attack with less analyst interaction with the IDS itself.

In fact, information system experts believe that Artificial Intelligence (AI) can provide significant improvements to IDS/IPS systems, especially in terms of effectiveness and decreased false positive/negative rates, a major issue in intrusion management.

Next Generation Intrusion Detection and Prevention (IDPS)

Because a new generation of hackers is better organized and equipped than in the past to get past perimeter security, it is clear that a different approach is required, says Joshua Crumbaugh, lead penetration tester at Tangible Security, Inc., NagaSec. As per the DRAFT Special Publication 800-94 Revision 1, Guide to ..., the Next-Generation IDPS for host- and network-based deployment options will have automated identification, location, isolation, and resolution of threats in real time.

A GCN staff post, "What's next in cybersecurity automation," provides insight on the Enterprise Automated Security Environment (EASE) concept for "shared situational awareness in cyber-relevant time" and, with the concerted efforts of government and private sector interests, the concept may foster continuous innovation for cyberspace defense across the board. Besides EASE, the US Government has already evaluated other options to defend against cyber-attacks that undermine homeland security. It pursued, for example, a project to develop a smart network of sensors (named Einstein) to detect cyber-attacks against critical infrastructures.

IPS/IDS has changed, as research shows, with AI techniques that have improved IDSs by making them capable of detecting both current and future intrusion attacks while triggering fewer false positives and negatives. New ANNIDS (neural networks applied to IDS) techniques have been able to improve the way detection systems are trained to recognize patterns, conduct problem solving and perform fault diagnosis too.

In today's world, there is the need "for building high-speed, reliable, robust and scalable ANN-based network intrusion detection and prevention system that is highly useful for [humankind] and organizations," Mukhopadhyay says. Neural network based AIs are able to discover emergent collective properties that are too complex to be noticed by either humans or other computer techniques. AI based techniques are used to classify behavior patterns of a user and an intruder in a way that minimizes false alarms from happening, explains Archit Kumar, India, an M.Tech Student, Department of CSE, in a research paper for IJARCSMS.

IDS based on ANN uses algorithms that can analyze the captured data and judge whether the data is an intrusion or not by means of behavioral analysis of the neural computation during both learning and recall. Although ANNIDS' main drawbacks are lower detection precision for low-frequency attacks and weaker detection stability in the beginning, it is a suitable solution for intrusion detection and network security, says Suresh Kashyap, an Indian research scholar at the Dr. C.V. Raman University. He adds that ANNIDS can be trained and tested on customized datasets, enabling it to identify known and unknown (new) attacks with increasing accuracy when other methods fail.
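The following is an added illustration, not code from the article or from any project it cites: a small feed-forward ANN in pure Python, trained by backpropagation on constructed connection records to judge whether each record is an intrusion, then scored on held-out records for accuracy and for the false positives and false negatives discussed earlier. The four feature names, their value ranges and the two synthetic attack profiles are assumptions made for the example.

```python
import math
import random

# Constructed connection records (synthetic, not a real capture): four features scaled to
# [0, 1] -> [duration, bytes_out, failed_logins, syn_ratio]; label 1 = intrusion, 0 = normal.
def make_dataset(n_per_class, seed):
    rng = random.Random(seed)
    data = []
    for _ in range(n_per_class):
        data.append(([rng.uniform(0.0, 0.4) for _ in range(4)], 0))  # normal: modest everywhere
        if rng.random() < 0.5:  # brute-force style: many failed logins
            x = [rng.uniform(0.1, 0.6), rng.uniform(0.0, 0.3), rng.uniform(0.6, 1.0), rng.uniform(0.0, 0.4)]
        else:                   # flood style: short connections, high SYN ratio
            x = [rng.uniform(0.0, 0.1), rng.uniform(0.0, 0.2), rng.uniform(0.0, 0.2), rng.uniform(0.7, 1.0)]
        data.append((x, 1))
    rng.shuffle(data)
    return data

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

class TinyANN:
    """One hidden layer and one sigmoid output estimating P(intrusion | features)."""
    def __init__(self, n_in, n_hidden, seed=0):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0
    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(self.w1, self.b1)]
        return h, sigmoid(sum(w * hi for w, hi in zip(self.w2, h)) + self.b2)
    def train(self, data, epochs=200, lr=0.5):
        """Stochastic gradient descent with backpropagation on the log loss."""
        for _ in range(epochs):
            for x, y in data:
                h, out = self.forward(x)
                d_out = out - y  # gradient of log loss w.r.t. the output pre-activation
                d_h = [d_out * w * hi * (1 - hi) for w, hi in zip(self.w2, h)]
                for j, hj in enumerate(h):
                    self.w2[j] -= lr * d_out * hj
                self.b2 -= lr * d_out
                for j, row in enumerate(self.w1):
                    for i, xi in enumerate(x):
                        row[i] -= lr * d_h[j] * xi
                    self.b1[j] -= lr * d_h[j]
    def predict(self, x, threshold=0.5):
        return 1 if self.forward(x)[1] >= threshold else 0

def evaluate(model, data, threshold=0.5):
    """Return (accuracy, false_positives, false_negatives) over labelled records."""
    correct = fp = fn = 0
    for x, y in data:
        p = model.predict(x, threshold)
        correct += p == y
        fp += p == 1 and y == 0
        fn += p == 0 and y == 1
    return correct / len(data), fp, fn

def demo():
    model = TinyANN(n_in=4, n_hidden=6)
    model.train(make_dataset(100, seed=1))
    return evaluate(model, make_dataset(100, seed=2))  # held-out records never seen in training
```

Raising the threshold in evaluate trades false positives for false negatives, which is the tuning knob the article's alarm-volume concern refers to.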

Current AI techniques for improving automation of the intrusion detection process are not easily deployable in real life, yet many experiments and tests have been carried out with results showing ANNs capable of detecting intrusive activity in a distributed environment to provide local "threat-level" monitoring of computer DDoS attacks before the successful completion of an intrusion.

ANNs are great in terms of learning capabilities and effectiveness in capturing anomalies in activities, but they also have some significant downfalls, such as, for example, the requirement of high computational resources. Researchers have been working on resolving this issue by trying to find a way to help ANN systems process information faster and more effectively. An approach using AI techniques combined with genetic algorithms and fuzzy logic, for instance, proved well suited for detecting malicious behavior in distributed computer systems. Research has also concentrated on the possibility of clustering data into subgroups using fuzzy clustering and then using a different ANN on each set. Results are obtained faster and are then aggregated to form a complete picture.

Another method explored more recently is deploying new ANN-based intelligent hybrid IDS models for anomaly detection that involve network- and host-based technologies under a single management console. These are also applicable to many environments: from Grid and Cloud Computing to mobile and network computers. In such an architecture, a Distributed Intrusion Detection System (DIDS) that relies on network and host based sensors is apt to increase the efficiency of the system yielding fast results of abnormal data determined by multiple heterogeneous recognition engines and management components to solve security issues.

Whether it is through a hybrid IDS using honeypot technology and anomaly detection or artificial neural network (ANN) based IDS techniques, it is essential to detect and prevent attacks immediately as they are attempted. Information security practitioners suggest organizations are confident that the security control mechanisms they have in place are sufficient for the protection of computer data and programs, but apparently, as per the PwC findings from the 2014 US State of Cybercrime Survey, a good majority of them fail to assess for threats or place emphasis on prevention mechanisms. What's more, they also lack the ability to diagnose and troubleshoot less sophisticated attacks and have yet to consider where IDS/IPS fits in their security plan. Both system solutions work together and form an integral part of a robust network defense solution.

As per the annual Worldwide Infrastructure Security Report (WISR) that provides insight into the Global Threat Landscape, organizations will face even more concerns regarding APT, so they ought to step up their network security defenses with near-real-time intrusion detection to defend critical data and applications from today's sophisticated attacks.

The new reality in IT security is that network breaches are inevitable, and the ability to monitor and control access and behavior patterns and misuse relies upon intrusion detection and prevention methods to be more quickly identified and more effectively addressed. An IDS/IPS is a must-have device; an ANN model based on ESNN learning patterns and classifying intrusion data packets is an effective approach. The main advantages of the ANNs over traditional IDSs are their abilities to learn, classify, process information faster, as well as their ability of self-organization. For these reasons, Neural Networks can increase the accuracy and efficiency of IDSs and AI techniques can improve IDS/IPS effectiveness.

References

Brecht, D. (2010, April 15). Network Intrusion Detection Systems: a 101. Retrieved from

Compare Business Products (2014, March 18). Security: IDS vs. IPS Explained. Retrieved from

GCN. (2014, December 9). What's next in cybersecurity automation. Retrieved from

Infosecurity Magazine. (2011, October 21). Small enterprises are suffering more intrusions, survey finds. Retrieved from

InfoSight Inc. (n.d). Intrusion Detection (IDS) & Intrusion Prevention (IPS). Retrieved from

Kashyap, S. (2013, May). Importance of Intrusion Detection System with its Different approaches. Retrieved from

Kumar, A. (2014, May). Intrusion detection system using Expert system (AI) and […]. Retrieved from

Mukhopadhyay, I. (2014). Hardware Realization of Artificial Neural Network Based Intrusion Detection & Prevention System. Retrieved from

Onuwa, O. (2014, November 29). Improving Network Attack Alarm System: A Proposed Hybrid Intrusion Detection System Model. Retrieved from

Saied, A. (n.d.). Artificial Neural Networks in the detection of known and unknown DDoS attacks: Proof-of-Concept. Retrieved from

Surana, S. (2014). Intrusion Detection using Fuzzy Clustering and Artificial Neural Network. Retrieved from

Vieira, K. (2010, August). Intrusion Detection for Grid and Cloud Computing. Retrieved from

Wang, L. (n.d.). Artificial Neural Network for Anomaly Intrusion Detection. Retrieved from

Zakaria, O. (n.d.). Identify Features and Parameters to Devise an Accurate Intrusion Detection System Using Artificial Neural Network. Retrieved from

Zamani, M. (2013, December 8). Machine Learning Techniques for Intrusion Detection. Retrieved from

Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.