Adaptation of the neural network-based IDS to new attacks detection
In this paper we report our experiment concerning the detection of new attacks by a neural network-based Intrusion Detection System. What is crucial for this topic is adapting a neural network that is already in use so that it correctly classifies both new "normal traffic" and representations of an attack that were not presented during the network training process. For a new attack it should also be easy to obtain vectors with which to test and retrain the neural classifier. We describe a proposed algorithm and a distributed IDS architecture that could achieve the goals mentioned above.
Research Summary
The paper addresses a well‑known limitation of neural‑network‑based intrusion detection systems (IDS): their inability to correctly classify traffic patterns that were not present during the training phase, whether those patterns represent new normal services or novel attacks. To overcome this, the authors propose both an algorithmic approach for automatic collection of previously unseen attack vectors and a distributed IDS architecture that can incorporate these vectors into the learning process in near‑real time.
Two neural‑network models are considered: a multilayer perceptron (MLP) trained with variants of back‑propagation (Levenberg‑Marquardt and resilient BP) and a support‑vector machine (SVM) implemented via LibSVM. The experiments use the classic KDD‑99 dataset (10 % for training, Corrected KDD for testing) and extend it with 14 new attacks generated by the Metasploit framework as well as new normal traffic (VoIP, instant messaging, streaming, online gaming) that were absent from the original dataset.
The proposed IDS consists of three logical modules. The H&N monitor runs on a honeypot placed in the DMZ, analyzes host logs and audit data, and when an attack is detected it extracts the associated network packet, converts it into a KDD‑99‑style feature vector, and forwards it with an alarm to the central module. The Net‑LAN monitor is deployed on each LAN segment; it captures packets via a sniffer, transforms them into the same feature vector format, and classifies them using a local neural‑network classifier. Alarms and vectors are also sent to the central module. The central module aggregates all alarms, retrains a “base classifier” using the newly collected vectors, updates the network’s weight matrix and the number of hidden neurons, and pushes the updated model to every Net‑LAN monitor, thus keeping the entire distributed system synchronized.
In the first experimental phase, both MLP and SVM are evaluated on the original KDD‑99 splits. The MLP achieves a mere 4.26 % detection rate for attacks that were not present in training, while the SVM reaches 18.7 %; both maintain >97 % detection for known attacks and exhibit low false‑alarm rates (≈2 %). This confirms that conventional neural‑network IDS struggle with truly novel patterns.
The second phase focuses on the SVM, which performed better on unseen attacks. After adding the 14 Metasploit attacks and the new normal traffic, the initial test shows four false alarms among the new normal vectors and four missed detections among the new attacks. However, the H&N monitor successfully captures the missed attack vectors from the honeypot. These vectors are fed back to the central module, which retrains the SVM and redistributes the updated model. A subsequent test shows zero false alarms and zero missed detections for all newly introduced traffic, demonstrating that the proposed feedback loop effectively adapts the IDS to emerging threats.
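The feedback loop described above (H&N monitor forwards a honeypot-confirmed vector with an alarm, the central module retrains the base classifier and pushes the new model to every Net-LAN monitor) can be traced in a small simulation. This is an added example, not code from the paper: it replaces the authors' LibSVM classifier with a nearest-centroid stand-in and the 41-feature KDD-99 vectors with constructed 3-feature vectors, so only the architecture, not the classifier, is faithful to the paper.

```python
"""Constructed simulation of the paper's honeypot-driven retraining loop.
Classifier and feature vectors are simplified stand-ins (see lead-in)."""
from statistics import mean

LABELS = ("normal", "attack")


def train(samples):
    """Nearest-centroid 'base classifier': one centroid per class."""
    return {label: [mean(col) for col in zip(*[v for v, l in samples if l == label])]
            for label in LABELS}


def classify(model, vec):
    """Assign the class whose centroid is nearest (squared Euclidean distance)."""
    return min(LABELS, key=lambda l: sum((a - b) ** 2 for a, b in zip(vec, model[l])))


class NetLanMonitor:
    """Per-segment classifier; its model is replaced whenever central pushes one."""
    def __init__(self):
        self.model = None

    def classify(self, vec):
        return classify(self.model, vec)


class CentralModule:
    """Aggregates alarms, retrains the base classifier, redistributes the model."""
    def __init__(self, training):
        self.training = list(training)
        self.model = train(self.training)
        self.monitors = []

    def register(self, monitor):
        self.monitors.append(monitor)
        monitor.model = self.model

    def receive_alarm(self, vec, label):
        # H&N monitor sends the vector extracted from the honeypot plus an alarm.
        self.training.append((vec, label))
        self.model = train(self.training)
        for m in self.monitors:            # push updated model to all Net-LAN monitors
            m.model = self.model


def run_scenario():
    """Returns the Net-LAN verdict on a novel attack before and after retraining."""
    base = [((0.1, 0.2, 0.0), "normal"), ((0.2, 0.1, 0.1), "normal"),   # constructed
            ((0.9, 0.9, 0.8), "attack"), ((0.8, 1.0, 0.9), "attack")]
    central, lan = CentralModule(base), NetLanMonitor()
    central.register(lan)
    novel = (0.3, 0.2, 0.9)                # constructed attack unlike training attacks
    before = lan.classify(novel)           # missed: looks closer to 'normal'
    central.receive_alarm(novel, "attack")  # honeypot confirms it, central retrains
    return before, lan.classify(novel)
```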
The authors discuss several practical considerations. The approach eliminates the need for manual collection of attack samples, enables rapid adaptation to new attacks, and allows real‑time blocking of malicious traffic via the Net‑LAN classifiers. Nevertheless, they acknowledge limitations: the retraining latency in a production environment is not quantified; reliance on the KDD‑99 feature set may cause confusion when new normal traffic closely resembles attack features, suggesting the need for additional or refined features; and the central module represents a potential single point of failure, which could be mitigated by decentralizing or replicating this component.
In conclusion, the paper presents a concrete, implementable framework that combines automatic honeypot‑based data acquisition, distributed neural‑network classification, and centralized, near‑real‑time model updating. Experimental results confirm that this architecture can substantially improve detection rates for previously unseen attacks and correctly classify new normal services, provided that the system’s performance and robustness are further refined for large‑scale deployment.