Detecting Anomalies in Computer Networks Recurrent Neural Networks

Abstract

Due to the widespread use of computer networks as well as the numerous attacks that such networks face, a fast and accurate means of detecting attacks represents an ever growing need. In this paper, a system that uses a recurrent neural network (RNN) is explored as a potential method for detecting intrusions. The investigated system is applied to an unlabeled cyber-security data set in order to determine its effectiveness. The goal is to train the system on every individual user included in the data set so as to learn their behavior and then to allow for the identification of any deviations in their behavior. It should be stressed here that deviations in behavior (or anomalies) cannot be labeled as “intrusions” without the involvement of domain experts. Nevertheless, they can be used to identify potential attacks, and they can also be presented to cyber-security experts for further evaluation. Several architectures for the system are explored with the aim of identifying the optimal one. A system is developed to be both fast and good at identifying anomalous behavior, while at the same time it must be able to adapt to any changes the attackers might implement to avoid detection, thus the results shown in this work using an unlabeled data set to train the network does not allow for the accuracy of the system for identifying the attackers. This means that identifying the optimal architecture is a difficult task. Yet, the system used in this paper is able to identify likely anomalies, which leads to the conclusion that RNNs do represent an effective means of flagging anomalous behavior.