Detecting Anomalous and Unknown Intrusions against Programs in Real-Time.

Abstract
This report discusses the research and results obtained under a Phase I SBIR program awarded by DARPA and the U.S. Missile Command, contract number DAAH01-97-C-R095. The main objective of this Phase I research grant is to study the feasibility of using connectionist approaches to detect anomalous or unknown intrusions against programs in real time. The research resulted in the development of a prototype that can be used to train a neural network on both normal and anomalous usage and behavior of programs. The prototype was applied to the usage of Web-based applications as well as to the usage and behavior of a system utility program. Initial results demonstrate the viability of this approach to detecting unknown attacks against systems through misuse and anomalous behavior of software programs. In addition to presenting the empirical results, we discuss theoretical issues in the constraints of this approach, as well as the commercial potential we see in it. Though many avenues of research, development, and commercialization remain, the initial results from this Phase I project demonstrate the feasibility of using connectionist networks to detect anomalous usage and behavior in programs.
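As an added illustration of the approach the abstract describes, the block below trains a single-layer connectionist unit with the perceptron rule on labelled traces of a program's observable events, then classifies unseen traces as normal or anomalous. This is example code written for this page, not the Phase I prototype; the event vocabulary, the traces and the presence-vector encoding are constructed assumptions standing in for a system utility's behavior.

```python
# Toy connectionist anomaly detector over program event traces.
# Added example for this page; NOT the Phase I prototype's code. The event
# vocabulary, the traces and the presence encoding are constructed assumptions.

EVENTS = ["open", "read", "write", "close", "execve", "socket"]
INDEX = {name: i for i, name in enumerate(EVENTS)}


def encode(trace):
    """Binary presence vector: x[i] = 1 if EVENTS[i] occurs anywhere in trace."""
    x = [0] * len(EVENTS)
    for event in trace:
        x[INDEX[event]] = 1
    return x


# Constructed labelled traces: +1 = anomalous behaviour, -1 = normal behaviour.
TRAINING = [
    (["open", "read", "close"], -1),
    (["open", "write", "close"], -1),
    (["open", "read", "write", "close"], -1),
    (["open", "read", "execve"], +1),
    (["open", "socket", "write"], +1),
]


def train_perceptron(examples, max_epochs=50):
    """Train one threshold unit with the perceptron rule.

    Returns (weights, bias, epochs_used). Training stops at the first epoch
    with no misclassified example; the perceptron convergence theorem
    guarantees that happens when the encoded data is linearly separable.
    """
    weights = [0] * len(EVENTS)
    bias = 0
    for epoch in range(1, max_epochs + 1):
        mistakes = 0
        for trace, label in examples:
            x = encode(trace)
            score = sum(w * xi for w, xi in zip(weights, x)) + bias
            predicted = 1 if score > 0 else -1
            if predicted != label:
                # Move the decision boundary towards the misclassified point.
                mistakes += 1
                weights = [w + label * xi for w, xi in zip(weights, x)]
                bias += label
        if mistakes == 0:
            return weights, bias, epoch
    return weights, bias, max_epochs


def classify(model, trace):
    """Label a trace 'anomalous' if the unit fires, else 'normal'."""
    weights, bias, _ = model
    score = sum(w * xi for w, xi in zip(weights, encode(trace))) + bias
    return "anomalous" if score > 0 else "normal"


def run_demo():
    """Train, then score unseen traces. Returns a dict of named outcomes."""
    model = train_perceptron(TRAINING)
    expected = {tuple(t): ("anomalous" if y > 0 else "normal") for t, y in TRAINING}
    training_errors = sum(
        classify(model, list(t)) != lab for t, lab in expected.items()
    )
    unseen = {
        "normal_like": ["open", "read", "write", "close"],
        "clear_anomaly": ["open", "write", "execve", "socket"],
        # Order is lost by the presence encoding and the training set is tiny,
        # so the unit learned "close absent" as the anomaly cue: this trace
        # contains execve yet is scored normal (a false negative).
        "missed_anomaly": ["open", "read", "execve", "close"],
    }
    verdicts = {name: classify(model, trace) for name, trace in unseen.items()}
    return {"model": model, "training_errors": training_errors, "verdicts": verdicts}


if __name__ == "__main__":
    outcome = run_demo()
    weights, bias, epochs = outcome["model"]
    print(f"converged after {epochs} epochs, weights={weights}, bias={bias}")
    print("training errors:", outcome["training_errors"])
    for name, verdict in outcome["verdicts"].items():
        print(f"{name}: {verdict}")
```

On this data the unit converges in five epochs with zero training error, yet the third unseen trace is a false negative: the order-insensitive encoding and the tiny training set let it key on the absence of `close` rather than the presence of `execve`. The feature encoding, not only the network, determines which misuse is detectable, which is why real deployments encode ordered windows of events rather than a bag of them.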
