Neural network model for detecting network scanning attacks

Abstract

© International Research Publication House This paper discusses the concept and problem of detecting network scanning attacks and describes the targets of network scanning attacks. The main attack methods and approaches to scanning network ports are considered. Intrusion detection systems (IDS) are used to detect network scanning attacks. Based on the method of detecting attacks, such systems are divided into IDS, which detects attacks based on signatures, and IDS, which detects attacks based on anomalies. In practice, it is recommended that these IDS detection methods be used together. It is proposed to use a trained neural network as a tool for detecting network scanning attacks. The implementation of the neural network required to prepare the initial data for training, to determine the parameters of the network, to conduct training, and to evaluate the results of its testing. When developing a neural network model, data from the publicly available set "NSL-KDD" were used. During data processing, entries that were not related to network scanning attacks were removed from the original NSL-KDD set. After processing the initial data, the sample contained 5108 records, 3379 of which characterized normal connections, and 1729 connections were related to network scanning attacks. The Deductor modeling environment was used to build a neural network model. The structure of the constructed neural network was as follows: 11 input neurons, 1 output neuron, and one hidden layer consisting of 23 neurons. The neural network was trained using an error backpropagation algorithm. The quality of the neural network model was assessed using contingency tables with the calculation of the classification accuracy, as well as errors of the first and second kind. The values of these errors turned out to be insignificant. The constructed neural network model revealed most of the connections characterizing network scanning attacks. The neural network assessment confirmed its adequacy and the possibility of effective practical use for detecting network scanning attacks.