Data Mining [5], [6], [7], Expert Systems [8], Fuzzy Logic [9], or Neural Networks
[10], [11], [12] among others - together with statistical [13] and signature verification
[14] techniques have been applied mainly to perform a 2-class classification (nor-
mal/anomalous or intrusive/non-intrusive).
IDS evaluation is not a clear-cut task [15]. Previous work has presented several
techniques to test and evaluate misuse detection models for network-based IDSs. A
testing technique to prove the effectiveness and capability of any visualization-based
IDS when confronted with unknown attacks, working on numerical data, has been
proposed previously [16], [17]. In this work, that method is used to assess different
classifiers in the detection of mutated network scans. The ability to detect such scans
can help identify wider and potentially more dangerous threats to a network. The main
advantage of this testing model is that it confronts the classifiers with brand-new
attacks, network scans in this case.
A port scan may be defined as a series of messages sent to different port numbers
to gain information on their activity status. These messages can be sent by an external
agent attempting to access a host to find out more about the network services the host
is providing. A port scan provides information on where to probe for weaknesses, for
which reason scanning generally precedes any further intrusive activity. This work
focuses on the identification of network scans, in which the same port is probed on
a number of hosts. A network scan is one of the most common techniques used
to identify services that might then be accessed without permission [18].
The remaining sections of this study are structured as follows: section 2 introduces
the proposed testing technique. While the applied classifiers are described in section
3, experimental results are presented in section 4. The conclusions of this study are
discussed in section 5, as well as future work.
2 A Mutation Testing Technique for IDSs
Testing an ID tool is the only way to establish its effectiveness. This paper focuses
on checking the performance of IDSs when confronted with unknown anomalous
situations.
Misuse IDSs based on signatures rely on models of known attacks. The effectiveness
of these IDSs depends on the "goodness" of their models: if the model of an attack
does not cover all of its possible variations, the performance of the IDS will be
greatly impaired.
The proposed mutation testing model was previously applied to a visualization-
based IDS [16], [17] and is based on mutating attack traffic. In general, a mutation
can be defined as a random change. In keeping with this idea, the testing model modi-
fies different features of the numerical information extracted from the packet headers.
The modifications created by this model may involve changes in aspects such as:
attack length (amount of time that each attack lasts), packet density (number of pack-
ets per time unit), attack density (number of attacks per time unit) and time intervals
between attacks. Mutations can also affect both source and destination ports, moving
them between the three ranges of TCP/UDP port numbers: well-known (0 to 1023),
registered (1024 to 49151) and dynamic or private (49152 to 65535).
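As an added illustration of the mutation model described above (this is example code written for this page, not code from the paper or its authors), the following Python sketch represents each packet by the numerical header features the text names and applies one mutation per feature: attack length, packet density, inter-attack intervals (and with them attack density), and source/destination ports moved between the three TCP/UDP port ranges. The Packet dataclass, the sample scan, the 10.0.0.x target addresses and the scaling factors are constructed for the example and are not taken from the paper.

```python
"""Mutating the numerical features of a network scan for IDS testing (illustrative)."""
import random
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Sequence, Tuple

# The three TCP/UDP port ranges the text distinguishes.
PORT_RANGES: Dict[str, Tuple[int, int]] = {
    "well_known": (0, 1023),
    "registered": (1024, 49151),
    "dynamic_private": (49152, 65535),
}


@dataclass(frozen=True)
class Packet:
    """Only the numerical header features the model mutates are kept (assumed layout)."""
    time: float        # seconds since start of capture
    src_port: int
    dst_port: int
    dst_host: str


def make_network_scan(start: float, n_hosts: int, dst_port: int,
                      pps: float, src_port: int = 40000) -> List[Packet]:
    """Constructed sample (not real traffic): one network scan hitting the same
    dst_port on n_hosts consecutive hosts at pps packets per second."""
    return [Packet(start + i / pps, src_port, dst_port, f"10.0.0.{i + 1}")
            for i in range(n_hosts)]


def attack_length(scan: Sequence[Packet]) -> float:
    """Attack length: time between the first and the last packet of one attack."""
    return scan[-1].time - scan[0].time


def packet_density(scan: Sequence[Packet]) -> float:
    """Packets per time unit within one attack (needs at least two packets)."""
    return len(scan) / attack_length(scan)


def attack_density(trace: Sequence[Sequence[Packet]]) -> float:
    """Attacks per time unit over a trace holding several attacks."""
    span = trace[-1][-1].time - trace[0][0].time
    return len(trace) / span


def mutate_length(scan: Sequence[Packet], factor: float) -> List[Packet]:
    """Stretch (factor > 1) or compress (factor < 1) the attack in time while
    keeping its packets, so packet density changes by 1/factor."""
    t0 = scan[0].time
    return [replace(p, time=t0 + (p.time - t0) * factor) for p in scan]


def mutate_packet_density(scan: Sequence[Packet], factor: float) -> List[Packet]:
    """Change packets per time unit while keeping the attack length: the same
    ports are re-spread over more (or fewer) target hosts."""
    n = max(2, round(len(scan) * factor))
    length = attack_length(scan)
    first = scan[0]
    return [Packet(first.time + i * length / (n - 1), first.src_port,
                   first.dst_port, f"10.0.0.{i + 1}") for i in range(n)]


def mutate_ports(scan: Sequence[Packet], dst_range: str,
                 src_range: Optional[str] = None, seed: int = 0) -> List[Packet]:
    """Move the scanned port into another range. The destination port stays the
    same across the whole scan (that is what makes it a network scan); source
    ports, when mutated, are drawn per packet. The seed only makes runs repeatable."""
    rng = random.Random(seed)
    lo, hi = PORT_RANGES[dst_range]
    dst = rng.randint(lo, hi)
    out = []
    for p in scan:
        src = p.src_port
        if src_range is not None:
            slo, shi = PORT_RANGES[src_range]
            src = rng.randint(slo, shi)
        out.append(replace(p, src_port=src, dst_port=dst))
    return out


def mutate_intervals(trace: Sequence[Sequence[Packet]], factor: float) -> List[List[Packet]]:
    """Scale the idle time between consecutive attacks by factor. Attack lengths
    are untouched, so this also changes the attack density of the trace."""
    out = [list(trace[0])]
    for prev, cur in zip(trace, trace[1:]):
        gap = (cur[0].time - prev[-1].time) * factor
        shift = (out[-1][-1].time + gap) - cur[0].time
        out.append([replace(p, time=p.time + shift) for p in cur])
    return out


if __name__ == "__main__":
    base = make_network_scan(0.0, 10, 22, 5.0)
    print("length", attack_length(base), "->", attack_length(mutate_length(base, 2.0)))
    print("dst ports", {p.dst_port for p in mutate_ports(base, "dynamic_private", seed=7)})
```

Each mutation changes exactly one of the features the text lists, so a classifier trained on the original scans can be confronted with variants that differ in a controlled way; combining mutations (for example a stretched scan whose port has moved into the registered range) gives the "brand-new" attacks the testing model is meant to produce.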