4 Experimental Results
This section describes the datasets used to evaluate the proposed testing method
and how they were generated. The results obtained are then detailed.
4.1 Datasets
Real-life datasets have been previously applied to perform ID [16], [17], and it has been
proved that these low-dimensional datasets allow the detection of some anomalous
situations [11]. Packets travelling along the network are characterized by a set
of features extracted from the packet headers, which build up the neural-network
input vector, x ∈ ℜ^5; these features can be listed as follows:
Timestamp: the time the packet was sent.
Source port: the port number of the device that sent the packet.
Destination port: the port number of the target host, i.e. the host to which the
packet is sent.
Protocol ID: an integer number that identifies the protocol (over TCP) of the packet.
Size: the packet size (in bytes).
From these datasets, one was selected as the original one that was later mutated.
It contained examples of two different attacks:
Three different network scans aimed at port numbers 161, 162 and 3750, with a time
difference between the first and the last packet included in each sweep of 17866
ms for port number 161, 22773 ms for port number 162 and 17755 ms for port
number 3750.
An MIB (Management Information Base) information transfer event. This anomalous
situation and its potential risks are fully described in [17], [32].
On the basis of this original dataset, several mutations were generated according to
the testing technique previously described.
Several testing datasets with the following key features were obtained by
mutating different characteristics of the original data:
Case 1 (modifying both the amount of scans and the destination ports):
Data set 1.- only one scan: port 3750.
Data set 2.- two scans: ports 161 and 162.
Data set 3.- only one scan: port 1734.
Data set 4.- two scans: ports 4427 and 4439.
Case 2 (modifying both time and the number of scans):
Data set 5.- three time-expanded scans: ports 161, 162 and 3750.
Data set 6.- three time-contracted scans: ports 161, 162 and 3750.
Data set 7.- one time-expanded scan: port 3750.
Case 3 (modifying both the amount of packets and the destination ports):
Data set 8.- two 5-packet scans: ports 4427 and 4439.
Data set 9.- two 30-packet scans: ports 1434 and 65788.
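The three mutation cases above (number of scans and destination ports, time expansion or contraction, and packets per scan) can be expressed as a handful of operators over the five-feature packet representation. The following is an added example, not code from the paper or its authors: it builds a constructed stand-in for the original capture (three scans whose first-to-last spans match the figures quoted, 17866, 22773 and 17755 ms; packet counts, start times, source port, protocol ID and size are assumed, and the MIB transfer event is not modelled), then derives the nine testing datasets by mutation. A scan is identified simply by its destination port, a simplification of this example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Packet:
    """One packet reduced to the five header features that form the
    neural-network input vector x in R^5."""
    timestamp: int      # milliseconds since the start of the capture
    src_port: int
    dst_port: int
    protocol_id: int
    size: int           # bytes

    def as_vector(self) -> List[int]:
        return [self.timestamp, self.src_port, self.dst_port,
                self.protocol_id, self.size]


def make_scan(dst_port: int, n_packets: int, start_ms: int, span_ms: int,
              src_port: int = 40000, protocol_id: int = 17,
              size: int = 60) -> List[Packet]:
    """Constructed scan: n_packets to dst_port, evenly spread so the last
    packet arrives span_ms after the first (src_port, protocol_id and size
    are assumed values, not taken from the paper)."""
    if n_packets < 2:
        raise ValueError("a scan needs at least two packets to have a time span")
    step = span_ms / (n_packets - 1)
    return [Packet(round(start_ms + i * step), src_port, dst_port, protocol_id, size)
            for i in range(n_packets)]


def by_port(packets: Iterable[Packet]) -> Dict[int, List[Packet]]:
    """Group packets into scans; one destination port = one scan here."""
    groups: Dict[int, List[Packet]] = {}
    for p in packets:
        groups.setdefault(p.dst_port, []).append(p)
    return groups


def scan_span(packets: Iterable[Packet], port: int) -> int:
    """Time difference (ms) between first and last packet aimed at port."""
    ts = [p.timestamp for p in packets if p.dst_port == port]
    return max(ts) - min(ts)


# --- mutation operators, one per characteristic the paper varies ---------

def keep_scans(packets: Iterable[Packet], ports: Set[int]) -> List[Packet]:
    """Cases 1 and 2: change the number of scans by keeping only some ports."""
    return [p for p in packets if p.dst_port in ports]


def remap_ports(packets: Iterable[Packet], mapping: Dict[int, int]) -> List[Packet]:
    """Cases 1 and 3: change destination ports (ports not in mapping stay)."""
    return [replace(p, dst_port=mapping.get(p.dst_port, p.dst_port)) for p in packets]


def scale_time(packets: Iterable[Packet], factor: float) -> List[Packet]:
    """Case 2: expand (factor > 1) or contract (factor < 1) each scan's span,
    anchored at the scan's first packet so the scans do not drift apart."""
    out: List[Packet] = []
    for scan in by_port(packets).values():
        t0 = min(p.timestamp for p in scan)
        out.extend(replace(p, timestamp=round(t0 + (p.timestamp - t0) * factor))
                   for p in scan)
    return sorted(out, key=lambda p: p.timestamp)


def truncate_scans(packets: Iterable[Packet], n: int) -> List[Packet]:
    """Case 3: keep only the first n packets of every scan."""
    out: List[Packet] = []
    for scan in by_port(packets).values():
        out.extend(sorted(scan, key=lambda p: p.timestamp)[:n])
    return sorted(out, key=lambda p: p.timestamp)


def original_dataset() -> List[Packet]:
    """Constructed original capture: 40-packet scans on 161, 162 and 3750
    whose spans match the quoted 17866, 22773 and 17755 ms."""
    return sorted(make_scan(161, 40, 0, 17866) + make_scan(162, 40, 30000, 22773)
                  + make_scan(3750, 40, 60000, 17755), key=lambda p: p.timestamp)


def build_datasets() -> Dict[str, List[Packet]]:
    """Derive the nine testing datasets of Cases 1-3 from the original."""
    orig = original_dataset()
    two = keep_scans(orig, {161, 162})
    return {
        "original": orig,
        "ds1": keep_scans(orig, {3750}),                           # one scan: 3750
        "ds2": two,                                                # two scans: 161, 162
        "ds3": remap_ports(keep_scans(orig, {3750}), {3750: 1734}),
        "ds4": remap_ports(two, {161: 4427, 162: 4439}),
        "ds5": scale_time(orig, 2.0),                              # time-expanded
        "ds6": scale_time(orig, 0.5),                              # time-contracted
        "ds7": scale_time(keep_scans(orig, {3750}), 2.0),
        "ds8": truncate_scans(remap_ports(two, {161: 4427, 162: 4439}), 5),
        "ds9": truncate_scans(remap_ports(two, {161: 1434, 162: 65788}), 30),
    }


if __name__ == "__main__":
    for name, ds in build_datasets().items():
        print(name, len(ds), "packets, ports", sorted({p.dst_port for p in ds}))
```

Each operator returns a new packet list and leaves the original untouched, so every mutated dataset can be traced back to exactly one change of the original capture, which is what lets a failing test case be attributed to a single characteristic (port, timing or packet count) of the input.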