The first issue to consider is the number of scans. Data sets containing one scan (data sets 1, 3 and 7), two sweeps (data sets 2, 4, 8 and 9) or three sweeps (data sets 5 and 6) have been used. Each scan is aimed at a different port number. The implications are crystal clear: hackers can check the vulnerability of as many services/protocols as they want.
A scan checking the protocol/service behind a port can be aimed at any port number (from 0 to 65535). The data sets contain scans aimed at port numbers such as 161 and 162 (well-known ports assigned to the Simple Network Management Protocol), 1434 (registered port assigned to Microsoft-SQL-Monitor, the target of the W32.SQLExp.Worm), 3750 (registered port assigned to CBOS/IP ncapsalation), 4427 and 4439 (registered ports, as yet unassigned) and 65,788 (dynamic or private port).
In order to check the performance of the described ensembles against the time-related strategies, data sets 5, 6 and 7 have been used. Data set 5 was obtained by spreading the packets contained in the three different scans (aimed at ports 161, 162 and 3750) over the captured session. In this data set, there is a time difference of 247360 ms between the first scan packet (in the sweep aimed at port 161) and the last one (in the scan aimed at port 3750). The duration of the captured session (all the packets contained in the data set) is 262198 ms, whereas in the original data set the scan lasts 164907 ms. In the case of data set 7, the same mutation has been performed, but only for the packets relating to the scan aimed at port 3750. The opposite strategy, reducing the time, was used to obtain data set 6. In this case, the time difference between the first and the last packet is about 109938 ms.
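As an added illustration (not code from the paper), the following Python computes the per-scan descriptors this section discusses from a constructed packet list (packets and distinct hosts per scan, time span between first and last scan packet, session duration) and applies a time mutation of the kind used to build data sets 5, 6 and 7. The linear remapping of scan timestamps onto a target window is an assumption, since the paper does not give the formula it used.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    ts_ms: int        # capture timestamp in milliseconds
    dst_host: str
    dst_port: int
    is_scan: bool     # two-class label: scan packet or normal traffic

def scan_summary(packets):
    """Per-port descriptors from the text: packets per scan, targeted hosts, first/last timestamp."""
    scans = {}
    for p in packets:
        if not p.is_scan:
            continue
        s = scans.setdefault(p.dst_port, {"packets": 0, "hosts": set(), "first": p.ts_ms, "last": p.ts_ms})
        s["packets"] += 1
        s["hosts"].add(p.dst_host)          # in a network scan each packet targets a different host
        s["first"], s["last"] = min(s["first"], p.ts_ms), max(s["last"], p.ts_ms)
    return scans

def session_duration_ms(packets):
    """Duration of the whole captured session (all packets in the data set)."""
    return max(p.ts_ms for p in packets) - min(p.ts_ms for p in packets)

def scan_span_ms(packets, ports=None):
    """Time difference between the first and last scan packet, optionally restricted to some ports."""
    ts = [p.ts_ms for p in packets if p.is_scan and (ports is None or p.dst_port in ports)]
    return max(ts) - min(ts)

def rescale_scan_time(packets, ports, start_ms, end_ms):
    """Assumed time mutation: scan packets aimed at `ports` keep their order but have their
    timestamps mapped linearly from [first, last] onto [start_ms, end_ms]. A window as wide as
    the session spreads the scan (data sets 5, 7); a narrower window reduces its time (data set 6)."""
    first = min(p.ts_ms for p in packets if p.is_scan and p.dst_port in ports)
    last = max(p.ts_ms for p in packets if p.is_scan and p.dst_port in ports)
    scale = (end_ms - start_ms) / (last - first) if last > first else 0
    out = []
    for p in packets:
        if p.is_scan and p.dst_port in ports:
            p = replace(p, ts_ms=round(start_ms + (p.ts_ms - first) * scale))
        out.append(p)
    return sorted(out, key=lambda p: p.ts_ms)

# Constructed sample capture (not real data): normal traffic brackets a 161 scan (3 hosts) and a 3750 scan (2 hosts).
SAMPLE = [
    Packet(0, "10.0.0.1", 80, False), Packet(10000, "10.0.0.9", 443, False),
    Packet(1000, "10.0.0.1", 161, True), Packet(1100, "10.0.0.2", 161, True), Packet(1200, "10.0.0.3", 161, True),
    Packet(2000, "10.0.0.1", 3750, True), Packet(2100, "10.0.0.2", 3750, True),
]
```

Spreading both scans over the whole 10000 ms session stretches the scan span to the session duration while leaving per-port packet and host counts unchanged, which is exactly what makes time-based features unreliable on such mutated data.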
Finally, the number of packets contained in each scan was also considered. In the case of a network scan, each packet corresponds to a different host targeted by the scan. Data
Table 1. Results on data set 6 (two classes)

Ensembles                    Classifier                        Correctly Classified Instances
---------------------------  --------------------------------  -----------------------------------------------------------
                             MLP, REPTree, PART, id3, SMO,     Training (99.983%); Classification (100%)
                             SMOreg, Winnow, SPegasos
FilteredClassifier                                             Training (99.983%); Classification (100%)
Adaboost                     JRip                              Training (99.983%); Classification (100%)
MultiboostAB                 JRip                              Training (99.9489%); Classification (100%)
MultiboostAB                 REPTree                           Training (99.983%); Classification (100%)
RandomSubSpace               REPTree                           Training (99.9659%); Classification (100%)
RandomSubSpace               SimpleCart                        Training (99.983%) for both; Classification (100%) for both
RotationForest               REPTree and PART                  Training (99.8636%); Classification (100%)
AttributeSelectedClassifier  SimpleCart                        Training (99.9659%); Classification (100%)
Bagging                      REPTree