source port, destination port and time. It is important to note that our integration method is general (the GNG neural network algorithm), not ad hoc as in previous works. However, we propose a minor modification of the GNG learning algorithm [5], using the C_ID measure to give priority, during integration, to the more reliable and efficient correlation methods, so that these methods carry more weight in the final result. Specifically, we modify the adaptation rule for the reference vectors of the winning neuron and its neighbors with respect to the input pattern, using the C_ID measure of the correlation method that produced the pattern. Thus the displacement of the reference vectors of the winning neuron and its neighbors is proportional to the performance measure of the correlation method associated with the input pattern.
Thus, the neurons of the network will lie closer to the higher-quality input patterns. As a result, the final map will have learned mainly the patterns of correlation methods with great ability to detect but unable to correlate new scenarios. But the map will also have learned patterns that can detect unknown attacks, together with the inherent capacity of neural networks to generalize and recognize new patterns from previously observed ones. Therefore, the neural network can detect both known and new scenarios.
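The weighted adaptation rule described above, as an added Python illustration that is not the paper's own code: a small Growing Neural Gas in which the adaptation rates of the winning neuron and its neighbors are multiplied by the C_ID score of the correlation method that produced the input pattern. The exact form of the weighting (a plain multiplication of both rates by C_ID), the parameter names, and the constructed alert patterns are assumptions; the remaining steps (winner and runner-up selection, edge aging, periodic node insertion, error decay) follow the standard GNG algorithm.

```python
"""Growing Neural Gas whose adaptation step is scaled by a per-method quality
measure (the paper's C_ID). Added illustration only; the weighting rule
(multiplying eps_b and eps_n by C_ID), the parameter names and the sample
alert patterns below are assumptions, not the paper's code or data."""
import random


def dist2(a, b):
    """Squared Euclidean distance between two feature vectors."""
    return sum((u - v) ** 2 for u, v in zip(a, b))


class WeightedGNG:
    def __init__(self, dim, lam=2000, eps_b=0.1, eps_n=0.01, alpha=0.5,
                 beta=0.005, a_max=50, max_nodes=100, seed=0):
        rng = random.Random(seed)
        self.lam, self.eps_b, self.eps_n = lam, eps_b, eps_n
        self.alpha, self.beta, self.a_max, self.max_nodes = alpha, beta, a_max, max_nodes
        self.w = [[rng.random() for _ in range(dim)] for _ in range(2)]  # reference vectors
        self.err = [0.0, 0.0]      # accumulated error per neuron
        self.edges = {}            # frozenset({i, j}) -> age
        self.step = 0

    def neighbors(self, i):
        return [next(iter(e - {i})) for e in self.edges if i in e]

    def learn(self, x, cid=1.0):
        """One GNG iteration on pattern x. cid in [0, 1] is the C_ID score of the
        correlation method that produced x; it scales both adaptation rates, so
        patterns from reliable methods pull the map harder (the modification)."""
        self.step += 1
        s1, s2 = sorted(range(len(self.w)), key=lambda i: dist2(self.w[i], x))[:2]
        self.err[s1] += dist2(self.w[s1], x)
        eb, en = self.eps_b * cid, self.eps_n * cid   # the C_ID-weighted rates
        self.w[s1] = [wi + eb * (xi - wi) for wi, xi in zip(self.w[s1], x)]
        for n in self.neighbors(s1):
            self.w[n] = [wi + en * (xi - wi) for wi, xi in zip(self.w[n], x)]
        for e in list(self.edges):                # age the winner's edges ...
            if s1 in e:
                self.edges[e] += 1
        self.edges[frozenset((s1, s2))] = 0       # ... and refresh winner/runner-up
        for e in [e for e, age in self.edges.items() if age > self.a_max]:
            del self.edges[e]
        self._prune_isolated()
        if self.step % self.lam == 0 and len(self.w) < self.max_nodes:
            self._insert_node()
        self.err = [e * (1 - self.beta) for e in self.err]

    def _prune_isolated(self):
        """Remove neurons left without edges, renumbering the survivors."""
        keep = [i for i in range(len(self.w)) if self.neighbors(i)]
        if len(keep) < 2 or len(keep) == len(self.w):
            return
        remap = {old: new for new, old in enumerate(keep)}
        self.w = [self.w[i] for i in keep]
        self.err = [self.err[i] for i in keep]
        self.edges = {frozenset(remap[i] for i in e): a for e, a in self.edges.items()}

    def _insert_node(self):
        """Insert a neuron halfway between the highest-error neuron q and its
        highest-error neighbor f, splitting their edge."""
        q = max(range(len(self.w)), key=lambda i: self.err[i])
        nq = self.neighbors(q)
        if not nq:
            return
        f = max(nq, key=lambda i: self.err[i])
        r = len(self.w)
        self.w.append([(a + b) / 2 for a, b in zip(self.w[q], self.w[f])])
        del self.edges[frozenset((q, f))]
        self.edges[frozenset((q, r))] = 0
        self.edges[frozenset((f, r))] = 0
        self.err[q] *= self.alpha
        self.err[f] *= self.alpha
        self.err.append(self.err[q])


def make_patterns(rng, n=200):
    """Constructed alert patterns (src_port, dst_port, class, time), all scaled
    to [0, 1], tagged with the C_ID of the hypothetical method that produced them."""
    pats = []
    for _ in range(n):
        if rng.random() < 0.5:      # method A: reliable, C_ID = 0.9
            pats.append(([0.1 + 0.05 * rng.random(), 0.2, 0.1, rng.random()], 0.9))
        else:                       # method B: noisy, C_ID = 0.3
            pats.append(([0.8 + 0.05 * rng.random(), 0.7, 0.9, rng.random()], 0.3))
    return pats


def run_demo(seed=0):
    rng = random.Random(seed)
    gng = WeightedGNG(dim=4, lam=20, a_max=30, seed=seed)
    for x, cid in make_patterns(rng):
        gng.learn(x, cid)
    near_a = sum(1 for w in gng.w if w[0] < 0.5)   # neurons settled near method A
    return {"nodes": len(gng.w), "edges": len(gng.edges), "near_A": near_a}


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the final neuron and edge counts and how many neurons settled near the high-C_ID cluster; the two rate lines in `learn` are the only place the modification lives, so that is the method to inspect when comparing against an unweighted run (call `learn` with `cid=1.0` for every pattern).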
4 Tests and Results
We built our test scenario in order to evaluate the outcome of our approach and compare it with other proposals. Figure 2 shows the test scenario developed.
We used a Snort sensor as the local IDS, possibly the world's most widely used IDS. In the correlation stage, because the approach allows multiple systems, we deployed three: alertSTAT, a tool developed by the University of California that belongs to the scenario-specification type; the PreCons module, which implements the prerequisites and consequences approach defined in [4]; and EMERALD [17], one of the well-known intrusion detection monitors, which performs the correlation process by clustering. The GNG neural network was used in the integration phase, followed by a response module that basically generates reports.
So that the tests are uniform, we used as input features to the GNG neural network the same attributes used in [17]: source and destination addresses and ports, attack class and time. Moreover, the learning parameters of the network were 2000, 0.1, 0.01, 0.5, 0.005.
In order to validate the modification of the GNG algorithm, the tests were conducted both with the original algorithm and with the modified algorithm. In addition, in order to obtain results that can be compared with other proposals, we need to use standardized test data. To date, the DARPA intrusion detection evaluation data is the most comprehensive set known to have been generated for the purpose of evaluating the performance of any given IDS [18].