- Safe signal - s_{i2}, e.g. the inverse rate of change of the number of network packets per second. A high rate of change equals a low safe signal level and vice versa.
  1. a confident indicator of normal behaviour in a predictable manner, or a measure of steady-state behaviour
  2. a measure of an attribute which increases signal concentration due to the lack of change in strength
- Inflammatory signal - s_{i3}, e.g. high system activity when no user is present at a machine
  1. a signal which cannot cause maturation of a DC without the other signals present
  2. a general signal of system distress
Signals, though interesting, are inconsequential without antigen. To a DC, antigen is an element which is carried and presented to a T-cell, without regard for the structure of the antigen. Antigen is the data to be classified, and works well in the form of an identifier, be it an anomalous process ID [5] or the ID of a data item [4]. At this stage, minimal antigen processing is performed and the antigen presented is an identical copy of the antigen collected. Detection is performed through the correlation of antigen with signals: an antigen identifier is classified by the signal context in which the DCs that collected it present it, not by any property of the identifier itself.
4 Return of the Nmap - the Port Scan Experiment Revisited
The purpose of these experiments is as follows:
1. To validate the theoretical model which underpins the DCA
2. To investigate sensitivity to changes in the treatment of signals
3. To apply the DCA to anomaly detection for computer security
4.1 Port Scanning and Data
In this paper, port scanning is used as a model intrusion. While a port scan is not an intrusion per se, it is a 'hacker tool' used frequently during the information gathering stage of an intrusion. It can reveal the topology of a network, open ports and machine operating systems. The behaviour of outgoing port scans provides a small-scale model of an automated attack. While examination of outgoing traffic will not reveal an intruder at the point of entry, it can be used to detect whether a machine has been subverted to send anomalous or virally infected packets. This is particularly relevant for the detection of scanning worms and botnets. The DCA is applied to the detection of an outgoing port scan to a single port across a range of IP addresses, based on the ICMP 'ping' protocol.
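The correlation of antigen with signals described in the previous section, run over the kind of outgoing-scan scenario this subsection describes, as an added example in Python that is not code from the paper or its authors. The weight matrix, migration threshold, number of cells, round-robin feeding of cells and the exact scaling of the derived safe and inflammatory signals are assumptions made for this example; the per-second samples are constructed, not measurements, and the process IDs are placeholders.

```python
"""
Added example, not code from the paper or its authors: a small Dendritic
Cell Algorithm (DCA) run over constructed per-second samples, showing how
antigen (here, process IDs) is correlated with the signal categories in
the text.  Weights, threshold, cell count and the scaling of the derived
signals are illustrative assumptions, not values from the page.
"""
from collections import defaultdict

# Assumed weight matrix: one row per DC output, columns (PAMP, danger, safe).
# Safe signal pushes costimulation and the semi-mature output up and the
# mature output down; PAMP and danger do the opposite.
WEIGHTS = {
    "csm":    (2.0, 1.0, 2.0),
    "semi":   (0.0, 0.0, 1.0),
    "mature": (2.0, 1.0, -1.5),
}


def safe_signal(prev_rate, rate, max_level=100.0):
    """Inverse rate of change of packets/sec, as described for s_{i2}:
    a large jump gives a low safe level, a steady rate a high one."""
    change = abs(rate - prev_rate) / max(min(rate, prev_rate), 1.0)
    return max_level / (1.0 + change)


def inflammatory_signal(cpu_load, user_present):
    """s_{i3}: high system activity with no user present.  Modelled as a
    multiplier on the other signals, so on its own it produces no output."""
    return 1.0 + cpu_load if not user_present else 1.0


def process_signals(pamp, danger, safe, inflammation=1.0):
    """Weighted sums giving the three DC outputs (assumed form)."""
    return {name: inflammation * (w[0] * pamp + w[1] * danger + w[2] * safe)
            for name, w in WEIGHTS.items()}


class DendriticCell:
    def __init__(self, threshold):
        self.threshold = threshold
        self.csm = self.semi = self.mature = 0.0
        self.antigen = []          # identifiers collected, stored verbatim

    def sample(self, antigen_id, outputs):
        """Store antigen and accumulate signals; True once the cell has
        enough costimulation to migrate and present its antigen."""
        self.antigen.append(antigen_id)
        self.csm += outputs["csm"]
        self.semi += outputs["semi"]
        self.mature += outputs["mature"]
        return self.csm >= self.threshold

    def context(self):
        return "mature" if self.mature > self.semi else "semi-mature"


def run_dca(samples, num_cells=4, threshold=300.0):
    """samples: (antigen_id, pamp, danger, packets_per_sec, cpu_load,
    user_present), one per second.  Cells are fed round-robin (the real
    DCA samples randomly; round-robin keeps this example deterministic).
    Returns the MCAV per antigen: the fraction of its presentations made
    in the mature context."""
    cells = [DendriticCell(threshold) for _ in range(num_cells)]
    counts = defaultdict(lambda: [0, 0])      # antigen -> [mature, total]
    prev_rate = samples[0][3]
    for i, (antigen_id, pamp, danger, rate, cpu, user) in enumerate(samples):
        safe = safe_signal(prev_rate, rate)
        prev_rate = rate
        outputs = process_signals(pamp, danger, safe,
                                  inflammatory_signal(cpu, user))
        k = i % num_cells
        if cells[k].sample(antigen_id, outputs):
            mature = cells[k].context() == "mature"
            for a in cells[k].antigen:
                counts[a][1] += 1
                counts[a][0] += mature
            cells[k] = DendriticCell(threshold)   # migrated cell is replaced
    return {a: m / t for a, (m, t) in counts.items()}


# Constructed data (not measurements): 20 s of steady traffic from an SSH
# session with a user present, then 20 s in which an unattended, busy
# machine sends bursts of probes.  Process IDs are placeholders.
NORMAL = [("pid 1204", 0.0, 10.0, 50.0, 0.1, True)] * 20
SCAN = [("pid 2231", 50.0, 80.0, rate, 0.8, False)
        for rate in (500.0, 50.0) * 10]
SAMPLES = NORMAL + SCAN

if __name__ == "__main__":
    for antigen, mcav in sorted(run_dca(SAMPLES).items()):
        print(f"{antigen}: MCAV = {mcav:.2f}")
```

With these assumed values the scanning process ends with an MCAV of 1.0 and the SSH session's process with 0.2, so a threshold between them separates the two. The non-zero value for the normal process is deliberate and worth noticing: each cell still held one sample of that antigen when the scan began, and a migrating DC presents every antigen it carries in one context, so the normal identifier is presented in the mature context alongside the scanner's once per cell. That bleed is the price of correlating antigen with signals rather than inspecting antigen structure, and it is why MCAV is a fraction over many presentations rather than a single verdict.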
Data is compiled into 30 sessions, namely 10 attack, 10 normal and 10 control sessions. Each session includes a remote log-in to the monitored machine via SSH, and contains an event. The attack session includes a port scan performed by the popular port scanning tool nmap, using the -sP option for an ICMP 'ping' scan,