across a range of 1020 IP addresses. The normal session includes a transfer of a
file of 2.5MB from the monitored machine to a remote server. The control session
has no event and allows us to observe any signal deviations caused through
monitoring the SSH session.
4.2 Signals and Antigen
Data from the monitored system are collected for the duration of a session. These
values are transformed into signal values and written to a log file. Each signal
value is a normalised real-number, based on a pre-defined maximum value. For
this experiment the signals used are PAMPs, danger and safe signals. Inflammatory
cytokines ($S_{i4}$) do not feature as they are not relevant for this particular
problem. PAMPs are represented as the number of “destination unreachable”
errors-per-second recorded on the Ethernet card. When the port scan process
scans multiple IP addresses indiscriminately, the number of these errors
increases, and therefore is a positive sign of suspicious activity. Danger signals
are represented as the number of outbound network packets per second. An
increase in network traffic could imply anomalous behaviour. This alone would not
be useful as legitimate behaviour can cause an increase in network packets. The
safe signals in this experiment are the inverse rate of change of network packets
per second. This is based on the assumption that if the rate of sending network
packets is highly variable, the machine is behaving suspiciously. None of these
signals are enough on their own to indicate an anomaly. In these experiments
the signals are used to detect the port scan, and to not detect the normal file
transfer.
During the session each process spawned from the monitored SSH session is
logged by capturing all system calls made by the monitored processes using
strace. Antigen is created with each system call made by a process, with antigen
represented as the process ID value of a system call. Each antigen is subsequently
processed by the DCA, and those presented with context are assigned an
MCAV for assessment.
4.3 The Experiments
Experiments are performed to examine the influence of using different signal
mappings. In these experiments a signal designed to be a PAMP is used as
a danger signal and vice versa. The same is performed with PAMP and safe
signals. We hypothesise based on previous experience using the DCA that it will
be robust to incorrect signal mapping between danger and PAMP signals, but
will lose detection accuracy if a safe signal is switched with a PAMP.
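The signal transformation of Sect. 4.2 and the signal-mapping swap of the experiment above, as an added Python example that is not from the paper: the per-second counters, the normalisation maxima, and the reading of the safe signal as one minus the normalised change in packets per second are assumptions.

```python
"""Derive normalised PAMP, danger and safe signals from raw per-second counters."""

# Constructed per-second counters: (dest-unreachable errors, outbound packets).
# Seconds 0-3 resemble a steady file transfer; seconds 4-7 resemble a port scan.
SAMPLES = [(0, 400), (0, 410), (0, 405), (0, 395),
           (30, 900), (55, 1500), (60, 300), (48, 1400)]

# Assumed pre-defined maxima used for normalisation (not values from the paper).
MAX_ERRORS = 60.0      # destination-unreachable errors per second
MAX_PACKETS = 1500.0   # outbound packets per second
MAX_DELTA = 1200.0     # change in packets/sec between successive seconds


def clamp01(x):
    """Each signal is a normalised real number in [0, 1]."""
    return max(0.0, min(1.0, x))


def derive_signals(samples, max_errors=MAX_ERRORS, max_packets=MAX_PACKETS,
                   max_delta=MAX_DELTA):
    """Return one dict of PAMP/danger/safe signals per sample.

    PAMP   : destination-unreachable errors per second, normalised.
    danger : outbound packets per second, normalised.
    safe   : inverse rate of change of packets per second, read here as
             1 - (|delta packets| / max_delta): high when the send rate is
             stable, low when it is volatile (assumption).
    """
    out = []
    prev_packets = None
    for errors, packets in samples:
        delta = 0 if prev_packets is None else abs(packets - prev_packets)
        out.append({
            "pamp": clamp01(errors / max_errors),
            "danger": clamp01(packets / max_packets),
            "safe": clamp01(1.0 - delta / max_delta),
        })
        prev_packets = packets
    return out


def remap(signals, mapping):
    """Apply a signal-mapping swap such as {"pamp": "danger", "danger": "pamp"}.

    Keys absent from `mapping` keep their original role.
    """
    return [{mapping.get(k, k): v for k, v in s.items()} for s in signals]
```

Swapping PAMP with danger leaves the scan seconds with high values in both roles, whereas swapping PAMP with safe would feed the scan's error bursts into the signal that suppresses detection.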
We also examine the effect of multiple antigen sampling on the performance of
the algorithm. The DCA is designed so each DC can present multiple antigen on
migration from the sampling population. Each DC presents a small subset of the
total antigen within the tissue for its lifetime in the cell cycle. If multiple copies
of the same antigen are used, robust coverage of input antigen can be achieved.
To investigate the influence of multiple antigen presentation, an experiment is