Figure 3. This shows experiments M1-M4 for the two normal processes, the bash shell (bash) and the ssh daemon (sshd), and the two anomalous processes, namely nmap and the pseudo-terminal slave (pts) which displays the nmap output. The MCAV values for the anomalous processes are significantly higher than those of the normal processes for experiments M1, M2 and M4. Experiment M3 does not show the same trend, though interestingly the nmap MCAV is not significantly different from the values for experiments M1, M2 and M4. All MCAV values for experiment M5 equal 1 because antigen is never presented in a semi-mature context due to the lack of other signals. The normal session is represented in a similar manner, also shown in Figure 3. Significantly lower MCAV values for all processes are reported, with the exception of experiment M3. The processes of interest include the bash shell, the ssh daemon, the file transfer (scp) and a forwarding client (x-forward). In the control experiment the mean MCAV values for all presented antigen were zero: no processes of interest could be highlighted. From this we can assume that the process of remote log-in is not enough to change the behaviour of the machine. All antigens were presented in a safe context, implying steady-state system behaviour reflected through the MCAV output of the algorithm.
4.5 Analysis
In experiment M1 distinct differences are shown in the behaviour of the algorithm for the attack and normal datasets. The MCAV for the anomalous process is significantly larger than the MCAV of the normal processes. This is encouraging as it shows that the DCA can differentiate between two different types of process based on environmentally derived signals. In experiment M2 the PAMP and danger signals were switched. In comparison with the results presented for experiment M1, the MCAV for the anomalous process is not significantly different (paired t-test, p < 0.01). However, in experiment M2 the standard deviations of the mean MCAVs are generally larger, which is especially notable for the nmap process. Potentially, the two signals could be switched (through accidental means or incorrect signal selection) without altering the performance of the algorithm significantly. Experiment M3 involved reversing the mapping of safe and PAMP signals. The safe signal is generated continuously when the system is inactive and, when mapped as a PAMP, constantly generated full maturation in the artificial DCs, shown by the high MCAV value for all processes indiscriminately. Interestingly, in M3 the MCAV value for the anomalous processes in the attack datasets is lower than the values for the normal processes. For the normal dataset, all processes are classified as anomalous, all resulting in an MCAV of 1, a 100% false positive rate. These three experiments show that adding some expert knowledge is beneficial to the performance of the algorithm. This also supports the use of the proposed signal selection schema within the algorithm and has highlighted one key point: danger and PAMP signals should increase in response to a change in the system, whereas a safe signal must be the opposite, namely an indicator of little change within the system.
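To make the effect of the signal mapping concrete, here is an added, simplified dendritic cell algorithm that is not the paper's code: the output-signal weights, migration threshold and the short attack trace are constructed assumptions. Running it with the expert mapping (M1) and with the safe/PAMP mapping reversed (M3) reproduces the pattern discussed above, where the reversed mapping pushes the idle-time normal processes into the mature context and the anomalous ones out of it.

```python
from collections import defaultdict

# Assumed (not the paper's) weights for the DC output signals, ordered
# (PAMP, danger, safe): csm drives migration, semi = normal context,
# mat = anomalous context.
WEIGHTS = {"csm": (2.0, 1.0, 2.0), "semi": (0.0, 0.0, 3.0), "mat": (2.0, 1.0, -1.5)}
MIGRATION_THRESHOLD = 10.0


def run_dca(trace, mapping, n_cells=1):
    """Return {process: MCAV} for a trace of (process, measurements) steps.
    mapping says which measurement feeds each DCA input, e.g.
    {"pamp": "errors", "danger": "pkts", "safe": "idle"}. Each step every
    cell accumulates the mapped signals and one cell (round-robin) samples
    the antigen; a cell whose csm crosses the threshold presents all antigen
    it holds, in the mature context iff mat > semi, then resets."""
    cells = [{"csm": 0.0, "semi": 0.0, "mat": 0.0, "antigen": []} for _ in range(n_cells)]
    presented = defaultdict(lambda: [0, 0])  # process -> [mature count, total]
    for step, (process, measured) in enumerate(trace):
        inputs = tuple(measured[mapping[s]] for s in ("pamp", "danger", "safe"))
        cells[step % n_cells]["antigen"].append(process)
        for cell in cells:
            for out, w in WEIGHTS.items():
                cell[out] += sum(wi * xi for wi, xi in zip(w, inputs))
            if cell["csm"] >= MIGRATION_THRESHOLD:
                mature = cell["mat"] > cell["semi"]
                for antigen in cell["antigen"]:
                    presented[antigen][0] += int(mature)
                    presented[antigen][1] += 1
                cell.update(csm=0.0, semi=0.0, mat=0.0, antigen=[])
    # MCAV = fraction of a process's presentations that were in the mature context
    return {p: m / t for p, (m, t) in presented.items()}


# Constructed attack session: sshd/bash are seen while the host is idle,
# nmap and the pts showing its output come with bursts of packets and errors.
ATTACK_TRACE = [
    ("sshd", {"errors": 0, "pkts": 1, "idle": 4}),
    ("bash", {"errors": 0, "pkts": 1, "idle": 4}),
    ("nmap", {"errors": 4, "pkts": 6, "idle": 0}),
    ("pts", {"errors": 4, "pkts": 6, "idle": 0}),
    ("nmap", {"errors": 4, "pkts": 6, "idle": 0}),
]
M1 = {"pamp": "errors", "danger": "pkts", "safe": "idle"}  # expert mapping
M3 = {"pamp": "idle", "danger": "pkts", "safe": "errors"}  # safe and PAMP swapped

if __name__ == "__main__":
    for name, mapping in (("M1", M1), ("M3", M3)):
        print(name, run_dca(ATTACK_TRACE, mapping))
```

With M1 the two nmap antigen and the pts antigen get an MCAV of 1 and sshd/bash get 0; with M3 the result inverts, which is the 100% false-positive behaviour on idle-time processes described for experiment M3.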
By comparing the results from experiments M1 and M4, the influence of multiple antigen sampled per DC can be observed. In M4, the anomalous processes'