Fig. 3. The rate of detection for attack (upper graph) and normal (lower graph) for the 4 processes of interest (MCAV value) for experiments M1-M4 is shown.

MCAV are significantly greater than that of the normal processes. In comparison with M1, the detection of the anomalous processes was not significantly different for nmap, and was slightly lower for the pts process. Conversely, the MCAV for all normal processes from both the attack and normal datasets was greater than in experiment M1. Examination of the number of antigens presented revealed that fewer antigens per process were presented than in experiment M1. This implies that the MCAV values were generated from a smaller set size, which could be responsible for the differences in detection. Multiple antigen sampling can improve the detection of anomalous processes while reducing the number of normal processes presented as anomalous. More experiments must be performed using a range of antigen vector sizes to confirm this result.

Experiment M5 yielded interesting results, showing it is not possible to discriminate between normal and anomalous (nmap) processes based on the PAMP signal alone. In M5, 3 out of the 10 datasets yielded no results, with insufficient PAMP signal generated to cause antigen presentation. For the remaining 7 datasets, all processes of interest produced an MCAV of 1. No discrimination was made between the normal and anomalous processes. Without discrimination based on the MCAVs, it may still be possible to determine the anomalous process for M5 based on the ratio of presented antigen to antigen input. The ratio for nmap antigen over the 7 successful runs is 0.054, and 0.02 for the ssh daemon. A paired t-test shows that the sshd antigen ratio was significantly larger than the nmap ratio, further confirming the poor performance of DC Lite. One possible explanation for the poor performance of the DCA is that the safe signal
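
The MCAV and the presented-to-input antigen ratio discussed above, as an added example that is not part of the original text or the authors' code. It assumes the usual DCA definition of MCAV (the fraction of a process's presented antigen that was presented in a mature context); all counts are constructed sample data, and `min_presentations` and `margin` are hypothetical thresholds.

```python
from collections import Counter

# Constructed sample data, not the experiments' raw output. Each tuple is one
# antigen presentation: (process name, context), 1 = mature, 0 = semi-mature.
# Counts are chosen so the ratios match the 0.054 and 0.02 quoted above.
M5_PRESENTED = [("nmap", 1)] * 27 + [("sshd", 1)] * 8
M5_INPUT = {"nmap": 500, "sshd": 400, "pts": 100}  # antigen fed in per process

# A mixed-context run for contrast (also constructed).
MIXED_PRESENTED = ([("nmap", 1)] * 18 + [("nmap", 0)] * 2 +
                   [("sshd", 1)] * 1 + [("sshd", 0)] * 2)
MIXED_INPUT = {"nmap": 500, "sshd": 400}


def mcav_report(presented, input_counts, min_presentations=5):
    """Per-process MCAV, presented/input ratio, and a small-sample flag."""
    total, mature = Counter(), Counter()
    for proc, context in presented:
        total[proc] += 1
        mature[proc] += context
    report = {}
    for proc, n_in in input_counts.items():
        n = total[proc]
        report[proc] = {
            "presented": n,
            # MCAV is undefined when nothing was presented for the process.
            "mcav": mature[proc] / n if n else None,
            "ratio": n / n_in if n_in else None,
            # Few presentations means the MCAV rests on a small set.
            "low_sample": n < min_presentations,
        }
    return report


def mcav_discriminates(report, margin=0.1):
    """True if the defined MCAVs are spread by more than `margin`."""
    values = [r["mcav"] for r in report.values() if r["mcav"] is not None]
    return len(values) > 1 and max(values) - min(values) > margin


if __name__ == "__main__":
    for name, data in (("M5-like", (M5_PRESENTED, M5_INPUT)),
                       ("mixed", (MIXED_PRESENTED, MIXED_INPUT))):
        rep = mcav_report(*data)
        print(name, "MCAV discriminates:", mcav_discriminates(rep))
        for proc, row in rep.items():
            print("  ", proc, row)
```

In the M5-like data every presented antigen carries a mature context, so both processes score an MCAV of 1 and only the ratio column differs; in the mixed run the sshd MCAV rests on three presentations and is flagged as a small sample.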