is vital to provide some 'tolerance' for the processes which run constantly such
as the ssh demon. Further investigations will be performed with the use of safe
signals and the role of active suppression in the performance of the DCA.
Fig. 4. Analysis of attack data for experiment M1-M4 in terms of accuracy at different thresholds
The accuracy for experiments M1-M4 is calculated by applying increasing threshold values to the MCAV values for the attack datasets, within a range of 0-1 at 0.1 intervals. If the MCAV value of a process exceeds this threshold then the process is classed as anomalous. The number of true positives and true negatives are calculated. The accuracy is calculated for each experiment (accuracy = (true positives + true negatives) / total number of processes) and the results of this analysis are presented in Figure 4. This figure shows that for experiment M1, if the threshold is between 0.2 and 0.7 the anomaly detection accuracy is 100%. For experiment M2 100% accuracy is also achieved, but in the range of 0.3-0.8. M4 is of interest, as the range at which 100% accuracy is achieved is reduced in comparison to M1 and M2. As expected, M3 performs significantly poorer than all others, as also shown in Figure 4. For the normal dataset a similar analysis showed lower rates of false positives for increasing thresholds, with the exception of M3.
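The threshold sweep described above, written out as an added example (this is not the paper's own code, and the MCAV values and ground-truth labels are constructed here, not taken from experiments M1-M4). It classifies each process as anomalous when its MCAV strictly exceeds the threshold, computes accuracy as (TP + TN) / total at each of the eleven thresholds from 0 to 1 in 0.1 steps, reports the threshold range giving 100% accuracy, and also gives the false-positive rate used for the normal-dataset analysis:

```python
from typing import Dict, Optional, Tuple

# Constructed sample data (assumption, not from the paper): one MCAV value
# per process and whether the process was really part of the attack.
SAMPLE_MCAV: Dict[str, float] = {
    "sshd": 0.05,
    "bash": 0.10,
    "cron": 0.15,
    "attacker_shell": 0.60,
    "port_scan": 0.85,
    "ping_flood": 0.95,
}
SAMPLE_TRUTH: Dict[str, bool] = {
    "sshd": False, "bash": False, "cron": False,
    "attacker_shell": True, "port_scan": True, "ping_flood": True,
}


def thresholds(steps: int = 10):
    """Thresholds 0.0, 0.1, ..., 1.0 (i/steps avoids float drift)."""
    return [i / steps for i in range(steps + 1)]


def classify(mcav: Dict[str, float], threshold: float) -> Dict[str, bool]:
    """A process is anomalous when its MCAV exceeds the threshold."""
    return {proc: value > threshold for proc, value in mcav.items()}


def confusion(predicted: Dict[str, bool], truth: Dict[str, bool]) -> Tuple[int, int, int, int]:
    """Return (TP, TN, FP, FN) for a set of anomaly verdicts."""
    tp = sum(1 for p, a in predicted.items() if a and truth[p])
    tn = sum(1 for p, a in predicted.items() if not a and not truth[p])
    fp = sum(1 for p, a in predicted.items() if a and not truth[p])
    fn = sum(1 for p, a in predicted.items() if not a and truth[p])
    return tp, tn, fp, fn


def accuracy(mcav: Dict[str, float], truth: Dict[str, bool], threshold: float) -> float:
    """accuracy = (TP + TN) / total number of processes."""
    tp, tn, _, _ = confusion(classify(mcav, threshold), truth)
    return (tp + tn) / len(mcav)


def accuracy_sweep(mcav: Dict[str, float], truth: Dict[str, bool], steps: int = 10) -> Dict[float, float]:
    """Accuracy at every threshold, i.e. the data behind a Figure 4 style plot."""
    return {t: accuracy(mcav, truth, t) for t in thresholds(steps)}


def perfect_range(sweep: Dict[float, float]) -> Optional[Tuple[float, float]]:
    """Lowest and highest threshold at which accuracy reaches 100%, if any."""
    perfect = [t for t, acc in sweep.items() if acc == 1.0]
    return (min(perfect), max(perfect)) if perfect else None


def false_positive_rate(mcav: Dict[str, float], truth: Dict[str, bool], threshold: float) -> float:
    """FP / number of normal processes; the quantity tracked for the normal dataset."""
    _, tn, fp, _ = confusion(classify(mcav, threshold), truth)
    normal = tn + fp
    return fp / normal if normal else 0.0


if __name__ == "__main__":
    sweep = accuracy_sweep(SAMPLE_MCAV, SAMPLE_TRUTH)
    for t, acc in sweep.items():
        print(f"threshold {t:.1f}: accuracy {acc:.3f}, "
              f"FPR {false_positive_rate(SAMPLE_MCAV, SAMPLE_TRUTH, t):.3f}")
    print("100% accuracy range:", perfect_range(sweep))
```

With the constructed data the accuracy is 100% only for thresholds 0.2 to 0.5; raising the threshold past the lowest attacking process's MCAV (0.6 here) starts producing false negatives, which is the same trade-off the paper observes when comparing the narrower range of M4 with M1 and M2.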
5 Conclusions
In this paper the DCA has been described in detail and interesting facets of the algorithm have been presented. The importance of careful signal selection has been highlighted through experiments. The DCA is somewhat robust to misrepresentation of the activating danger and PAMP signals, but care must be taken to select a suitable safe signal as an indicator of normality. In addition, the influence of multiple antigen presentation by each DC was investigated. Reduced antigen throughput, a decrease in detection of true positives and an increase in the rate of false positives are observed. The process by which these signals are combined has been described, together with how changes in the semantic mappings of the signals influence the algorithm. Data processing was performed by a population of DCs, and multiplicity in sampling produced improved results. The baseline experiment highlighted that it is not possible to perform detection using a predefined