Thus, for a limited number of attributes and a large number of records, the proposed
algorithm proved more efficient than Apriori.
3 Experiments
3.1 Misuse Detection
For the sake of clarity, the algorithm is described through the example of a number
of attacks. Each attack comprises a number of records (for some attacks tens of
instances are collected), and each record contains the five attributes shown in Table 1. We
extract continuous and discontinuous patterns of these attacks with the misuse
intrusion detection algorithm. The results are shown in Figure 5.
The first examined attack is the Back attack, a denial-of-service attack against
the Apache web server. The Back attack is mounted by submitting HTTP requests whose
URL contains a very large number of front slashes. Each such request ties up an instance
of the httpd process on the victim machine; as the server tries to process these
requests it becomes unable to serve other requests, so the attack
slows the server down. The attack signature in Figure 5 shows the attacker sending HTTP
requests to the victim machine “172.016.114.050” from one particular machine. This flow of
requests consumes excessive processor time. When the original data was checked,
we found that the attribute Src port takes many different values, none of which reaches the
given minimal support value. Consequently, it is replaced by a star in the patterns
and does not appear in the large sequences L(1,0) or in the super-large sequences SupL.
The second simulated attack is the ftp-write attack, which belongs to the R2U
category. It takes advantage of a misconfigured anonymous ftp server that allows
the intruder to add files, such as an .rhosts file, and thereby gain local access to the system.
This is exactly what the patterns in Figure 5 show. Regardless of the values of the
attributes Src port and Dest port, which are represented by stars, the attacker
connects to the victim machine by anonymous ftp, performs some tasks such as creating
a “.rhosts” file, and disconnects from the server. Then, as the second pattern
shows, the attacker logs in to the victim machine using rlogin, connecting back to the server
as the ftp user, and finally performs some illegal actions on the victim machine.
The eject attack, the third simulated attack, belongs to the U2R category. It
exploits a buffer overflow vulnerability in the “eject” binary distributed with Solaris
2.5; a successful exploit yields root access on the attacked
machine. As shown by the attack signature in Figure 5, the attacker telnets to the
workstation “172.016.112.050”, regardless of which source port is used or from
where the attack is launched, which explains the stars in the last three patterns.
The telnet session to the victim machine is then used to deliver the malicious code. The
implanted code, once compiled and run on the victim machine, gives the attacker a command-line
session with root access.
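The star substitution described for the Back signature above, and reused for the Src port and Dest port stars in the ftp-write and eject signatures, can be made concrete with a small support-counting routine. The following is an added example, not code from the paper: the attribute names, the minimal support values and the records (modelled on the Back description, not real DARPA data) are assumptions. For each attribute it finds the values that reach the minimal support, keeps them, and writes a star for any attribute whose values all fall below the threshold; lowering the threshold shows how a star turns back into a set of specific, low-support patterns.

```python
from collections import Counter
from itertools import product

# Assumed attribute names; the page only states that each record has five
# attributes (Table 1 is not reproduced here).
ATTRIBUTES = ("src_ip", "src_port", "dst_ip", "dst_port", "service")

# Constructed records modelled on the Back attack description: one source
# host floods the victim web server with HTTP requests, each from a fresh
# ephemeral source port. These are not real DARPA records.
BACK_RECORDS = [
    ("172.016.112.020", "1030", "172.016.114.050", "80", "http"),
    ("172.016.112.020", "1031", "172.016.114.050", "80", "http"),
    ("172.016.112.020", "1032", "172.016.114.050", "80", "http"),
    ("172.016.112.020", "1033", "172.016.114.050", "80", "http"),
    ("172.016.112.020", "1034", "172.016.114.050", "80", "http"),
]


def large_one_items(records, min_support):
    """Return the (attribute, value) items whose support, i.e. the fraction of
    records containing that value in that attribute, is >= min_support.
    This plays the role of the single-item large set (L(1,0) on the page)."""
    n = len(records)
    counts = Counter(
        (attr, val) for rec in records for attr, val in zip(ATTRIBUTES, rec)
    )
    return {item: c / n for item, c in counts.items() if c / n >= min_support}


def generalize(records, min_support):
    """Build attack signatures from the large items. An attribute keeps each
    of its large values (one pattern per combination); an attribute with no
    large value at all is replaced by the wildcard '*'."""
    large = large_one_items(records, min_support)
    choices = []
    for attr in ATTRIBUTES:
        vals = sorted(v for (a, v) in large if a == attr)
        choices.append(vals or ["*"])
    return [tuple(p) for p in product(*choices)]


def matches(pattern, record):
    """A pattern matches a record when every non-star position agrees."""
    return all(p == "*" or p == v for p, v in zip(pattern, record))


def pattern_support(pattern, records):
    """Fraction of records covered by the (possibly wildcarded) pattern."""
    return sum(matches(pattern, r) for r in records) / len(records)


if __name__ == "__main__":
    # At min support 0.5 the five distinct source ports each sit at 0.2, so
    # src_port collapses to '*' and one signature covers every record.
    # At min support 0.2 each port is large on its own and the single
    # signature splits into five, each covering one record.
    for ms in (0.5, 0.2):
        for pat in generalize(BACK_RECORDS, ms):
            print(ms, pat, pattern_support(pat, BACK_RECORDS))
```

The choice of minimal support is what decides whether an attribute becomes a star: too low and every ephemeral port becomes its own "signature" that matches one record, too high and genuinely discriminating values (the victim address, the service) can disappear as well, so the threshold should be checked against the attribute that is expected to generalize.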
The last simulated attack is ipsweep, which belongs to the probing family.
Attackers use it to determine which hosts on a network are up, as a first step in
searching for vulnerable machines. It can be performed by sending an ICMP echo request
(ping) packet to every possible address within a subnet; listening machines
respond to the sender. The generated attack pattern shows that a Ping packet