Attack type                  Generated patterns for chosen attacks
---------------------------  --------------------------------------------------------
back (DoS)                   Pattern 1: http (service)
Week-2, Friday               Pattern 2: 80 (Des. port)
                             Pattern 3: 135.008.060.182 (Src. IP)
                             Pattern 4: 172.016.114.050 (Des. IP)
                             Pattern 5: http,*,80
                             Pattern 6: 135.008.060.182,172.016.114.050
                             Pattern 7: http,*,80,135.008.060.182
                             Pattern 8: http,*,80,135.008.060.182,172.016.114.050
ftp-write (R2U)              Pattern 1: ftp,*,195.073.151.050,172.016.112.050
Week-2, Friday               Pattern 2: Login,*,195.073.151.050,172.016.112.050
eject (U2R)                  Pattern 1: telnet (service)
Week-6, Thursday             Pattern 2: 23 (Des. port)
                             Pattern 3: 172.016.112.050 (Des. IP)
                             Pattern 4: telnet,*,23
                             Pattern 5: 23,*,172.016.112.050
                             Pattern 6: telnet,*,23,*,172.016.112.050
ipsweep (Probing)            Pattern 1: eco/i,7,7,202.077.162.213,*
Week-3, Wednesday

Fig. 5. Number of chosen attacks, and their behavior as continuous and discontinuous sequences
“eco/i” is always sent from the same source “202.077.162.213”, and the attribute Dest IP address is replaced by a star “*”, which explains that the Ping message is sent to a variety of destinations. That is exactly how the attack is performed.
The experiment indicates that the pattern we obtained differs from the command pattern: it is a new pattern. It can describe attacks more accurately, detect attacks whose features appear only once, improve the detection rate, and offer a new idea for intrusion detection research.
3.2 Anomaly Detection
Data Model and Preprocessing. In our experiments, to evaluate the algorithm as an anomaly detector, we used the Basic Security Module (BSM) audit data collected by DARPA. Besides the many attributes of BSM events, each session contains information on one or more system calls generated by the programs running on the Solaris system. Each session is also labelled with the unique number of the process it belongs to.
Programmatically, for each process all of its sessions are extracted, and the complete ordered sequence of system calls spread across those sessions is recorded. For our data model we recorded only the names of the executed system calls and ignored the other session attributes. The algorithm is then used to transform each process into its continuous and discontinuous patterns. A sample of the system calls generated by one user during two processes, 118 and 102, is shown in Table 1.
Anomaly Model. Our implementation is based on the behavior of normal programs. Two stages have to be defined, the learning stage and the detection stage; both are presented in more detail below.
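As an added illustration of the data model just described (example code, not the paper's implementation), the following Python turns per-process system-call sequences into continuous patterns (contiguous runs of calls) and discontinuous patterns (runs with skipped calls, rendered with the same “*” used in the figure's patterns), keeps the patterns shared by every normal process as a learned profile, and scores a new sequence by how many of its patterns fall outside that profile. The call sequences, the gap limit and the scoring rule are my assumptions, not values from the paper.

```python
from collections import Counter
from itertools import combinations

# Constructed sample in the spirit of the BSM data model: process number ->
# ordered names of the system calls it executed. Not the DARPA records.
PROCESSES = {
    118: ["open", "read", "read", "write", "close"],
    102: ["open", "read", "write", "close"],
}

def continuous_patterns(seq, length):
    """Contiguous windows of `length` calls, e.g. (open, read, write)."""
    return [tuple(seq[i:i + length]) for i in range(len(seq) - length + 1)]

def discontinuous_patterns(seq, length, max_gap):
    """Subsequences of `length` calls whose chosen positions may skip up to
    `max_gap` intermediate calls; each skipped stretch is rendered as '*'.
    With max_gap=0 this yields exactly the continuous patterns."""
    out = set()
    for idx in combinations(range(len(seq)), length):
        if any(b - a - 1 > max_gap for a, b in zip(idx, idx[1:])):
            continue
        pat = [seq[idx[0]]]
        for a, b in zip(idx, idx[1:]):
            if b - a > 1:
                pat.append("*")
            pat.append(seq[b])
        out.add(tuple(pat))
    return out

def pattern_support(processes, length, max_gap):
    """Number of processes in which each pattern occurs (learning stage)."""
    support = Counter()
    for seq in processes.values():
        for pat in discontinuous_patterns(seq, length, max_gap):
            support[pat] += 1
    return support

def shared_patterns(processes, length, max_gap):
    """Patterns present in every process: the normal-behaviour profile."""
    n = len(processes)
    counts = pattern_support(processes, length, max_gap)
    return {",".join(p) for p, c in counts.items() if c == n}

def anomaly_score(profile, seq, length, max_gap):
    """Assumed simple detection rule: share of the sequence's patterns that are
    absent from the profile (0.0 = fully normal, 1.0 = nothing matches)."""
    pats = {",".join(p) for p in discontinuous_patterns(seq, length, max_gap)}
    return len(pats - profile) / len(pats) if pats else 0.0
```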