alert corresponds to a particular class of attacks. Thus, the IDS system in question solves the intrusion detection task.
The connection-based data source is attached to three specialized classifiers, DNS CB, R2U CB and Probe CB, i.e. classifiers trained to detect attacks of the classes "Denial of Service", R2U and Probe respectively. Each of these connection-based data source classifiers transmits the produced decision to a particular meta-classifier (see Fig.2).
The ConnectionWindowFeatures data source forms the input of two specialized classifiers, R2U CW and Probe CW, trained for detection of attacks of the classes R2U and Probe respectively. They also send their decisions to particular classifiers of the meta-level.
The ConnectionWindowTrafficFeatures data source is attached to three specialized classifiers, R2U CWT, Probe CWT and Normal CWT, trained for detection of attacks of the classes R2U and Probe, and of Normal activity (no attacks), respectively. They send their decisions to various classifiers of the meta-level.
The TimeWindowFeatures data source forms the input of three specialized classifiers, DNS TW, R2U TW and Normal TW, trained for detection of attacks of the classes Denial of Service and R2U, and of Normal activity (no attacks), respectively.
The TimeWindowTrafficFeatures data source is attached to three classifiers, DNS TWT, R2U TWT and Probe TWT, trained for detection of the attack classes Denial of Service, R2U and Probe respectively.
At the meta-level, three specialized meta-classifiers are introduced. Each of them is responsible for combining the decisions of the source-based classifiers trained for detection of a particular type of attack or of the Normal situation. They operate in asynchronous mode, making a decision every time an event and data from at least one source-based classifier arrive. A peculiarity of the decision-making structure in question (Fig.2) is that one more decision-combining layer, the top layer, is used. It combines the inputs arriving from the specialized meta-classifiers, thus solving the intrusion detection task.
2.3 Dynamics of IDS Operation
The data and event streams in the implemented IDS prototype are presented in Fig.1.
Let us describe the dynamics of these streams in the process of IDS operation.
A dump of the network traffic is captured by the sensor, Raw Data Sensor. It produces primary events of two types: (1) PacketEvent - receipt of an IP packet, with the Packet data, and (2) ConnectionEvent - completion of a connection, with the Connection data. These events and data are input to the component NetworkFeatureExtractor, intended for extraction of features from the raw data and generation of the secondary events, which are: (1) ConnectionEvent with the associated feature arrays ConnectionBased and ContentBased; (2) ConnectionWindowEvent, indicating completion of a time window containing a given number of connections, with the associated feature arrays ConnectionWindowFeatures and ConnectionWindowTrafficFeatures; (3) TimeWindowEvent, indicating completion of a time window of predefined duration, with the associated feature arrays TimeWindowFeatures and TimeWindowTrafficFeatures.
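The following is an added example, not code from the paper or its prototype, showing how the secondary events of Section 2.3 drive the two-level decision structure of Section 2.2: each event is routed to the source-based classifiers the text names (DNS CB, R2U CWT, etc., written here with underscores), each meta-classifier asynchronously re-combines whatever decisions have arrived so far, and a top layer produces the final decision. The per-class threshold rules standing in for the trained classifiers, the mean-based combining, the Normal meta-classifier and the sample feature values are assumptions made for illustration.

```python
# Event-driven sketch of the multi-level IDS decision structure (added example, not the
# paper's code). Names follow the text; rules, combining and sample data are constructed.

# Secondary event -> specialized source-based classifiers it feeds (from the text).
ROUTING = {
    "ConnectionEvent": ["DNS_CB", "R2U_CB", "Probe_CB"],
    "ConnectionWindowEvent": ["R2U_CW", "Probe_CW", "R2U_CWT", "Probe_CWT", "Normal_CWT"],
    "TimeWindowEvent": ["DNS_TW", "R2U_TW", "Normal_TW", "DNS_TWT", "R2U_TWT", "Probe_TWT"],
}
# Constructed stand-ins for the trained classifiers: one feature threshold per class.
RULES = {"DNS": ("syn_rate", 0.8), "R2U": ("failed_logins", 0.6),
         "Probe": ("distinct_ports", 0.7)}

def source_decision(clf, features):
    """Decision of one source-based classifier: 1.0 = its class is present, else 0.0.
    A Normal_* classifier votes 1.0 only when none of the attack rules fires."""
    cls = clf.split("_")[0]
    if cls == "Normal":
        return 0.0 if any(features.get(k, 0) > t for k, t in RULES.values()) else 1.0
    key, thr = RULES[cls]
    return 1.0 if features.get(key, 0) > thr else 0.0

class MetaClassifier:
    """Combines the decisions of the source-based classifiers trained for one class.
    Asynchronous: keeps the latest decision per source and re-decides on each arrival."""
    def __init__(self):
        self.latest = {}
    def update(self, clf, decision):
        self.latest[clf] = decision
        return sum(self.latest.values()) / len(self.latest)  # mean of decisions so far

class IDS:
    # Assumption: a Normal meta-classifier collects the Normal_* decisions (the text
    # names three meta-classifiers and does not say where these decisions go).
    def __init__(self):
        self.meta = {c: MetaClassifier() for c in ("DNS", "R2U", "Probe", "Normal")}
        self.scores = {c: 0.0 for c in self.meta}  # latest meta-level outputs
    def on_event(self, event, features):
        """Dispatch one secondary event, update the meta-level, return the top-layer decision."""
        for clf in ROUTING[event]:
            cls = clf.split("_")[0]
            self.scores[cls] = self.meta[cls].update(clf, source_decision(clf, features))
        best = max(("DNS", "R2U", "Probe"), key=lambda c: self.scores[c])
        # Top layer: alert only if the best attack score beats the Normal meta-score.
        return best if self.scores[best] > self.scores["Normal"] else "Normal"

if __name__ == "__main__":
    ids = IDS()
    print(ids.on_event("ConnectionEvent", {"failed_logins": 0.9}))        # R2U
    print(ids.on_event("ConnectionWindowEvent", {"failed_logins": 0.2}))  # Normal
    print(ids.on_event("TimeWindowEvent", {"syn_rate": 0.95}))            # DNS
```

The third event shows the asynchronous effect the text describes: the time-window classifiers outvote the earlier connection-based miss for the Denial of Service class, while the R2U meta-score decays as later sources disagree with R2U CB.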