alert corresponds to a particular class of attacks. Thus, the IDS in question solves the intrusion detection task.
Three specialized classifiers are attached to the Connection-based data source: DNS CB, R2U CB and Probe CB, trained to detect attacks of the classes "Denial of Service", R2U and Probe respectively. Each of these connection-based classifiers transmits its decision to a particular meta-classifier (see Fig. 2).
The ConnectionWindowFeatures data source forms the input of two specialized classifiers, R2U CW and Probe CW, trained to detect attacks of the classes R2U and Probe respectively. They also send their decisions to particular classifiers of the meta-level.
Three specialized classifiers are attached to the ConnectionWindowTrafficFeatures data source: R2U CWT, Probe CWT and NormalCWT, trained to detect attacks of the classes R2U and Probe, and Normal activity (no attacks), respectively. They send their decisions to various classifiers of the meta-level.
The TimeWindowFeatures data source forms the input of three specialized classifiers, DNS TW, R2U TW and NormalTW, trained to detect attacks of the classes Denial of Service and R2U, and Normal activity (no attacks), respectively.
Three classifiers are attached to the TimeWindowTrafficFeatures data source: DNS TWT, R2U TWT and ProbeTWT, trained to detect the attack classes Denial of Service, R2U and Probe respectively.
At the meta-level, three specialized meta-classifiers are introduced. Each of them is responsible for combining the decisions of the source-based classifiers trained to detect a particular type of attack or the Normal situation. They operate in asynchronous mode: a meta-classifier makes a decision every time an event with data from at least one source-based classifier arrives, without waiting for the remaining sources. A peculiarity of the decision-making structure in question (Fig. 2) is that one more decision-combining layer, the top layer, is used. It combines the inputs arriving from the specialized meta-classifiers and thus solves the intrusion detection task.
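The two-level decision structure described above, as an added example that is not code from the original paper or its prototype: one stand-in classifier per (data source, class) pair exactly as listed in the text, three meta-classifiers (DoS, R2U, Probe) that re-decide asynchronously every time any source-based decision arrives, and a top layer over the meta decisions. Everything not stated on the page is an assumption and is labelled as such in the code: the feature names and thresholds of the stand-in classifiers, the combination rule (mean of a class's own decisions, discounted by the Normal decisions, which here are sent to all three meta-classifiers), the detection threshold, and the "DoS" label used for the page's "Denial of Service" classifiers.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

ATTACKS = ("DoS", "R2U", "Probe")          # one meta-classifier per attack class

# Specialised source-based classifiers attached to each data source, as listed in the text
# ("DoS" stands for the page's "Denial of Service" classifiers DNS CB, DNS TW, DNS TWT).
SOURCE_CLASSIFIERS: Dict[str, Tuple[str, ...]] = {
    "ConnectionBased": ("DoS", "R2U", "Probe"),
    "ConnectionWindowFeatures": ("R2U", "Probe"),
    "ConnectionWindowTrafficFeatures": ("R2U", "Probe", "Normal"),
    "TimeWindowFeatures": ("DoS", "R2U", "Normal"),
    "TimeWindowTrafficFeatures": ("DoS", "R2U", "Probe"),
}

Scorer = Callable[[dict], float]


def threshold_rule(feature: str, at_least: float, hit: float = 0.9, miss: float = 0.1) -> Scorer:
    """Stand-in for a trained classifier: reports `hit` when feature >= at_least, else `miss`."""
    return lambda f: hit if f.get(feature, 0) >= at_least else miss


# Hypothetical stand-ins for the trained classifiers; feature names and thresholds are assumed.
STAND_IN_SCORERS: Dict[Tuple[str, str], Scorer] = {
    ("ConnectionBased", "DoS"): threshold_rule("syn_without_ack", 1),
    ("ConnectionBased", "R2U"): threshold_rule("failed_logins", 3),
    ("ConnectionBased", "Probe"): threshold_rule("rejected", 1),
    ("ConnectionWindowFeatures", "R2U"): threshold_rule("same_host_failed_logins", 3),
    ("ConnectionWindowFeatures", "Probe"): threshold_rule("distinct_services", 10),
    ("ConnectionWindowTrafficFeatures", "R2U"): threshold_rule("login_service_ratio", 0.5),
    ("ConnectionWindowTrafficFeatures", "Probe"): threshold_rule("rej_ratio", 0.3),
    ("ConnectionWindowTrafficFeatures", "Normal"): threshold_rule("established_ratio", 0.8),
    ("TimeWindowFeatures", "DoS"): threshold_rule("syn_rate", 200),
    ("TimeWindowFeatures", "R2U"): threshold_rule("failed_logins", 3),
    ("TimeWindowFeatures", "Normal"): threshold_rule("idle_ratio", 0.5),
    ("TimeWindowTrafficFeatures", "DoS"): threshold_rule("pps", 5000),
    ("TimeWindowTrafficFeatures", "R2U"): threshold_rule("failed_logins", 3),
    ("TimeWindowTrafficFeatures", "Probe"): threshold_rule("distinct_services", 10),
}


@dataclass
class MetaClassifier:
    """Meta-level combiner for one attack class. Keeps the latest decision of every source-based
    classifier reporting to it and re-decides each time one arrives, never waiting for the rest
    (asynchronous mode). Rule (assumed): mean of the class's own decisions, discounted by the
    mean of the Normal decisions received."""
    target: str
    own: Dict[str, float] = field(default_factory=dict)
    normal: Dict[str, float] = field(default_factory=dict)

    def receive(self, source: str, cls: str, score: float) -> Optional[float]:
        (self.own if cls == self.target else self.normal)[source] = score
        return self.decide()

    def decide(self) -> Optional[float]:
        if not self.own:
            return None                        # nothing about this class has arrived yet
        attack = sum(self.own.values()) / len(self.own)
        if self.normal:
            attack *= 1.0 - sum(self.normal.values()) / len(self.normal)
        return attack


def top_layer(meta: Dict[str, Optional[float]], threshold: float = 0.5) -> Tuple[str, float]:
    """Top combining layer (rule assumed): the strongest attack class wins if its meta score
    reaches `threshold`; otherwise the verdict is Normal with confidence 1 - best score."""
    available = {c: s for c, s in meta.items() if s is not None}
    if not available:
        return "Normal", 1.0                   # no evidence at all yet
    best, score = max(available.items(), key=lambda kv: kv[1])
    return (best, score) if score >= threshold else ("Normal", 1.0 - score)


class DecisionStructure:
    """Source-based classifiers -> three meta-classifiers -> top layer (Fig. 2 of the page)."""
    def __init__(self, scorers: Dict[Tuple[str, str], Scorer] = STAND_IN_SCORERS) -> None:
        self.scorers = scorers
        self.meta = {a: MetaClassifier(a) for a in ATTACKS}

    def on_event(self, source: str, features: dict) -> Tuple[str, float]:
        """One event from a data source: run every specialised classifier attached to that
        source; an attack classifier reports to the meta-classifier of its class, a Normal
        classifier to all three; then the top layer is re-run on the current meta decisions."""
        for cls in SOURCE_CLASSIFIERS[source]:
            score = self.scorers[(source, cls)](features)
            for target in (ATTACKS if cls == "Normal" else (cls,)):
                self.meta[target].receive(source, cls, score)
        return top_layer({a: m.decide() for a, m in self.meta.items()})


def run_syn_flood_demo() -> list:
    """Constructed event sequence resembling a SYN flood; returns the verdict after each event."""
    ids = DecisionStructure()
    events = [
        ("ConnectionBased", {"syn_without_ack": 1, "failed_logins": 0, "rejected": 0}),
        ("TimeWindowFeatures", {"syn_rate": 600, "failed_logins": 0, "idle_ratio": 0.0}),
        ("TimeWindowTrafficFeatures", {"pps": 9000, "failed_logins": 0, "distinct_services": 1}),
    ]
    return [ids.on_event(src, feats) for src, feats in events]
```

The point of the asynchronous mode is visible in `run_syn_flood_demo()`: after the first event only the connection-based classifiers have reported, yet the top layer already returns a DoS verdict; later time-window events refine the meta scores rather than being a precondition for a decision. A meta-classifier whose class has no classifier on the sources seen so far (e.g. DoS after only a ConnectionWindowTrafficFeatures event) reports nothing, and the top layer decides on the classes that have evidence.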
2.3 Dynamics of IDS Operation
The data and event streams in the implemented IDS prototype are presented in Fig.1.
Let us describe the dynamics of these streams in the process of IDS operation.
A dump of the network traffic is captured by the sensor Raw Data Sensor. It produces primary events of two types: (1) PacketEvent, the receipt of an IP packet, with the associated Packet data; and (2) ConnectionEvent, the completion of a connection, with the associated Connection data.
These events and data are input to the component NetworkFeatureExtractor, intended for extracting features from the raw data and generating the secondary events, which are: (1) ConnectionEvent, with the associated feature arrays ConnectionBased and ContentBased; (2) ConnectionWindowEvent, indicating completion of a window containing a given number of connections, with the associated feature arrays ConnectionWindowFeatures and ConnectionWindowTrafficFeatures; (3) TimeWindowEvent, indicating completion of a time window of predefined duration, with the associated feature arrays TimeWindowFeatures and TimeWindowTrafficFeatures.
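The event and data flow of this section, as an added example that is not code from the original paper or its prototype: a stand-in Raw Data Sensor that emits a PacketEvent per packet and a ConnectionEvent when a flow completes, and a NetworkFeatureExtractor that turns those primary events into the three secondary events, each carrying the feature arrays named above. The Packet and Connection records, the feature definitions inside each array, the window of 3 connections and the 2-second time window are all assumptions (the page names the arrays but not their contents), and the packet trace is constructed.

```python
from collections import deque, namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Stand-in for the sensor's Packet data (constructed; one direction of the flow only).
Packet = namedtuple("Packet", "ts src dst dport flags payload", defaults=(b"",))


@dataclass
class Connection:                  # stand-in for the sensor's Connection data
    src: str
    dst: str
    dport: int
    start: float
    end: float = 0.0
    packets: int = 0
    payload: bytes = b""
    flag: str = "S0"               # S0 = only SYN seen, REJ = reset, SF = closed by FIN (simplified)


class RawDataSensor:
    """Primary events: PacketEvent for every packet, ConnectionEvent when a flow completes."""
    def __init__(self) -> None:
        self.open: Dict[Tuple[str, str, int], Connection] = {}

    def feed(self, pkt: Packet) -> List[Tuple[str, object]]:
        events: List[Tuple[str, object]] = [("PacketEvent", pkt)]
        key = (pkt.src, pkt.dst, pkt.dport)
        conn = self.open.setdefault(key, Connection(pkt.src, pkt.dst, pkt.dport, pkt.ts))
        conn.packets, conn.payload, conn.end = conn.packets + 1, conn.payload + pkt.payload, pkt.ts
        if "R" in pkt.flags or "F" in pkt.flags:          # flow completed: emit ConnectionEvent
            conn.flag = "REJ" if "R" in pkt.flags else "SF"
            events.append(("ConnectionEvent", self.open.pop(key)))
        return events


class NetworkFeatureExtractor:
    """Secondary events of the page, each carrying its feature arrays. The feature
    definitions are simplified stand-ins (assumed), not the paper's feature set."""
    def __init__(self, window_connections: int = 3, window_seconds: float = 2.0) -> None:
        self.window_connections, self.window_seconds = window_connections, window_seconds
        self.recent: deque = deque(maxlen=window_connections)   # last N completed connections
        self.completed = 0
        self.tw_start: Optional[float] = None
        self.tw_packets: List[Packet] = []

    def on_primary(self, kind: str, data) -> List[dict]:
        return self._on_packet(data) if kind == "PacketEvent" else self._on_connection(data)

    def _on_packet(self, pkt: Packet) -> List[dict]:
        out: List[dict] = []
        if self.tw_start is None:
            self.tw_start = pkt.ts
        while pkt.ts - self.tw_start >= self.window_seconds:   # close every elapsed time window
            out.append(self._time_window_event())
            self.tw_start += self.window_seconds
            self.tw_packets = []
        self.tw_packets.append(pkt)
        return out

    def _time_window_event(self) -> dict:
        pk, w = self.tw_packets, self.window_seconds
        return {"event": "TimeWindowEvent", "start": self.tw_start,
                "TimeWindowFeatures": {"packets": len(pk), "distinct_src": len({p.src for p in pk}),
                                       "syn_rate": sum(p.flags == "S" for p in pk) / w},
                "TimeWindowTrafficFeatures": {"pps": len(pk) / w,
                                              "bps": sum(len(p.payload) for p in pk) / w}}

    def _on_connection(self, c: Connection) -> List[dict]:
        out = [{"event": "ConnectionEvent",
                "ConnectionBased": {"duration": round(c.end - c.start, 3), "packets": c.packets,
                                    "bytes": len(c.payload), "flag": c.flag, "service": c.dport},
                "ContentBased": {"failed_logins": c.payload.count(b"FAIL")}}]
        self.recent.append(c)
        self.completed += 1
        if self.completed % self.window_connections == 0:      # window of N connections completed
            r = list(self.recent)
            out.append({"event": "ConnectionWindowEvent",
                        "ConnectionWindowFeatures": {"same_dst": sum(x.dst == c.dst for x in r),
                                                     "distinct_services": len({x.dport for x in r}),
                                                     "rej_ratio": sum(x.flag == "REJ" for x in r) / len(r)},
                        "ConnectionWindowTrafficFeatures": {"bytes": sum(len(x.payload) for x in r),
                                                            "mean_packets": sum(x.packets for x in r) / len(r)}})
        return out


def run_pipeline(packets: List[Packet]) -> List[dict]:
    """Raw Data Sensor -> NetworkFeatureExtractor over a packet stream; returns the secondary events."""
    sensor, extractor, events = RawDataSensor(), NetworkFeatureExtractor(), []
    for pkt in packets:
        for kind, data in sensor.feed(pkt):
            events.extend(extractor.on_primary(kind, data))
    return events


# Constructed trace: an HTTP session from A, three reset connects from C (probe-like),
# then an SSH session from A whose payload carries three failed logins.
A, C, B = "10.0.0.5", "10.0.0.7", "10.0.0.9"
SAMPLE_TRACE = [
    Packet(0.0, A, B, 80, "S"), Packet(0.1, A, B, 80, "A", b"GET / HTTP/1.1\r\n"), Packet(0.2, A, B, 80, "F"),
    Packet(0.5, C, B, 21, "S"), Packet(0.6, C, B, 21, "R"),
    Packet(0.7, C, B, 22, "S"), Packet(0.8, C, B, 22, "R"),
    Packet(0.9, C, B, 23, "S"), Packet(1.0, C, B, 23, "R"),
    Packet(2.5, A, B, 22, "S"), Packet(2.6, A, B, 22, "A", b"FAIL\nFAIL\nFAIL\n"), Packet(2.7, A, B, 22, "F"),
]
```

Running `run_pipeline(SAMPLE_TRACE)` shows the two window kinds firing on different clocks: the ConnectionWindowEvent follows the third completed connection regardless of elapsed time, while the TimeWindowEvent for the first two seconds is emitted only when the first packet beyond that window arrives, so it lands between the fourth and fifth ConnectionEvents. The rejected connects from C surface as a high rej_ratio in the connection window, and the failed logins only appear in the ContentBased array of the last connection, which is why the page feeds content, connection-window and time-window arrays to different classifiers.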