All classifiers of the source-based layer as well as the meta-classifiers of the first and top layers were trained and tested on DARPA data [3]¹. Generalized information about the data used for training and testing the classifiers composing the decision structure depicted in Fig. 2 is presented in Table 1.

Table 1. Distribution of attack classes against types of operating systems

Type of OS: Redhat

| Attack class                    | Attack name | Number of cases |
|---------------------------------|-------------|-----------------|
| Denial of Service (DoS) attacks | back        | 4               |
|                                 | land        | 22              |
|                                 | pod         | 35              |
|                                 | smurf       | 11              |
|                                 | teardrop    | 7               |
| DoS attacks in total            |             | 79              |
| Probes attacks                  | ipsweep     | 7               |
|                                 | portsweep   | 5               |
|                                 | satan       | 5               |
| Probes attacks in total         |             | 17              |
| Remote to User (R2U) attacks    | dict        | 1               |
|                                 | guest       | 1               |
|                                 | imap        | 3               |
|                                 | phf         | 5               |
| R2U attacks in total            |             | 10              |
| User to Root (U2R) attacks      | perl        | 5               |

3 Models of Data Ageing

According to the alert correlation strategy used, the decisions of the meta-classifiers are updated whenever a new input ("event") produced by some source-based classifier arrives. Let us recall that, on receiving an updated decision from a source-based classifier, the meta-classifier updates its decision using both the newly received decision and the decisions produced previously by other source-based classifiers at various time instants. The latter decisions have different "ages" and therefore different relevance to the current computer security status. Thus, potential data ageing is one of the important peculiarities of the alert correlation system in question. Let us consider the models of data ageing.

Two data ageing models were explored. The first of them assumes that each datum incoming to the alert correlation layer is assigned a certain "age" at the moment of the computer security status update; if this "age" is less than a fixed threshold (individual for each data source), then the corresponding data are used in the alert correlation "as is". Otherwise, these data are assumed missing:

$$
Ag(D_i(t_{k+1})) =
\begin{cases}
D_i(t_k), & \text{if } t_k \le t_{k+1} < t_k + T_i, \\
\varnothing, & \text{otherwise},
\end{cases}
$$

where $D_i(t)$ stands for the decision of a base classifier associated with the i-th data source, produced at time instant $t$; $t_{k+1}$ stands for the time instant at which the decision $Ag(D_i(t_{k+1}))$ arrives at the meta-classifier; $T_i$ stands for the threshold value of the lifetime of the decision $D_i$ produced by source #i; and $\varnothing$ stands for the missing value.
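The ageing rule above, implemented as an added example (not code from the paper): the correlator keeps the latest decision of every source-based classifier, and on each new event at instant $t_{k+1}$ re-ages all of them against their per-source lifetime $T_i$. The source names, the lifetimes and the majority-vote combination rule of the meta-classifier are assumptions; the paper does not state them.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional

MISSING = None  # plays the role of the missing value in the ageing model


@dataclass
class SourceDecision:
    label: str          # class decided by the source-based classifier, e.g. "DoS"
    produced_at: float  # t_k, the instant at which the source produced it


@dataclass
class AgeingAlertCorrelator:
    """Holds the latest decision D_i(t_k) of every source i and ages it.

    `lifetime` maps source id -> T_i (constructed values; the paper gives none).
    """
    lifetime: Dict[str, float]
    latest: Dict[str, SourceDecision] = field(default_factory=dict)

    def age(self, source: str, now: float) -> Optional[str]:
        """Ag(D_i(t_{k+1})): D_i(t_k) while t_k <= now < t_k + T_i, else missing."""
        d = self.latest.get(source)
        if d is None:  # this source has never reported
            return MISSING
        if d.produced_at <= now < d.produced_at + self.lifetime[source]:
            return d.label
        return MISSING  # the decision has outlived its threshold T_i

    def aged_view(self, now: float) -> Dict[str, Optional[str]]:
        """Input vector the meta-classifier sees at instant `now`."""
        return {s: self.age(s, now) for s in self.lifetime}

    def receive(self, source: str, label: str, t: float) -> Dict[str, Optional[str]]:
        """New event from `source` at t = t_{k+1}: store it and re-age every source."""
        self.latest[source] = SourceDecision(label, t)
        return self.aged_view(t)


def majority_decision(view: Dict[str, Optional[str]]) -> Optional[str]:
    """Assumed meta-classifier rule: majority vote over the non-missing inputs."""
    votes = [v for v in view.values() if v is not MISSING]
    if not votes:
        return MISSING
    return Counter(votes).most_common(1)[0][0]


if __name__ == "__main__":
    # Constructed event stream: three sources with lifetimes 10, 30 and 5 time units.
    c = AgeingAlertCorrelator(lifetime={"net": 10.0, "host": 30.0, "app": 5.0})
    for src, label, t in [("net", "DoS", 0.0), ("host", "DoS", 3.0), ("app", "Normal", 12.0)]:
        view = c.receive(src, label, t)
        print(f"t={t:5.1f} view={view} meta={majority_decision(view)}")
```

At t = 12 the "net" decision from t = 0 has outlived its lifetime of 10 and is reported as missing, while the younger "host" decision is still used as is.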
This model was experimentally investigated and the results were described in full in [5, 8]. The advantages of this model are twofold. On the one hand, this model is simple enough. On the other hand, if some sensors or data sources fail, i.e. do not

¹ Training and testing procedures used in the design of the classifiers are not considered in the paper.