Information Technology Reference
In-Depth Information
The aforementioned protocols are basic ones. The auxiliary ones are as follows:
AttackLogTransmission - the protocol that transmits the attack log (the true labels of the attacks, needed for testing the designed system);
OptionsProtocol - the protocol that adjusts the initial options determining the system's mode of operation.
3. Agent classes and roles to perform
The agent classes introduced in the IDS architecture, and the roles allocated to them, are as follows:
NetLevelAgent - an agent class performing the DataSensor role, intended for raw data preprocessing and extraction of the events and secondary features;
BaseClassifiers - an agent class assigned the DecisionProvider role, performing source-based classification; it produces decisions when it receives an event from "its" source. This class is inherited by several subclasses, which are as follows:
  DOS_CB: produces decisions when it receives the ConnectionEvent event, using ConnectionBased features; it is trained to detect the DoS attack class;
  DOS_TW: produces decisions when it receives the TimeWindowEvent event and TimeWindowFeatures features; it is trained to detect the DoS attack class;
  DOS_TWT: produces decisions after receiving the TimeWindowEvent event and TimeWindowTraficFeatures features; it is trained to detect the DoS attack class;
  Prob_CB: produces decisions after receiving the ConnectionEvent event and ConnectionBased features; it is trained to detect attacks of the class Probes;
  Prob_CW: produces decisions after receiving the ConnectionWindowEvent event and ConnectionWindowFeatures features; it is trained to detect attacks of the class Probes;
  Prob_TWTr: produces decisions after receiving the TimeWindowEvent event and TimeWindowTraficFeatures features; it is trained to detect attacks of the class Probes;
  R2U_CB: produces decisions after receiving the ConnectionEvent event and ConnectionBased features; it is trained to detect attacks of the class R2U;
  R2U_CW: produces decisions after receiving the ConnectionWindowEvent event and ConnectionWindowFeatures features; it is trained to detect attacks of the class R2U;
  R2U_CWT: produces decisions after receiving the ConnectionWindowEvent event and ConnectionWindowTraficFeatures features; it is trained to detect attacks of the class R2U;
  R2U_TWT: produces decisions after receiving the TimeWindowEvent event and TimeWindowTraficFeatures features; it is trained to detect attacks of the class R2U.
Metaclassifiers - an agent class performing the roles DecisionReceiver and DecisionProvider; it is responsible for combining decisions produced by its child classifiers (Fig. 2). It is replicated into the following instances:
  DOS_MC: an agent instance of the Metaclassifier class correlating alerts of the source-based classifiers trained for detection of the DoS attack class;
  Prob_MC: an agent instance of the class Metaclassifier correlating alerts of the source-based classifiers trained for detection of the Probes attack class;
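The following sketch is an added example, not code from the book or from the system it describes. It shows how events reach the base classifiers listed above and how a metaclassifier must hold each child's latest decision, because its children fire on different events. The event, feature-set and classifier names are the page's; the majority-vote rule, the threshold stand-ins for trained models and the `anomaly` feature are assumptions.

```python
# Subscriptions as listed on the page: classifier -> (event, feature set, attack class).
BASE_CLASSIFIERS = {
    "DOS_CB":    ("ConnectionEvent",       "ConnectionBased",                "DoS"),
    "DOS_TW":    ("TimeWindowEvent",       "TimeWindowFeatures",             "DoS"),
    "DOS_TWT":   ("TimeWindowEvent",       "TimeWindowTraficFeatures",       "DoS"),
    "Prob_CB":   ("ConnectionEvent",       "ConnectionBased",                "Probes"),
    "Prob_CW":   ("ConnectionWindowEvent", "ConnectionWindowFeatures",       "Probes"),
    "Prob_TWTr": ("TimeWindowEvent",       "TimeWindowTraficFeatures",       "Probes"),
    "R2U_CB":    ("ConnectionEvent",       "ConnectionBased",                "R2U"),
    "R2U_CW":    ("ConnectionWindowEvent", "ConnectionWindowFeatures",       "R2U"),
    "R2U_CWT":   ("ConnectionWindowEvent", "ConnectionWindowTraficFeatures", "R2U"),
    "R2U_TWT":   ("TimeWindowEvent",       "TimeWindowTraficFeatures",       "R2U"),
}

# ASSUMPTION: constructed stand-ins for the trained models (threshold on one feature).
MODELS = {name: (lambda f: f.get("anomaly", 0) > 0.5) for name in BASE_CLASSIFIERS}


class Metaclassifier:
    """DecisionReceiver and DecisionProvider: combines its children's decisions."""

    def __init__(self, attack_class):
        self.children = [n for n, v in BASE_CLASSIFIERS.items() if v[2] == attack_class]
        self.latest = {}  # child name -> most recent decision (bool)

    def receive(self, child, decision):
        self.latest[child] = decision
        # ASSUMPTION: majority vote; a child that has not reported counts as "no alert".
        votes = sum(self.latest.get(c, False) for c in self.children)
        return votes * 2 > len(self.children)


class NetLevelAgent:
    """DataSensor role: hands each event and its features to subscribed classifiers."""

    def __init__(self, models):
        self.models = models
        classes = {v[2] for v in BASE_CLASSIFIERS.values()}
        self.meta = {c: Metaclassifier(c) for c in classes}

    def publish(self, event, features):
        """features maps feature-set name -> feature dict; returns combined alerts."""
        alerts = {}
        for name, (ev, fset, cls) in BASE_CLASSIFIERS.items():
            if ev == event and fset in features:
                decision = self.models[name](features[fset])
                alerts[cls] = self.meta[cls].receive(name, decision)
        return alerts
```

With these stand-ins, a single anomalous ConnectionEvent does not raise a DoS alert on its own; the alert appears only once a TimeWindowEvent classifier agrees.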