decisions produced by alert correlation agents. The basic services of these agent
classes, structured as depicted in Fig.7, are the following:
IncomingDecision - service responsible for processing the incoming decisions of the child classifiers of the lower layer;
IncomingOption - service responsible for adjusting the agent class options;
DecisionQueueParser - service responsible for processing the incoming decisions stored in the queue;
QM - service implementing alert correlation (meta-classification functionality).
A detailed specification of the state machines implementing the aforementioned services is omitted for lack of space.
4.2.3 Source-Based Classifier Agent Class
The basic services of the Source-based classifier agent class are as follows:
IncomingData - service implementing the processing of incoming events and data;
IncomingOption - service responsible for adjusting the agent class options;
ConnQueueParser - service responsible for processing the incoming decisions stored in the queue (Connection-based, Windows-based);
QConn - service responsible for producing decisions (Alert or Normal).
Like all the services, the aforementioned ones are specified and implemented in
terms of state machines, whose description is omitted for lack of space.
5 Experimental Results
The multi-alert correlation IDS MAS designed according to the principles and architecture
described above was implemented using the MASDK 3.0 platform, which provides support
for MAS technology [7]. All the classifiers composing the proposed homogeneous alert
correlation structure were trained using the VAM [9] and GK2 [6] algorithms.
The resulting system as a whole was tested using DARPA data [3].
Some testing results are illustrated in Fig.8. These figures present information
about the performance quality (probabilities of correct classification, of false alarms
and of signal missing) of the alert correlation classifiers dealing with inputs
produced by the source-based classifiers trained to detect attacks of particular
classes. The data used as the "counter class" in the training procedures consist basically of
normal traffic. However, if, for a source-based classifier, the difference between the sums
of the weights of the rules voting in favor of the Alert and Normal decisions is less than a
selected threshold (computed experimentally for each particular classifier during the testing
procedure), the classifier refuses to classify the input data. Analysis showed that, as a
rule, such a situation actually corresponds to some other class of attacks. Fig.8
illustrates the performance quality of the alert correlation meta-classifier intended for
detection of the DoS class of attacks. It shows graphically the probability distributions
of correct alert detection and of various types of errors. An important observation
is that even if the source-based classifiers are not very precise, at the meta-layer,
where the decisions of the particular source-based classifiers are combined, the
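The refusal rule and the quality measures described above, as an added illustration that is not the paper's code: a source-based classifier sums the weights of the rules voting for Alert and for Normal, refuses to classify when the margin is below a per-classifier threshold, a meta-level combines child decisions by weighted vote (refusals carry no vote), and the probabilities of correct classification, false alarm and signal missing are computed over labelled inputs. The rule base, weights, threshold and connection records are constructed here and stand in for what VAM/GK2 training and DARPA data would supply; the field names (syn_rate, handshake_ratio, avg_bytes) are assumptions.

```python
# Added illustration (not the paper's code): weighted-rule source-based
# classifier with the "refuse to classify" margin rule, weighted-vote
# meta-classifier, and the quality measures named in the text.
# Rules, weights, threshold and events are constructed for the demo.
from dataclasses import dataclass
from typing import Callable, Dict, Sequence

ALERT, NORMAL, REFUSE = "Alert", "Normal", "Refuse"


@dataclass(frozen=True)
class Rule:
    name: str
    fires: Callable[[Dict[str, float]], bool]  # predicate over a connection record
    votes_for: str                             # ALERT or NORMAL
    weight: float                              # constructed; stands in for a trained weight


class SourceBasedClassifier:
    """Produces Alert / Normal, or Refuse when the vote margin is below the threshold."""

    def __init__(self, rules: Sequence[Rule], threshold: float) -> None:
        self.rules = list(rules)
        self.threshold = threshold  # the paper selects this per classifier, experimentally

    def vote_sums(self, event: Dict[str, float]):
        alert_w = sum(r.weight for r in self.rules if r.votes_for == ALERT and r.fires(event))
        normal_w = sum(r.weight for r in self.rules if r.votes_for == NORMAL and r.fires(event))
        return alert_w, normal_w

    def decide(self, event: Dict[str, float]) -> str:
        alert_w, normal_w = self.vote_sums(event)
        if abs(alert_w - normal_w) < self.threshold:
            return REFUSE  # evidence too mixed: per the text, often some other attack class
        return ALERT if alert_w > normal_w else NORMAL


def meta_decide(child_decisions: Sequence[str], child_weights: Sequence[float]) -> str:
    """Combine the decisions of several source-based classifiers by weighted vote.
    Refusals carry no vote; if every child refuses, the meta-level refuses too."""
    alert_w = sum(w for d, w in zip(child_decisions, child_weights) if d == ALERT)
    normal_w = sum(w for d, w in zip(child_decisions, child_weights) if d == NORMAL)
    if alert_w == 0 and normal_w == 0:
        return REFUSE
    return ALERT if alert_w > normal_w else NORMAL


def quality(decisions: Sequence[str], labels: Sequence[str]) -> Dict[str, float]:
    """p_correct over all inputs; p_false_alarm = P(Alert | label Normal);
    p_missing = P(Normal | label Alert); p_refuse = share of refused inputs."""
    n = len(labels)
    normals = [d for d, l in zip(decisions, labels) if l == NORMAL]
    attacks = [d for d, l in zip(decisions, labels) if l == ALERT]
    return {
        "p_correct": sum(d == l for d, l in zip(decisions, labels)) / n,
        "p_false_alarm": (normals.count(ALERT) / len(normals)) if normals else 0.0,
        "p_missing": (attacks.count(NORMAL) / len(attacks)) if attacks else 0.0,
        "p_refuse": list(decisions).count(REFUSE) / n,
    }


# Constructed rule base for a hypothetical DoS-oriented source-based classifier.
DOS_RULES = [
    Rule("high_syn_rate", lambda e: e["syn_rate"] > 100, ALERT, 0.5),
    Rule("tiny_payloads", lambda e: e["avg_bytes"] < 50, ALERT, 0.4),
    Rule("handshakes_complete", lambda e: e["handshake_ratio"] > 0.5, NORMAL, 0.6),
    Rule("low_syn_rate", lambda e: e["syn_rate"] < 20, NORMAL, 0.5),
]

# Constructed connection records with ground-truth labels.
EVENTS = [
    ({"syn_rate": 500, "handshake_ratio": 0.1, "avg_bytes": 0}, ALERT),    # flood
    ({"syn_rate": 5, "handshake_ratio": 0.95, "avg_bytes": 800}, NORMAL),  # ordinary traffic
    ({"syn_rate": 150, "handshake_ratio": 0.6, "avg_bytes": 120}, ALERT),  # mixed evidence: refused
    ({"syn_rate": 30, "handshake_ratio": 0.9, "avg_bytes": 600}, NORMAL),  # busy but benign
    ({"syn_rate": 200, "handshake_ratio": 0.3, "avg_bytes": 10}, NORMAL),  # benign burst: false alarm
    ({"syn_rate": 10, "handshake_ratio": 0.7, "avg_bytes": 0}, ALERT),     # slow attack: missed
]


def run_demo():
    clf = SourceBasedClassifier(DOS_RULES, threshold=0.2)
    decisions = [clf.decide(e) for e, _ in EVENTS]
    labels = [lbl for _, lbl in EVENTS]
    return decisions, quality(decisions, labels)


if __name__ == "__main__":
    decisions, q = run_demo()
    print(decisions)
    print(q)
```

The third record is the case the text singles out: both an Alert rule and a Normal rule fire with nearly equal weight, so the classifier refuses rather than guess, and the refusal counts neither as a false alarm nor as a miss in the quality figures.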