Recognition
{
    Get pattern; // "antigen"
    Map the pattern to SFIN;
    Find nearest cell of SFIN;
    Assign class of the nearest cell to the pattern;
}
This IC algorithm has been implemented in a version of the immunochip emulator
using the following standard tools:
- MS Windows XP Operating System;
- MS Visual C++ 6.0 Developer Studio;
- OpenGL for three-dimensional (3D) visualization.
A screenshot of the emulator is shown in Fig. 1.
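The following is an added illustration of the Recognition step above, not code from the paper or the emulator: a KDD-99-style connection record is mapped to the SFIN, the nearest cell is found and its class is assigned. The SFIN is modelled here as a set of labelled unit vectors, the per-feature scales and the cells themselves are constructed assumptions standing in for the learning step, and the records are constructed rather than taken from the KDD data.

```python
import math

# Feature order (constructed, KDD-99 style connection-record fields):
# duration, src_bytes, dst_bytes, count, serror_rate, num_failed_logins.
# Per-feature scales for the [0, 1] normalisation are assumed, not from the paper.
SCALE = [1000.0, 10000.0, 10000.0, 511.0, 1.0, 5.0]

def map_to_sfin(record):
    """Scale a raw record to [0, 1] per feature, then project it onto the unit
    sphere (assumed model of the SFIN: cells and patterns are unit vectors)."""
    scaled = [min(v / s, 1.0) for v, s in zip(record, SCALE)]
    norm = math.sqrt(sum(x * x for x in scaled))
    if norm == 0.0:
        # All-zero record: pin it to a fixed pole so it still lands on the sphere.
        return [1.0] + [0.0] * (len(scaled) - 1)
    return [x / norm for x in scaled]

def nearest_cell(point, cells):
    """Return (cell, distance) for the cell closest to the point (Euclidean)."""
    best, best_d = None, float("inf")
    for cell in cells:
        d = math.sqrt(sum((p - c) ** 2 for p, c in zip(point, cell["pos"])))
        if d < best_d:
            best, best_d = cell, d
    return best, best_d

def recognise(record, cells):
    """The Recognition step: map the 'antigen' to the SFIN, find the nearest
    cell, return its class together with the distance (a confidence hint)."""
    cell, d = nearest_cell(map_to_sfin(record), cells)
    return cell["cls"], d

# Constructed cells, standing in for the output of the learning step (not shown here).
CELLS = [
    {"cls": "normal", "pos": map_to_sfin([2, 300, 1500, 5, 0.0, 0])},
    {"cls": "DOS", "pos": map_to_sfin([0, 0, 0, 511, 1.0, 0])},  # syn-flood-like
    {"cls": "R2L", "pos": map_to_sfin([10, 100, 50, 1, 0.0, 4])},  # password-guessing-like
]

# Constructed test records (not KDD-99 data).
SAMPLES = {
    "web_ok": [1, 250, 2000, 3, 0.0, 0],
    "flood": [0, 0, 0, 480, 0.97, 0],
    "guess": [8, 90, 60, 2, 0.0, 3],
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        cls, d = recognise(rec, CELLS)
        print(f"{name}: class={cls} distance={d:.3f}")
```

Because nearest-cell recognition assigns a class to every pattern, the returned distance is what an analyst can use to flag decisions where the antigen lies far from all cells instead of trusting the label blindly.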
4 Test Data
The well-known UCI KDD archive has been used for testing the emulator. This is the data
set used for the Third International Knowledge Discovery and Data Mining Tools
Competition, which was held in conjunction with KDD-99, the Fifth International
Conference on Knowledge Discovery and Data Mining. The competition task was to
build a network intrusion detector: a predictive model capable of distinguishing
between "bad" connections, called intrusions or attacks, and "good" normal
connections.
The 1998 DARPA Intrusion Detection Evaluation Program was prepared and
managed by MIT Lincoln Labs. The objective was to survey and evaluate research in
intrusion detection. A standard set of data to be audited, which includes a wide variety
of intrusions simulated in a military network environment, was provided. The 1999
KDD intrusion detection contest used a version of this dataset.
Lincoln Labs set up an environment to acquire nine weeks of raw transmission
control protocol (TCP) dump data for a LAN simulating a typical US Air Force LAN.
They operated the LAN as if it were a true Air Force environment, but peppered it
with multiple attacks.
The raw training data was about four gigabytes of compressed binary TCP dump
data from seven weeks of network traffic. This was processed into about five million
connection records. Similarly, the two weeks of test data yielded around two million
connection records.
A connection is a sequence of TCP packets starting and ending at some well-defined
times, between which data flows between a source IP address and a target IP
address under some well-defined protocol. Each connection is labeled either as
normal or as an attack, with exactly one specific attack type. Each connection record
consists of about 100 bytes.
Attacks fall into 4 main categories:
- DOS: denial-of-service (e.g. "syn flood");
- R2L: unauthorized access from a remote machine (e.g. "guessing password");