Apoptosis and Immunization (h = 0.001, end cells = 811). Total training time (for
AMD Athlon 1.53 GHz) is 98.7 seconds, including 8.03 s for the 1st stage (SVD) and
90.64 s for the 2nd stage (Apoptosis and Immunization).
During the recognition of the records of File 1.1 and File 2, the emulator writes test
results into the output file in the format: Record # - attack_type. For example, four
records (## 744-747) with test results for File 1.1 are as follows (see also Tab. 2):
744 - normal.
745 - buffer_overflow. !!!
746 - buffer_overflow. !!!
747 - normal.
The emulator also shows the on-line projection of any pattern to 3D SFIN (see the bold
skew cross in both screens) and writes the recognition result on the bottom panel (see
"Class: back !!!").
Test results in Tab. 2 correspond completely to the correct attack types (parameter
42) of File 1.
Table 2. Test results for File 1.1

Records ##     attack_type        Records ##     attack_type
745-746        buffer_overflow    38036-38051    ipsweep
3095-7373      smurf              38052-38151    back
9520-9523      buffer_overflow    38302-38311    ipsweep
9590-9591      rootkit            42498-42519    ipsweep
9928-10007     neptune            42548-42567    ipsweep
10072          satan              42593-42594    ipsweep
10320          phf                42706-42708    ipsweep
13340-13519    portsweep          42730-42761    ipsweep
13569          land               42762-42770    buffer_overflow
13845-13864    pod                42771-42772    land
16326-16327    pod                42773-43385    neptune
17446-37902    neptune            44451-44470    neptune
37929-37939    ipsweep            44800-48452    smurf
37959-37963    ipsweep            48453-48552    teardrop
38005-38012    ipsweep            All other      normal
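The per-record output format quoted above ("Record # - attack_type") can be collapsed into the record ranges that Table 2 reports. The following is an added example, not the emulator's own code: the function names are hypothetical, and only the first four sample lines come from the page (the rest are constructed).

```python
import re

# Line format taken from the page: "<record #> - <attack_type>." followed by
# the optional "!!!" marker that the page's sample shows on non-normal records.
LINE_RE = re.compile(r"^\s*(\d+)\s*-\s*([A-Za-z0-9_]+)\.?\s*(!!!)?\s*$")


def parse_results(lines):
    """Yield (record_number, attack_type) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip blank or malformed lines instead of failing the run
            yield int(m.group(1)), m.group(2)


def summarize(lines, baseline="normal"):
    """Collapse consecutive records that share a non-baseline label into
    (first, last, attack_type) ranges, the layout used by Table 2."""
    ranges = []
    for rec, label in sorted(parse_results(lines)):
        if label == baseline:
            continue
        last = ranges[-1] if ranges else None
        if last and last[2] == label and last[1] + 1 == rec:
            ranges[-1] = (last[0], rec, label)  # extend the open range
        else:
            ranges.append((rec, rec, label))    # gap or label change
    return ranges


def format_range(first, last, label):
    span = str(first) if first == last else f"{first}-{last}"
    return f"{span:<14}{label}"


# The first four lines are quoted on the page; the rest are constructed to
# exercise a single-record range, a label change and a malformed line.
SAMPLE = """744 - normal.
745 - buffer_overflow. !!!
746 - buffer_overflow. !!!
747 - normal.
10072 - satan. !!!
42770 - buffer_overflow. !!!
42771 - land. !!!
42772 - land. !!!
garbled line
""".splitlines()

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(format_range(*r))
```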
Another test has been performed over File 2 to check whether the emulator is able
to detect unknown intrusions, which had not been presented in the training data of
File 1. An intrusion is treated as unknown if the projection of the corresponding pattern
to SFIN lies outside the unit cube, according to Proposition 1. The emulator has
recognized 13 unknown intrusions as the following records ## of File 2:
417, 12674, 97891, 139795, 170498, 176201, 177958, 232570, 236975,
296561, 296657, 96796, 297658.
According to Tab. 1, any unknown intrusion can correspond to one of the
following types of attack that had not been presented in the training data:
apache2, guess_passwd, multihop, named, saint, sendmail, snmpgetattack,
udpstorm, xlock, xsnoop.