Table 1. Neural network performance

              ADMMutate  CLET    JempiScodes  EE1    EE2    EE3
ADMMutate     100%       38.8%   100%         79.2%  93%    75.9%
CLET          3.2%       100%    0%           1.7%   0%     3.5%
JempiScodes   26.6%      0%      100%         13%    0.1%   17.7%
EE1           17.4%      91.2%   0.8%         100%   100%   100%
EE2           2.3%       33%     0%           4.7%   100%   1.5%
EE3           20%        98.9%   0.8%         100%   97%    100%
Table 2. ADMMutate-EE3 network performance (30 NOPS)

ADMMutate  CLET  JempiScodes  EE1   EE2    EE3
100%       100%  71.4%        100%  98.3%  100%
Our SOM-based detection engine is virtually identical to the one described
in Section 2.1, except that SOMs are used instead of a neural network. There
are several reasons why choosing a SOM instead of a neural network could make
sense:
- SOMs are based on unsupervised learning, whereas neural networks use supervised
learning
- SOMs can be trained with only positive examples
- SOMs can be used to visualize high-dimensional data
This detection engine was not implemented for Snort(TM), because we only
wanted to gather experience with SOMs. We made use of the SOMToolbox [6]
for Matlab(TM), which we used for training and testing purposes.
Unfortunately, our results lead to the conclusion that SOMs are
incapable of replacing NNs for anomalous code detection: the detection rates
were very poor even in simple test cases.
2.3 Finite Markov Chains
Another very promising approach in the field of abnormal code detection was the
use of Finite Markov Chains (FMC). First, we trained the FMC transition matrix
on "normal" network traffic. Thereafter, this transition matrix was used
to calculate the probability of a given Markov sequence, in order to find differences
between the trained normal traffic and characteristic parts of a polymorphic
shellcode.
Using our knowledge of the intrinsic structure of the investigated engines, we
were able to adjust the transition matrix manually. This led to much better
detection results. In addition, we applied some preprocessing functions for
efficiency and performance reasons (e.g. sequence preprocessing and NOP-filtering).
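The FMC idea above, as an added illustration that is not the paper's code: a first-order byte-level Markov chain is trained on constructed "normal" HTTP requests, NOP bytes (0x90) are filtered out as preprocessing, and a candidate sequence is scored by its mean transition log-probability. Laplace smoothing, the 0x90-only NOP filter, the threshold value and all sample data are assumptions of this example.

```python
import math
from collections import defaultdict

NOP = 0x90  # x86 single-byte NOP; runs of it typically pad a decoder

def nop_filter(data: bytes) -> bytes:
    """Preprocessing step (assumed): drop 0x90 bytes so NOP sleds do not dominate."""
    return bytes(b for b in data if b != NOP)

def train_transition_matrix(samples, alpha=1.0):
    """Count byte-to-byte transitions in NOP-filtered normal samples.
    alpha is a Laplace-smoothing constant (assumed) so unseen pairs are not zero."""
    counts = defaultdict(int)      # (prev, next) -> occurrences
    row_totals = defaultdict(int)  # prev -> outgoing transitions
    for s in samples:
        s = nop_filter(s)
        for a, b in zip(s, s[1:]):
            counts[(a, b)] += 1
            row_totals[a] += 1
    return counts, row_totals, alpha

def sequence_log_prob(model, seq: bytes) -> float:
    """Mean log P(b_i | b_{i-1}) over the NOP-filtered sequence under the chain."""
    counts, row_totals, alpha = model
    seq = nop_filter(seq)
    if len(seq) < 2:
        return 0.0
    total = 0.0
    for a, b in zip(seq, seq[1:]):
        total += math.log((counts[(a, b)] + alpha) / (row_totals[a] + 256 * alpha))
    return total / (len(seq) - 1)

def is_anomalous(model, seq: bytes, threshold: float) -> bool:
    """Flag a sequence whose mean transition log-probability falls below threshold."""
    return sequence_log_prob(model, seq) < threshold

# Constructed normal traffic (plain HTTP requests) and a constructed high-byte
# sequence behind a NOP run; neither is captured data nor real shellcode.
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"GET /style.css HTTP/1.1\r\nHost: example.com\r\n\r\n",
]
SUSPECT = bytes([NOP] * 8) + bytes(range(0xC0, 0xE0))
MODEL = train_transition_matrix(NORMAL)

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL[0]), ("suspect", SUSPECT)):
        print(name, round(sequence_log_prob(MODEL, seq), 3), is_anomalous(MODEL, seq, -5.2))
```

Transitions never seen in training score exactly log(1/256) per step here, which is what separates the high-byte sequence from the ASCII traffic; a real deployment would need a threshold calibrated on held-out normal data.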