A substantial improvement in performance could be achieved by introducing
Genetic Algorithms (GAs) to automate the training sequence of the FMC approach.
Genetic algorithms are adequate tools when only little knowledge about the
search space is available and the problem is computationally very hard
(NP-complete).
The performance of a GA-improved transition matrix is shown in Figure 1.
[Figure 1: plot of "Normal traffic probability" on a logarithmic y-axis (10^-88 to 10^-68) against an x-axis running from 0 to 300; the image itself is not reproduced here.]
Fig. 1. Conditional probability of 30-byte sequences with a GA-trained transition
matrix
Figure 1 shows that the optimized transition matrix is highly suited to detecting
deciphering engines. This is because only deciphering engines were used as input
to the GA training.
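As an added illustration (this is not code from the paper), the following Python shows the scoring that Figure 1 plots and the threshold test behind Table 3 below: a first-order byte transition matrix is estimated from constructed "normal traffic" samples, every 30-byte window is scored by its conditional probability in log10 (the 10^-70-scale values of the figure), an empirical threshold is derived from the normal scores, and false positives and false negatives are counted. The GA optimisation step is not modelled; the matrix here is a plain additively smoothed count estimate, and the anomalous sample is a constructed block of bytes that never occur in the training data, standing in for "unlike normal traffic" rather than for any real payload. All sample data, names and the threshold rule are assumptions made for this example.

```python
import math
from typing import Dict, Iterator, List, Sequence, Tuple

WINDOW = 30  # the paper scores 30-byte sequences

# Constructed "normal traffic" training samples (plain protocol-like text).
# They are illustrative stand-ins, not traffic captured for the paper.
NORMAL_SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: example-client/1.0\r\n"
    b"Accept: text/html,application/xhtml+xml\r\nAccept-Language: en-US,en;q=0.5\r\n"
    b"Connection: keep-alive\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 138\r\n"
    b"Server: example-server\r\n\r\n<html><head><title>Example</title></head>"
    b"<body><p>Hello, this is an ordinary web page with ordinary text.</p></body></html>\r\n",
]

# Constructed anomalous window: 30 consecutive byte values 0x80..0x9d, none of
# which appear anywhere in NORMAL_SAMPLES, so every transition in it is unseen.
ANOMALOUS_WINDOW = bytes(range(0x80, 0x80 + WINDOW))

# With alpha = 1 smoothing, a previous byte that never occurred in training gives
# every successor the probability 1/256; this is the per-transition floor score.
UNSEEN_TRANSITION_LOG10 = -math.log10(256)


def train_transition_matrix(samples: Sequence[bytes], alpha: float = 1.0) -> List[List[float]]:
    """Estimate P(b_i | b_{i-1}) over all 256x256 byte pairs with additive
    (Laplace) smoothing, so unseen transitions get a small non-zero probability
    instead of driving the whole product to zero."""
    counts = [[0] * 256 for _ in range(256)]
    for data in samples:
        for prev, cur in zip(data, data[1:]):
            counts[prev][cur] += 1
    matrix = []
    for prev in range(256):
        total = sum(counts[prev]) + alpha * 256
        matrix.append([(counts[prev][cur] + alpha) / total for cur in range(256)])
    return matrix


def log10_conditional_probability(matrix: List[List[float]], window: bytes) -> float:
    """log10 of P(b_2|b_1) * ... * P(b_n|b_{n-1}); summing logs keeps values of
    the order 10^-70 (as in Fig. 1) representable without underflow."""
    return sum(math.log10(matrix[prev][cur]) for prev, cur in zip(window, window[1:]))


def windows(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, window) for every WINDOW-byte slice of data."""
    for off in range(len(data) - WINDOW + 1):
        yield off, data[off:off + WINDOW]


def choose_threshold(matrix: List[List[float]], normal_samples: Sequence[bytes],
                     margin: float = 1.0) -> float:
    """Empirical threshold (assumed rule): the lowest score seen on normal
    training windows, lowered by `margin` decades to leave some slack."""
    scores = [log10_conditional_probability(matrix, w)
              for sample in normal_samples for _, w in windows(sample)]
    return min(scores) - margin


def scan(matrix: List[List[float]], data: bytes, threshold: float) -> List[int]:
    """Return offsets of all windows whose log10 probability falls below threshold."""
    return [off for off, w in windows(data)
            if log10_conditional_probability(matrix, w) < threshold]


def evaluate(matrix: List[List[float]], threshold: float,
             normal_windows: Sequence[bytes], anomalous_windows: Sequence[bytes]) -> Dict[str, int]:
    """Count false positives (normal windows flagged) and false negatives
    (anomalous windows not flagged) for a given threshold, as Table 3 reports."""
    fp = sum(1 for w in normal_windows if log10_conditional_probability(matrix, w) < threshold)
    fn = sum(1 for w in anomalous_windows if log10_conditional_probability(matrix, w) >= threshold)
    return {"false_positives": fp, "false_negatives": fn}


if __name__ == "__main__":
    matrix = train_transition_matrix(NORMAL_SAMPLES)
    threshold = choose_threshold(matrix, NORMAL_SAMPLES)
    print("threshold (log10):", round(threshold, 2))
    print("anomalous window (log10):",
          round(log10_conditional_probability(matrix, ANOMALOUS_WINDOW), 2))
    mixed = NORMAL_SAMPLES[0] + ANOMALOUS_WINDOW + NORMAL_SAMPLES[1]
    print("flagged offsets:", scan(matrix, mixed, threshold))
```

Because the anomalous window's previous bytes never occur in training, its score is exactly 29 times the per-transition floor, about -69.8, while windows of the training text score far higher; the threshold derived from the training windows therefore separates them with zero false positives and zero false negatives. That clean result is the same effect the paper notes for Table 3: evaluating on data of the same kind that produced the matrix (or the threshold) says little about performance on unseen traffic, where unseen transitions in legitimate data can pull normal windows towards the floor.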
Table 3 was generated by calculating the conditional probability of 37,785,600
30-byte sequences. After setting an empirically determined threshold, we tested
real network traffic injected with shellcode examples. Table 3 shows that FMC
produces no false negatives. This is due to the fact that the GA-optimized
transition matrix was tested with the same category of shellcode as was used
for the training process. We are aware that, due to the relatively small number of
test sequences and the use of a single shellcode generator, the presented results
are not very significant. On the other hand, we only want to show that the number
of false positives can be reduced dramatically by the use of optimized transition
matrices. Table 3 also reflects the fact that the GA modification process
is much better than the manual process. (In Table 3, P1 denotes the case of a