Domain-specific example: In this example, we demonstrate the process of creating attack profiles for the attacks in the DARPA intrusion detection dataset. Based on the domain expert categorization of the attacks shown in Table 2.5, the features in the set $G_{n_i}$ with low global entropy values are formulated for each attack category as shown in Table 2.6. The number of features for each attack category is chosen according to a domain expert analysis conducted by Gupta et al. [24], who selected the most important features for each category based on attack semantics. Similarly, we select a new set of features $L_{n_i}$ for each attack $n_i$. Table 2.7 shows some related attacks in the R2L attack category and the set of features $(G_{n_i} \cap L_{n_i})$ for each attack (e.g., service, number of shells, number of files accessed, flags, is hot login, logged in for the Warezclient attack). The value column ([V]) lists some values of these features. The occurrence of each feature with the corresponding attack is expressed as a conditional probability in the column [P].

2 A Framework for Contextual Information Fusion to Detect Cyber-Attacks 37

As shown in the table, the shaded feature values have been selected to create the attack profile entries for the corresponding attack. For instance, the final AP for the Warezclient and Ftp_Write attacks is expressed as a set of feature-value pairs:

Table 2.6 Important features in $G_{n_i}$ for attacks in DARPA data, per category (columns: $G_n$ Probe, $G_n$ DoS, $G_n$ R2L, $G_n$ U2R)
Feature names: Duration, protocol_type, Service, Flag, src_bytes, wrong_fragment, Hot, num_failed_logins, logged_in, num_compromised, root_shell, num_root, num_file_creations, num_shells, num_access_files, is_hot_login, is_guest_login, Count, dst_host_same_srv_rate, dst_host_serror_rate, dst_host_srv_serror_rate, dst_host_rerror_rate
Number of features: Probe 6, DoS 9, R2L 14, U2R 8

Table 2.7 Sample attacks in the R2L category and the corresponding features $(G_{n_i} \cap L_{n_i})$; each feature is listed as its value [V] followed by the conditional probability [P] in parentheses
Warezclient: Service = Ftp_data (0.91), Ftp (0.09); Number of shells = 0 (1), 1 (0); Number of files accessed = 0 (1), 1 (0); Flag = SF (1), other (0); Is hot login = 0 (0.96), 1 (0.04); Logged in = 1 (0.98), 0 (0.02)
Ftp_Write: Number of shells = 0 (1), 1 (0); Flag = SF (1), other (0); Is hot login = 0 (0.95), 1 (0.05); Logged in = 1 (0.90), 0 (0.10)
Imap: Service = Imap4 (1), other (0); Number of shells = 0 (1), 1 (0); Number of files accessed = 0 (1), 1 (0); Flag = 0 (0.98), 1 (0.02); Is hot login = 0 (0.92), 1 (0.08); Logged in = 0 (1)

38 A. AlEroud and G. Karabatis

$$\{(\text{Service} = \text{Ftp\_data}),\ (\text{No of Shell} = 0),\ (\text{No of files accessed} = 0),\ (\text{flag} = \text{'SF'}),\ (\text{is hot login} = 0) \wedge (\text{logged in} = 1)\} \rightarrow \text{Warezclient}$$

$$\{(\text{No of Shell} = 0),\ (\text{flag} = \text{'SF'}),\ (\text{is hot login} = 0),\ (\text{logged in} = 1)\} \rightarrow \text{Ftp\_Write}$$

Based on the similarity of their profiles, Warezclient and Ftp_Write are contextually related. By looking at their profiles, the set of features selected to create $AP_{ftp\_write}$ is a subset of the features used to create $AP_{warezclient}$; consequently, there is a high probability that these two attacks are initiated under similar circumstances. APs are used to discard some predictions made by SLNs. The features of a connection $c$ (for which a set of predictions $N'$
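The profile construction described above, worked through as an added example (not the chapter's or the authors' code): conditional probabilities P(feature = value | attack) are estimated per attack from labelled connections, the AP keeps the pairs over the selected feature set that reach a threshold, the subset test reproduces the Warezclient/Ftp_Write relation, and an SLN prediction is discarded when its AP contradicts the connection. The connection records, the feature sets, the 0.9 threshold and the discard rule are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed labelled DARPA-style connections (assumed sample, not dataset rows),
# restricted to the Table 2.7 features.
def conn(service, shells, files, flag, hot_login, logged_in):
    return {"service": service, "num_shells": shells, "num_access_files": files,
            "flag": flag, "is_hot_login": hot_login, "logged_in": logged_in}

RECORDS = (
    [("warezclient", conn("ftp_data", 0, 0, "SF", 0, 1))] * 9
    + [("warezclient", conn("ftp", 0, 0, "SF", 0, 1))]
    + [("ftp_write", conn("ftp", 0, 1, "SF", 0, 1))] * 9
    + [("ftp_write", conn("ftp_data", 0, 0, "SF", 1, 0))]
)
# Assumed selected feature sets (G_ni ∩ L_ni) for each attack.
WAREZCLIENT_FEATURES = ["service", "num_shells", "num_access_files",
                        "flag", "is_hot_login", "logged_in"]
FTP_WRITE_FEATURES = ["num_shells", "flag", "is_hot_login", "logged_in"]

def conditional_probabilities(records):
    """Estimate P(feature = value | attack) by counting over the records."""
    counts = defaultdict(Counter)   # (attack, feature) -> Counter of values
    totals = Counter()              # attack -> number of records
    for attack, features in records:
        totals[attack] += 1
        for feature, value in features.items():
            counts[(attack, feature)][value] += 1
    return {key: {v: n / totals[key[0]] for v, n in c.items()}
            for key, c in counts.items()}

def attack_profile(probs, attack, features, threshold=0.9):
    """AP: the (feature, value) pairs over the selected features whose
    conditional probability reaches the (assumed) threshold."""
    return frozenset((f, v) for f in features
                     for v, p in probs.get((attack, f), {}).items()
                     if p >= threshold)

def contextually_related(ap_a, ap_b):
    """Two profiles are related when one is a subset of the other."""
    return ap_a <= ap_b or ap_b <= ap_a

def discard_prediction(connection, ap):
    """Assumed discard rule: an SLN prediction is dropped when the attack's AP
    contradicts the observed connection features."""
    return any(connection.get(f) != v for f, v in ap)

if __name__ == "__main__":
    probs = conditional_probabilities(RECORDS)
    ap_wc = attack_profile(probs, "warezclient", WAREZCLIENT_FEATURES)
    ap_fw = attack_profile(probs, "ftp_write", FTP_WRITE_FEATURES)
    print(sorted(ap_wc), sorted(ap_fw), contextually_related(ap_wc, ap_fw))
```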