(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 2, No. 1, 2009
Threshold Verification Technique for Network Intrusion Detection System
Faizal M. A., Mohd Zaki M., Shahrin S., Robiah Y., Siti Rahayu S., Nazrulazhar B.
Faculty of Information Technology and Communication
Universiti Teknikal Malaysia Melaka,
Ayer Keroh, Melaka,
Malaysia
faizalabdollah@utem.edu.my, zaki.masud@utem.edu.my, shahrinsahib@utem.edu.my, robiah@utem.edu.my, sitirahayu@utem.edu.my, nazrulazhar@utem.edu.my
The Internet has played a vital role in the modern world, and the possibilities and opportunities it offers are limitless. Despite all the hype, Internet services are liable to intrusion attacks that could tamper with the confidentiality and integrity of important information. An attack starts with gathering information about the target, and this information-gathering activity can be carried out as either a fast or a slow attack. The defensive measure a network administrator can take to overcome this liability is to introduce Intrusion Detection Systems (IDSs) into the network. An IDS has the capability to analyze network traffic and recognize incoming and on-going intrusions. Unfortunately, the combination of both modules in real-time network traffic slows down the detection process. In a real-time network, early detection of a fast attack can prevent any further attack and reduce unauthorized access to the targeted machine. A suitable set of selected features and the correct threshold value give an IDS an extra advantage in detecting anomalies in the network. Therefore this paper discusses a new technique for selecting a static threshold value from a minimum set of standard features for detecting fast attacks from the victim's perspective. To increase confidence in the threshold value, the result is verified using Statistical Process Control (SPC). The implementation of this approach shows that the selected threshold is suitable for identifying fast attacks in real time.
Keywords: fast attack detection, Intrusion detection system, Statistical Process Control
I. INTRODUCTION
Incidents of cyber attack on the Internet are increasing every year [1], and most administrators depend on an Intrusion Detection System (IDS) as the essential component in protecting their network. These attacks are generated using tools and exploit scripts which are freely available on the Internet. McHugh provides further evidence by stating that anyone can attack an Internet site using readily available intrusion tools and exploit scripts that capitalize on widely known vulnerabilities [2]. Hence, the increasing number of exploit tools may influence the number of novice attackers on the Internet [3].
An attack can be divided into five phases: reconnaissance, scanning, gaining access, maintaining access and covering tracks [4]. The first two phases are the initial stage of an attack and involve scanning and probing network traffic for information on the vulnerabilities of the targeted machine. This initial stage of attack can be categorized into two types, fast attack and slow attack; [5] defined a fast attack as an attack that uses a large number of packets or connections within a few seconds, while a slow attack is defined as an attack that takes a few minutes or a few hours to complete [6]. This research focuses on the fast attack scenario, since detecting it can prevent an attack at an early stage and may help reduce the possibility of further attacks on the organization's network.
In this research we focus on detecting fast attacks based on the connections made by an attacker to a single victim. This early detection could help the administrator take action to prevent the next phase of the attack and investigate why and how the attack happened. Normal and abnormal traffic are differentiated using a threshold value acquired from the results of the observation and experimental technique applied in the implementation of this research. To make it more reliable, the threshold value is verified using a Statistical Process Control approach.
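As an added illustration, not code from the paper, the following Python sketch implements the victim-side detection idea described above: connection attempts to one victim are counted per source in one-second windows, a static threshold flags bursts, and an SPC-style check confirms that the threshold lies above the upper control limit derived from baseline (normal) counts. The one-second window, the mean + 3·sigma control limit, the flow records and the baseline counts are all assumptions made here, not the authors' feature set or their exact SPC procedure.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: connections per second from one host to the victim,
# observed over ten one-second windows of known-normal traffic (assumed data).
BASELINE_COUNTS = [2, 1, 1, 2, 1, 3, 2, 1, 2, 1]

# Constructed live flow records: (second, source_ip, victim_ip), one record per
# connection attempt. In window 4, 10.0.0.9 opens 40 connections to the victim.
VICTIM = "10.0.0.1"
FLOWS = [
    (0, "10.0.0.5", VICTIM), (0, "10.0.0.6", VICTIM),
    (1, "10.0.0.5", VICTIM), (1, "10.0.0.5", VICTIM),
    (2, "10.0.0.7", VICTIM), (3, "10.0.0.6", VICTIM),
    (3, "10.0.0.5", "10.0.0.2"),            # traffic to another host is ignored
] + [(4, "10.0.0.9", VICTIM)] * 40


def connections_per_second(flows, victim):
    """Count connection attempts per (second, source) toward a single victim."""
    counts = Counter()
    for second, src, dst in flows:
        if dst == victim:
            counts[(second, src)] += 1
    return counts


def spc_limits(samples, k=3.0):
    """Lower and upper control limits (mean -/+ k*sigma) from baseline samples."""
    m, s = mean(samples), pstdev(samples)
    return max(0.0, m - k * s), m + k * s


def verify_threshold(baseline_counts, threshold):
    """A static threshold is accepted when it is at or above the SPC upper limit,
    i.e. it would not fire on counts that the baseline process produces."""
    _, ucl = spc_limits(baseline_counts)
    return threshold >= ucl, ucl


def flag_fast_attack(flows, victim, threshold):
    """Return sources whose per-second connection count to the victim exceeds
    the threshold (the fast-attack indicator from the victim's perspective)."""
    counts = connections_per_second(flows, victim)
    return sorted({src for (_, src), n in counts.items() if n > threshold})


if __name__ == "__main__":
    ok, ucl = verify_threshold(BASELINE_COUNTS, 5)
    print(f"threshold 5 accepted: {ok} (UCL = {ucl:.2f})")
    print("fast-attack sources:", flag_fast_attack(FLOWS, VICTIM, 5))
```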
The rest of this paper is organized as follows: section 2 discusses the background of this research; section 3 concentrates on the methodology and techniques used in producing the threshold value; section 4 discusses the implementation and results of the research; finally, section 5 concludes and discusses the future direction of this research.
II. BACKGROUND
Currently, most researchers concentrate on individual attacks such as DDoS [7][8], worms [9][10] and port scanning [11] rather than on intrusive behavior. [12] suggested that intrusion detection should focus on behavior rather than individual attacks, and by looking at the intrusive behavior it might offer an opportunity to in
…(Full text truncated)…