ISSN: 1985-3157 Vol. 2 No. 2 July-December 2008 Journal of Advanced Manufacturing Technology
44
Diot has combined some fields inside the IP header and TCP header, such as source IP, destination IP and source port (Lakhina et al., 2005). Payload has also been considered as a parameter that can be used to recognize network anomalies (Moore and Zuev, 2005; Moore and Zuev, 2005). By inspecting the payload, suspicious hidden code can be identified and compared against a normal packet. Therefore it is a good opportunity to investigate the payload of the traffic to recognize the intruder (Vandemant and Pras, 2003). Although examining the payload is a better approach, it is still not widely used due to restrictions such as security, privacy and legal issues (Moore and Papagiannaki, 2005). From the previous research, none of the researchers mention the usefulness of the features in identifying the attack and how the features can contribute to the detection of the attackers. Therefore this research will investigate the influence and usefulness of the features in identifying the attacker.
3.0 Feature Classification
For an intrusion to occur there must be both an overt act by the attacker and a manifestation at the victim. Therefore creating a taxonomy that organizes intrusions from both perspectives, the attacker perspective and the victim perspective, may help to detect fast attack activities (McHugh et al., 2000). Accordingly, the detection process introduced in this research was motivated by both the attacker perspective and the victim perspective (Shahrin et al., 2007). Understanding the process of detecting a fast attack is important since it can influence the selection of the features. Therefore, in order to achieve a good detection ratio for fast attacks, the features have been classified as follows:
3.1 Basic Feature
Mahoney and Chan (2001) identify this category under the name of Packet Header Features. Basic features can be derived from the packet header without inspecting the payload. The possible candidates for this feature category include timestamp, source port, source IP, destination port, destination IP and flag, to name a few.
3.2 Derived Feature
This feature can be characterized as multiple connections made by the hosts at the same time. This classification can be divided into 2 categories:
3.2.1 Time based traffic feature
Time based traffic features are designed to include all the derived features computed with respect to the past t seconds, where t is the size of the time window interval, for example one second or one minute (Wenke Lee, 1999).
3.2.2 Connection based traffic feature
Connection based traffic features, also known as host-based traffic features, capture similar characteristics of the connection records in the last k connections, where k is the number of connections (Wenke Lee, 1999).
Based on this classification, basic features can be used to detect an ongoing attack that uses only a single connection, such as DoS. Meanwhile, the derived features can be used to detect multiple attacks launched by the attacker, such as DDoS and worms. Without basic features, derived features cannot be created: derived features depend on the basic features. Unfortunately, KDDCUP99 (KDDCUP99, 1999) does not mention some of the important basic features which are necessary to create the derived features. This research will use time based features, which have the capability to identify the fast attack category. Finally, for detecting the slow attack category, the connection based traffic features are predominantly used. Table 2 describes the features involved in this research.
Table 2: Features Selection
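A worked example of the two derived-feature classes of Section 3.2 computed from the basic header features of Section 3.1. It is added here and is not code from the paper; the record layout, the feature definitions, the window parameters t and k, and the sample records are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Basic:
    """Basic features read from the packet header alone (Section 3.1); layout assumed."""
    ts: float      # timestamp in seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flag: str      # TCP flags, e.g. "S" for a bare SYN

def time_based(records, t):
    """Time based traffic features: for each record, the number of connections and
    the number of distinct destination ports from the same source IP in the past t seconds."""
    window = deque()  # records no older than t seconds relative to the current one
    out = []
    for r in sorted(records, key=lambda x: x.ts):
        window.append(r)
        while r.ts - window[0].ts > t:
            window.popleft()
        same_src = [w for w in window if w.src_ip == r.src_ip]
        out.append((len(same_src), len({w.dst_port for w in same_src})))
    return out

def connection_based(records, k):
    """Connection based (host based) traffic features: for each record, how many of
    the last k connections target the same destination host and how many of those were SYNs."""
    window = deque(maxlen=k)  # the deque discards the oldest record once k are held
    out = []
    for r in sorted(records, key=lambda x: x.ts):
        window.append(r)
        same_dst = [w for w in window if w.dst_ip == r.dst_ip]
        out.append((len(same_dst), sum(1 for w in same_dst if w.flag == "S")))
    return out

# Constructed sample: one host opens connections to three ports on 10.0.0.5 within
# one second (the fast attack pattern), an unrelated host sends an ACK, and the first
# host returns much later. Values are illustrative only.
SAMPLE = [
    Basic(0.0, "192.168.1.10", 40001, "10.0.0.5", 22, "S"),
    Basic(0.2, "192.168.1.10", 40002, "10.0.0.5", 80, "S"),
    Basic(0.4, "192.168.1.10", 40003, "10.0.0.5", 443, "S"),
    Basic(0.6, "192.168.1.20", 50000, "10.0.0.9", 80, "A"),
    Basic(5.0, "192.168.1.10", 40004, "10.0.0.5", 25, "S"),
]
```

With t = 1 second the time based count for the first host climbs to 3 connections on 3 distinct ports within the window and drops back to 1 for its later connection, which is the behaviour the fast attack category relies on; with k = 3 the connection based count still links that later connection to the earlier ones on the same host.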
4.0 Methodology and Analysis