Fast Attack Framework / Features selection

ISSN: 1985-3157 Vol. 4 No. 1 Jan-June 2010 Journal of Advanced Manufacturing and Technology 56

2.1 Fast Attack Framework

Shahrin et al. (2007a) proposed a framework that gives a different view of a fast attack by analysing the nature of an attack in terms of the number of new connections and of derived features captured from network traffic. Figure 2 shows the fast attack framework.

Figure 2: Framework of fast attack detection (tree of nodes Attack (A), Attacker (A), Victim (V), Host (H), Service (S), Connection (C); the labels AAH, AAS and AVC used below are read as paths through this tree)

The framework suggests that an attack can be viewed from two perspectives, the Attacker perspective and the Victim perspective. In the attacker perspective the attack originates from a single host, and to make detection more reliable it is divided into two subcategories. The Host subcategory (AAH) detects scanning attacks, specifically attacks originating from a single host and targeting multiple hosts. The Service subcategory (AAS) refers to attacks targeting the services offered by a victim. The main objective of this research is the AVC perspective, in which a fast attack is detected from the number of connections made by a single attacker to the victim machine. The features used to detect fast attacks in this category are discussed in the next section.

2.2 Features selection

An intrusion detection system can become an effective mechanism for detecting fast attacks if the right features are selected. Some researchers apply different names to the same subset of features, while others use the same name for different types of feature (Onut and Ghorbani, 2006). To avoid redundancy in feature selection, the researcher needs to understand the relationship and the influence of each feature that the system will use for detecting attackers, especially fast attackers. This matters because a fast attack takes only a few seconds, and the techniques attackers use to launch it differ (Robertson et al., 2003). Extraneous features in network traffic may contain false correlations that hinder the detection of intrusions (Chebrolu et al., 2005). Furthermore, some features may be redundant because they are a subset of another feature. Eliminating extra features and selecting the important ones may therefore reduce computational cost (time, memory and CPU time) and increase detection accuracy (Azanida et al., 2006).

Jung et al. (2004) used source IP, destination IP and TCP flags as features to differentiate a benign host from a scanner. The TCP flags were used to compute the status of each connection made by a single host. However, to determine whether a connection succeeded, the sequence number is needed to trace the connection belonging to a specific host: the TCP sequence number advances with every byte transmitted on a connection, which is how the endpoints keep track of that connection (Behrouz, 2004). The sequence number was not used as a feature in that research, and how the connection status is traced is not stated clearly. Furthermore, the authors concentrated only on the detection technique and did not explain the reasons behind their choice of features.

To the best of our knowledge, there is no comprehensive classification of the features an intrusion detection system might use for detecting network-based attacks, especially fast attacks. Only Shahrin et al. (2007a) have constructed a minimum set of features by integrating new features with features from KDD Cup 99 (1999). The basic features used in detecting fast attacks are the timestamp, the duration of the connection, the IP address of the victim, the protocol used, the connection status flag, and the source and destination services. The derived feature gives the number of connections made to a single host. Table 1 describes the features used in this research.

Table 1: Feature selection

Feature         Description                                                   Category
Timestamp       Time the packet was sent                                      Basic features
Duration        Duration of the connection                                    Basic features
IP Addresses    IP addresses of the host                                      Basic features
Protocol type   Connection protocol, e.g. tcp                                 Basic features
Flag            Status flag of the connection                                 Basic features
Service         Source and destination services                               Basic features
Dst_count       Number of connections having the same destination host (AVC)  Derived features

Dst_count is generated using the frequent episode technique, which can discover which time-based sequences of audit events frequently occur together (Lee and Stolfo, 2004). Analysing the relationship between features is also important for narrowing the selection, because some features may cause or contain negative correlation (Chebrolu et al., 2004). This research found that with these features the system is still capable of detecting fast attacks with a minimum of false alarms, and that it also speeds up detection time, especially for fast attacks.
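As an added illustration (not code from the paper or its authors), the following Python computes the derived counts behind the three views of the framework in Section 2.1 (AAH, AAS, AVC) over connection records carrying the basic features of Table 1, and applies a static threshold to the AVC count. The record layout, the 2-second window, the sample traffic and the threshold value are all assumptions; the paper generates Dst_count with frequent-episode mining and validates its threshold statistically, whereas this example simply counts connections in a sliding time window.

```python
"""Sliding-window counts for the AAH / AAS / AVC views of the fast attack
framework (added example, not the paper's implementation).

Assumptions (not from the paper): whitespace-separated records of the form
<timestamp> <duration> <src_ip> <dst_ip> <proto> <flag> <service>,
a 2-second window, and the threshold passed to detect_avc().
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Conn:
    ts: float        # Timestamp: time the connection was seen (seconds)
    duration: float  # Duration of the connection (seconds)
    src: str         # source host
    dst: str         # destination host (the victim in the AVC view)
    proto: str       # Protocol type, e.g. tcp
    flag: str        # connection status flag (S0 = SYN unanswered, SF = completed, REJ = rejected)
    service: str     # destination service


# Constructed sample traffic (not captured data): one benign client, one host
# probing many services on a single victim within a second (AVC pattern),
# and one host probing the same service on many victims (AAH pattern).
SAMPLE_RECORDS = """\
100.0 0.30 10.0.0.5      10.0.0.9 tcp SF  http
100.5 0.01 192.0.2.7     10.0.0.9 tcp S0  ftp
100.6 0.01 192.0.2.7     10.0.0.9 tcp S0  ssh
100.7 0.01 192.0.2.7     10.0.0.9 tcp REJ telnet
100.8 0.01 192.0.2.7     10.0.0.9 tcp S0  smtp
100.9 0.01 192.0.2.7     10.0.0.9 tcp S0  http
101.0 0.01 192.0.2.7     10.0.0.9 tcp REJ pop3
101.1 0.01 192.0.2.7     10.0.0.9 tcp S0  imap
103.0 0.25 10.0.0.5      10.0.0.9 tcp SF  http
104.0 0.01 198.51.100.3  10.0.0.1 tcp S0  ssh
104.2 0.01 198.51.100.3  10.0.0.2 tcp S0  ssh
104.4 0.01 198.51.100.3  10.0.0.3 tcp S0  ssh
104.6 0.01 198.51.100.3  10.0.0.4 tcp S0  ssh
"""


def parse_record(line: str) -> Conn:
    ts, dur, src, dst, proto, flag, service = line.split()
    return Conn(float(ts), float(dur), src, dst, proto, flag, service)


def load_sample() -> List[Conn]:
    return [parse_record(l) for l in SAMPLE_RECORDS.splitlines() if l.strip()]


def derived_counts(conns: List[Conn], window: float = 2.0) -> List[dict]:
    """For each connection (processed in timestamp order) count, over the
    preceding `window` seconds including the connection itself:
      dst_count - connections to the same destination host (Table 1, Dst_count)
      avc_count - connections from this source to this destination (AVC view)
      aas_count - connections to the same destination host and service (AAS view)
      aah_hosts - distinct destination hosts contacted by this source (AAH view)
    """
    recent: deque = deque()
    rows = []
    for c in sorted(conns, key=lambda x: x.ts):
        recent.append(c)
        # Drop records older than the window; the deque is in timestamp order
        # and always holds c itself, so it never empties.
        while c.ts - recent[0].ts > window:
            recent.popleft()
        rows.append({
            "conn": c,
            "dst_count": sum(1 for r in recent if r.dst == c.dst),
            "avc_count": sum(1 for r in recent if r.src == c.src and r.dst == c.dst),
            "aas_count": sum(1 for r in recent if r.dst == c.dst and r.service == c.service),
            "aah_hosts": len({r.dst for r in recent if r.src == c.src}),
        })
    return rows


def detect_avc(conns: List[Conn], threshold: int, window: float = 2.0) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): peak avc_count} for attacker/victim pairs whose AVC
    count reaches `threshold` inside the window. The threshold is a placeholder
    here; the paper validates its static threshold statistically (Section 2.3)."""
    alerts: Dict[Tuple[str, str], int] = {}
    for row in derived_counts(conns, window):
        if row["avc_count"] >= threshold:
            key = (row["conn"].src, row["conn"].dst)
            alerts[key] = max(alerts.get(key, 0), row["avc_count"])
    return alerts


if __name__ == "__main__":
    for row in derived_counts(load_sample()):
        c = row["conn"]
        print(f"{c.ts:6.1f} {c.src:>13} -> {c.dst:<9} {c.flag:<3} {c.service:<6} "
              f"dst={row['dst_count']} avc={row['avc_count']} "
              f"aas={row['aas_count']} aah={row['aah_hosts']}")
    print("AVC alerts:", detect_avc(load_sample(), threshold=5))
```

On the constructed sample the benign client never exceeds an AVC count of 1, the probing host reaches 7 connections to 10.0.0.9 within the window and is reported by `detect_avc` at a threshold of 5, and the third host shows up only in `aah_hosts` (four distinct victims), which is why the framework keeps the AAH and AVC views separate: a single-victim threshold cannot see the horizontal scan at all.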

2.3 Threshold analysis