ISSN: 1985-3157 Vol. 2 No. 2 July-December 2008 Journal of Advanced Manufacturing Technology
to reduce the possibilities of gaining access, maintaining access and covering tracks. This paper therefore focuses on detecting fast attacks so that the computer or network can be protected at an early stage. Before a fast attack can be detected, the features that help to identify it must be selected; this step is equally important, because it lets the intrusion detection process make better decisions when identifying the attacker. Unfortunately, many attackers are knowledgeable and capable of altering the details of an attack to avoid detection by such a system (Caulkin, Lee and Wang, 2005). As a result, the selection of useful features is necessary to detect and identify the various threats that exist inside the network or application.
Before selecting a feature, it is also important to understand the relationship between the feature and the attack type. Identifying the significant contribution of a feature to detecting the attack is necessary to avoid selecting useless features. Furthermore, filtering a huge amount of network traffic is very tedious, especially given the complexity of the protocols involved, such as UDP and TCP, and the number of incidents can only be studied once deep knowledge of the protocol details has been acquired (Mellia, Meo and Muscariello, 2006). It is therefore critical to solve the problem of selecting the important features of network traffic for identifying an attack, especially a fast attack.
The principal goal of this paper is to present a minimum feature set that can be used to detect a fast attack, and to show the influence of each feature on the model's detection of the fast attack. Understanding the influence of a feature is necessary for better feature selection, which is one of the factors that may increase the detection accuracy of an intrusion detection system. Additionally, researchers and developers of intrusion detection systems can benefit from the results provided when selecting useful features for their systems.
2.0 Literature Review
The success of an intrusion detection system depends on the set of features that the system uses to detect the attacker, especially for fast attacks. This is because the mechanism of a fast attack requires only a few seconds, and the technique used by the attacker to launch the attack is also different (Robertson et al., 2003). Extraneous features inside network traffic may contain false correlations that hinder the process of detecting intrusion (Chebrolu et al., 2005). Furthermore, some features may be redundant since they are a subset of another feature (Chebrolu et al., 2005). Therefore eliminating extra features and selecting important features
may help to decrease computational costs such as time, memory and CPU load, and increase the accuracy of detection.
To the best of our knowledge, there is no comprehensive classification of the features that an intrusion detection system might use for detecting network-based attacks, especially fast attacks. Different researchers use different names for the same subset of features, while others use the same name for different types (Vinot and Ghorbani, 2006). Furthermore, understanding the relationship between features, as well as their influence in detecting the fast attack, is also necessary to avoid selecting redundant features for the intrusion detection system. This research therefore focuses on probing and DoS attacks, which can be categorized as fast attacks, and also exposes how each feature influences the detection of the attacker, especially in fast attacks.
KDDCUP99 introduced a set of features that can be used to detect intrusions (KDDCUP99, 1999). Some researchers have concentrated on feature classification using the set of features constructed by KDDCUP99 (Kayacik et al., 2005; Sung and Mukkamala, 2005). Special techniques have been used in classifying the features, and they produced dissimilar results. Table 1 shows the labeling of the features used by KDDCUP99.
Table 1: Network Data Feature Labels
Besides using the set of features introduced by KDDCUP99, there are researchers who used different sets of features in their research. Christopher
Diot combined some fields of the IP header and the TCP header, such as source IP, destination IP and source port (Lakhina et al., 2005). The payload has also been considered as a parameter that can be used to recognize network anomalies (Moore and Zuev, 2005). By inspecting the payload, suspicious hidden code can be identified and compared against a normal packet, so investigating the payload of the traffic is a good opportunity to recognize the intruder (Vandemant and Pras, 2003). Although examining the payload is a better approach, it is still not widely used due to restrictions such as security, privacy and legal issues (Moore and Papagiannaki, 2005). None of the previous research mentions the usefulness of the features in identifying the attack, or how the features contribute to the detection of attackers. This research will therefore investigate the influence and usefulness of the features in identifying the attacker.
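As an added illustration (this is example code, not the paper's own method or implementation), the following Python derives a small header-level feature set of the kind discussed above from a constructed packet trace: per source address and fixed time window it counts packets, packet rate, distinct destination ports, distinct destination hosts and the share of SYN-only TCP packets, in the spirit of the KDD Cup 99 count and rate features but computed here from packet headers only, with no payload inspection. It then applies threshold rules for the two fast-attack classes the paper targets (probe and DoS) and checks the feature set for the redundancy that Chebrolu et al. warn about. The packet records, the window length, the threshold values and the feature names are all assumptions made for the example.

```python
"""Header-level feature extraction for fast-attack (probe / DoS) detection.

Added example, not the paper's code. The packet trace, window length,
thresholds and feature names are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from math import sqrt


@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since trace start
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port
    proto: str   # "tcp" or "udp"
    flags: str   # TCP flag letters, e.g. "S" = SYN only, "A" = ACK; "" for UDP


# Constructed trace (assumption): a normal client, a port scanner, a SYN flooder.
TRACE = (
    [Packet(0.0 + i * 0.5, "10.0.0.5", "10.0.0.80", 80, "tcp", "S") for i in range(4)]
    + [Packet(0.2 + i * 0.5, "10.0.0.5", "10.0.0.80", 80, "tcp", "A") for i in range(4)]
    + [Packet(1.0 + i * 0.005, "10.0.0.9", "10.0.0.80", 1 + i, "tcp", "S") for i in range(200)]
    + [Packet(3.0 + i * 0.001, "10.0.0.7", "10.0.0.25", 25, "tcp", "S") for i in range(500)]
)


def window_features(packets, window=2.0):
    """Compute features per (src, time bucket) over fixed windows of `window` seconds.

    Returns {(src, bucket): {feature_name: value}}.
    """
    groups = defaultdict(list)
    for p in packets:
        groups[(p.src, int(p.ts // window))].append(p)
    feats = {}
    for key, pk in groups.items():
        tcp = [p for p in pk if p.proto == "tcp"]
        syn_only = sum(1 for p in tcp if p.flags == "S")
        feats[key] = {
            "count": len(pk),                                    # packets from src in window
            "rate": len(pk) / window,                            # packets per second
            "dst_ports": len({p.dport for p in pk}),             # distinct destination ports
            "dst_hosts": len({p.dst for p in pk}),               # distinct destination hosts
            "syn_ratio": (syn_only / len(tcp)) if tcp else 0.0,  # SYN-only share of TCP packets
        }
    return feats


def classify(f, scan_ports=20, flood_rate=100.0, syn_floor=0.9):
    """Threshold rules over the feature dict (threshold values are assumptions)."""
    if f["dst_ports"] >= scan_ports and f["syn_ratio"] >= syn_floor:
        return "probe"  # many ports touched with half-open connections: port scan
    if f["rate"] >= flood_rate and f["syn_ratio"] >= syn_floor and f["dst_ports"] <= 2:
        return "dos"    # high SYN rate aimed at a single service: SYN flood
    return "normal"


def detect(packets, window=2.0):
    """Label every (src, bucket) window in the trace."""
    return {key: classify(f) for key, f in window_features(packets, window).items()}


def pearson(xs, ys):
    """Pearson correlation of two equal-length sequences; 0.0 if either is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy) if vx and vy else 0.0


def redundant_pairs(feats, threshold=0.99):
    """Feature pairs whose |correlation| across windows reaches `threshold`.

    A feature that is a deterministic function of another (here rate = count/window)
    is a subset of it in the sense of Chebrolu et al. and adds nothing to the detector.
    """
    rows = list(feats.values())
    names = list(rows[0]) if rows else []
    found = []
    for a, b in combinations(names, 2):
        r = pearson([row[a] for row in rows], [row[b] for row in rows])
        if abs(r) >= threshold:
            found.append((a, b, round(r, 3)))
    return found


if __name__ == "__main__":
    for key, label in detect(TRACE).items():
        print(key, label)
    print("redundant:", redundant_pairs(window_features(TRACE)))
```

Running the module labels the client window as normal, the scanner window as probe and the flooder window as dos, and reports count and rate as a redundant pair, which is the kind of result that motivates dropping one of them from a minimum feature set before training a detector.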
3.0 Feature Classification