Literature Review Feature Selection for Detecting Fast Attack in Network Intrusion Detection.

ISSN: 1985-3157 Vol. 2 No. 2 July-December 2008 Journal of Advanced Manufacturing Technology 42

to reduce the possibilities of gaining access, maintaining access and covering tracks. Therefore this paper focuses on the research conducted on detecting fast attacks, so as to protect the computer or network at an early stage. Before a fast attack can be detected, selecting the useful features that help identify it is also paramount, so that the intrusion detection process can make a better decision in identifying the attacker. Unfortunately, many attackers are knowledgeable and capable of altering the details of many attacks to avoid detection by such a system (Caulkin, Lee and Wang, 2005). As a result, the selection of useful features is necessary to detect and identify the various threats that exist inside the network or application. Before selecting a feature, understanding the relationship between the feature and the attack type is also important. Identifying the significant contribution of a feature in detecting the attack is necessary to avoid selecting useless features. Furthermore, filtering a huge amount of network traffic is very tedious, especially given the complexity of the protocols involved, such as UDP and TCP, and the number of incidents can only be studied if deep knowledge of the protocol details is acquired (Mellia, Meo and Muscariello, 2006). Therefore it is critical to overcome the problem of selecting the important features of the network traffic to identify an attack, especially a fast attack. The principal goal of this paper is to present a minimum feature set that can be used to detect a fast attack and the influence of each feature on the model in detecting the fast attack. Understanding the influence of a feature is necessary to provide a better selection of features, which is one of the factors that may increase the accuracy of detection for an intrusion detection system.
Additionally, researchers and system developers of intrusion detection systems can benefit from the results provided when selecting useful features for an intrusion detection system.

2.0 Literature Review

The success of an Intrusion Detection System depends on the decision upon a set of features that the system is going to use for detecting the attacker, especially in the case of fast attacks. This is because the mechanism of a fast attack requires only a few seconds, and the technique used by the attacker to launch the attack is also different (Robertson et al, 2003). Extraneous features in network traffic may contain false correlations which hinder the process of detecting an intrusion (Chebrolu et al, 2005). Furthermore, some of the features may be redundant since they are a subset of another feature (Chebrolu et al, 2005). Therefore eliminating extra features and selecting the important ones may help to decrease computational costs such as time, memory and CPU time, and increase the accuracy of detection. To the best of our knowledge, there is no comprehensive classification of the features that an intrusion detection system might use for detecting network-based attacks, especially fast attacks. Different researchers use different names for the same subset of features, while others use the same name for different types (Vinot and Ghorbani, 2006). Furthermore, understanding the relation as well as the influence of the features in detecting a fast attack is also necessary to avoid selecting redundant features for the intrusion detection system. Therefore this research will focus on probing and DoS attacks, which can be categorized as fast attacks. This research will also expose how the features influence the detection of the attacker, especially for fast attacks. KDDCUP99 introduced a set of features that can be used to detect intrusions (KDDCUP99, 1999). Some researchers have concentrated on feature classification using the set of features constructed by KDDCUP99 (Kayacik et al, 2005; Sung and Mukkamala, 2005).
Special techniques have been used in classifying the features, and they produced dissimilar results. Table 1 shows the labeling of features used by KDDCUP99.

Table 1: Network Data Feature Labels

Besides using the set of features introduced by KDDCUP99, there are researchers who used different sets of features in their research. Christopher Diot combined some fields inside the IP header and TCP header, such as source IP, destination IP and source port (Lakhina et al, 2005). The payload has also been considered as a parameter that can be used to recognize network anomalies (Moore and Zuev, 2005). By inspecting the payload, suspicious hidden code can be identified and a comparison can be made against a normal packet. Therefore it is a good opportunity to investigate the payload of the traffic to recognize the intruder (Vandemant and Pras, 2003). Although examining the payload is a better approach, it is still not widely used due to some restrictions such as security, privacy and legal issues (Moore and Papagiannaki, 2005). In the previous research, none of the researchers mention the usefulness of the features in identifying the attack and how the features can contribute to the detection of the attackers. Therefore this research will investigate the influence and usefulness of the features in identifying the attacker.
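The review above makes two points a practitioner has to operationalize: a feature that carries no information about the attack label (or a false correlation) should be removed, and a feature that is a subset or deterministic function of another feature is redundant. The following script is an added illustration, not the paper's own method or code. It ranks connection-level features by information gain against the label and then prunes constant features and features whose discretized values duplicate a higher-ranked feature. The records, the bin thresholds, the 0.95 redundancy threshold and the feature names are constructed for the example and only loosely follow the KDD Cup 99 labels; none of the values come from the real dataset.

```python
"""Information-gain ranking plus redundancy pruning for IDS features.

Added illustration (not the paper's own method or code). Features are scored
by information gain against the attack label; constant features and features
that duplicate a higher-ranked feature are dropped with a stated reason.
"""
import math
from collections import Counter

# Constructed sample connection records loosely following the KDD Cup 99
# feature labels (assumption: illustrative values, not drawn from the dataset).
# srv_count is deliberately identical to count so the redundancy check has
# something to find, and land is constant (0) so the zero-gain check fires.
RECORDS = [
    {"protocol": "tcp",  "flag": "SF",  "count": 1,   "srv_count": 1,   "land": 0, "label": "normal"},
    {"protocol": "tcp",  "flag": "SF",  "count": 2,   "srv_count": 2,   "land": 0, "label": "normal"},
    {"protocol": "udp",  "flag": "SF",  "count": 1,   "srv_count": 1,   "land": 0, "label": "normal"},
    {"protocol": "tcp",  "flag": "SF",  "count": 3,   "srv_count": 3,   "land": 0, "label": "normal"},
    {"protocol": "tcp",  "flag": "S0",  "count": 40,  "srv_count": 40,  "land": 0, "label": "probe"},
    {"protocol": "tcp",  "flag": "REJ", "count": 45,  "srv_count": 45,  "land": 0, "label": "probe"},
    {"protocol": "icmp", "flag": "SF",  "count": 30,  "srv_count": 30,  "land": 0, "label": "probe"},
    {"protocol": "tcp",  "flag": "S0",  "count": 50,  "srv_count": 50,  "land": 0, "label": "probe"},
    {"protocol": "tcp",  "flag": "S0",  "count": 200, "srv_count": 200, "land": 0, "label": "dos"},
    {"protocol": "tcp",  "flag": "S0",  "count": 250, "srv_count": 250, "land": 0, "label": "dos"},
    {"protocol": "icmp", "flag": "SF",  "count": 300, "srv_count": 300, "land": 0, "label": "dos"},
    {"protocol": "tcp",  "flag": "S0",  "count": 220, "srv_count": 220, "land": 0, "label": "dos"},
]
FEATURES = ["protocol", "flag", "count", "srv_count", "land"]
LABEL = "label"
REDUNDANCY_THRESHOLD = 0.95  # assumption: share of a feature's entropy explained by another


def discretize(feature, value):
    """Bin numeric features into a few categories so entropy is well defined.
    Thresholds are constructed for this example, not taken from the paper."""
    if feature in ("count", "srv_count"):
        return "low" if value < 10 else "mid" if value <= 100 else "high"
    return value


def entropy(values):
    """Shannon entropy in bits of a list of categorical values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def info_gain(records, feature):
    """H(label) - H(label | feature): how much the feature tells about the label."""
    labels = [r[LABEL] for r in records]
    buckets = {}
    for r in records:
        buckets.setdefault(discretize(feature, r[feature]), []).append(r[LABEL])
    conditional = sum(len(ls) / len(records) * entropy(ls) for ls in buckets.values())
    return entropy(labels) - conditional


def redundancy(records, f1, f2):
    """Mutual information between two features, normalised by the smaller
    entropy. 1.0 means one feature is a deterministic function of the other,
    i.e. it is 'a subset of another feature' in the sense of the review."""
    a = [discretize(f1, r[f1]) for r in records]
    b = [discretize(f2, r[f2]) for r in records]
    mi = entropy(a) + entropy(b) - entropy(list(zip(a, b)))
    return mi / min(entropy(a), entropy(b))


def select_features(records, features):
    """Return (selected, dropped): features kept in rank order, and a map
    from each dropped feature to the reason it was dropped."""
    ranked = sorted(features, key=lambda f: -info_gain(records, f))  # stable sort
    selected, dropped = [], {}
    for f in ranked:
        if info_gain(records, f) <= 1e-12:
            dropped[f] = "no information about the label"
            continue
        dup = next((s for s in selected
                    if redundancy(records, s, f) >= REDUNDANCY_THRESHOLD), None)
        if dup is not None:
            dropped[f] = f"redundant with {dup}"
        else:
            selected.append(f)
    return selected, dropped


if __name__ == "__main__":
    for f in FEATURES:
        print(f"{f:10s} gain={info_gain(RECORDS, f):.3f}")
    kept, gone = select_features(RECORDS, FEATURES)
    print("selected:", kept)
    print("dropped:", gone)
```

Because `count` and `srv_count` share every bin, their gains tie and the stable sort keeps `count` (listed first) while `srv_count` is reported as redundant with it; `land` never varies and is dropped for zero gain. On real traffic the bin thresholds and the redundancy cut-off are the tuning knobs, and a feature with high gain on one capture should still be checked against the false-correlation concern raised in the review before it is trusted.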

3.0 Feature Classification