Journal of Advanced Manufacturing and Technology, ISSN: 1985-3157, Vol. 4 No. 1, Jan-June 2010
STATISTICAL APPROACH FOR VALIDATING STATIC THRESHOLD IN FAST ATTACK DETECTION
Faizal, M.A., Zaki, M.M., Shahrin, S., Robiah, Y., Rahayu, S.S.
Faculty of Information and Communication Technology, Universiti Teknikal Malaysia Melaka,
Karung Berkunci 1200, 75450 Ayer Keroh, Melaka. Tel: 06-2332510, Fax: 06-2332508
Author’s Email: faizalabdollahutem.edu.my
ABSTRACT: Networks have grown to a mammoth size and become more complex, thus exposing the services they offer to multiple types of intrusion vulnerabilities. One method to overcome intrusion is by introducing an Intrusion Detection System (IDS) for detecting the threat before it can damage the network resources. An IDS has the ability to analyze network traffic and recognize incoming and on-going network attacks. In detecting an intrusion attack, information gathering on such activity can be classified into fast attack and slow attack. Yet, the majority of current intrusion detection systems do not have the ability to differentiate between these two types of attack. Early detection of a fast attack is very useful in a real-time environment, in which it can help protect the targeted network from further intrusion that could let the intruder gain access to the vulnerable machine. To address this challenge, this paper introduces a fast attack detection framework that sets a threshold value to differentiate between normal network traffic and abnormal network traffic from the victim's perspective. The threshold value is abstracted with the help of a suitable set of features used to detect the anomaly in the network. By introducing the threshold value, anomaly-based detection can build a complete profile to detect any intrusion threat while at the same time reducing its false alarm alerts.
KEYWORDS: Intrusion detection system, fast attack, Statistical Process Control.
1.0 INTRODUCTION
Internet technology evolution has brought with it its own threats. As networks increase in size, they have become more complex and difficult to handle, thus exposing the services they offer to multiple types of intrusion vulnerabilities. Besides that, the network itself has become the place to share information on how to launch an attack, together with the tools that can be used to attack a network. McHugh et al. (2000) also provide further evidence by stating that anyone can attack an Internet site using readily available intrusion tools and exploit scripts that capitalize on widely known vulnerabilities. Depicted in Figure 1 is a statistic that shows the advancement and the ease of launching an attack from 1990 to 2001 (CERT).
Figure 1: The level of sophistication and knowledge needed in an attack.
Understanding the taxonomy of an attack is necessary before developing tools to protect the organization. An attack can be dissected into five phases, which are reconnaissance, scanning, gaining access, maintaining access and covering tracks (CEH, 2005). The reconnaissance and scanning phases, also called the information gathering phase, are the initial stage of an attack, and attackers spend a lot of time on these two activities. The information gathered reveals the vulnerabilities that they can exploit; information such as services offered, open ports and the type of software used is gathered in this early stage. From this information the attacker can easily detect the vulnerabilities of the network. Hence, the attacker can decide what tools and methods are going to be used in the next stage.
These initial phases can be classified into two categories, which are fast attack and slow attack. Lazarevic et al. (2003) defined a fast attack as an attack that makes connections within a few seconds and uses a large number of packets, whereas an attack that takes a few minutes or hours is considered a slow attack. Existing intrusion detection systems such as Snort (Snort, 2007) use a preprocessor module to detect the fast attack and the slow attack. Another intrusion detection tool, which combines both of these attacks into one module, is Bro (Paxson, 1999). Combining the detection of these attacks into one module may cause late detection, especially for the fast attack. Moreover, detecting the fast attack on the network is very helpful in preventing any early attack and may help to reduce the possibilities of gaining access, maintaining access and covering tracks. By stopping the further steps of an attack, the losses due to the security breach can be minimized.
To address this challenge, this paper presents a novel framework for detecting an attack at its initial stage. The proposed fast attack detection framework focuses on the victim's perspective by monitoring the number of connections made by an attacker towards a single victim, whereby the information gathered can help the administrator to detect an attack and gives feedback on valuable information regarding the level of security of the compromised machine. Therefore, investigating and taking the necessary action is a must to secure the machine from future attacks. The rest of the paper is structured as follows. Section 2 discusses the background of the fast attack framework, Section 3 presents the methodologies and the techniques used in creating the fast attack module, Section 4 elaborates on the result validation, and finally Section 5 concludes and discusses the future directions of this work.
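The victim-centric idea described above (count the connections arriving at a single victim within a short time window and compare the count against a static threshold) is shown below as an added illustrative example; it is not the paper's own code and not the authors' module. The threshold value, the one-second window, the log format and all addresses are constructed assumptions; the paper's actual threshold and feature set are not given in this section.

```python
"""Victim-side fast-attack detector (illustrative, not the paper's implementation).

Counts connection attempts per victim host in fixed time windows and raises an
alert when the count in a window exceeds a static threshold. The per-source
breakdown is kept so an administrator can see who generated the burst.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Connection(NamedTuple):
    ts: int       # epoch second at which the connection attempt was seen
    src: str      # initiating host
    dst: str      # victim host (the framework monitors from this side)
    dport: int    # destination port


# Assumed values: the paper's real threshold and window are not stated here.
THRESHOLD = 20        # alert when more than this many connections hit one victim in a window
WINDOW_SECONDS = 1    # "fast attack": many connections within a few seconds


def parse_line(line: str) -> Connection:
    """Parse one constructed 'ts src dst dport' record."""
    ts, src, dst, dport = line.split()
    return Connection(int(ts), src, dst, int(dport))


def build_sample_log() -> List[str]:
    """Constructed sample log: a little normal traffic plus one port-scan burst."""
    lines = [
        "1000 10.0.0.5 192.168.1.10 80",
        "1000 10.0.0.7 192.168.1.10 443",
        "1001 10.0.0.5 192.168.1.10 80",
        "1001 10.0.0.8 192.168.1.20 22",
    ]
    # Burst: 25 connections from one host to one victim inside the same second.
    lines += [f"1002 10.0.0.9 192.168.1.20 {port}" for port in range(1, 26)]
    lines.append("1003 10.0.0.7 192.168.1.20 22")
    return lines


def window_start(ts: int, window: int) -> int:
    """Align a timestamp to the start of its fixed-size window."""
    return ts - (ts % window)


def connections_per_victim(conns: List[Connection], window: int = WINDOW_SECONDS
                           ) -> Dict[Tuple[str, int], Counter]:
    """Map (victim, window_start) -> Counter of source hosts seen in that window."""
    buckets: Dict[Tuple[str, int], Counter] = {}
    for c in conns:
        key = (c.dst, window_start(c.ts, window))
        buckets.setdefault(key, Counter())[c.src] += 1
    return buckets


def detect_fast_attacks(lines: List[str], threshold: int = THRESHOLD,
                        window: int = WINDOW_SECONDS) -> List[dict]:
    """Return one alert per (victim, window) whose connection count exceeds the threshold."""
    conns = [parse_line(line) for line in lines]
    alerts = []
    for (dst, start), sources in sorted(connections_per_victim(conns, window).items()):
        total = sum(sources.values())
        if total > threshold:
            alerts.append({
                "victim": dst,
                "window_start": start,
                "connections": total,
                "top_sources": sources.most_common(3),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fast_attacks(build_sample_log()):
        print(alert)
```

Running the block on the constructed log yields a single alert for victim 192.168.1.20 in the window starting at 1002, with 25 connections, all from 10.0.0.9; the two or three connections per second that the other victim receives stay below the threshold. The static threshold is the tunable that the rest of the paper validates: set too low it fires on busy but legitimate servers, set too high it misses slower scans, which is why the paper's later sections derive and validate it statistically rather than guessing.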
2.0 BACKGROUND