ISSN: 1985-3157 Vol. 2 No. 2 July-December 2008 Industrial Automation and Robotics 49 packet sent by windows environment which may effect the result of detection Amol et al, 2006. AC, A, B W F, AG L,G,H Y,A,B Z,K,N V,Q, AD E, X,AF, C D AO SVM M PB CART RS Figure 5: Probe Comparison. Figure 5 illustrates the features that are useful to detect the probe activities. Features E, X, AF and C are important features as it had constantly been selected by all four approaches. Feature W can also be considered useful since it had been selected by 3 different approaches. As a conclusion, in our research we only select features C, X, AF, A and W for detecting the fast attack. All of the features selected for use is useful in our victims perspectives.

5.2 Feature Analysis of the Attacker Perspective

For src_count and srv_count, we asses the contribution of the feature using likelihood Ratio Test in equation 1 inside logistic regression. The likelihood ratio test is used by comparing the model with and without a particular predictor. If the value of the likelihood ratio model without the predictor decrease when the predictor is included inside the model, it means that adding the predictor give a signiicant contribution to the model in predicting the outcome. Besides the likelihood ratio statistic test, Cox and Snell’s R²cs in equation 2 ISSN: 1985-3157 Vol. 2 No. 2 July-December 2008 Journal of Advanced Manufacturing Technology 50 Cox and Snell, 1989 and Nagelkerke’s R²N in equation 3 can also be used to indicate whether the feature gives a good prediction on the result or outcome variable. Nagelkerke’s is the amendment of the Cox and Snell because the lack of Cox and Snell to reach its theoretical maximum of 1. Now we will discuss the result based on the statistical value from likelihood ratio, Cox and Snell and Nigelkerke’s. This discussion will concentrate on src_count and srv_count respectively. i Assessing the Inluence of the Src_count Feature This feature is used for detecting fast attack launched by single host to multiple hosts. By selecting this feature, it may help to detect the attacker at the initial stages because host scanning is one of the tools that can be used to launch reconnaissance and scanning activity. Furthermore, there is a question on how the feature can inluence the result of the detection of the attacker. This can be validated using statistical value from likelihood ratio test, Cox and Snell and Nigelkerke’s respectively. Table 3 shows the value of the likelihood ratio statistic after the feature include inside the model. Meanwhile, Table 4 show the chi-square x² value of the new model. Therefore by referring to 1, the value of the baseline model without the predictor can be computed. When only the constant was included, -2LL = 509.721. but when src_count had been included this value has been reduced to 85.211. This reduction means that the features has a signiicant inluence at predicting the outcomeattack. Table 3 : Model Summary -2 Log likelihood Cox Snell R Square Nagelkerke R Square 85.211 .328 .869 Table 3 also show the Nigelkerke’s value for the new model which is 0.869. If the value is close to one, it indicated that the predictor gives good inluence to the model in predicting the outcome Andy Field, 2005. From the result, it shows that the value is close to one which means that the feature selected in this research gives a good inluence to the model in predicting the outcome. ISSN: 1985-3157 Vol. 2 No. 2 July-December 2008 Industrial Automation and Robotics 51 Table 4: Model Coeficient Chi-square df Sig. 424.510 1 .000 Beside the likelihood ratio test and Nigelkerke’s test, chi-square test also can be used to verify whether the feature give a signiicant contribution to the model or not. This can be done by generating hypothesis which are Ho, feature does not effect the model prediction and H1, feature effect the model prediction. Table 4 show the chi-square value is 424.510 and the value is signiicant at a 0.05 and 0.01 level. Therefore the H1 hypothesis has been accepted. As a conclusion, the src_count gives a effect to the model in predicting the outcome. ii Assessing the Inluence of Srv_count Feature Srv_count had also been selected as one of the features in this research. This feature also gives a signiicant inluence to the research and the validation is made using the same test with the previous feature. Table 5 shows the value of the likelihood ratio statistic after the features were included inside the model. Meanwhile, Table 6 show the chi-square x² value of the new model. When only the constant was included, the value of the baseline model is ,-2LL = , 528.700 but when src_count was included inside the model and this value has been reduce to 133.213. This reduction means that the feature has a signiicant inluence at predicting the outcome attack. Table 5 : Model Summary -2 Log likelihood Cox Snell R Square Nagelkerke R Square 133.213 .298 .791 Table 5 also shows the Nigelkerke’s value for the new model which is 0.791. The Nigelkerke’s value is very close to one which means that the feature selected in this research gives good inluence to the model in predicting the outcome. Table 6: Model Coeficient Chi-square df Sig. 395.487 1 .000 For srv_count feature, Chi-square test can also be used to verify whether the feature gives a signiicant contribution to the model or not. This can be done by generating hypothesis which are Ho, feature does not effect the model prediction and H1, feature effect the model prediction. Table 6 shows that the ISSN: 1985-3157 Vol. 2 No. 2 July-December 2008 Journal of Advanced Manufacturing Technology 52 chi-square value is 395.487 and the value is signiicant at a 0.05 and 0.01 level. Therefore the H1 hypothesis has been accepted. As a conclusion, the srv_count gives an effect to the model in predicting the outcome.

6.0 Result