Feature Selection for Detecting Fast Attack in Network Intrusion Detection

ISSN: 1985-3157 Vol. 2 No. 2 July-December 2008 Journal of Advanced Manufacturing Technology 40

1.0 Introduction

In recent years, the Internet and networks as a whole have seen a great increase in their role in our society, especially in the government and business sectors. During this time, we have also witnessed more and more sophisticated attacks launched by intruders, which of course are motivated by financial and political objectives. These attacks are generated using tools and exploit scripts which are freely available on the Internet and widely used by novice malicious users to launch an attack inside a network. McHugh provides further evidence by stating that "anyone can attack Internet sites using readily made available intrusion tools and exploit scripts that capitalize on widely known vulnerabilities" (McHugh et al., 2000). Therefore the increase in the number of exploit tools may have influenced the number of novice attackers on the Internet, as shown in Figure 1. As a result, it may have a significant impact on the number of reported incidents due to security breaches recorded by CyberSecurity Malaysia (CyberSecurity, 2007), as depicted in Figure 2. Therefore ensuring security in terms of confidentiality, integrity and availability is necessary to protect the network infrastructure (Merkow and Breithaupt, 2006).

Figure 1: Trend of exploit scripts

Figure 2: Incident statistics for Quarter 3 and Quarter 4 of 2007

The introduction of intrusion detection systems (IDS) in a network can be used to counter this problem: placed inside the network, an IDS helps users look for known and potential threats in the network traffic and/or audit data recorded by the host (Giacinto et al., 2003). An IDS can be classified into two general types, signature based systems and anomaly based systems (Wang et al., 2006).
A signature based system contains a number of attack descriptions or signatures that are matched against a stream of audit data, looking for evidence of a modelled attack (Wang et al., 2006). The audit data can be gathered from network traffic or an application log. Meanwhile, an anomaly based system identifies an intrusion by identifying traffic or application behaviour that is presumed to be different from normal activity on the network or host (Wenke Lee, 1999). Both of these approaches have their own disadvantages. False alarms generated by both systems are a major concern and are identified as a key issue and the cause of delay in further implementation of reactive intrusion detection systems (Karl Levitt, 2002). Before developing an intrusion detection system, understanding the taxonomy of an attack is important. An attack can be dissected into 5 phases, which are reconnaissance, scanning, gaining access, maintaining access and covering tracks (Certified Ethical Hacker, 2006). The first two phases are the initial stages, whereby the attacker will try to gain information on the potentially vulnerable machine. These phases can be classified into two categories, fast attack and slow attack. A fast attack can be defined as an attack that uses a large amount of packets or connections within a few seconds (Shahrin et al., 2007; Lazarevic et al., 2003). Meanwhile a slow attack can be defined as an attack that takes a few minutes or a few hours to complete (Wenke et al., 1999). Detecting a fast attack is very useful to prevent any early attacks on the network and may help to reduce the possibilities of gaining access, maintaining access and covering tracks. Therefore this paper focuses on the research conducted on detecting fast attacks, to protect the computer or network at an early stage.
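The fast/slow distinction above is a statement about connection rate per source over time. The following added example (not code from the paper or its authors) turns that definition into a sliding-window detector: for each source address it counts connections starting inside any window of a given length and flags sources whose peak count crosses a threshold. The window sizes and thresholds (2 seconds / 600 seconds, 20 connections) are assumptions chosen to illustrate "a few seconds" versus "a few minutes", and the flow records are constructed for the example. It also computes one candidate feature the later discussion is concerned with, the number of distinct destination ports per source.

```python
"""Sliding-window connection-rate detector separating fast attacks (many
connections within a few seconds) from slow attacks (spread over minutes).
Flow records are constructed; thresholds are assumptions for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float     # connection start, seconds from the start of the capture
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination port


# Assumed thresholds modelling the paper's definitions of fast and slow attacks.
FAST_WINDOW_S, FAST_MIN_CONNS = 2.0, 20      # "within a few seconds"
SLOW_WINDOW_S, SLOW_MIN_CONNS = 600.0, 20    # "a few minutes"


def peak_connections_per_source(flows, window_s):
    """For each source, the largest number of connections that start inside
    any sliding window of `window_s` seconds."""
    starts = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        starts[f.src].append(f.ts)
    peaks = {}
    for src, times in starts.items():
        recent = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window_s:   # evict starts older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        peaks[src] = peak
    return peaks


def detect_fast_attacks(flows):
    """Sources whose burst of connections fits the fast-attack definition."""
    peaks = peak_connections_per_source(flows, FAST_WINDOW_S)
    return {s: p for s, p in peaks.items() if p >= FAST_MIN_CONNS}


def detect_slow_attacks(flows):
    """Sources that reach the same volume only over the long window, i.e. slow
    attacks; sources already flagged as fast are excluded."""
    fast = detect_fast_attacks(flows)
    peaks = peak_connections_per_source(flows, SLOW_WINDOW_S)
    return {s: p for s, p in peaks.items() if p >= SLOW_MIN_CONNS and s not in fast}


def distinct_dports(flows):
    """Candidate feature: number of distinct destination ports per source."""
    ports = defaultdict(set)
    for f in flows:
        ports[f.src].add(f.dport)
    return {s: len(p) for s, p in ports.items()}


# Constructed sample: a fast port sweep (30 ports in under a second), a slow
# sweep (one port every 30 s for 25 ports) and a normal web client.
SAMPLE_FLOWS = (
    [Flow(100.0 + i * 0.03, "10.0.0.5", "10.0.0.50", 1 + i) for i in range(30)]
    + [Flow(200.0 + i * 30.0, "10.0.0.9", "10.0.0.50", 1000 + i) for i in range(25)]
    + [Flow(50.0 + i * 12.0, "10.0.0.2", "10.0.0.50", 80) for i in range(5)]
)

if __name__ == "__main__":
    print("fast attacks:", detect_fast_attacks(SAMPLE_FLOWS))
    print("slow attacks:", detect_slow_attacks(SAMPLE_FLOWS))
    print("distinct destination ports:", distinct_dports(SAMPLE_FLOWS))
```

Note that the slow sweep is invisible to the short window (its peak there is 1 connection) and only appears once the window is widened, which is exactly why the paper treats the two classes separately: a feature tuned for fast attacks says nothing about slow ones.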
Before detecting a fast attack, selecting useful features that may help in identifying it is also paramount, so that the intrusion detection process can make better decisions in identifying the attacker. Unfortunately, many attackers are knowledgeable and capable of altering the details of many attacks to avoid detection by such a system (Caulkins, Lee and Wang, 2005). As a result, the selection of useful features is necessary to detect and identify the various threats that exist inside the network or application. Before selecting a feature, understanding the relationship between the feature and the attack type is also important. Identifying the significant contribution of a feature in detecting the attack is necessary to avoid selecting useless features. Furthermore, filtering a huge amount of network traffic is very tedious, especially given the complexity of the protocols involved, such as UDP and TCP, and the number of incidents can only be studied if deep knowledge of the protocol details is acquired (Mellia, Meo and Muscariello, 2006). Therefore it is critical to overcome the problem of selecting the important features of the network traffic to identify an attack, especially a fast attack. The principal goal of this paper is to present a minimum feature set that can be used to detect a fast attack and the influence of each feature on the model in detecting the fast attack. Understanding the influence of the features is necessary to provide better selection of the features, as one of the factors which may increase the detection accuracy of an intrusion detection system. Additionally, researchers and system developers of intrusion detection systems can benefit from the results provided in selecting useful features for an intrusion detection system.

2.0 Literature Review