Feature Analysis of the Victim Perspective

ISSN: 1985-3157 Vol. 2 No. 2 July-December 2008 Industrial Automation and Robotics 47 Figure 3: Methodology for Fast Attack Detection

5.0 Feature Analysis

As mentioned earlier, an intrusion can be viewed from the attacker's perspective and from the victim's perspective, and the features constructed here are based on both perspectives. KDDCUP99 (KDDCUP99, 1999) constructed its feature set with most of the features concentrated on the victim's perspective. For the attacker's perspective, we generated two extra features, src_count and srv_count. Bro (V. Paxson, 1999) has been using these features but does not mention how significant and strong the relation of the features is in predicting the result of the detection. In this research, we explore and discuss how these features can contribute to the model in predicting the result, especially in detecting fast attacks.

5.1 Feature Analysis of the Victim Perspective

Most of the previous research, particularly on data mining and neural networks, used the KDDCUP99 features in identifying intrusions. For example, Chebrolu et al (2005) used CART and Ensemble techniques to classify the features and managed to introduce 17 features for detecting fast attacks. Meanwhile, Sung and Mukkamala (2003) used the PBRM and SVDFRM techniques to classify the feature set. Using PBRM, the researchers were able to classify 8 features for Probe and 20 features for DoS, both of which can be categorized as fast attacks. Meanwhile, using SVDFRM, the researchers managed to classify 11 features for both of the attacks. Anazida (2006) used rough set (RB) theory to classify the features and managed to classify only 6 features to detect the fast attack (Anazida et al, 2006). Although they managed to classify 6 features, they fail to mention the features used to detect the attack for each class of attack. All of the experiments explained earlier were done using the KDDCUP99 data and the features introduced by KDDCUP99. By comparing the results from the previous research, we managed to identify the most useful features for detecting the fast attack. Figures 4 and 5 illustrate the comparison between the results obtained from previous research for DoS and Probing attacks respectively. The description of the features represented inside Figures 4 and 5 is given in Table 1.

Figure 4: DOS Comparison (diagram of the features selected by each approach; feature codes are described in Table 1)

As depicted in Figure 4, features E, X and AF are important and were consistently selected by all four approaches. Features A, W, Y and Z can also be considered important since they were selected by 3 different approaches. For this research, we drop features Y and Z due to difficulties in identifying the SYN error using a real-time application. This constraint is due to the extra packet sent by the Windows environment, which may affect the result of detection (Amol et al, 2006).

Figure 5: Probe Comparison (diagram of the features selected by each approach; feature codes are described in Table 1)

Figure 5 illustrates the features that are useful for detecting probe activities. Features E, X, AF and C are important features, as they were consistently selected by all four approaches. Feature W can also be considered useful since it was selected by 3 different approaches. In conclusion, in our research we only select features C, X, AF, A and W for detecting the fast attack. All of the features selected for use are useful from our victim's perspective.

5.2 Feature Analysis of the Attacker Perspective