
An artificial intelligence membrane to detect network intrusion

Published: 01 June 2011

Abstract

We propose an artificial intelligence membrane to detect network intrusion, analogous to the biological membrane that keeps viruses out of a cell. The artificial membrane monitors incoming packets and prevents malicious program code (e.g., a shellcode) from being injected into the stack or heap of a host's memory. While monitoring incoming TCP packets, it reassembles them into a TCP segment and derives the segment's byte frequency (the relative frequency of each byte value from 0 to 255) together with its entropy and size. These features are classified by a data-mining technique such as a decision tree or a neural network. If the classifier flags a byte sequence as suspicious, the sequence is emulated to confirm that it really is a shellcode; if it is, the sequence is dropped and, at the same time, an alert is sent to the system administrator. Our experiments compared seven data-mining methods on normal and malicious network traffic. The malicious traffic comprised 114 shellcodes provided by the Metasploit framework, including 10 types of metamorphic or polymorphic shellcode; real network traffic containing shellcodes was also examined. A random forest outperformed all the other data-mining methods, with a very high detection accuracy: a true-positive rate of 99.6% and a false-positive rate of 0.4%.
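The front end of the membrane described in the abstract, written here as an added example (this is not code from the paper or its authors): TCP segment reassembly from (sequence number, payload) pairs, the 256-bin byte-frequency vector, Shannon entropy and size, and the classify-then-emulate decision flow. The trained random forest and the shellcode emulator are not reproduced; `inspect_segment` takes them as caller-supplied callables, and the "keep earlier bytes on overlap" reassembly policy and the three sample payloads are constructed assumptions, not captured traffic.

```python
"""Added example: feature extraction and decision flow for a byte-frequency /
entropy / size shellcode detector. Classifier and emulator are pluggable."""
import math
from collections import Counter


def reassemble_segment(packets):
    """Rebuild the contiguous byte stream from (seq, payload) pairs that may
    arrive out of order or overlap (retransmissions). Analysis stops at the
    first hole. Assumption: on overlap the bytes seen first are kept."""
    if not packets:
        return b""
    ordered = sorted(packets, key=lambda p: p[0])
    start = ordered[0][0]
    buf = bytearray()
    for seq, payload in ordered:
        offset = seq - start
        if offset > len(buf):
            break                      # gap in the stream: keep the contiguous prefix only
        buf.extend(payload[len(buf) - offset:])   # skip bytes already in the buffer
    return bytes(buf)


def byte_frequency(segment):
    """Relative frequency of each byte value 0..255 (256 features)."""
    size = len(segment)
    counts = Counter(segment)
    return [counts.get(b, 0) / size if size else 0.0 for b in range(256)]


def shannon_entropy(freq):
    """Entropy in bits per byte: 0.0 for a single repeated value, 8.0 for uniform."""
    return -sum(p * math.log2(p) for p in freq if p > 0.0)


def feature_vector(segment):
    """[size, entropy, f(0x00), ..., f(0xff)]: 258 numbers, the row layout a
    decision tree, neural network or random forest would be trained on."""
    freq = byte_frequency(segment)
    return [float(len(segment)), shannon_entropy(freq)] + freq


def inspect_segment(packets, classify, emulate):
    """Decision flow from the abstract: classify the feature vector; only a
    suspicious segment is emulated; only a confirmed shellcode is dropped and
    reported. classify(vector) -> bool and emulate(segment) -> bool are
    supplied by the caller (hypothetical stand-ins for the trained model and
    the emulator)."""
    segment = reassemble_segment(packets)
    if not segment or not classify(feature_vector(segment)):
        return "pass", None
    if not emulate(segment):          # classifier false positive: let it through
        return "pass", None
    alert = f"shellcode confirmed by emulation, {len(segment)} bytes, dropped"
    return "drop", alert


# Constructed sample payloads (not captured traffic).
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
NOP_SLED = b"\x90" * 64        # one byte value only: entropy 0, f(0x90) = 1
UNIFORM = bytes(range(256))     # every value once: entropy 8, the other extreme

if __name__ == "__main__":
    for name, data in (("http", HTTP_REQUEST), ("nop sled", NOP_SLED), ("uniform", UNIFORM)):
        v = feature_vector(data)
        print(f"{name:9s} size={v[0]:.0f} entropy={v[1]:.2f} f(0x90)={v[2 + 0x90]:.3f}")
```

The two extreme samples show why the paper uses the whole 256-bin histogram alongside entropy: a NOP sled has almost no entropy, while an encoded polymorphic payload pushes it toward 8 bits per byte, so a single entropy threshold cannot separate both from ordinary text, and the emulation stage is what turns a statistical suspicion into a confirmed drop.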

References

[1] Williamson MM (2002) Throttling viruses: restricting propagation to defeat malicious mobile code. ACSAC Security Conference 2002, pp 61-68.
[2] Okamoto T (2005) A worm filter based on the number of unacknowledged requests. KES'05, LNAI 3682:93-99.
[3] Okamoto T, Ishida Y (2006) Towards an immunity-based anomaly detection system for network traffic. KES'06, LNAI 4252:123-130.
[4] Roesch M (1999) Snort: lightweight intrusion detection for networks. LISA'99, pp 229-238.
[5] Pasupulati A, Coit J, Levitt K, et al (2004) Buttercup: on network-based detection of polymorphic buffer overflow vulnerabilities. NOMS 1:235-248.
[6] Polychronakis M, Anagnostakis KG, Markatos EP (2007) Network-level polymorphic shellcode detection using emulation. J Comput Virol 2(4):257-274.
[7] Payer U, Teufl P, Lamberger M (2005) Hybrid engine for polymorphic shellcode detection. LNCS 3548:19-31.
[8] Masud M, Khan L, Thuraisingham B, et al (2008) Detecting remote exploits using data mining. IFIP 285:177-189.
[9] Song Y, Locasto ME, Stavrou A, et al (2007) On the infeasibility of modeling polymorphic shellcode. Proceedings of the 14th ACM CCS'07, pp 541-551.
[10] Metasploit project (2006) http://www.metasploit.com/
[11] Detristan T, Ulenspiegel T, Malcom Y, et al (2003) Polymorphic shellcode engine using spectrum analysis. Phrack 11(61).
[12] Baecher P, Koetter M (2007) libemu. http://libemu.carnivore.it/
[13] Witten IH, Frank E (2005) Data mining: practical machine learning tools and techniques, 2nd edn. Morgan Kaufmann, Los Altos.
[14] K2 (2001) ADMmutate. http://www.ktwo.ca/ADMmutate-0.8.4.tar.gz


Published In

Artificial Life and Robotics, Volume 16, Issue 1
June 2011
125 pages

Publisher

Springer-Verlag

Berlin, Heidelberg


Author Tags

  1. Data mining
  2. Malicious software
  3. Network intrusion detection
  4. Shellcode

Qualifiers

  • Article
