Packet Information Collection and Transformation for Network Intrusion Detection and Prevention

Mohsen Beheshti, Jianchao Han, Kazimierz Kowalski, Joel Ortiz, Johnly Tomelden, Damian Alvillar
Computer Science Department, California State University Dominguez Hills
1000 E. Victoria Street, Carson, California, USA 90747
Emails: [email protected], [email protected], kkowalski}@csudh.edu

Abstract

Data mining and machine learning technology has been extensively applied in network intrusion detection and prevention systems by discovering user behavior patterns from network traffic data. Some commercial tools for collecting network traffic data exist, such as SNORT. The traffic data collected from the network using these tools, however, usually does not fit the input format required by data mining systems. Transforming the network traffic data into the required format is therefore mandatory before a data mining system can induce network intrusion detection rules. In this paper, collecting network packet information using SNORT is introduced, storing the collected data in a MySQL database is presented, and selecting the significant data in the database and transforming it into the input format of the data mining system See5 is discussed. The data collection, selection, and transformation approaches illustrated in this paper have been used in the Information Fusion in Sensor Based Intrusion Detection System that is under development in our Computer Security Research Laboratory. The system framework is briefly introduced and preliminary results for data collection from multiple sources are illustrated.

Keywords: Data collection and pre-processing, data mining and machine learning, data transformation, information fusion, network intrusion detection and prevention.

I. Introduction

Various network intrusion detection and prevention systems have been used to monitor computer systems for signs of security violations [1]-[7]. Basically, an intrusion detection system collects information gathered from the network, host, or file systems and analyzes it to find suspicious activities. The increased connectivity between computer systems has opened up many possibilities for attacks, such as attempted break-ins, tampered executables, denial of service, leakage, masquerade attacks, malicious use, etc. Suspicious network activities are usually divided into two main categories [1] [6]: misuse and anomaly. Detecting misuse means analyzing the network traffic information and comparing it to large databases of attack signatures to find patterns signaling well-known attacks that have already been documented. The obvious disadvantage of misuse detection is that it is not capable of detecting new attacks. On the other hand, detecting anomalies means comparing the actual network traffic data to a profile of all allowed normal user behavior. Any deviation from the profile is considered a suspicious action. Anomaly detection seems to be able to detect all kinds of attacks, including "novel" or "unknown" attacks. However, it can only signal that some event is unusual, not that it is necessarily hostile, thus generating false alarms [1]. This is why anomaly detection usually leads to a high rate of false positives. Intrusion detection systems must be capable of distinguishing between normal (not security-critical) and abnormal user activities in order to discover malicious attempts in time. However, translating user behaviors (or a complete user-system session) into a consistent security-related decision is often not that simple, because many behavior patterns are unpredictable and unclear.

The processes in a typical intrusion detection system include data collection, data pre-processing, pattern detection, and response [6]. Many commercial tools exist to collect data from the network traffic, such as SNORT [8], Tcpdump, Dsniff [9], etc. [10]. The audit data collected this way may not be understandable to other components of the detection system, and thus needs to be pre-processed. Data pre-processing includes transforming data into an understandable format, handling noisy and/or missing data, mapping data types, and selecting the significant portion of the data. Pattern detection is to find rules that recognize normal and abnormal activities. Currently, data mining and machine learning techniques have been extensively used to perform this task [11]-[13], such as inducing classification rules to recognize anomalies, discovering temporal association rules to detect time-related correlations, and finding short sequences of system calls to
discriminate between normal and abnormal operating characteristics.

We are developing an information fusion in sensor based intrusion detection system in our CSRL lab. The primary design of this network intrusion detection system is based on the machine learning system See5/C5.0 [14], which is the commercial version of C4.5 for decision tree and rule induction [15]. See5 runs on the Windows platform while C5.0 is designed to run on Linux. The components of this system are described as follows:

1. Capture packet data in network traffic by using the tool SNORT; the SNORT system collects packet information and stores it in the audit logs;
2. Preprocess and transform the data into the input format required by See5;
3. Apply See5 to induce intrusion detection rules, a set of alert rules for recognizing malicious activities;
4. Integrate the detection rules into a firewall to prevent potential attacks.

In this paper, we present our implementation of the first two components of the information fusion and intrusion detection system. Section 2 introduces the SNORT system, and the setup of SNORT for use in our system is described in Section 3. The See5 system is presented in Section 4, including its input format requirements. Section 5 illustrates the data transformation from the SNORT logs to the See5 inputs. Section 6 briefly introduces the information fusion and honeypot approach that we propose to combine information from multiple sources to make a more informed decision, and shows our preliminary findings. Finally, Section 7 gives concluding remarks and our future work.

II. The SNORT System

SNORT is a network sniffer developed by Martin Roesch in 1998 as a solution to the cross-platform sniffer problem [8]. The SNORT application is a combination of a network sniffer and a logger that logs packets according to a rule system operating on the sniffed traffic. SNORT can be applied to analyze current traffic and to run rule systems that capture packets.

A network sniffer (or packet capture utility [16]) is an application that collects the network traffic normally announced on the network segment the computer is on. This technology works on the security vulnerability of trust: early networks trusted all nodes on the segment to take only the messages meant for them, whereas modern networks use encryption to hide the content between the sender and the receiver. Such devices are used as a network monitoring service. Sniffer technology can also be used to gain privileged information from individuals on the LAN segment where the sniffing device is located, by switching the NIC on that machine to promiscuous mode. The segment of the LAN can be controlled by network tools or hardware; from a bridge to a router, these devices segment a network into smaller LANs so that a compromised computer can be isolated from the other transmitting systems and network segments.

To make the SNORT system operate, one needs to understand its components as well as the relationships among them [17].

The first component is the SNORT database, which is particularly important for our intrusion detection system because it contains the traffic data for the See5 system to work on. The SNORT database created by the SNORT installation includes many tables. Four tables record information about network packets using the following protocols: tcp, udp, icmp, and ip. Two other important tables are acid_event and opt. The tables that will be used in our data transformation are briefly described below:

acid_event consolidates all the alert logs that SNORT captures and orders them by the cid field.

iphdr is the IP header table, used to log all network streams that use the TCP/IP protocol. This table stores the IP header information of packets.

tcphdr is the TCP header table; it collects the TCP portion of the TCP/IP protocol that is not captured by the iphdr table.

opt holds the optional data that can be part of the TCP/IP protocol.

udphdr is the UDP header table and contains the header information for the UDP protocol. This protocol has fewer details than TCP/IP and is used for faster communication at the cost of reliability.

icmphdr is the ICMP header table, used to log information about the network traffic between network hardware.

These tables store all the information collected from the network communication, including flags, offsets, and payload, while other tables hold information about the rules that were tripped or evoked to create the log entry, identified by the SNORT community rule sid (signature id, the rule number from the rule set).

The SNORT database has some elements from the BASE system [18], which takes information from the SNORT database and adds one primary table called acid_event. The acid_event table takes several of its columns from other tables. It accumulates most of the information that can be used to build target attributes
using the sig_class_id. If we need to investigate any particular rule from the SNORT community further, we can look at the cid from acid_event.sig_class_id => sig_sid; with the sig_sid value we can then look for the SNORT rule in the sig-msg.map in the /etc/SNORT/rules/ directory. In order to look at the actual rule we need to match the first part of the message to the actual rules in that directory, as the files split the rules by their attack fingerprint. This table also serves for now as a way to connect the other tables, with the cid (event id) common to the tables that we will be looking at.

The most commonly used protocols in the data set are TCP/IP and UDP. With SNORT, these protocols are broken down into five tables: four header tables, iphdr, tcphdr, udphdr, and opt, and a data table. The header information (tcp/ip/udp-hdr) resides in its own tables, while the IP/TCP option field is put in the opt table, and the data, or actual datagram, resides in the data table, with the opt and data tables having a text field. While analyzing the datagram is one thing that can be done, it is not the part we are looking at; it is the header information, passed through a data mining application, that can give us information on what kind of rules we need to implement in order to stop attacks.

The icmphdr table is included as a form of background noise, or a way to find possible false positive results. This table also has the potential of catching intruders that are looking to take over routers to create a false router table reference from an HTTP command. The ICMP packet carries router information for next-hop dead connections and other connection-specific information and is often overlooked as a source of security attacks.

The tables in the SNORT database share a primary key cid (alert id) that can be used to gather the related information from the different tables to get a clear picture of what was logged in the database. There are two main sections of the database. The first one stores all the information collected from the packet, while the second one holds information from the different SNORT rules. The main relationship between the two sections is signature.sig_id and event.signature, which are created by the SNORT system. Another relationship between these two sections is that the SNORT rules stored in the files in the SNORT /rules/ directory correlate their sid numbers to the sig_sid numbers in the sid and msg sections of the actual rules.

III. The SNORT Setup

The setup of the SNORT system is important in order to collect packets or test new SNORT rules, as the SNORT program can be used for either [17]. A tap is set up to have the network traffic repeated to the station with the SNORT system set in promiscuous mode in order to excerpt network traffic.

When the SNORT system is set up during installation, the MySQL database management system [19] is used as the SNORT database.

The first system is to gather information from the wide area network. The main point of this one is to get normal traffic and suspected intrusion traffic recorded onto the network sniffer. We use two servers, running a Linux server and a Windows server respectively, in order to keep the gathering of information more cross-platform.

The second system is the testing system that is used to test the SNORT rules and to transfer databases in order to verify or investigate some of the performance of SNORT and its different components. This is conducted in a closed network or LAN.

To check if an added SNORT rule works, we have to use the signature table, looking at the sig_sid column. The SNORT community has chosen to allocate sig_sid values from one million upward to the local rules that will be used. The way SNORT holds IP addresses in the database is in aton form, which turns the IP address into an integer to store and compare. Once that is complete we can then move on to the transfer of the database for use by other applications such as JACED_IPTables.php [20] and See5 [14].

We set up the network with taps to gather the information, then set the SNORT system up to collect the information that can be used.

The SNORT system uses a rule set to set an action, based on rules, as to whether to capture a network packet or release it. The SNORT community keeps a directory full of files that hold over 2k rules for specific network intrusions. The full documentation of the Snort rules can be found in [17].

An example for us to look at and dissect is:

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

The first part of the rule is the logging method (the rule action); the choices are alert, log, pass, activate, dynamic, drop, reject, and sdrop.

The second part of this example is the protocol type that it detects; TCP, UDP, ICMP, and IP are the protocols Snort is currently able to detect.

The next part is the IP address and port information, which can be given the keyword any for any IP or any port. The directional operator -> can also be <> to specify either direction. The rule can treat incoming or outgoing network packet information with the directional operator (->, <>).

Using the above packet protocol pattern, we can start looking at the specifics enclosed in the parentheses.
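The rule anatomy just dissected can be checked mechanically before a rule file is loaded. The following is an added example, not code from the paper or from the Snort project: it splits a rule into the header fields described above and its option list, decodes the content hex, and flags locally written rules whose sid is missing or lies below the one-million local range mentioned in the setup section. The nonalert rule type name is taken from the paper's configuration; the function names and LOCAL_SID_MIN constant are the editor's.

```python
"""Dissect Snort 2.x rule text as Section III does: action, protocol, source,
direction, destination, then the option list in parentheses.

Added example, not from the paper or the Snort project.  Custom rule types such
as the paper's `nonalert` must be declared via `extra_actions`.  LOCAL_SID_MIN
is the sid range Snort reserves for local rules, which the paper relies on when
it looks up its own rules in the signature table.
"""
import re
from dataclasses import dataclass, field

BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic",
                   "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1_000_000

# header: action proto src sport dir dst dport [(options)]
_HEADER = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)"
    r"\s*(?:\((.*)\))?\s*$")


@dataclass
class Rule:
    action: str
    protocol: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: dict = field(default_factory=dict)

    @property
    def sid(self):
        value = self.options.get("sid")
        return int(value) if value is not None else None


def _split_options(body):
    """Split 'key:value; key2:value2;' on semicolons outside double quotes,
    so a msg such as "a; b" is not cut in half."""
    options, current, in_quotes = {}, [], False
    for ch in body + ";":
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            token = "".join(current).strip()
            if token:
                key, _, value = token.partition(":")
                options[key.strip()] = value.strip().strip('"')
            current = []
        else:
            current.append(ch)
    return options


def parse_rule(text, extra_actions=frozenset()):
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError(f"not a rule header: {text!r}")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in BUILTIN_ACTIONS | set(extra_actions):
        raise ValueError(f"unknown action {action!r} (declare it as a ruletype?)")
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    return Rule(action, proto, src, sport, direction, dst, dport,
                _split_options(body) if body else {})


def content_bytes(rule):
    """Decode a content:"|00 01 86 a5|" option into bytes (hex between pipes,
    literal text outside them); None when the rule has no content option."""
    raw = rule.options.get("content")
    if raw is None:
        return None
    out = bytearray()
    for i, chunk in enumerate(raw.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def local_sid_problems(rules):
    """Defender's check before loading local.rules: every rule that carries
    options must have a sid, and that sid must sit in the local range so it
    cannot collide with community sids in the signature table."""
    problems = []
    for r in rules:
        if not r.options:
            continue  # bare pass rules produce no events and need no sid
        if r.sid is None:
            problems.append(f"{r.action} {r.protocol}: missing sid")
        elif r.sid < LOCAL_SID_MIN:
            problems.append(f"sid {r.sid} below local range {LOCAL_SID_MIN}")
    return problems


if __name__ == "__main__":
    example = parse_rule('alert tcp any any -> 192.168.1.0/24 111 '
                         '(content:"|00 01 86 a5|"; msg:"mountd access";)')
    print(example, content_bytes(example), local_sid_problems([example]))
```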
This field has many options, e.g. sid to identify each rule, and the msg option to add a comment to the database.

The above logging method can be changed. For this purpose, we created a new type of method using the following lines in the snort.config file:

ruletype nonalert
{
    type alert
    output database: log, mysql, user=snort password=password dbname=snortTest host=localhost
}

This rule type creates an alert called nonalert that captures incoming traffic into a database called snorttest.

The following are the rules that are added to the database using the above rule type nonalert to log normal traffic:

pass tcp 0.0.0.0 any <> $HOME_NET any
pass udp 0.0.0.0 any <> $HOME_NET any
pass icmp 0.0.0.0 any <> $HOME_NET any
pass ip 0.0.0.0 any <> $HOME_NET any
nonalert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"Traffic CSRL 1.0 tcp"; classtype:not-suspicious; sid: 1000001;)
nonalert udp $EXTERNAL_NET any <> $HOME_NET any (msg:"Traffic CSRL 1.0 udp"; classtype:not-suspicious; sid: 1000002;)
nonalert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"Traffic CSRL 1.0 icmp"; classtype:not-suspicious; sid: 1000003;)
nonalert ip $EXTERNAL_NET any <> $HOME_NET any (msg:"Traffic CSRL 1.0 ip"; classtype:not-suspicious; sid: 1000004;)

We add a rule in the file local.rules alongside the community downloaded rules and check the SNORT database in order to confirm implementation of the new rule. To get a view of the database stored in our system under MySQL, we use the describe command on all tables. Later, when the system is populated with logs, the select query finds what is in the tables.

The .config and .conf files of the SNORT system are also used to find what is called and what is skipped from the /etc/snort/ directory of the file system for the SNORT system [17].

These rules filter out traffic from the routers and then log the incoming traffic into the nonalert database snorttest.

IV. The See5 System

Data mining is the process of analyzing large amounts of data stored in data warehouses or databases and summarizing it into useful information that can be used for decision making. Classification is a common technique used in data mining and machine learning, and is the technique that we are going to employ in our research. Classification is the process of determining the predefined class to which an example belongs. See5/C5.0 [14] is the commercial version of the C4.5 decision tree and rule induction product by Rulequest, developed by Ross Quinlan [15]. See5 is the software that runs on the Windows platform while C5.0 is designed to run on Linux. In the intrusion detection system that we are developing, See5 for Windows XP is applied.

Using classification techniques in conjunction with the data mining tool C5.0/See5, one can analyze the SNORT database and IP tables to identify any anomalies in the traffic patterns, thus giving us a better understanding of how to detect and prevent security flaws in today's networks and computer systems. Anomalies may include multiple attacks from the same IP address and multiple occurrences of a certain type of attack, and clustered ranges of IP addresses can also be detected. Classifiers output by See5 are generally in the form of decision trees or sets of if-then rules, which are usually easier to understand than other formats such as neural networks.

However, the database that stores the SNORT audit logs has a different format than the input of See5. Basically, the data set from which See5 induces a decision tree is a two-dimensional data table, where each row represents an object, while each column characterizes an attribute or feature of the objects. The data table is described in two input files to the See5 system, the .names file and the .data file. The .names file describes the attributes and classes of the data table that See5 is going to work on. Such a file consists of the names of each column from the data table with a description of the type of attribute each column contains. The attribute type can be continuous, label, date, time, timestamp, ignore, or discrete N for some integer N. The .data file, on the other hand, enumerates each object or case.

V. Data Transformation

In order to adhere to the See5 system format of the data set, we need to convert various tables in the SNORT database. The transformation can be done either by using a software interface such as ODBC or JDBC, or by writing a transformation program such as a PHP script. The latter is chosen in the implementation of our system since the SNORT system is set up with MySQL and it is convenient to write PHP scripts to extract information from the MySQL database [21].

PHP (Personal Home Page) is a scripting language originally designed for producing dynamic web pages. In our implementation, we are using PHP to communicate directly with the SNORT database so
that the data in MySQL can be ported into a format that See5 will understand. While the PHP script is executing, it opens the SNORT database and stores it in a buffer for manipulation. Storing the SNORT database in a buffer is an advantage because manipulating the data using PHP is faster and more efficient than manipulating the SNORT database directly from the MySQL command console. Once the SNORT database is stored in the buffer, the PHP script begins to select the data, via queries, from the multiple tables that we think are the most important to our research. While the data is being selected, it is simultaneously being stored into a new table within the SNORT database. Once the PHP script has finished selecting and adding the related data into the new table, it is possible to directly export the new table into a flat file with the .data extension that is needed to run See5.

Basically, the transformation of data from the SNORT database to the See5 system includes converting the database schema into a .names file and selecting data from tables to generate the .data file, both of which are required as the input of See5 for its execution. The See5 system execution will output either a set of classification rules or a decision tree.

The MySQL commands are embedded in the PHP scripts to quickly generate the desired results.

The common connection between the data tables in the SNORT database is that they all have a cid, which can be used to keep Cartesian products from being created. The MySQL command used is:

create table s5
(select (acid_event.cid + 0) cid, sig_class_id,
    sig_priority, acid_event.timestamp,
    layer4_sport, layer4_dport,
    acid_event.signature, iphdr.ip_src,
    iphdr.ip_dst, ip_ver, ip_hlen, ip_tos, ip_len,
    ip_id, ip_flags, ip_off, ip_ttl, iphdr.ip_proto,
    ip_csum, optid, opt_proto, opt_code,
    opt_len, opt_data, tcp_sport, tcp_dport,
    tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags,
    tcp_win, tcp_csum, tcp_urp, udp_sport,
    udp_dport, udp_len, udp_csum, icmp_type,
    icmp_code, icmp_csum, icmp_id, icmp_seq
from acid_event
left join iphdr on acid_event.cid = iphdr.cid
left join tcphdr on acid_event.cid = tcphdr.cid
left join udphdr on acid_event.cid = udphdr.cid
left join icmphdr on acid_event.cid = icmphdr.cid
left join opt on acid_event.cid = opt.cid
order by timestamp);

This query uses left joins in order to replicate an outer join: it first makes a table and populates it with the acid_event table, then compares the cid of acid_event with the cid of the succeeding table in each left join.

The implementation of data queries from the MySQL database uses PHP scripts. The following is a snippet of the PHP script used in our implementation to define the query from the acid_event table (the connection lines use the credentials from the nonalert rule type above and were not in the original snippet):

// open the SNORT database with the credentials given in the nonalert rule type
$conn = mysql_connect("localhost", "snort", "password") or die("connect: " . mysql_error());
mysql_select_db("snortTest", $conn) or die("select db: " . mysql_error());

// pull the alert-level columns from acid_event, ordered by the shared key cid
$eventQuery = "select cid, sig_class_id, sig_priority, timestamp, layer4_sport, layer4_dport, signature from acid_event order by cid;";
$resultEvent = mysql_query($eventQuery, $conn) or die("problem " . mysql_error());

// note: a result with zero rows also triggers die() here
$cidNum = mysql_num_rows($resultEvent) or die("snap");
echo $cidNum . "<br />";

// the IP header rows are fetched in the same cid order so they can be walked in step
$resultIPHDR = mysql_query("select * from iphdr order by cid;", $conn) or die("problem");
echo mysql_num_rows($resultIPHDR) . "<br />";

$iphdrNum = 0;
$iphdrMax = mysql_num_rows($resultIPHDR);

During the testing of See5 with the output of the table created above, it was found that MySQL exports null values to the file with the '\n' placeholder. See5 did not process this and marked it as an error, stopping after many errors were encountered. To fix the problem, the following query was used to export the data table from the SNORT database into a .data file for See5:

select cid, ifnull(sig_class_id,'N/A'),
    ifnull(sig_priority,'N/A'), ifnull(timestamp,'N/A'),
    ifnull(layer4_sport,'N/A'),
    ifnull(layer4_dport,'N/A'), ifnull(signature,'N/A'),
    ifnull(ip_src,'N/A'), ifnull(ip_dst,'N/A'),
    ifnull(ip_ver,'N/A'), ifnull(ip_hlen,'N/A'),
    ifnull(ip_tos,'N/A'), ifnull(ip_len,'N/A'),
    ifnull(ip_id,'N/A'), ifnull(ip_flags,'N/A'),
    ifnull(ip_off,'N/A'), ifnull(ip_ttl,'N/A'),
    ifnull(ip_proto,'N/A'), ifnull(ip_csum,'N/A'),
    ifnull(optid,'N/A'), ifnull(opt_proto,'N/A'),
    ifnull(opt_code,'N/A'), ifnull(opt_len,'N/A'),
    ifnull(tcp_sport,'N/A'), ifnull(tcp_dport,'N/A'),
    ifnull(tcp_seq,'N/A'), ifnull(tcp_ack,'N/A'),
    ifnull(tcp_off,'N/A'), ifnull(tcp_res,'N/A'),
    ifnull(tcp_flags,'N/A'), ifnull(tcp_win,'N/A'),
    ifnull(tcp_csum,'N/A'), ifnull(tcp_urp,'N/A'),
    ifnull(udp_sport,'N/A'), ifnull(udp_dport,'N/A'),
    ifnull(udp_len,'N/A'), ifnull(udp_csum,'N/A'),
    ifnull(icmp_type,'N/A'), ifnull(icmp_code,'N/A'),
    ifnull(icmp_csum,'N/A'), ifnull(icmp_id,'N/A'),
    ifnull(icmp_seq,'N/A')
into outfile 'see5test.data'
FIELDS TERMINATED BY ','
LINES TERMINATED BY '\n'
from stuff
order by timestamp;

This query dumps the table into a file called see5test.data, which can be taken out of the database directory by navigating to it.
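As an added example (Python written for this edit, not the paper's PHP), the following builds the same .names/.data pair from rows returned by the s5 join above: it substitutes N/A for SQL NULL as the ifnull() query does, decodes the aton-form IP integers SNORT stores, and checks that every .data line has as many fields as the .names file declares. The column subset, the See5 attribute types in SCHEMA and the sample rows are constructed for this example.

```python
"""Produce the See5/C5.0 .names and .data pair from rows of the joined table.

Added example, not the paper's PHP.  Input rows are what a MySQL client hands
back for the `s5` left join: one dict per cid, SQL NULL as None, IP addresses
as the integers SNORT stores (aton form).  The column subset and the See5
attribute types in SCHEMA are this example's choices, not the paper's.
"""
import socket
import struct

# (column, See5 attribute type); each becomes a "name: type." line in .names.
SCHEMA = [
    ("cid", "ignore"),                # key only; must not influence the tree
    ("sig_class_id", "discrete 20"),  # the paper builds the target from this
    ("sig_priority", "continuous"),
    ("timestamp", "timestamp"),       # See5 reads MySQL's YYYY-MM-DD HH:MM:SS
    ("layer4_sport", "continuous"),
    ("layer4_dport", "continuous"),
    ("ip_src", "discrete 500"),
    ("ip_dst", "discrete 500"),
    ("ip_proto", "discrete 3"),
    ("ip_ttl", "continuous"),
    ("tcp_flags", "continuous"),
    ("udp_len", "continuous"),
    ("icmp_type", "continuous"),
]
ATON_COLUMNS = {"ip_src", "ip_dst"}
TARGET = "sig_class_id"
NOT_APPLICABLE = "N/A"  # See5's marker for "not applicable", the value ifnull() inserts


def aton_to_dotted(value):
    """Reverse MySQL inet_aton(): 3232235777 -> '192.168.1.1'."""
    return socket.inet_ntoa(struct.pack("!I", int(value)))


def names_file(schema=SCHEMA, target=TARGET):
    """First line names the class attribute; one 'name: type.' line per column."""
    lines = [f"{target}."] + [f"{name}: {kind}." for name, kind in schema]
    return "\n".join(lines) + "\n"


def format_value(column, value):
    if value is None:              # NULL from a left join that found no header row
        return NOT_APPLICABLE
    if column in ATON_COLUMNS:
        return aton_to_dotted(value)
    return str(value)


def data_file(rows, schema=SCHEMA):
    """One comma-separated case per row, columns in .names order."""
    return "".join(
        ",".join(format_value(name, row.get(name)) for name, _ in schema) + "\n"
        for row in rows)


def check_consistent(names_text, data_text):
    """Return 1-based numbers of .data lines whose field count differs from
    the attribute count in .names (the kind of error that stopped See5)."""
    expected = len(names_text.splitlines()) - 1   # minus the class line
    return [i for i, line in enumerate(data_text.splitlines(), 1)
            if line.count(",") + 1 != expected]


# Constructed sample rows standing in for three cids from the s5 join:
# a TCP, a UDP and an ICMP event, so each has NULLs in the other headers.
SAMPLE_ROWS = [
    {"cid": 1, "sig_class_id": 3, "sig_priority": 2,
     "timestamp": "2008-03-10 14:22:05", "layer4_sport": 40123,
     "layer4_dport": 111, "ip_src": 3232235777, "ip_dst": 167772170,
     "ip_proto": 6, "ip_ttl": 64, "tcp_flags": 2,
     "udp_len": None, "icmp_type": None},
    {"cid": 2, "sig_class_id": 1, "sig_priority": 3,
     "timestamp": "2008-03-10 14:22:09", "layer4_sport": 5353,
     "layer4_dport": 53, "ip_src": 3232235778, "ip_dst": 167772170,
     "ip_proto": 17, "ip_ttl": 128, "tcp_flags": None,
     "udp_len": 48, "icmp_type": None},
    {"cid": 3, "sig_class_id": 2, "sig_priority": None,
     "timestamp": "2008-03-10 14:23:00", "layer4_sport": None,
     "layer4_dport": None, "ip_src": 3232235779, "ip_dst": 167772170,
     "ip_proto": 1, "ip_ttl": 255, "tcp_flags": None,
     "udp_len": None, "icmp_type": 8},
]

if __name__ == "__main__":
    names, data = names_file(), data_file(SAMPLE_ROWS)
    print(names)
    print(data)
    print("inconsistent lines:", check_consistent(names, data))
```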
By embedding these queries into our intrusion detection system to get network traffic into a database to be used for data mining, the automation of this process can be done through an interface, in order to have the process do the data set retrieval.

VI. Information Fusion Framework for Intrusion Detection

In this section we discuss our experience in analyzing the benefits of using information fusion and honeynets for intrusion detection. Network-based distributed attacks are especially difficult to detect and require coordination among different intrusion detection components. Using honeypots provides an effective solution to increase security, and it is also a useful tool for network forensics. Our purpose for this work is to examine how to integrate multiple intrusion detection sensors and honeynets in order to minimize the number of incorrect alarms. Our implementation framework for designing a data fusion/honeynet based project for network security analysis is illustrated in Figure 1; it is concerned with including all important attributes and thus having all data available. On the whole, our information fusion based intrusion detection model is in fact a prototype and needs to evolve into a more mature and efficient model.

Figure 1: Information Fusion-based Intrusion Detection Framework

It is known that the information about a given traffic pattern being normal or malicious can be obtained from multiple sources such as the traffic statistics, the content information and other basic information about the connection. Our framework takes advantage of this fact, and attempts to build a system that is capable of combining information from multiple sources to make a more informed decision. In real scenarios, the traffic patterns change over time, and a classification system that is capable of adapting to these changes is desirable. If a new type of attack becomes known, the system would detect it as a previously unseen pattern. If there are multiple sources of information (sensors) available that provide relevant information that can help identify an attack and distinguish between the different types of attacks, with support from the intrusion detection system, then the system would be able to update its functioning so as to be able to detect this attack type in the future.

The current implementation of the framework shown in Figure 1 installs two sensors. The number of attacks per day collected from the two sensors is shown collectively in Figure 2, and the number of essential attacks per hour on the two sensors is shown separately in Figure 3.

Figure 2: Essential Attacks Collected from Two Sensors per Day

Figure 3: Essential Attacks Collected from Two Sensors per Hour

Our preliminary implementation has the capability to fuse information from multiple sources and also to adapt itself to changing environments. It uses a multiple-sensor approach to incorporate these capabilities.

VII. Conclusion and Future Work

An automatic computer system for information fusion in sensor based intrusion detection is under development in our computer security research laboratory. It uses the SNORT system to collect network traffic data, pre-processes the data and transforms
data into the input format of the data mining and machine learning system See5, which induces a set of classification rules or a decision tree from the input data. The outcome of the See5 system can be used to recognize suspicious network activities by discriminating between normal and abnormal user behaviours. Our intrusion detection and prevention system will automatically set these rules in a firewall to prevent malicious activities.

In this paper, the first two components of our intrusion detection and prevention system are presented, including the packet information collection and data transformation. The SNORT system and the See5 system are briefly introduced. The framework of our information fusion based system implementation is briefly introduced and the preliminary findings for data collection from multiple sources are illustrated. Our future work is to complete the remaining two components of the system under development, including the application of See5 and the automatic setting of firewall rules. The results and findings will be reported in the near future.

Acknowledgment

This paper is based on work supported by the National Science Foundation (NSF) through grant CNS-0540592 and NGA. Any opinions, findings, and conclusions or recommendations expressed in the paper are those of the authors and do not necessarily reflect the views of the NSF.

References

[1] R. G. Bace, Intrusion Detection, Sans Publishing, 1999.
[2] H. Debar and A. Wespi, Aggregation and Correlation of Intrusion-Detection Alerts, Proc. of RAID, 2001.
[3] W. Lee, J. Cabrera, A. Thomas, N. Balwalli, S. Saluja, and Y. Zhang, Performance Adaptation in Real-Time Intrusion Detection Systems, Proc. of RAID, 2002.
[4] P. Ning, Intrusion Detection in Distributed Systems: An Abstraction-Based Approach, Springer, 2003.
[5] D. Wagner and D. Dean, Intrusion Detection via Static Analysis, Proceedings of the 2001 IEEE Symposium on Security and Privacy, 2002.
[6] C. Y. Chung, M. Gertz, and K. Levitt, "Discovery of Multi-Level Security Policies", The Fourteenth Annual IFIP WG 11.3 Working Conference on Database Security, 2000.
[7] W. Lee and S. Stolfo, A Framework for Constructing Features and Models for Intrusion Detection Systems, ACM Transactions on Information and System Security, 3 (4), November 2000.
[8] M. Roesch, The Story of Snort: Past, Present and Future, 2005, http://www.net-security.org/article.php?id=860
[9] D. Dittrich, Network "sniffers" and You, http://staff.washington.edu/dittrich/misc/sniffers/, 1998.
[10] L. L. Peterson and S. B. Davie, Computer Networks: A Systems Approach, Morgan Kaufmann Publishers, San Francisco, CA, 2003.
[11] J. Gomez and D. Dasgupta, Evolving Fuzzy Classifiers for Intrusion Detection, Proc. of IEEE Workshop on Information Assurance, New York, June 2002.
[12] J. Han, K. Kowalski, M. Beheshti, Detecting Network Intrusions Based on a Generalized Rough Set Model, Proc. of International Symposium on Telecommunications, 247-252, September 10-12, 2005, Shiraz, Iran.
[13] K. Julisch and M. Dacier, Mining Intrusion Detection Alarms for Actionable Knowledge, Proc. of the 8th ACM SIGKDD, 366-375, 2002.
[14] Rulequest Research, See5: A Tutorial, http://www2.cs.uh.edu/~ceick/ai/C5-Tutorial.html
[15] J. R. Quinlan, C4.5: Programs for Machine Learning, Morgan Kaufmann Publishers, 1993.
[16] B. Richard, The Tao of Network Security Monitoring: Beyond Intrusion Detection, Pearson Education, Inc., Boston, MA, 2004.
[17] B. Caswell and J. Hewlett, Snort Users Manual, Snort.org, 2003, http://www.snort.org/docs/snort_htmanuals/htmanual_281/
[18] F. Alejandro, F. James, G. Axton, H. Jon, J. Kevin, M. Dough, M. Sean, R. Tim, S. Christian, and V. Max, BASE, Basic Analysis and Security Engine, 2000-2004, http://base.secureideas.net/
[19] MySQL AB, mysql, 1995-2008, http://www.mysql.com/
[20] J. Cerna and J. Tomelden, JACED_IPTables.php, Department of Computer Science, California State University Dominguez Hills, 2007.
[21] L. Ullman, PHP and MySQL for Dynamic Web Sites, Peachpit Press, 2003.
