"STATISTICAL PROFILER MODULE, FEATURE PERFORMANCE TESTING MODULE AND FEATURE EVALUATION MODULE FOR NETWORK INTRUSION DETECTION"

Authors

Nabonarayan Jha, B R A Bihar University, Muzaffarpur, Bihar, India.

Dr. K. B. Singh, L. S. College, Muzaffarpur, Bihar, India.

Abstract

The next processing step is the generation of attack and normal profiles. This task is accomplished by the Statistical Profiler Module. The module uses the provided attack labels to separate the intrusive and normal behavior of each individual feature, and stores the corresponding statistical data in uniquely identifiable profiles. Each profile keeps track of the mean μ and standard deviation σ of a particular feature during the normal or intrusive stages. It is known that features tend to have different values for different protocols. For instance, the size of ICMP packets is expected to be smaller than the size of TCP packets. Thus, instead of creating a single profile for the normal behavior of a feature, in this paper our system creates individual normal profiles for each protocol that applies to the current feature. The module also evaluates the false positives that each feature produces. The False Positive Evaluation sub-module is responsible for this task, and the detailed algorithms that it implements are described. Once the evaluation is done, the false positive predictions (i.e., FP(f_i)) are saved into the False Positives DB. The database keeps, for each feature f_i, the corresponding FP(f_i) value. The process of extracting profiles and predicting false positives is repeated once for each TCP dump file and tuning combination, until all the possible combinations are exhausted.
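
The profiling step described above can be sketched as follows. This is an added example, not the authors' implementation: it builds per-protocol normal profiles and attack profiles (μ, σ) from labeled records and estimates FP(f_i) for one feature. The record layout, the function names, the grouping of attack profiles by label and the k·σ deviation rule used for the false positive estimate are assumptions, since the abstract does not give the algorithms.

```python
import math
from collections import defaultdict

# Constructed sample records: (protocol, attack label or None, {feature: value}).
RECORDS = [
    ("tcp", None, {"pkt_size": 500.0}),
    ("tcp", None, {"pkt_size": 520.0}),
    ("tcp", None, {"pkt_size": 480.0}),
    ("tcp", None, {"pkt_size": 900.0}),      # normal but unusually large
    ("icmp", None, {"pkt_size": 64.0}),
    ("icmp", None, {"pkt_size": 72.0}),
    ("icmp", None, {"pkt_size": 56.0}),
    ("icmp", "flood", {"pkt_size": 1400.0}),
    ("icmp", "flood", {"pkt_size": 1500.0}),
]

def build_profiles(records):
    """Return {(feature, stage, group): (mean, std)}.

    Normal traffic is grouped per protocol, as the abstract describes.
    Grouping attack traffic per attack label is an assumption.
    """
    buckets = defaultdict(list)
    for proto, label, feats in records:
        stage, group = ("normal", proto) if label is None else ("attack", label)
        for name, value in feats.items():
            buckets[(name, stage, group)].append(value)
    profiles = {}
    for key, vals in buckets.items():
        mu = sum(vals) / len(vals)
        sigma = math.sqrt(sum((v - mu) ** 2 for v in vals) / len(vals))
        profiles[key] = (mu, sigma)
    return profiles

def false_positive_rate(records, profiles, feature, k=1.5):
    """FP(f_i) under an assumed k-sigma rule: the share of normal records whose
    value lies more than k*sigma from the normal profile of their protocol."""
    flagged = total = 0
    for proto, label, feats in records:
        if label is not None or feature not in feats:
            continue                          # only normal traffic can be a false positive
        mu, sigma = profiles[(feature, "normal", proto)]
        total += 1
        flagged += abs(feats[feature] - mu) > k * sigma
    return flagged / total if total else 0.0

if __name__ == "__main__":
    profiles = build_profiles(RECORDS)
    for key in sorted(profiles):
        print(key, "mean=%.1f std=%.1f" % profiles[key])
    print("FP(pkt_size) =", round(false_positive_rate(RECORDS, profiles, "pkt_size"), 3))
```

A single pooled normal profile would mix the ICMP and TCP sizes into one wide distribution; keeping them separate is what lets the small ICMP packets be judged against their own mean and deviation.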