Nabonarayan Jha, B R A Bihar University, Muzaffarpur, Bihar, India.
Dr. K. B. Singh, L. S. College, Muzaffarpur, Bihar, India.
Abstract
The next processing step is the attack and normal profile generation. The task is
accomplished by the Statistical Profiler Module. This module uses the provided
attack labels to filter out the intrusive and normal behavior of each individual feature,
and stores the corresponding statistical data into uniquely identifiable profiles. Each
profile keeps track of the mean μ and standard deviation σ statistics of a particular
feature during the normal or intrusive stages. It is known that the features tend to
have different values for different protocols. For instance, the size of the ICMP
packets is expected to be smaller than the size of the TCP packets.
Thus, instead of creating a single profile for the normal behavior of a feature, in
this paper our system creates individual normal profiles for each protocol that applies
to the current feature.
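
The sketch below is an added example, not code from the paper: it builds μ/σ profiles from labelled records and shows how a pooled normal profile hides an oversized ICMP packet that the per-protocol profile exposes. The record layout, the `pkt_size` feature name, the `"*"` key for unsplit profiles and the z-score comparison are assumptions made for illustration; the sample records are constructed.

```python
import statistics
from collections import defaultdict

# Constructed sample: (protocol, feature, value, attack label) per packet.
RECORDS = [
    ("icmp", "pkt_size", 64, "normal"), ("icmp", "pkt_size", 72, "normal"),
    ("icmp", "pkt_size", 68, "normal"), ("icmp", "pkt_size", 60, "normal"),
    ("tcp", "pkt_size", 1200, "normal"), ("tcp", "pkt_size", 1460, "normal"),
    ("tcp", "pkt_size", 900, "normal"), ("tcp", "pkt_size", 1340, "normal"),
    ("icmp", "pkt_size", 1400, "attack"), ("icmp", "pkt_size", 1480, "attack"),
]

def build_profiles(records, per_protocol=True):
    """Return {(feature, stage, protocol): (mean, stdev)}.

    Normal profiles are split by protocol when per_protocol is True.
    Attack profiles stay per feature under the key "*" (assumption).
    """
    groups = defaultdict(list)
    for proto, feature, value, label in records:
        split = per_protocol and label == "normal"
        groups[(feature, label, proto if split else "*")].append(value)
    return {key: (statistics.fmean(vals), statistics.pstdev(vals))
            for key, vals in groups.items()}

def z_score(profile, value):
    """Distance of value from the profile mean, in standard deviations."""
    mu, sigma = profile
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return abs(value - mu) / sigma

def compare(value=1400, feature="pkt_size", proto="icmp"):
    """Score one observation against the pooled and per-protocol profiles."""
    pooled = build_profiles(RECORDS, per_protocol=False)
    split = build_profiles(RECORDS, per_protocol=True)
    return (z_score(pooled[(feature, "normal", "*")], value),
            z_score(split[(feature, "normal", proto)], value))

if __name__ == "__main__":
    for key, (mu, sigma) in sorted(build_profiles(RECORDS).items()):
        print(key, f"mean={mu:.1f} stdev={sigma:.1f}")
    pooled_z, icmp_z = compare()
    print(f"1400-byte ICMP packet: pooled z={pooled_z:.2f}, ICMP z={icmp_z:.2f}")
```
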
The module also evaluates the false positives that each feature produces. The
False Positive Evaluation sub-module is responsible for this task and the detailed
algorithms that it implements are described. Once the evaluation is done, the false
positive predictions (i.e., FP(f_i)) are saved into the False Positives DB. The database
keeps for each feature f_i the corresponding FP(f_i) value. The process of extracting
profiles and false positive predictions is repeated once for each TCP dump file and
tuning combination, until all the possible combinations are exhausted.