An artificial intelligence membrane to detect network intrusion |
| |
Authors: | Takeshi Okamoto |
| |
Affiliation: | Department of Information Network and Communication, Kanagawa Institute of Technology, Kanagawa, Japan |
| |
Abstract: | We propose an artificial intelligence membrane to detect network intrusion, by analogy with the biological membrane that
keeps viruses from entering a cell. The artificial membrane monitors incoming packets and prevents malicious program code
(e.g., shellcode) from being injected into the stack or heap of a process. While monitoring incoming TCP packets, the membrane
reassembles the TCP segment carried by those packets and derives three kinds of features from it: the frequency of each byte
value (0 to 255), the Shannon entropy of the segment, and the segment size. These features are classified by a data-mining
technique such as a decision tree or a neural network. If the classifier flags a byte sequence as suspicious, the sequence
is emulated to confirm that it really is shellcode. If the byte sequence is shellcode, it is dropped and, at the same time, an
alert is sent to the system administrator. Our experiments compared seven data-mining methods on normal and malicious network
traffic. The malicious traffic consisted of 114 shellcodes provided by the Metasploit framework, including 10 types of
metamorphic or polymorphic shellcode. Real network traffic containing shellcode was examined as well. We found that a random
forest outperformed all the other data-mining methods, with a very high detection accuracy: a true-positive rate of 99.6% and
a false-positive rate of 0.4%. |
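The feature-extraction stage described in the abstract (reassemble the TCP segment, then compute the 256 byte-value frequencies, the entropy and the size) is small enough to show in full. The following is an added worked example, not code from the paper or its authors: it reassembles out-of-order and retransmitted segments, builds the 258-dimensional feature vector, and runs a hand-written threshold rule in place of the paper's trained random forest. The thresholds (entropy above 5.5 bits, or more than 10% NOP bytes), the sample HTTP request and the pseudo-random stand-in for a shellcode payload are all constructed assumptions for illustration; the emulation stage is not implemented here.

```python
import math

# --- Stage 1: reassemble one direction of a TCP stream --------------------
def reassemble_stream(segments):
    """Rebuild the contiguous payload from (seq, payload) pairs that may
    arrive out of order or be retransmitted. Overlapping bytes already in
    the stream are dropped; reassembly stops at the first hole.
    Assumption (simplification): no 32-bit sequence-number wraparound."""
    stream = bytearray()
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq < expected:                      # retransmit / overlap: keep only the new tail
            payload = payload[expected - seq:]
            seq = expected
        if seq > expected:                      # gap in the stream: stop here
            break
        stream += payload
        expected += len(payload)
    return bytes(stream)

# --- Stage 2: the 258-dimensional feature vector --------------------------
def extract_features(segment):
    """Return [freq(0x00) .. freq(0xFF), entropy_bits, size] for a segment."""
    n = len(segment)
    counts = [0] * 256
    for b in segment:
        counts[b] += 1
    freqs = [c / n if n else 0.0 for c in counts]
    # Shannon entropy over byte values, in bits (0.0 for a constant segment, 8.0 for uniform)
    entropy = -sum(p * math.log2(p) for p in freqs if p > 0)
    return freqs + [entropy, float(n)]

# --- Stage 3: classifier stand-in -----------------------------------------
NOP = 0x90  # x86 single-byte NOP, the classic sled filler

def looks_suspicious(features, entropy_threshold=5.5, nop_threshold=0.10):
    """Hand-written decision stump standing in for the trained model.
    Assumption: these thresholds are illustrative, not values from the paper."""
    return features[256] > entropy_threshold or features[NOP] > nop_threshold

def analyze(segments):
    """Run the three stages and report size, entropy and the verdict."""
    stream = reassemble_stream(segments)
    f = extract_features(stream)
    return {"size": len(stream), "entropy": f[256], "suspicious": looks_suspicious(f)}

# --- Constructed sample traffic (not captured data) -----------------------
BENIGN_SEGMENTS = [
    (1001, b"GET /index.html HTTP/1.1\r\n"),
    (1027, b"Host: example.com\r\n"),
    (1046, b"User-Agent: curl/8.0\r\n\r\n"),
]

# A NOP sled followed by 96 deterministic pseudo-random bytes, used as a
# stand-in for a high-entropy shellcode payload (it is not real shellcode).
SHELLCODE_LIKE = bytes([NOP]) * 32 + bytes((i * 73 + 11) % 256 for i in range(96))
SUSPECT_SEGMENTS = [(5000, SHELLCODE_LIKE[:64]), (5064, SHELLCODE_LIKE[64:])]

if __name__ == "__main__":
    for name, segs in (("benign", BENIGN_SEGMENTS), ("suspect", SUSPECT_SEGMENTS)):
        print(name, analyze(segs))
```

In practice the stump would be replaced by the trained random forest operating on the same 258-element vector, and a positive verdict would hand the byte sequence to an emulator before it is dropped, since a high-entropy segment may just as well be a compressed or encrypted payload.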
| |
Keywords: | |
This publication is indexed in SpringerLink and other databases.