Testing CAB-IDS Through Mutations: On the Identification of Network Scans

  • Emilio Corchado
  • Álvaro Herrero
  • José Manuel Sáiz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4252)


This study demonstrates the ability of powerful visualization tools (based on the use of connectionist models) to identify network intrusion attempts in an effective and reliable manner. It presents a novel technique to test and evaluate a previously developed network-based intrusion detection system (IDS). This technique applies mutant operators and is intended to test IDSs using numerical data sets. It should be made clear that some mutations were discarded as they did not all provide real life situations. As an application example of the proposed testing model, it has been specially applied to the identification of network scans and mutations of these. The tested Connectionist Agent-Based IDS (CAB-IDS) is used as a method to investigate the traffic which travels along the analysed network, detecting anomalous traffic patterns. The specific tests performed in this study were based on the mutation of one or several variables analysed by CAB-IDS.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Goldring, T.: Scatter (and Other) Plots for Visualizing User Profiling Data and Network Traffic. In: ACM Workshop on Visualization and Data Mining for Computer Security, pp. 119–123 (2004)Google Scholar
  2. 2.
    Muelder, C., Ma, K.-L., Bartoletti, T.: Interactive Visualization for Network and Port Scan Detection. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 265–283. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Abdullah, K., Lee, C., Conti, G., Copeland, J.A.: Visualizing Network Data for Intrusion Detection. In: IEEE Workshop on Information Assurance and Security, pp. 100–108 (2002)Google Scholar
  4. 4.
    Herrero, A., Corchado, E., Sáiz, J.M.: Identification of Anomalous SNMP Situations Using a Cooperative Connectionist Exploratory Projection Pursuit Model. In: Gallagher, M., Hogan, J.P., Maire, F. (eds.) IDEAL 2005. LNCS, vol. 3578, pp. 187–194. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  5. 5.
    Corchado, E.S., Herrero, Á., Sáiz, J.M.: Detecting Compounded Anomalous SNMP Situations Using Cooperative Unsupervised Pattern Recognition. In: Duch, W., Kacprzyk, J., Oja, E., Zadrożny, S. (eds.) ICANN 2005. LNCS, vol. 3697, pp. 905–910. Springer, Heidelberg (2005)Google Scholar
  6. 6.
    Corchado, E., Herrero, A., Sáiz, J.M.: A Feature Selection Agent-Based IDS. In: First European Symposium on Nature-Inspired Smart Information Systems (2005)Google Scholar
  7. 7.
    Ranum, M.J.: Experiences Benchmarking Intrusion Detection Systems. NFR Security (2001)Google Scholar
  8. 8.
    Vigna, G., Robertson, W., Balzarotti, D.: Testing Network-Based Intrusion Detection Signatures Using Mutant Exploits. In: ACM Conference on Computer and Communication Security (ACM CCS), pp. 21–30 (2004)Google Scholar
  9. 9.
    Wooldridge, M.: Multiagent Systems: A Modern Approach to Distributed Artificial Intelligence, Gerhard Weiss (1999)Google Scholar
  10. 10.
    Friedman, J., Tukey, J.: A Projection Pursuit Algorithm for Exploratory Data Analysis. IEEE Transaction on Computers 23, 881–890 (1974)zbMATHCrossRefGoogle Scholar
  11. 11.
    Hyvärinen, A.: Complexity Pursuit: Separating Interesting Components from Time Series. Neural Computation 13(4), 883–898 (2001)zbMATHCrossRefGoogle Scholar
  12. 12.
    Corchado, E., Han, Y., Fyfe, C.: Structuring Global Responses of Local Filters Using Lateral Connections. Journal of Experimental and Theoretical Artificial Intelligence 15(4), 473–487 (2003)zbMATHCrossRefGoogle Scholar
  13. 13.
    Corchado, E., Fyfe, C.: Connectionist Techniques for the Identification and Suppression of Interfering Underlying Factors. International Journal of Pattern Recognition and Artificial Intelligence 17(8), 1447–1466 (2003)CrossRefGoogle Scholar
  14. 14.
    Corchado, E., Corchado, J.M., Sáiz, L., Lara, A.: Constructing a Global and Integral Model of Business Management Using a CBR System. In: Luo, Y. (ed.) CDVE 2004. LNCS, vol. 3190, pp. 141–147. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  15. 15.
    Corchado, E., MacDonald, D., Fyfe, C.: Maximum and Minimum Likelihood Hebbian Learning for Exploratory Projection Pursuit. In: Data Mining and Knowledge Discovery, vol. 8(3), pp. 203–225. Kluwer Academic Publishers, Dordrecht (2004)Google Scholar
  16. 16.
    Fyfe, C., Corchado, E.: Maximum Likelihood Hebbian Rules. In: European Symposium on Artificial Neural Networks, pp. 143–148 (2002)Google Scholar
  17. 17.
    Seung, H.S., Socci, N.D., Lee, D.: The Rectified Gaussian Distribution. Advances in Neural Information Processing Systems 10, 350–356 (1998)Google Scholar
  18. 18.
    Oja, E.: Neural Networks, Principal Components and Subspaces. International Journal of Neural Systems 1, 61–68 (1989)CrossRefMathSciNetGoogle Scholar
  19. 19.
    Hätönen, K., Höglund, A., Sorvari, A.: A Computer Host-Based User Anomaly Detection System Using the Self-Organizing Map. In: International Joint Conference of Neural Networks, pp. 411–416 (2000)Google Scholar
  20. 20.
    Zanero, S., Savaresi, S.M.: Unsupervised Learning Techniques for an Intrusion Detection System. In: ACM Symposium on Applied Computing, pp. 412–419 (2004)Google Scholar
  21. 21.
    Marty, R.: Thor: A Tool to Test Intrusion Detection Systems by Variations of Attacks. ETH Zurich. Diploma Thesis (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Emilio Corchado
    • 1
  • Álvaro Herrero
    • 1
  • José Manuel Sáiz
    • 1
  1. 1.Department of Civil EngineeringUniversity of BurgosSpain

Personalised recommendations