Snort mailing list archives
[SNORT-devel] Snort with anomaly detection
From: Nguyen Kien <kiennguyen1101 () gmail com>
Date: Mon, 11 Apr 2011 21:35:11 +0700
Hi all,

I'm currently working on research on using the Artificial Immune System (AIS) approach to intrusion detection with the Negative Selection Algorithm (NSA). The algorithm by Forrest et al. [1] is as follows:

1. Define the self-profile.
2. Generate random candidate detectors.
3. Match the candidate detectors against the self-data. If a candidate matches, it is discarded; otherwise it is added to the detector set.

The detector set is used to detect anomalous traffic.

I'm trying to port the algorithm into Snort, using a custom preprocessor (is it better to use a dynamic preprocessor?). The self-data is collected from the IP packet headers and stored in the database to generate the detector set. I'm planning to use the DARPA data set for the self-data. I've written a helloworld preprocessor to collect header data from the DARPA data set. However, I'm having a few technical problems that I would like to ask about.

- Where should I put my code to generate the detector set in the Snort preprocessor? In the exit function, after data collection in the helloworld preprocessor? In the initialization of a new preprocessor?
- Is it OK to check each packet against around 100 detectors? Does it destroy the performance of Snort?

Best Regards.

[1] S. Forrest, A. Perelson, et al., "Self-Nonself Discrimination in a Computer", 1994.
Attachments: spp_helloworld.c, spp_helloworld.h
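The three negative-selection steps described in the message, as an added C example that is not the poster's preprocessor code and not part of Snort: the feature encoding (protocol, TTL, total length packed into 32 bits), the 4-packet self profile and the detector count of 100 are assumptions of the example, while the r-contiguous-bits matching rule is the one from Forrest et al.

```c
#include <stddef.h>
#include <stdint.h>
/* Pack IP header fields into a 32-bit feature string (an assumed encoding). */
uint32_t header_feature(uint8_t proto, uint8_t ttl, uint16_t total_len)
{
    return ((uint32_t)proto << 24) | ((uint32_t)ttl << 16) | total_len;
}
/* r-contiguous-bits rule (Forrest et al.): a and b match if they agree on r adjacent bits. */
int rcb_match(uint32_t a, uint32_t b, int r)
{
    uint32_t diff = a ^ b;             /* zero bit = position that agrees */
    int run = 0;
    for (int i = 0; i < 32; i++) {
        if (diff & (1u << i)) run = 0;
        else if (++run >= r) return 1;
    }
    return 0;
}
/* Negative selection: keep random candidates that match no self string. */
size_t nsa_generate(const uint32_t *self, size_t nself, uint32_t *det,
                    size_t ndet, int r, uint32_t seed)
{
    size_t count = 0;
    for (size_t tries = 0; tries < ndet * 50 && count < ndet; tries++) {
        seed ^= seed << 13; seed ^= seed >> 17; seed ^= seed << 5; /* xorshift32 */
        int is_self = 0;
        for (size_t i = 0; i < nself && !is_self; i++)
            is_self = rcb_match(seed, self[i], r);
        if (!is_self) det[count++] = seed;     /* candidate survives censoring */
    }
    return count;                              /* may be < ndet if tries run out */
}
/* Detection: a packet whose feature matches any detector is anomalous. */
int nsa_is_anomalous(uint32_t feature, const uint32_t *det, size_t ndet, int r)
{
    for (size_t i = 0; i < ndet; i++)
        if (rcb_match(feature, det[i], r)) return 1;
    return 0;
}
/* Constructed 4-packet self profile: returns detector count, or -1 if a self sample is flagged. */
int nsa_self_check(void)
{
    uint32_t self[4] = { header_feature(6, 64, 1500), header_feature(6, 64, 52),
                         header_feature(17, 64, 78), header_feature(1, 64, 84) };
    uint32_t det[100];
    size_t n = nsa_generate(self, 4, det, 100, 10, 0x9E3779B9u);
    for (size_t i = 0; i < 4; i++)
        if (nsa_is_anomalous(self[i], det, n, 10)) return -1;
    return (int)n;
}
```

The per-packet cost is one `rcb_match` per detector, so 100 detectors means at most 100 XOR-and-scan passes over 32 bits for each packet; the censoring loop belongs where the self-data collection has finished, since every detector must be checked against the complete self set.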