Abstract
We propose an artificial intelligence membrane to detect network intrusion, by analogy with a biological membrane that prevents viruses from entering cells. The artificial membrane monitors incoming packets and aims to prevent malicious program code (e.g., a shellcode) from breaking into the stack or heap in memory. While monitoring incoming TCP packets, the membrane reassembles them into a TCP segment and derives the byte frequency of the segment (the frequency of each byte value from 0 to 255), together with the segment's entropy and size. These features are classified by a data-mining technique such as a decision tree or neural network. If the data-mining method flags a suspicious byte sequence, the sequence is emulated to confirm that it really is a shellcode. If the byte sequence is a shellcode, it is dropped and, at the same time, an alert is sent to the system administrator. Our experiments examined seven data-mining methods on normal and malicious network traffic. The malicious traffic comprised 114 shellcodes provided by the Metasploit framework, including 10 types of metamorphic or polymorphic shellcode. Real network traffic containing shellcodes was also examined. We found that a random forest method outperformed all the other data-mining methods and achieved very high detection accuracy, with a true-positive rate of 99.6% and a false-positive rate of 0.4%.
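The feature-extraction stage described in the abstract (reassemble a TCP segment from incoming packets, then compute the 256-bin byte-frequency histogram, the Shannon entropy and the size) can be written down concretely. The following is an added example and not the authors' code: it assumes a simplified packet model of `(sequence_number, payload)` pairs, ignores TCP flags and window handling, and uses constructed sample payloads (a plain HTTP request and a synthetic byte-ramp with maximal entropy). The classifier stage (decision tree, neural network or random forest) is left out; the feature vector returned here is what such a classifier would consume.

```python
import math
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed, simplified model of a captured TCP packet: (sequence number, payload).
# A real reassembler must also handle flags, retransmission timing and windows.
Packet = Tuple[int, bytes]


def reassemble_stream(packets: Iterable[Packet], isn: int) -> bytes:
    """Rebuild the contiguous payload of one TCP direction from packets that may
    arrive out of order. `isn` is the sequence number of the first payload byte.
    Reassembly stops at a gap (missing segment) rather than guessing; bytes that
    overlap data already seen are trimmed so the earlier copy is kept."""
    stream = bytearray()
    expected = isn
    for seq, payload in sorted(packets, key=lambda p: p[0]):
        if seq > expected:
            break  # hole in the stream: do not stitch across it
        overlap = expected - seq
        if overlap >= len(payload):
            continue  # pure retransmission of data we already have
        stream += payload[overlap:]
        expected = seq + len(payload)
    return bytes(stream)


def byte_frequency(data: bytes) -> List[float]:
    """Relative frequency of each byte value 0..255 -> 256 numeric features."""
    n = len(data)
    if n == 0:
        return [0.0] * 256
    counts = Counter(data)
    return [counts.get(value, 0) / n for value in range(256)]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte, 8.0 max."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def segment_features(data: bytes) -> Dict[str, object]:
    """Feature record for one reassembled segment: histogram, entropy, size."""
    return {
        "freq": byte_frequency(data),
        "entropy": shannon_entropy(data),
        "size": len(data),
    }


# Constructed sample: a benign HTTP request delivered as three out-of-order packets.
HTTP_ISN = 1000
HTTP_PACKETS: List[Packet] = [
    (1000 + 16, b"Host: example.test\r\n\r\n"),
    (1000, b"GET / HTTP/1.1\r\n"),
    (1000 + 4, b"/ HTTP/1.1\r\n"),  # overlapping retransmission, should be trimmed
]

# Constructed sample: every byte value once, the maximum-entropy case (8.0 bits/byte).
# This is synthetic filler to exercise the entropy feature, not executable code.
RAMP_PAYLOAD = bytes(range(256))


def demo() -> Dict[str, Dict[str, object]]:
    """Run both constructed samples through reassembly and feature extraction."""
    http_segment = reassemble_stream(HTTP_PACKETS, HTTP_ISN)
    return {
        "http": segment_features(http_segment),
        "ramp": segment_features(RAMP_PAYLOAD),
    }


if __name__ == "__main__":
    for name, feats in demo().items():
        print(f"{name}: size={feats['size']} entropy={feats['entropy']:.3f} bits/byte")
```

The two entropy values bracket what a classifier sees: plain-text protocol traffic sits well below 8 bits per byte, while encoded or compressed payloads approach it. Entropy alone is not a verdict (legitimate TLS or compressed content is also high-entropy), which is why the abstract pairs the features with a trained classifier and then an emulation step before anything is dropped.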
Additional information
This work was presented in part at the 15th International Symposium on Artificial Life and Robotics, Oita, Japan, February 4–6, 2010
Cite this article
Okamoto, T. An artificial intelligence membrane to detect network intrusion. Artif Life Robotics 16, 44–47 (2011). https://doi.org/10.1007/s10015-011-0880-5