Beruflich Dokumente
Kultur Dokumente
www.elsevier.com/locate/asoc
Abstract
Probing tools are widely used to discover system information. Once the information is known, attackers can launch computer attacks against the
vulnerable services running on the system. Even though current computer systems are protected against known attacks by implementing a number
of access restriction policies, protection against novel attacks still remains as an elusive goal for the researchers. Attackers defeat current protection
and detection mechanisms by exploiting unknown weakness and bugs in system and application software. Stealthy and low profile probes that
include only a few carefully crafted packets over an extended period of time are used to delude firewalls and intrusion detection systems (IDS).
Building effective IDSs, unfortunately, has remained an elusive goal owing to the great technical challenges involved and applied AI techniques
are increasingly being utilized in attempts to overcome the difficulties. This paper presents computational intelligent agents-based approach to
detect computer probes at the originating host. We also investigate and compare the performance of different classifiers used for detecting probes,
with respect to the data collected on a real network that includes a variety of simulated probe attacks and the normal activity.
Through a variety of experiments and analysis, it is found that with appropriately chosen network features computer probes can be detected in
real time or near real time at the originating host. Using the detection information, an effective response mechanism can be implemented at the
boundary controllers.
# 2006 Elsevier B.V. All rights reserved.
1. Introduction compared with the set of recognized misuse and attack patterns to
identify possible security violations. Further, the stored patterns
Intrusion detection is a problem of great significance to need be continually updated, which would normally involve
protecting information systems security, especially in view of human expertise. Constructing probing signatures is a bit more
the worldwide increasing incidents of cyber attacks on the complex as the attackers use carefully crafted packets over a
critical infrastructures. Since the ability of an IDS to classify a period of time that appear to be like normal network traffic.
large variety of intrusions in real time or in near real time with Traditional port scan detectors look for packets coming from
accurate results is important, we will consider performance several IP addresses with combination of different ports with in a
measures in critical aspects like training and testing times; defined time to a target machine, which involves computation to
scalability; and classification accuracy. analyze packet headers to search for signatures. In this paper, we
One of the main problems with IDSs is the overhead, which present a novel approach of detecting probes at the originating
can become unacceptably high. To analyze system logs, the machine using computational intelligent agent-based techniques
operating system must keep information regarding all the actions that reduces the computation at the server and efficiently deal
performed, which invariably results in huge amounts of data, with distributed attacks.
requiring disk space and CPU resource. Next, the logs must be Several artificial intelligence techniques have been utilized
processed and converted into a manageable format and then to automate the intrusion detection process to reduce human
intervention; several such techniques include neural networks
[1–6], fuzzy inference systems, evolutionary computation
* Corresponding author at. Institute for Complex Additive Systems Analysis,
New Mexico Tech, USA. Tel.: +1 505 835 5036; fax: +1 505 835 5587. machine learning [7,8], and so on. Several data mining
E-mail address: srinivas@cs.nmt.edu (S. Mukkamala). techniques have been introduced to identify key features or
1568-4946/$ – see front matter # 2006 Elsevier B.V. All rights reserved.
doi:10.1016/j.asoc.2005.12.002
632 S. Mukkamala et al. / Applied Soft Computing 7 (2007) 631–641
parameters that define intrusions [9–12]. A summary of classifying normal activity and probes. In Section 4, we briefly
intrusion detection techniques is given by several research describe the offline data analysis and feature extraction for real
works [13,14]. Some works applied neural networks as time detection of probes at the originating host. Real-time data
classifiers to detect low level probes and a summary of collection and feature extraction are described in Section 5.
different port-scan detection techniques is also available Implementation details of the computationally intelligent
[15,16]. multi-agent system are given in Section 6. Experimental
In this paper, we implement and evaluate the performance of results of using SVM, MARS and LGP as classifiers are given
computational intelligent multi-agent system to detect computer in Section 7. The summary and conclusions of our work are
probes at the originating host. Intelligent agents were given in Section 8.
encapsulated with different AI paradigms involving support
vector machines (SVM), multi-variate adaptive regression 2. Computational intelligent agents (CIA)-based
splines (MARS) and linear genetic programming (LGP) for architecture
detecting probes. Performance metrics include critical aspects of
intrusion detection such as scalability, real time detection and The CIA-based architecture for detecting computer attacks
accuracy. The IDS metric of real-time performance capability is consists of several modules that will be executed by the agents
not considered directly since it depends on the actual in a distributed manner. Communication among the agents is
implementation. The data we use in our experiments is collected done utilizing the TCP/IP sockets. Agent modules running on
on a real performing network at New Mexico Technology, USA the host computers consist of data collection agents, data
that includes normal activity and several classes of probing analysis agents and response agents. Agents running on the
attacks generated using an open source tool Network Mapper secure devices consist of the agent control modules that include
(Nmap). We perform experiments to classify the network traffic agent regeneration, agent dispatch, maintaining intrusion
sessions into ‘‘Normal’’ and ‘‘Probe’’. With appropriately chosen signatures and information of the features and feature ranking
population size, program size, crossover rate and mutation rate, algorithms that help identify the intrusions (Fig. 1).
linear genetic programs outperform other artificial intelligent
techniques in terms of detection accuracy. The experimental 2.1. Host agents
results of overall classification accuracy- and class-specific
accuracies using SVM, MARS and LGP are reported. Reside on the hosts of the internal network and perform the
A brief introduction to our computational intelligent agents- tasks specified by the master agent. These agents are
based architecture is given in Section 2. Data generation and implemented to be read only and fragile. In the event of
collection is described in Section 3 of this paper. Section 3 also tampering or modification, the agent reports to the server agent
briefly explains the different AI paradigms we used for and automatically ends its life (Fig. 2).
2.2. Server agents should be used depending on the information collected by the
monitoring agent.
Reside on the secure server of the network. Controls the Response module: Decides weather a proactive (honey pots,
individual host agents for monitoring the network and manages decoys, traps) or a reactive (block the activity at the
communication between the agents if necessary. These agents boundary) response mechanism should be implemented
manage the life cycle and also update the host agents with new depending on the intensity of the intrusion.
detection, feature extraction, response and trace mechanisms Trace back initiation: Initiates trace back with the help of the
(Fig. 3). controller agent and the device they are residing on. In the
The two diagrams above contain a variety of modules, as event of a network attack, they use the information of the
described below: router tables and try to reach the boundary router of the
attackers source by verifying the path at each boundary.
Agent controller: Manages the agents’ functionality, life
cycle, communication with other agents and the response Advantages of the proposed model:
mechanisms.
Attack signatures module: Maintains all the attack signatures with prior knowledge of the device and user profiles of the
and updates monitoring agents in the event of a new attack network, specific agents can be designed and implemented in
signature. a distributed fashion;
Data collection: Extracts features required by the detection highly optimized parallel algorithms can be designed and
algorithm to decide whether the activity is malicious or implemented independently for data collection agents, data
normal. analysis agents and response agents;
Intrusion detection module: Consists of soft computing, rule analysis for computationally limited devices can be offloaded
based and expert systems for classifying intrusions. Includes to cooperating systems and run in parallel to provide
a decision module that decides which classification algorithm capabilities not otherwise available on such devices;
Fig. 4. MARS data estimation using spines and knots (actual data on the right) [20].
attack-specific agents can be implemented and dispatched to predictors in place of the original data. The basis function
respond to specific new threats; transform makes it possible to selectively blank out certain
efficient detection algorithms can be implemented with less regions of a variable by making them zero, and allows MARS to
overhead; focus on specific sub-regions of the data. It excels at finding
rapid intrusion response and trace back can be performed optimal variable transformations and interactions, and the
more easily with the agents communicating with each other; complex data structure that often hides in high-dimensional
adjustable detection thresholds can be implemented. data [18,19] (Fig. 4).
Given the number of records in most data sets, it is infeasible
3. Data mining: a computational intelligence approach to approximate the function y = f(x) by summarizing y in each
distinct region of x. For some variables, two regions may not be
Data mining (also known as knowledge discovery in enough to track the specifics of the function. If the relationship
databases, KDD) has been defined by Frawley as ‘‘The of y to some x’s is different in three or four regions, for example,
nontrivial extraction of implicit, previously unknown and the number of regions requiring examination is even larger than
potentially useful information from data’’. Data mining 34 billion with only 35 variables. Given that the number of
techniques use machine learning, statistical and visualization regions cannot be specified a priori, specifying too few regions
techniques to discover and present knowledge from the raw in advance can have serious implications for the final model. A
information in a easily comprehensible form to humans. In the solution is needed that accomplishes the following two criteria:
field of intrusion detection data mining programs are used to
analyze audit trails and provide knowledge (features) that help judicious selection of which regions to look at and their
in distinguishing intrusive patterns from normal activity [9– boundaries;
12]. judicious determination of how many intervals are needed for
It is well known that the intelligent systems, which can each variable.
provide human like expertise such as domain knowledge, Given these two criteria, a successful method will essentially
uncertain reasoning and adaptation to a noisy and time varying need to be adaptive to the characteristics of the data. Such a
environment, are important in tackling practical computing solution will probably ignore quite a few variables (affecting
problems. To detect stealthy probes, we investigated the variable selection) and will take into account only a few var-
classification performance of support vector machines (SVM), iables at a time (also reducing the number of regions). Even if
multi-variate adaptive regression splines (MARS) and linear the method selects 30 variables for the model, it will not look at
genetic programming (LGP). all 30 simultaneously. Such simplification is accomplished by a
decision tree at a single node, only ancestor splits are being
3.1. Multi-variative adaptive regression splines considered; thus, at a depth of six levels in the tree, only six
variables are being used to define the node [19].
Splines can be considered as an innovative mathematical
process for complicated curve drawings and function approx-
imation. To develop a spline, the x-axis is broken into a 3.2. Support vector machines (SVMs)
convenient number of regions. The boundary between regions
is also known as a knot. With a sufficiently large number of The SVM approach transforms data into a feature space F
knots virtually any shape can be well approximated. While it is that usually has a huge dimension. It is interesting to note that
easy to draw a spline in two-dimensions by keying on knot SVM generalization depends on the geometrical characteristics
locations (approximating using linear, quadratic or cubic of the training data, not on the dimensions of the input space
polynomial, etc.), manipulating the mathematics in higher [21,22]. Training a support vector machine (SVM) leads to a
dimensions is best accomplished using basis functions. The quadratic optimization problem with bound constraints and one
MARS model is a regression model using basis functions as linear equality constraint. Vapnik shows how training a SVM
S. Mukkamala et al. / Applied Soft Computing 7 (2007) 631–641 635
the adversary identify services running, operating system, improving the overall performance of IDS. In cases where
and known vulnerabilities on the network and the target there are no useless features, by concentrating on the most
machine. Looking for connection requests to multiple important ones we may well improve the time performance of
services within a specific time window can help detect this an IDS without affecting the accuracy of detection in
attack. statistically significant ways.
Saint: Security Administrator’s Integrated Network Tool is The feature selection problem for intrusion detection is
used to gather information about remote hosts (all operating similar in nature to various engineering problems that are
systems) using multiple services; an adversary uses a few characterized by:
network services such as finger, ftp, tftp, statd, rpc, NIS, NFS
and other relevant network services. This attack helps the Having a large number of input variables x = (x1, x2,. . ., xn) of
adversary identify network services running, system flaws, varying degrees of importance to the output y; i.e., some
critical security flaws on the victims’ machine. Looking for elements of x are essential, some are less important, some of
connections requests to specific network services from a them may not be mutually independent, and some may be
machine other than an authorized machine within in a useless or irrelevant (in determining the value of y).
specific time window can help detect this attack. Lacking an analytical model that provides the basis for a
Satan: Probing tool used to perform scans against all mathematical formula that precisely describes the input–
operating systems using a few network services; where an output relationship, y = F(x).
adversary uses legitimate network services to gather Having available a finite set of experimental data, based on
information on particular vulnerabilities on the victims’ which a model (e.g., intelligent systems) can be built for
machine. Looking for connections requests to specific simulation and prediction purposes.
vulnerable network services from a machine other than an
authorized machine within in a specific time window can Due to the lack of an analytical model, one can only seek
help detect this attack. to determine the relative importance of the input variables
through empirical methods. A complete analysis would
4.2. Input feature selection require examination of all possibilities, e.g., taking two
variables at a time to analyze their dependence or correlation,
Feature selection is an important issue in intrusion then taking three at a time, etc. This, however, is both
detection. Of the large number of features that can be infeasible (requiring 2n experiments!) and not infallible
monitored for intrusion detection purpose, which are truly (since the available data may be of poor quality in sampling
useful, which are less significant, and which may be useless? the whole input space). Features are ranked based on their
The question is relevant because the elimination of useless influence towards the final classification. Description of most
features (the so-called audit trail reduction) enhances the important features as ranked by three feature-ranking
accuracy of detection while speeding up the computation, thus algorithms (SVDF, LGP, MARS) is given in Table 2. The
Table 2
Most important feature description as ranked by (SVDF, LGP, MARS)
Ranking algorithm Feature description
SVDF Source bytes: number of bytes sent from the host system to the destination system
dst_host_srv_count:: number of connections from the same host with same service
to the destination host during a specified time window
Count: number of connections made to the same host system in a given interval of time
Protocol type: type of protocol used to connect (e.g., tcp, udp, icmp, etc.)
srv_count: number of connections to the same service as the current connection
during a specified time window
Flag: normal or error status of the connection
LGP dst_host_diff_srv_rate: % of connections to different services from a destination host
rerror_rate: % of connections that have REJ errors
srv_diff_host_rate: % of connections that have same service to different hosts
Logged in: binary decision
Service: type of service used to connect (e.g., fingure, ftp, telnet, ssh, etc.)
Source bytes: number of bytes sent from the host system to the destination system
MARS dst_host_diff_srv_rate: % of connections to different services from a destination host
dst_host_srv_count:: number of connections from the same host with same service to
the destination host during a specified time window
Source bytes: number of bytes sent from the host system to the destination system
dst_host_same_srv_rate: % of connections to same service ports from a destination host
srv_count:: number of connections to the same service as the current
connection during a specified time window
rerror_rate: % of connections that have REJ errors
S. Mukkamala et al. / Applied Soft Computing 7 (2007) 631–641 637
5. Real-time data collection and feature extraction possible machines on a network, can help detect this attack.
FIN stealth scan: Probing attack performed against all
Experiments are performed on a real network using two operating systems except Windows 95/NT; when SYN
clients and the server that serves the New Mexico Tech scanning isn’t clandestine enough. By theory closed ports
Computer Science Department network. The clients had CIA are required to reply to a probe packet with a RST, while
installed on them to identify or detect probes that are targeted to open ports must ignore the packets. An adversary abuses the
the server we are protecting. Our primary goal in these feature; to determine what services are running on a network
experiments is to detect probes targeting the server we are or a host system. This scan bypasses the traditional firewalls
trying to protect. Our network parser gives the summary of each and network filters. This attack helps the adversary identify
connection made from a host to the server and constructs a active services and the hosts’ operating system. Looking for
feature set to input into a classifier for classification. The output connection requests to closed services within in a specific
from a classifier is either normal or probe for each connection. time window can help detect this attack.
Nmap an open source tool is used to collect probe data [28]. Ping sweep: Snooping performed against all operating
Probing is a class of attacks where an attacker scans a network systems using ICMP where an adversary performs a
to gather information or find known vulnerabilities. An attacker surveillance sweep to determine which hosts are responding
with a map of machines and services that are available on a on a network. Information obtained from surveillance is
network can use the information to look for exploits. There are useful to an adversary in launching automated attacks or in
different types of probes: some of them abuse the computer’s making the vulnerable hosts as stepping stones for future
legitimate features; some of them use social engineering distributed attacks. This attack helps the adversary identify
techniques. This class of attacks is the most commonly heard active machines on the network and might degrade services
and requires very little technical expertise. Nmap is installed on for legitimate users. Ping sweep if repeated continuously or
the clients that have CIA installed. A variety of probes SYN launched in a coordinated fashion might result into a low
stealth, FIN stealth, ping sweep, UDP scan, null scan, xmas level denial of service attack. Looking for multiple ping
tree, IP scan, idle scan, ACK scan, window scan, RCP scan and requests, destined for all possible machines on a network, all
list scan with several options are targeted at the server. Table 4 coming from the same host or within a specific time window
describes the probing attacks performed on a live performance from multiple hosts can help detect this attack.
network. Normal data included multiple sessions of ftp, telnet, UDP scan: Probing attack performed against all operating
SSH, http, SMTP, pop3 and imap. Network data originating systems using UDP where an adversary sends 0 byte UDP
from a host to the server that included both normal and probes is packets to each UDP service on the target machine to
collected for analysis; for proper labeling of data for training determine which services are running on the victims’
the classifiers normal data and probe data are collected at machine. This attack helps the adversary identify vulnerable
different times: UDP services on victims’ network. This information is
mostly used to launch automated distributed and coordi-
SYN stealth scan: Probing attack performed against all nated denial of service attacks. Looking for multiple UDP
operating systems using multiple TCP services where an packets with 0 bytes within a specific time window, can help
adversary performs surveillance to determine which hosts detect this attack.
are responding to specific services on a network. Informa- Null scan: Probing attack performed against all operating
tion obtained from surveillance is useful to an adversary in systems except Window 95/NT where an adversary turns off
launching automated attacks, in making the vulnerable hosts all flag options (FIN, URG, PUSH, etc.). This attack helps
as stepping stones for future distributed attacks or for identify victims’ operating system; by sending connection
launching future denial of service attacks. This attack helps requests to services running on the host machine. Looking
the adversary identify active machines on the network and for multiple connection requests with all the flags turned off
might degrade services for legitimate users. Looking for within a specific time window, destined for all possible
multiple half open TCP connection requests, destined for all machines on a network, can help prevent this attack.
Table 4
Probe attacks used in CIA implementation and evaluation
Attack type Service Mechanism Effect of the attack
SYN stealth Multiple Abuse of feature Identifies active machines
FIN stealth Multiple Abuse of feature Identifies active services
Ping sweep ICMP Abuse of feature Identifies active machines
UDP scan Multiple Abuse of feature Identifies active UDP services
Null scan Multiple Abuse of feature Identifies active services
IP scan Multiple Abuse of feature Identifies active protocols
ACK Scan Multiple Abuse of feature Identifies the firewall mechanism (stateful or simple network filter)
Window scan Multiple Misconfiguration Identifies active services
RCP scan Multiple Abuse of feature Identifies active remote procedure call ports (RPC)
S. Mukkamala et al. / Applied Soft Computing 7 (2007) 631–641 639
Table 7 8. Conclusions
LGP parameter settings
Parameter Setting Computational intelligent agents-based system that is capable
Population size 512 of detecting stealthy probes at the host level is being
Tournament size 4 implemented and the results obtained are demonstrated in this
Max no of tournaments 120,000 paper. A comparison of different computational intelligent
Mutation frequency 90.94% techniques is also given. Linear genetic programming technique
Crossover frequency 34.21%
outperformed SVM and MARS with a 100% detection rate on the
No of demes 10
Max program size 128 test dataset.
Target subset size 100 The proposed multi-agent framework can operate asyn-
chronously and in parallel, and hence could be useful in
monitoring huge networks. By adding new agents, the system
Table 8 can be easily adapted to an increased problem size. Due to the
Performance of LGP interaction of different agents, failure of one agent may not
Class Normal Probe Accuracy (%) degrade the overall detection performance of the network.
Normal 2036 0 100.00 When compared to a centralized system, the proposed
Probe 0 3297 100.00 distributed framework might be also more cost effective and
efficient.
Our future work will be targeted towards multiple agent-
summarize the overall classification accuracy of CIA using based intrusion detection systems that can detect different types
MARS, SVM and LGP. of attacks at the host and developing active response
mechanisms in an event of intrusion.
7.1. Experiments using MARS as a classifier
Acknowledgments
We use five basis functions and selected a setting of
minimum observation between knots as 10. The MARS training Support for this research received from Institute for
mode is being set to the lowest level to gain higher accuracy Complex Additive Systems Analysis (ICASA, a division of
rates. A MARS model is employed to perform binary New Mexico Tech), Department of Defense and NSF IASP
classification (normal and probe). The objective is to separate capacity building grant is gratefully acknowledged.
normal and probe patterns. Table 5 summarizes the results of
MARS as a classifier. References
7.2. Experiments using SVMs as a classifier [1] A.K. Ghosh, Learning program behavior profiles for intrusion detection,
in: Proceedings of the First USENIX Workshop on Intrusion Detection and
Network Monitoring, 1999.
We used the radial basis function (RBF) kernel function that [2] J. Cannady, Applying neural networks for misuse detection, in: Proceed-
defines the feature space in which the training set examples will ings of the 21st National Information Systems Security Conference, 1998,
be classified. Table 6 summarizes the results of the experiments pp. 368–381.
using SVMs. [3] J. Ryan, M-J. Lin, R. Miikkulainen, Intrusion detection with neural
networks, in: Advances in Neural Information Processing Systems, vol.
10, MIT Press, Cambridge, MA, 1998.
7.3. Experiments using LGPs as a classifier [4] H. Debar, M. Becke, D. Siboni, A neural network component for an
intrusion detection system, in: Proceedings of the IEEE Computer Society
The settings of various linear genetic programming system Symposium on Research in Security and Privacy, 1992, pp. 240–250.
parameters are of utmost importance for successful perfor- [5] H. Debar, B. Dorizzi, An application of a recurrent network to an intrusion
detection system, in: Proceedings of the IEEE International Joint Con-
mance of the system. The population space has been subdivided
ference on Neural Networks, 1992, pp. 78–83.
into multiple subpopulation or demes. Migration of individuals [6] S. Mukkamala, G. Janoski, A.H. Sung, Intrusion detection using neural
among the subpopulations causes evolution of the entire networks and support vector machines, in: Proceedings of the IEEE
population. It helps to maintain diversity in the population, as International Joint Conference on Neural Networks, 2002, pp. 1702–1707.
migration is restricted among the demes. Moreover, the [7] J. Luo, S.M. Bridges, Mining fuzzy association rules and fuzzy frequency
tendency towards a bad local minimum in one deme can be episodes for intrusion detection, International Journal of Intelligent Sys-
tems, John Wiley & Sons, vol. 15, no. 8, pp. 687–704, 2000.
countered by other demes with better search directions. The [8] M. Cramer, et al., New methods of intrusion detection using control-loop
various LGP search parameters are the mutation frequency, measurement, in: Proceedings of the Technology in Information Security
crossover frequency and the reproduction frequency: the Conference (TISC), 1995, pp. 1–10.
crossover operator acts by exchanging sequences of instruc- [9] J. Stolfo, F. Wei, W. Lee, A. Prodromidis, P.K. Chan, Cost-based modeling
tions between two tournament winners. Steady state genetic and evaluation for data mining with application to fraud and intrusion
detection, Results from the JAM Project by Salvatore, 1999.
programming approach was used to manage the memory more [10] S. Mukkamala, A.H. Sung, Identifying key features for intrusion detection
effectively. After a trial and error approach, the following using neural networks, in: Proceedings of the ICCC International Con-
parameter settings were used for the experiments (Table 8). ference on Computer Communications, 2002, pp. 1132–1138.
S. Mukkamala et al. / Applied Soft Computing 7 (2007) 631–641 641
[11] S. Mukkamala, A.H. Sung. Feature selection for intrusion detection [19] D. Steinberg, P.L. Colla, M. Kerry, MARS User Guide, Salford Systems,
using neural networks and support vector machines, to appear in Journal San Diego, CA, 1999.
of the Transportation Research Board (of the National Academies), [20] A. Abraham, D. Steinberg, MARS: still an alien planet in soft computing?
2003. In: Vassil N. Alexandrov, et al. (Eds.), Lecture Notes in Computer Science
[12] S. Mukkamala, A.H. Sung, Identifying significant features for network 2074, Springer–Verlag Germany, USA, pp. 235–244, 2001.
forensic analysis using artificial intelligence techniques, International [21] T. Joachims, Making large-scale SVM learning practical, LS8-Report,
Journal on Digital Evidence, IJDE vol. 1, issue 4, 2003. University of Dortmund, LS VIII-Report, 1998.
[13] D. Denning, An intrusion-detection model, IEEE Trans. Software Eng. [22] T. Joachims, SVMlight is an implementation of support vector machines
SE-13 (2) (1987) 222–232. (SVMs) in C, http://ais.gmd.de/thorsten/svm_light, University of Dort-
[14] S. Kumar, E.H. Spafford, An application of pattern matching in intrusion mund, Collaborative Research Center on Complexity Reduction in Multi-
detection, Technical Report CSD-TR-94-013, Purdue University, 1994. variate Data (SFB475), 2000.
[15] S. Staniford, J. Hoagland, J. McAlerney, Practical automated detection of [23] V.N. Vladimir, The Nature of Statistical Learning Theory, Springer, 1995.
stealthy port scans, J. Computer Security 10 (1/2) (2002) 105–136. [24] W. Banzhaf, P. Nordin, R.E. Keller, F.D. Francone, Genetic Programming:
[16] R. Basu, K.R. Cunningham, S.E. Webster, P.R. Lippmann, Detecting low- An Introduction on the Automatic Evolution of Computer Programs and
profile probes and novel denial of service attacks, in: Proceedings of the Its Applications, Morgan Kaufmann Publishers, Inc., 1998.
2001 IEEE Workshop on Information Assurance, US Military Academy, [25] K. Kendall, A database of computer attacks for the evaluation of intrusion
(2001. detection systems, Master’s Thesis, Massachusetts Institute of Technol-
[17] S. Mukkamala, A.H. Sung, A. Abraham, Distributed multi-intelligent ogy, 1998.
agent framework for detection of stealthy probes, in: Third International [26] S.E. Webster, The development and analysis of intrusion detection algo-
Conference on Hybrid Intelligent Systems, Design and Application of rithms, S.M. Thesis, Massachusetts Institute of Technology, 1998.
Hybrid Intelligent Systems, IOS Press, Amsterdam, The Netherlands, [27] K. Krawiec, Genetic programming-based construction of features for
(2003), pp. 116–125. machine learning and knowledge discovery tasks, Genet. Program. Evolv.
[18] J.H. Friedman, Multivariate adaptive regression splines, Anal. Stat. 19 Machines 3 (4) (2002) 329–343.
(1991) 1–141. [28] Network mapper, http://www.insecure.org/nmap/.