CHAPTER 2
Each attack type falls into one of four main categories: denial of service (DoS), probing or surveillance, remote-to-local (R2L) and user-to-root (U2R). The individual attack types include:
perlmagic - Perl attack which sets the user id to root in a Perl script and creates a root shell.
phf - Exploitable CGI script which allows a client to execute arbitrary commands on a machine with a misconfigured web server.
pod - Denial of service: ping of death.
portsweep - Surveillance sweep through many ports to determine which services are supported on a single host.
rootkit - Multi-day scenario in which a user installs one or more components of a rootkit.
satan - Network probing tool which looks for well-known weaknesses; it operates at three different levels, of which level 0 is light.
smurf - Denial of service: ICMP echo-reply flood.
spy - Multi-day scenario in which a user breaks into a machine with the purpose of finding important information while trying to avoid detection; uses several different exploit methods to gain access.
syslog - Denial of service against the syslog service: connects to port 514 with an unresolvable source IP.
teardrop - Denial of service in which mis-fragmented UDP packets cause some systems to reboot.
warez - User logs into an anonymous FTP site and creates a hidden directory.
warezclient - Users downloading illegal software which was previously posted via anonymous FTP by the warezmaster.
warezmaster - Anonymous FTP upload of warez (usually illegal copies of copyrighted software) onto an FTP server.
The ‘KDDCUP99 Data’ (Irvine 1999) are the data sets which were issued for use in the KDD Cup ’99 classifier-learning competition. These sets of training and test data were made available by Stolfo and Lee (http://kdd.ics.uci.edu/databases/kddcup99/task.htm, 1999) and consist of a pre-processed version of the 1998 DARPA evaluation data. This team’s IDS had performed particularly well in the Intrusion Detection Evaluation Program of that year, using data mining as a pre-processing stage to extract characteristic intrusion features from raw TCP/IP audit data. The original raw training data were about four gigabytes of compressed binary tcpdump data obtained from the first seven weeks of network traffic at MIT. These were pre-processed with the feature-construction framework MADAM ID (Mining Audit Data for Automated Models for Intrusion Detection) to produce about five million connection records. A connection is defined as a sequence of TCP packets starting and ending at well-defined times, between which data flow to and from a source IP address and a destination IP address under a well-defined protocol. Each connection is labelled either ‘normal’ or with the name of its specific attack type. A connection record occupies about 100 bytes. Ten percent of the complementary two weeks of test data were likewise pre-processed, yielding a further set of somewhat under half a million connection records. Contestants were expressly told that these test data were not drawn from the same probability distribution as the training data, and that they included specific attack types not found in the training data. The full set of labelled test data, some two million records, was not included in this data set.
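As an added worked example (code written for this page, not part of the thesis nor of the KDD Cup ’99 distribution), the following Python script parses connection records in the KDD Cup ’99 layout, maps each record’s label to one of the four main categories using the attack names described above, and tallies records per category. It also reports labels that the training-set mapping does not know rather than failing or silently counting them as normal, which is the situation the competition organisers warned contestants about. Assumed rather than stated on this page: the published record layout of 41 comma-separated features followed by a label ending in ‘.’, the names of the first six features, the use of the label ‘perl’ for the perlmagic attack, and the sample records, which are constructed (‘mailbomb’ stands in for a test-set-only attack type).

```python
"""Added example: parse KDD Cup 99-style connection records and tally them by
attack category.

Assumptions (not stated on the page this accompanies): the published KDD Cup 99
record layout is 41 comma-separated features followed by a label that ends in
'.', e.g. 'smurf.' or 'normal.'; only the first six feature names are used
here. The sample records below are constructed for this example.
"""
from collections import Counter
import csv

# Label -> category. The four main categories are denial of service (dos),
# probing (probe), remote-to-local (r2l) and user-to-root (u2r). The names are
# the attack types described in the text and in the per-attack table; 'perl' is
# assumed to be the label the KDD data use for the perlmagic attack.
CATEGORY = {
    "normal": "normal",
    # denial of service
    "pod": "dos", "smurf": "dos", "teardrop": "dos", "syslog": "dos",
    # surveillance / probing
    "portsweep": "probe", "satan": "probe",
    # remote to local
    "phf": "r2l", "spy": "r2l", "warez": "r2l", "warezclient": "r2l",
    "warezmaster": "r2l", "imap": "r2l", "ftp_write": "r2l", "multihop": "r2l",
    # user to root
    "perl": "u2r", "rootkit": "u2r", "buffer_overflow": "u2r", "loadmodule": "u2r",
}

# First six of the 41 features (assumed from the published layout).
FEATURE_NAMES = ("duration", "protocol_type", "service", "flag",
                 "src_bytes", "dst_bytes")
NUM_FEATURES = 41


def parse_record(line):
    """Split one connection record into (dict of leading features, label)."""
    fields = next(csv.reader([line]))
    if len(fields) != NUM_FEATURES + 1:
        raise ValueError("expected %d fields, got %d" % (NUM_FEATURES + 1, len(fields)))
    label = fields[-1].rstrip(".")          # 'smurf.' -> 'smurf'
    feats = dict(zip(FEATURE_NAMES, fields))
    for name in ("duration", "src_bytes", "dst_bytes"):
        feats[name] = int(feats[name])
    return feats, label


def categorise(label):
    """Category of a label, or 'unknown' for a label the mapping does not know.

    The competition test data deliberately contain attack types absent from
    the training data, so an unmapped label is neither an error nor 'normal':
    it is counted and reported separately."""
    return CATEGORY.get(label, "unknown")


def tally(lines):
    """Count records per category; also count the labels that were unmapped."""
    per_category = Counter()
    unknown_labels = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _, label = parse_record(line)
        category = categorise(label)
        per_category[category] += 1
        if category == "unknown":
            unknown_labels[label] += 1
    return per_category, unknown_labels


def make_record(duration, proto, service, flag, src_bytes, dst_bytes, label):
    """Construct a 42-field record: the six leading features as given, the
    remaining 35 features zero-filled, then the dotted label."""
    head = [str(duration), proto, service, flag, str(src_bytes), str(dst_bytes)]
    return ",".join(head + ["0"] * (NUM_FEATURES - len(head)) + [label + "."])


# Constructed sample input, not drawn from the real data set. 'mailbomb' stands
# in for a test-set-only attack type that the training-set mapping has never seen.
SAMPLE_RECORDS = [
    make_record(0, "tcp", "http", "SF", 215, 45076, "normal"),
    make_record(0, "icmp", "ecr_i", "SF", 1032, 0, "smurf"),
    make_record(0, "icmp", "ecr_i", "SF", 1032, 0, "smurf"),
    make_record(0, "udp", "private", "SF", 28, 0, "teardrop"),
    make_record(0, "tcp", "private", "REJ", 0, 0, "portsweep"),
    make_record(3, "tcp", "ftp_data", "SF", 334, 0, "warezmaster"),
    make_record(184, "tcp", "telnet", "SF", 1511, 2957, "buffer_overflow"),
    make_record(0, "tcp", "smtp", "SF", 3170, 329, "mailbomb"),
]

if __name__ == "__main__":
    counts, unknown = tally(SAMPLE_RECORDS)
    for category, n in sorted(counts.items()):
        print("%-8s %d" % (category, n))
    if unknown:
        print("labels not in the training-set mapping:", dict(unknown))
```

Run against the real files, `tally` would be fed the lines of the training or test file directly; the point of the separate `unknown_labels` counter is that a classifier evaluated on the test set must be able to say which labels it never saw in training, instead of folding them into whichever category `CATEGORY.get` would default to.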
Attack type        Records   Category
warezmaster.            20   R2L
imap.                   12   R2L
ftp_write.               8   R2L
multihop.                7   R2L
phf.                     4   R2L
spy.                     2   R2L
buffer_overflow.        30   U2R
rootkit.                10   U2R
loadmodule.              9   U2R
perl.                    3   U2R