Media storage efficiency and level fingerprint similarity in network forensic analysis using winnowing multihashing method

International Journal of Computer Networks and Communications Security
VOL. 3, NO. 3, MARCH 2015, 95–102
Available online at: www.ijcncs.org
E-ISSN 2308-9830 (Online) / ISSN 2410-0595 (Print)
Media Storage Efficiency and Level Fingerprint Similarity in Network Forensic Analysis using Winnowing Multihashing Method
Irwan Sembiring1, Jazi Eko Istiyanto2, Edi Winarko3 and Ahmad Ashari4
1 Satya Wacana Christian University, Salatiga, Indonesia
2, 3, 4 Department of Computer Science and Electronics, Faculty of Mathematics and Natural Sciences,
Gadjah Mada University, Yogyakarta, Indonesia
E-mail: 1irwan@staff.uksw.edu, 2jazi@ugm.ac.id, 3ewinarko@ugm.ac.id, 4ashari@ugm.ac.id
ABSTRACT
Network forensics is a developing network security model focused on the capture, recording, and analysis of network traffic for the purposes of investigation. One of the problems in network forensics is the quantity or volume of data. The Winnowing Multi hashing method can be used to conduct an investigation of attacks in network forensic analysis. The fingerprint value generated by the Winnowing Multi hashing (WMH) method can be used as a marker of an attack that was captured by the Intrusion Detection System (IDS). WMH is a method that only takes an excerpt of a payload. With this algorithm, the payload volume will be much more efficient because only the fingerprint is stored. This research is focused on the calculation of the efficiency of the storage medium and the optimum combination of fingerprint length, degree of similarity and storage media.
Keywords: Winnowing Multi hashing, Jaccard Similarity, Network Forensic.
1 INTRODUCTION
According to the Digital Forensics Research Workshop (DFRWS), digital forensic activities include preservation, collection, validation, identification, analysis, interpretation, documentation and presentation [1]. Because the amount of equipment connected to the internet keeps growing, a forensic investigator will analyze the existing equipment, including the firewall, Intrusion Detection System (IDS), web server, and real-time traffic monitoring tools such as tcpdump or Wireshark [2] [3]. There are five major problems in digital forensics: the complexity problem, the diversity problem, the consistency and correlation problem, the quantity or volume problem, and the unified time-lining problem [4]. The volume aspect (volume problem) is the focus of this research. Giura and Memon [5] concluded from their research on traffic capture an average of 1300 flows per second. Storage for one day takes 10 GB, and 300 GB a month, for a number of hosts reaching 300 units. On a WAN scale, as much as 1 TB/day of storage media is required. If this is maintained, it is certainly not efficient in terms of time and of storage media needs. The collection and storage of evidence in large volumes is a challenge; much irrelevant data is still collected [6]. Another way to analyze the payload is to find a unique pattern or perform feature extraction on the payload [7]. The pattern is then matched to obtain the degree of similarity. The Winnowing Multi hashing method can be used to conduct an investigation of attacks in network forensic analysis [8]. The fingerprint value generated by the Winnowing Multi hashing (WMH) method can be used as a marker of an attack that was captured by the intrusion detection system (IDS). WMH is a method that only takes an excerpt of a payload [9]. The main purpose of the method is to use WMH to obtain a more efficient storage
I. Sembiring et. al / International Journal of Computer Networks and Communications Security, 3 (3), March 2015
medium and a fingerprint for the alert similarity percentage level. This paper is organized as follows: 1 Introduction, 2 Research Method, 3 Results and Analysis, and 4 Conclusion.

2 RESEARCH METHOD
Network forensics is a developing network security model focused on the capture, recording, and analysis of network traffic for the purposes of investigation [10]. Once the recording process is done, the data are forwarded to analysis. A generic network forensic model is shown in Figure 1 [11].

Fig. 1. Model Network forensics.

A. Preparation and Authorization.
Network forensic analysis focuses on network security devices such as Intrusion Detection Systems, packet analysis, firewalls, and other support software. Network security devices are placed at strategic points of computer networks.

B. Detection of Incident / Crime.
Alerts produced by network security tools inform about any abnormal traffic, whether a security breach or an anomaly. The category and type of attack are determined based on certain parameters. Some important parameters are examined closely, such as fingerprints and DNS traffic. Attack patterns are reconstructed and simultaneously studied with a view to knowing who carried out the attack and by what method. Validating whether the alarm is false or not is important.

C. Incident Response
The response to a detected crime or intrusion begins at the time the information is collected and validated. The response depends on the type of attack that is identified and on organizational policies, laws and existing business considerations.

D. Collection of Network Traces
Data are obtained from the sensor used in capturing data traffic. The sensor should be secure, have limited access and should be able to avoid compromise. A standard procedure with reliable equipment, both hardware and software, should be in place to gather the maximum evidence.

E. Protection and Preservation
The original data obtained in the form of traces and logs are stored in secondary memory. A hash of the captured data traces is computed and protected. A standard procedure is used to ensure the accuracy and reliability of the data to perform preservation. Chain of custody must be maintained strictly so that no unauthorized use or tampering occurs.

F. Examination
Analysis of the reconstruction will be done thoroughly, integrating the sensor data sources. Mapping and time-lining need to be done so that the most important data is not lost and does not mix. Data that is hidden and camouflaged is recovered and classified by clustering into groups [12]. This mechanism facilitates the process of analysis and also reduces the burden on storage media.

G. Analysis
Evidence has been collected and extracted. The indicators in it are classified and correlated to conclude an examination of the patterns and types of attacks. Data mining and statistical approaches are often used as a reference to conduct this analysis.

H. Investigation and attribution
The information obtained from the trace evidence is used to identify who, what, where, when, how and why it happened. This will help in tracing back the source, reconstructing the attack scenario and attributing sources. The most difficult part of network forensic analysis is to determine the identity of the attacker.
I. Presentation and review
The results will be presented with good observations so as to be easily understood by the managers of the organization. An explanation of all procedures used is displayed graphically and statistically to support a conclusion.

In forensic analysis in accordance with Figure 1, the trace back method is commonly used to find the attacker's source. Current trace back analysis is developed by considering legitimacy, authenticity and integrity, as in the trace back technique Network Forensic Evidence Acquisition (NFEA) [13]. The trace back technique has two authentication schemes, known as the Evidence Marking Scheme (AEMS) and the Flow-based Selection Marking Scheme (FSMS) [13]. The Winnowing algorithm is a derivative of digital fingerprinting [14]. This algorithm was originally used for the benefit of copyright in internet communication with XML. From the results of the experiments conducted, the main characteristic of winnowing is that the digital fingerprint is hidden evenly on each partition. There are four basic properties summarized in this study [14]:
1. Invisibility: By applying winnowing, data distortion will occur, however it still provides useful and correct information to the user.
2. Preventing illegal embedding and verification: In the winnowing algorithm, the embedding and verification process is managed by a number of keys and data partitions.
3. Blind verification: The original XML documents are not required in fingerprint verification.
4. Localization: By setting up a fingerprint, it is capable of detecting and narrowing down the modifications on a partition [12].

Winnowing, by modifying the Rabin fingerprinting technique [15], can detect all or most of the key documents. Each sequence of characters is stored in a storage array. Hashing is used to determine the marker as in Rabin fingerprinting. Winnowing Multi Hashing (WMH) is expected to reduce the false positive circumstances existing on the query excerpt [9]. WMH not only provides good control on the size of the block, but also provides greater confidence to the query sequence excerpt on the overlap of existing blocks.

Anomaly detection of data packets can be done from the payload. Most IDS detect attacks on computer networks based on packet headers alone [14]; here, anomaly detection on the data packet, focused on the OSI layer, is proposed. The payload is the actual data beyond the packet header. The header is attached to the payload for transport purposes and will be discarded after the packet arrives at its destination. Payload data is collected and stored for offline processing. Actual historical data can be used for this purpose if it is available. Of the entire payload data, the HTTP protocol is the highest-candidate threat to be analyzed [16]. The Winnowing algorithm is the basis of the multi hashing reconstruction algorithm. In internet crime, the multi hashing winnowing algorithm is used to extract from the payload an excerpt called a fingerprint. The purpose of this extraction is to measure the efficiency of the storage medium and the degree of similarity of alerts. Experiments are conducted to extract useful payload information to detect an attack. This method has a better detection mechanism [17].

2.1 Winnowing Multihashing
The Winnowing Multi Hashing method is one of the many methods that can be applied to this experiment; the payload efficiency results show that this method produces a more significant improvement in the accuracy of excerpts and in data storage requirements compared to previous methods [16]. This method shows the best technique for selecting the payload block boundary. The WMH method determines the fingerprint using the following grammar:
1. Given a hex string, this is generally given as follows
= ⋯ ………….(1)
where n is the amount of data.
2. The next step is to determine the size k of the k-gram, which is then used to form the hash (2). The hash value is sought by taking a prime number (p); the calculation is given in Equation (3).
= ( ∙16+ ) + ( ∙16+ ) + ⋯ + ( ∙16+ )
= ( ∙16+ ) + ( ∙16+ ) + ⋯ + ( ∙16+ )
( ) = ( ) ∙16+ ( )
+ ( ( ) ∙16+ ( ))∙ + ⋯ + ( ( ) ∙16+ ( ))∙ (3)
If we take r = n − (k − 1), then the hash values obtained are
= { , , ⋯ , } (4)
or, in general, will form the set H. Each value in A will be substituted into the function f(x) = xQ, where Q = (min A) − 1, which gives
= {ℎ , ℎ , ⋯ , ℎ } (5)
The fingerprint value is determined based on Equation (5): the smallest hash value is then sought within each group of hash values (window size). Suppose the window size is w.
= {ℎ ,ℎ ,⋯ ,ℎ }
= {ℎ ,ℎ ,⋯ ,ℎ }
= {ℎ ,ℎ ,⋯ ,ℎ }
⋮
ℎ ( ),ℎ ( ),⋯ ,ℎ ( ) (6)
The window size (N) partitions the hashes into as many as r − (w − 1) windows, where r is the number of hash values formed and w is the number of members in U. The fingerprint value is determined as
= min = min {ℎ ,ℎ ,⋯ ,ℎ }
= min = min {ℎ ,ℎ ,⋯ ,ℎ }
= min = min {ℎ ,ℎ ,⋯ ,ℎ }
⋮ (7)
The fingerprint chosen is the appropriate hash value f_i taken as the fingerprint value, but it needs to be adjusted based on the hash position, counted from zero. So for H in the equation, each sequence number corresponding to a hash in H will be
= 0,1,3,⋯ (n − 1) (8)
With regard to the order of the different hash values (y_i) in Equation (8), and adjusting the order position based on Equation (9), the sequence of position numbers is obtained
(9)
Furthermore, an n-ary relation (read: ener) consisting of 2-tuples (K, Q) represents the relationship between the different hash values and their positions. So it can be written as
= ⊆ × (10)
( ) = ..(11)
A false positive occurs when, querying for an element x, the hashes h1 … hk applied to the value x all yield a filter value of 1. If the hash values are assumed to be independent, then the probability used to calculate the false positive rate (f) is as in Equation (13).
= 1 − 1 − ≈ 1 − (12)
or can be reduced to Equation (13)
(13)

2.2 Detection of Similarity
The degree of similarity of the fingerprint of a new payload is measured by comparing the new fingerprint with the fingerprint database that already exists. This percentage can be measured by the Jaccard Similarity Coefficient as in Equation (15) [18]
(15)
Equation (15) describes the value D(A, B), the value of likeness or similarity; |A∩B| is the number of pairs in the fingerprint intersection, and |A∪B| is the number of pairs in the fingerprint union.
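The extraction steps of Section 2.1 (hex payload, k-grams, hashing with a prime p, window minima with their offsets) and the Jaccard coefficient of Section 2.2, as an added Python example that is not part of the paper. The page does not state the prime, the exact form of the hash, or how ties inside a window are resolved, so the prime p = 1009, the polynomial reading of Equation (3) over byte values (d·16 + d'), and the rightmost-minimum tie rule are assumptions; the three sample payloads are constructed, not captured traffic. The Jaccard function reproduces the paper's own c1/c2 example (40%).

```python
"""Winnowing fingerprint of a hex-encoded payload and Jaccard similarity of two
fingerprints.  Added example, not the paper's code.  Assumed, because the page
does not state them: the prime p = 1009, the reading of Equation (3) as a
polynomial in p over the byte values (d*16 + d') of each k-gram, and the
rightmost-minimum rule for ties inside a window."""
from typing import List, Set, Tuple

P = 1009   # assumed prime p (any prime > 255 keeps 3-byte grams collision-free)
K = 6      # k-gram size used in the paper's experiments
W = 128    # window size of the first row of the paper's Table 1


def kgram_hashes(hex_payload: str, k: int = K, p: int = P) -> List[int]:
    """Hash all k-grams of a hex string; r = n - (k - 1) hashes come out.

    Each k-gram of hex digits is folded pairwise into bytes (d*16 + d') and
    the bytes into a polynomial in p: our reading of Equation (3)."""
    if k < 2 or k % 2:
        raise ValueError("k must be an even number of hex digits")
    digits = [int(c, 16) for c in hex_payload]
    n = len(digits)
    hashes: List[int] = []
    for i in range(n - (k - 1)):
        gram = digits[i:i + k]
        h = 0
        for j in range(0, k, 2):
            h = h * p + (gram[j] * 16 + gram[j + 1])
        hashes.append(h)
    return hashes


def winnow(hashes: List[int], w: int = W) -> List[Tuple[int, int]]:
    """Pick the minimum hash of every window of w consecutive hashes as a
    (hash, position) pair, Equations (5) to (9).  A window that repeats the
    previous window's choice adds nothing, so each pair is recorded once."""
    if w < 1:
        raise ValueError("window size must be positive")
    if not hashes:
        return []
    w = min(w, len(hashes))   # payload shorter than one window: a single window
    selected: List[Tuple[int, int]] = []
    seen: Set[Tuple[int, int]] = set()
    for start in range(len(hashes) - w + 1):
        window = hashes[start:start + w]
        m = min(window)
        # rightmost occurrence of the minimum inside the window (assumed tie rule)
        pos = start + max(i for i, h in enumerate(window) if h == m)
        if (m, pos) not in seen:
            seen.add((m, pos))
            selected.append((m, pos))
    return selected


def fingerprint(hex_payload: str, k: int = K, w: int = W) -> List[Tuple[int, int]]:
    """Hex payload -> k-gram hashes -> winnowed (hash, offset) blocks."""
    return winnow(kgram_hashes(hex_payload, k), w)


def jaccard(a: Set, b: Set) -> float:
    """Jaccard Similarity Coefficient |A ∩ B| / |A ∪ B| of Equation (15)."""
    union = a | b
    if not union:
        return 0.0   # two empty fingerprints give no evidence of similarity
    return len(a & b) / len(union)


def payload_similarity(hex_a: str, hex_b: str, k: int = K, w: int = W) -> float:
    """Similarity of two alerts from the sets of fingerprint hash values; the
    offsets are dropped because the same excerpt can sit at different
    positions in two payloads."""
    fa = {h for h, _ in fingerprint(hex_a, k, w)}
    fb = {h for h, _ in fingerprint(hex_b, k, w)}
    return jaccard(fa, fb)


# Constructed sample payloads, not captured traffic: two requests that differ
# in one byte of the query string, and one unrelated request.
ALERT_A = b"GET /index.php?id=1 HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl\r\n\r\n".hex()
ALERT_B = b"GET /index.php?id=2 HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl\r\n\r\n".hex()
ALERT_C = b"POST /login HTTP/1.1\r\nHost: other.test\r\nContent-Length: 0\r\n\r\n".hex()

if __name__ == "__main__":
    blocks = fingerprint(ALERT_A, K, 16)
    print(len(kgram_hashes(ALERT_A)), "hashes,", len(blocks), "fingerprint blocks")
    print("A vs B:", round(payload_similarity(ALERT_A, ALERT_B, K, 16), 3))
    print("A vs C:", round(payload_similarity(ALERT_A, ALERT_C, K, 16), 3))
    print("paper's example c1/c2:", jaccard({1, 2, 3}, {1, 3, 4, 5}))
```

A smaller window (16 in the usage above) selects more blocks and gives a finer comparison; the paper's 128-hash window keeps the fingerprint short, which is the storage trade-off Table 1 explores. Because the hash values are kept without their offsets for the comparison, two alerts that carry the same excerpt at different positions still match.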
The similarity of sets S and T is the ratio between the intersection and the union of S and T, so it can be derived as the following Equation (16)
(16)
For example, if c1 = {1, 2, 3} and c2 = {1, 3, 4, 5} are known, then the degree of similarity is 40%.

2.3 Line of the Research
The line of this research is described in Figure 2. The payload captured by the IDS in hexadecimal format will be extracted by the WMH algorithm. The output of WMH will generate a fingerprint mark as a keyword for a type of attack. The fingerprint is stored, and the false positive rate is calculated by considering the k-gram and the window size to be determined by the user.

Fig. 2. Scheme Research

3 RESULTS AND ANALYSIS
3.1 Measurement of the storage media efficiency
The basic idea of this measurement is how much efficiency is gained using the fingerprint as a representation of the WMH method, in accordance with the preservation and collection stages of the network forensic framework identified in Figure 1. The data were derived from IP address 124.81.113.178; this data has been validated with a checksum. Additional supporting information: the attack time is 11:29:07 on 25 November 2013. Each data traffic captured by the IDS will have a fingerprint value. Each fingerprint will be matched with the other fingerprints to measure the degree of similarity. The similarity values used in this study are obtained with the Jaccard Similarity technique. The process of matching the fingerprint of an alert with all alerts is limited to one type of attack classification. The attack classification types captured by the IDS are shown in Figure 3. Examples of web attacks are shown in Figure 4. Botnet is in the category of Trojan attacks. The volume of data in a single alert is 1187 bytes. The format of the captured data is a hexadecimal representation of the data link layer, shown in Figure 5.

Fig. 4. Metadata Web Attacks

Fig. 3.
Classification of Attacks
In Figure 3, all the traffic captured by the IDS within a period of 1 year, a total of 209 341 alerts, is categorized into 17 types including DOS attacks, Trojans, Web Attack, ICMP Attack, Scanning and others. If it is not detected as an attack that has been registered in the database, the IDS categorizes it as unclassified.

Fig. 5. Footage Payload of Web attacks

The results of extraction with WMH produce a maximum combined false positive rate of 0.01, with k-gram = 6 and the window size set to a value of 128. The trend graph of the false positive rate with the combination of k-gram values, for a payload capacity of 1187 bytes, can be seen in Figure 6.

Fig. 6. Combination of False Positive Rate Fingerprint

The result of the winnowing algorithm that will generate the fingerprint is
[1,119] [104553,245] [116565,280] [151550,298] [172332,300] [494933,357] [831935,427] [78622,516] [12965,586] [255330,587] [710899,630] [72943,734] [124637,748] [125704,844] [39141,911] [270559,969] [494385,1062] [285890,1103] [39372,1152] [542490,1153] [6077940,1154] [15742365,1156] [15932474,1158]
The fingerprint in hexadecimal format is:
30:20:30:20:70:20:70:20:30:30:20:30:30:30:30:30:30:20:70:50:72:78:29
One fingerprint block is formed consisting of a fingerprint value and an offset value.

The relationship between unique alerts, fingerprint and total alerts successfully captured by the IDS is the basis of the high or low level of efficiency gained. The value of 98% is obtained from the magnitude of the difference between the number of alerts, 209 712, compared with the unique alerts (signatures), 125. The trial results in Figure 6 describe the combination of total alerts (A) / number of unique alerts (U). From the experimental and simulation results performed, if the total alerts (A) are ≥ 4% above the number of unique alerts, a positive efficiency trend is obtained.

Fig. 7. Trends in Media Storage Efficiency (y-axis: Percentage of Media Storage Efficiency)

Figure 7 describes the trend of the efficiency magnitude obtained with the ratio between the total alerts and the unique alerts, for example if the total alerts are five times larger than the unique alerts. From the 23-byte experiments carried out: the capacity of the payload (payload length) is P, the total length of the fingerprint (F) is 23 bytes, the total alerts are A, and the amount of storage media follows from these. If the fingerprint length is 23 bytes and the length of the detected alerts is 1187 bytes, the efficiency obtained is 98%:
= ( ) ( ( )) ( ) 10 (17)
= ( ) ( ) 100 ( ) ( ) ) ( ) 100
= 243953518 / 248928144 = 0.98 = 98 %
Equation (17) illustrates the level of efficiency obtained by using the WMH method. The storage efficiency by attack classification type was also measured: the web attacks category contained a total of 661 attacks, with unique alerts = 1:
= 768194 / 784607 = 0.98 = 98 %
From Equation (17), if the payload lengths are not the same, then the equation can be derived as Equation (18):
∑ − ( + ∑ ) 10 (18)
The comparison values of the fingerprint on the payload length of 1187 bytes are shown in Table 1.

3.2 Percentage of Similarity
Measuring the similarity percentage level is an important part of this research. In the experiments, the initial total of web attack alerts is 661. If an alert such as alert number 10382 is compared to the 660 other alerts, then the number of alerts that have a similarity score >= 80 percent is found to be 68 alerts.

Table 1: Relationship between Similarity, Fingerprint and Efficiency in Web Attack
Window size   Fingerprint   False Positive   Efficiency (%)   Similarity > 80 %
128           23            0.016            98               68
100           25            0.005            97.8             68
80            30            0.002            97.4             72
64            38            0.0007           96.7             72

In Table 1, the variations in window size are tested randomly. This value will affect the length of the fingerprint. With the value k-gram = 6, the combination of efficiency and similarity value can be seen in Table 1. Table 2 gives the results of an experiment to search for the inherent similarity and minimal alert efficiency, with total (A) ≥ 4% above the unique alerts. If the unique alerts (U) obtained from this experiment are 125, then A = 130; the intersection point between similarity and efficiency is as in Table 2 and Figure 8.
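The storage-efficiency calculation of Section 3.1, as an added Python example that is not part of the paper. The page gives the definitions (P payload length, F fingerprint length, A total alerts, U unique alerts) and the two numeric results, 243953518/248928144 and 768194/784607, but the terms of Equation (17) are not legible on the page; the closed form used here, baseline A·P against WMH storage A·F + U·(P + F), is our reconstruction that reproduces both results and the break-even point of about 4% above U, and is an assumption rather than a quoted equation. The mixed-length variant applies the same accounting per alert in the spirit of Equation (18); the mixed-length alert list in the usage is constructed.

```python
"""Storage-media efficiency of keeping WMH fingerprints instead of every full
payload.  Added example, not the paper's code.  The closed form below is our
reconstruction of Equation (17) from the page's definitions (P payload length,
F fingerprint length, A total alerts, U unique alerts) and its two numeric
results; the mixed-length variant applies the same accounting per alert, in
the spirit of Equation (18).  Both are assumptions, not equations quoted from
the page."""
from typing import Sequence, Tuple


def storage_bytes(P: int, F: int, A: int, U: int) -> Tuple[int, int]:
    """Return (baseline, wmh) storage in bytes for A alerts of P bytes each.

    baseline: every alert keeps its full payload             -> A*P
    wmh:      every alert keeps a fingerprint of F bytes, and only the
              U unique alerts keep full payload + fingerprint -> A*F + U*(P+F)"""
    if P <= 0 or F < 0 or A <= 0:
        raise ValueError("P and A must be positive, F non-negative")
    if not 0 <= U <= A:
        raise ValueError("unique alerts cannot exceed total alerts")
    return A * P, A * F + U * (P + F)


def saved_bytes(P: int, F: int, A: int, U: int) -> int:
    """Bytes not written to the storage medium thanks to fingerprinting."""
    baseline, wmh = storage_bytes(P, F, A, U)
    return baseline - wmh


def efficiency_percent(P: int, F: int, A: int, U: int) -> float:
    """Equation (17) as reconstructed: (A*P - (A*F + U*(P+F))) / (A*P) * 100."""
    baseline, wmh = storage_bytes(P, F, A, U)
    return (baseline - wmh) / baseline * 100


def break_even_ratio(P: int, F: int) -> float:
    """Smallest A/U with positive efficiency, from A*(P-F) > U*(P+F)."""
    if F >= P:
        raise ValueError("fingerprint must be shorter than the payload")
    return (P + F) / (P - F)


def saved_bytes_mixed(payload_lens: Sequence[int], F: int,
                      unique_payload_lens: Sequence[int]) -> int:
    """Unequal payload lengths: sum(P_i) - (A*F + sum over unique alerts of (P_u + F))."""
    if len(unique_payload_lens) > len(payload_lens):
        raise ValueError("unique alerts cannot exceed total alerts")
    if any(p <= 0 for p in payload_lens) or F < 0:
        raise ValueError("lengths must be positive")
    baseline = sum(payload_lens)
    wmh = len(payload_lens) * F + sum(p + F for p in unique_payload_lens)
    return baseline - wmh


def efficiency_percent_mixed(payload_lens: Sequence[int], F: int,
                             unique_payload_lens: Sequence[int]) -> float:
    """Percentage form of the mixed-length saving."""
    return saved_bytes_mixed(payload_lens, F, unique_payload_lens) / sum(payload_lens) * 100


if __name__ == "__main__":
    # the paper's two data points
    print("all alerts:", saved_bytes(1187, 23, 209712, 125), "/", storage_bytes(1187, 23, 209712, 125)[0])
    print("web attacks:", saved_bytes(1187, 23, 661, 1), "/", storage_bytes(1187, 23, 661, 1)[0])
    print("break-even A/U:", round(break_even_ratio(1187, 23), 4))
    # trend of Figure 7: efficiency against the ratio of total to unique alerts
    for ratio in (1, 2, 3, 4, 5):
        print("A/U =", ratio, "->", round(efficiency_percent(1187, 23, 125 * ratio, 125), 1), "%")
    # constructed mixed-length alerts (not captured data)
    lens = [1187, 640, 1500, 1187, 980]
    print("mixed lengths:", round(efficiency_percent_mixed(lens, 23, [1187, 640]), 1), "%")
```

With P = 1187 and F = 23 the break-even ratio is (1187 + 23)/(1187 − 23) ≈ 1.04, which is the "4%" margin the paper reports (U = 125 giving A = 130); below that ratio the fingerprints plus the retained unique payloads cost more than storing every payload, so the efficiency is negative.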
