measures have been used to evaluate the consistency of any new sample (which is to be categorized) with the various class rulesets, and the label of the sample has been declared as the class that corresponds to the best matched ruleset. A method which decreases the items that may be included in extracted rules has also been proposed to reduce the time taken by the rule induction algorithm. The framework has been assessed using the KDD-99 dataset. The results have shown that the achieved total detection rate and the detection rate of known attacks are large and the false positive rate is small, although the results for unknown attacks are poor.
Zhenwei Yu has presented an automatically tuning intrusion detection system (ATIDS). According to the feedback supplied by the system operator, when false predictions are detected, the proposed system automatically tunes the detection model on-the-fly. The KDDCup'99 intrusion detection dataset has been used to assess the system. In the experimental results, the system has demonstrated a 35% enhancement with regard to misclassification cost compared to a system that is not using the tuning feature. If the model has been tuned using only 10% of the false predictions, a 30% improvement is still achieved by the system. Moreover, the model tuned using only 1.3% of the false predictions has been capable of achieving about a 20% improvement, provided the tuning is not delayed too long. Building a practical system based on ATIDS has been proved to be feasible by the results of the experiments: because only predictions ascertained to be false have been used for tuning the detection model, system operators can concentrate on confirmation of predictions with low confidence.
III.
In 1998, DARPA in concert with Lincoln Laboratory at MIT launched the DARPA 1998 dataset for evaluating IDSs. The DARPA 1998 dataset contains seven weeks of training data and two weeks of testing data. In total, there are 38 attacks in the training data as well as in the testing data. The refined version of the DARPA dataset which contains only network data (i.e. tcpdump data) is termed the KDD dataset. The Third International Knowledge Discovery and Data Mining Tools Competition was held in conjunction with KDD-99, the Fifth International Conference on Knowledge Discovery and Data Mining. The KDD dataset is the dataset employed for this Third International Knowledge Discovery and Data Mining Tools Competition. The KDD training dataset consists of approximately 4,900,000 single connection vectors, where each single connection vector consists of 41 features and is marked as either normal or an attack, with exactly one particular attack type. These features are of both continuous and symbolic forms with extensively varying ranges, falling in four categories:
• The first category consists of the features which comprise the fundamental features of each individual TCP connection. Some of the features for each individual TCP connection are the duration of the connection, the type of the protocol (TCP, UDP, etc.) and the network service (http, telnet, etc.).
• The features suggested by domain knowledge are used to assess the payload of the original TCP packets, such as the number of failed login attempts.
• Within a connection, the features observe the recognized connections that have the same destination host as the present connection in the past two seconds, and the statistics related to the protocol behavior, service, etc. are estimated.
• The similar same service features scrutinize the connections that have the same service as the current connection in the past two seconds.
A variety of attacks incorporated in the dataset fall into the following four major categories:
Denial of Service Attacks:
A denial of service attack is an attack in which the attacker makes some computing or memory resource fully occupied or unavailable to handle legitimate requests, or denies legitimate users the right to use a machine.
User to Root Attacks:
User to Root exploits are a category of exploits in which the attacker starts by accessing a normal user account on the system (possibly achieved by tracking down passwords, a dictionary attack, or social engineering) and takes advantage of some vulnerability to achieve root access to the system.
Remote to User Attacks:
A Remote to User attack takes place when an attacker who has the capability to send packets to a machine over a network, but does not have an account on that machine, makes use of some vulnerability to achieve local access as a user of that machine.
Probing:
Probing is a category of attacks in which an attacker examines a network to collect information or discover well-known vulnerabilities. These network investigations are reasonably valuable for an attacker who is staging an attack in the future. An attacker who has a record of which machines and services are accessible on a given network can make use of this information to look for weak points.
Table I illustrates a number of attacks falling into the four major categories, and Table II presents a complete listing of the set of features characterized for the connection records.
TABLE I. VARIOUS TYPES OF ATTACKS DESCRIBED IN FOUR MAJOR CATEGORIES
Denial of Service Attacks: back, land, neptune, pod, smurf, teardrop
User to Root Attacks: buffer_overflow, loadmodule, perl, rootkit
Remote to Local Attacks: ftp_write, guess_passwd, imap, multihop, phf, spy, warezclient, warezmaster
Probes: satan, ipsweep, nmap, portsweep
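As an added example that is not part of the paper, the following Python code parses KDD-99 style connection records (41 comma-separated features plus a label), maps each label to its Table I category, and scores a detector's normal/attack predictions per category, reporting the detection rate per category and the false positive rate on normal records. The sample records and predictions are constructed here, and the label 'mscan' stands in for an attack type absent from Table I.

```python
# Added example (not from the paper): parse KDD-99 style records, map each
# label to its Table I category and score a detector's predictions per category.
from collections import Counter
# Attack label -> category, taken from Table I of the paper.
ATTACK_CATEGORY = {
    **dict.fromkeys(["back", "land", "neptune", "pod", "smurf", "teardrop"], "dos"),
    **dict.fromkeys(["buffer_overflow", "loadmodule", "perl", "rootkit"], "u2r"),
    **dict.fromkeys(["ftp_write", "guess_passwd", "imap", "multihop", "phf",
                     "spy", "warezclient", "warezmaster"], "r2l"),
    **dict.fromkeys(["satan", "ipsweep", "nmap", "portsweep"], "probe"),
}

def parse_record(line):
    """Split one KDD-99 line into its 41 feature strings and the label; the
    public files end each label with '.', e.g. 'smurf.', which is stripped."""
    fields = line.strip().split(",")
    if len(fields) != 42:
        raise ValueError(f"expected 42 fields, got {len(fields)}")
    return fields[:41], fields[41].rstrip(".")

def category_of(label):
    """'normal' stays 'normal'; an attack name absent from Table I is 'unknown'."""
    return "normal" if label == "normal" else ATTACK_CATEGORY.get(label, "unknown")

def score(lines, predictions):
    """Detection rate per attack category plus the false positive rate on normal
    records, for a detector that outputs 'normal' or 'attack' per record."""
    detected, total = Counter(), Counter()
    false_pos = normals = 0
    for line, pred in zip(lines, predictions):
        cat = category_of(parse_record(line)[1])
        if cat == "normal":
            normals += 1
            false_pos += pred == "attack"
        else:
            total[cat] += 1
            detected[cat] += pred == "attack"
    rates = {cat: detected[cat] / total[cat] for cat in total}
    return rates, (false_pos / normals if normals else 0.0)

def make_record(label, protocol="tcp", service="http"):
    """Constructed record: duration, protocol, service, flag, 37 zeroed features,
    then the label with the dataset's trailing period."""
    return ",".join(["0", protocol, service, "SF"] + ["0"] * 37 + [label + "."])

# Constructed sample; 'mscan' stands in for an attack type not listed in Table I.
SAMPLE = [make_record("normal"), make_record("smurf", "icmp", "ecr_i"),
          make_record("neptune"), make_record("guess_passwd", service="telnet"),
          make_record("satan"), make_record("normal"), make_record("mscan")]
PREDICTIONS = ["normal", "attack", "attack", "normal", "attack", "attack", "normal"]
```

Running `score(SAMPLE, PREDICTIONS)` on the constructed sample shows why the paper reports detection rates per category: the detector catches every DoS and probe record but misses the R2L and the unknown attack, while flagging one of two normal records.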
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 8, November 2010, p. 187, http://sites.google.com/site/ijcsis/, ISSN 1947-5500