Snort mailing list archives

[SNORT-devel] Snort with anomaly detection


From: Nguyen Kien <kiennguyen1101 () gmail com>
Date: Mon, 11 Apr 2011 21:35:11 +0700

Hi all,

I'm currently working on research on using the Artificial Immune System (AIS) approach to intrusion detection with the Negative Selection Algorithm (NSA). The algorithm by Forrest et al. [1] is as follows:
1. Define the self-profile.
2. Generate random candidate detectors.
3. Match each candidate detector against the self-data. If it matches, it is discarded; otherwise it is added to the detector set. The detector set is used to detect anomalous traffic.

I'm trying to port the algorithm into Snort, using a custom preprocessor (is it better to use a dynamic preprocessor?). The self-data is collected from the IP packet headers and stored in the database to generate the detector set. I'm planning to use the DARPA data set for the self-data. I've written a helloworld preprocessor to collect header data from the DARPA data set. However, I'm having a few technical problems that I would like to ask about.
- Where should I put my code to generate the detector set in the Snort preprocessor? At the exit function, after data collection in the helloworld preprocessor? At the initialization of a new preprocessor?
- Is it OK to check each packet against around 100 detectors? Does it destroy the performance of Snort?


Best Regards.


[1] S. Forrest, A. Perelson, et al., Self-Nonself Discrimination in a Computer, 1994.

Attachments: spp_helloworld.c, spp_helloworld.h
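The three NSA steps above, and the per-packet check against a detector set, as an added example in C. This is not code from the post, from the attached spp_helloworld.c, or from Snort. It assumes a constructed 32-bit feature string per packet (protocol, destination port, TTL), the r-contiguous-bits matching rule from Forrest et al., a small deterministic LCG in place of a real random source, and a handful of constructed "normal" header tuples as the self profile; the field choice, the bit width and r are all illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the original post or the Snort project.
 * Feature string (constructed encoding, 32 bits):
 *   bits 31..24 = IP protocol, bits 23..8 = destination port, bits 7..0 = TTL */
#define FEAT_BITS 32

uint32_t encode_header(uint8_t proto, uint16_t dport, uint8_t ttl)
{
    return ((uint32_t)proto << 24) | ((uint32_t)dport << 8) | ttl;
}

/* r-contiguous-bits rule (Forrest et al.): two strings match if they agree
 * on at least r consecutive bit positions. Returns 1 on match, 0 otherwise. */
int rcb_match(uint32_t a, uint32_t b, int r)
{
    uint32_t same = ~(a ^ b);            /* 1 wherever the two strings agree */
    int run = 0;
    for (int i = 0; i < FEAT_BITS; i++) {
        if (same & (1u << i)) {
            if (++run >= r) return 1;
        } else {
            run = 0;
        }
    }
    return 0;
}

/* Deterministic PRNG (LCG) so a run is reproducible; not a cryptographic source. */
static uint32_t lcg_next(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state;
}

/* Steps 2 and 3: draw random candidates, discard any that match a self
 * sample, keep the rest. Returns the number of detectors written to out
 * (fewer than want only if max_tries is exhausted first). */
size_t generate_detectors(const uint32_t *self, size_t nself,
                          uint32_t *out, size_t want, int r,
                          uint32_t seed, size_t max_tries)
{
    size_t kept = 0;
    for (size_t t = 0; t < max_tries && kept < want; t++) {
        uint32_t cand = lcg_next(&seed);
        int matches_self = 0;
        for (size_t i = 0; i < nself; i++) {
            if (rcb_match(cand, self[i], r)) { matches_self = 1; break; }
        }
        if (!matches_self) out[kept++] = cand;   /* censored candidate survives */
    }
    return kept;
}

/* Detection phase (the per-packet path): flag a sample if ANY detector matches. */
int is_anomalous(uint32_t sample, const uint32_t *det, size_t ndet, int r)
{
    for (size_t i = 0; i < ndet; i++)
        if (rcb_match(sample, det[i], r)) return 1;
    return 0;
}

/* Sanity property of negative selection: a detector set censored against a
 * self set can never flag a member of that same self set. Returns 1 if so. */
int self_is_silent(const uint32_t *self, size_t nself,
                   const uint32_t *det, size_t ndet, int r)
{
    for (size_t i = 0; i < nself; i++)
        if (is_anomalous(self[i], det, ndet, r)) return 0;
    return 1;
}

#define NDET   100   /* the ~100 detectors asked about in the post */
#define R_BITS 10    /* illustrative threshold for the r-contiguous rule */

int main(void)
{
    /* Step 1: constructed self profile, a few "normal" header tuples */
    uint32_t self[] = {
        encode_header(6, 80, 64), encode_header(6, 443, 64),
        encode_header(17, 53, 128), encode_header(6, 22, 64),
    };
    size_t nself = sizeof self / sizeof self[0];
    uint32_t det[NDET];
    size_t ndet = generate_detectors(self, nself, det, NDET, R_BITS, 12345u, NDET * 50);
    printf("kept %zu of %d detectors\n", ndet, NDET);
    printf("self profile silent: %d\n", self_is_silent(self, nself, det, ndet, R_BITS));
    uint32_t probe = encode_header(1, 0, 255);   /* constructed ICMP header, absent from self */
    printf("probe flagged: %d\n", is_anomalous(probe, det, ndet, R_BITS));
    return 0;
}
```

Two things the code makes concrete that the prose does not. First, generation (steps 2 and 3) runs once, before any packet is classified, and only `is_anomalous` sits on the per-packet path: with this matching rule that path costs one pass over FEAT_BITS positions per detector, so 100 detectors is on the order of a few thousand bit tests per packet, and it can stop at the first match. Second, the censoring step guarantees by construction that nothing in the self profile is ever flagged (`self_is_silent`), so any false positives come from traffic the self profile failed to cover, not from the detectors themselves; how much non-self traffic the set catches depends on the number of detectors and on r, which is what a DARPA evaluation would measure.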
