
I am doing a project on an intrusion detection system. I am using the JPCAP library to capture packets. Using JPCAP I am able to construct the basic features of TCP connections mentioned in the KDD 99 dataset (e.g. duration, protocol_type, service, source port, destination port). I want to construct content features like "hot indicators, num_failed_logins, su_attempted, is_hot_login, is_guest_login", and time-based features like "count, serror_rate, rerror_rate, same service rate".

So please give me any hint about constructing such features from live traffic.

Mat

1 Answer


The features you have implemented are just network-level features, i.e. duration, protocol_type, service, source port, destination port, which you can get by reading IP packets using JPCAP. The problem is that JPCAP/libpcap is just a sniffer library and does not handle low-level protocol issues. For handling all the TCP/IP stuff like

  1. IP fragmentation
  2. TCP Retransmission
  3. Packet Reordering

I recommend integrating your code with Libnids, which emulates the IP stack of Linux 2.0.x and provides IP defragmentation and TCP stream assembly, and reviewing Justniffer as an implementation.

Ali Ahmad
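The time-based "same host" features the question asks about (count, serror_rate, rerror_rate, same_srv_rate) do not need payload reassembly: once each TCP connection has been reduced to a record with a start time, destination host, service and KDD'99 status flag, they are a sliding two-second window over those records. The status flag itself is where the answer's point bites, because deciding S0 versus REJ versus SF requires tracking the handshake and teardown per connection rather than looking at single packets. The following is an added example, not code from the question, the answer, JPCAP or Libnids; the `Conn` record layout, the reduced flag-inference rules in `infer_flag` and the sample connection stream are assumptions constructed for illustration.

```python
"""
KDD'99 "same host" time-based features (count, serror_rate, rerror_rate,
same_srv_rate) computed over a stream of connection records, plus a
simplified derivation of the per-connection status flag from the TCP
handshake.  Added example; the record layout and the flag rules are
assumptions, the two-second window follows the KDD'99 feature description.
"""
from collections import deque
from dataclasses import dataclass

WINDOW_SECONDS = 2.0                        # KDD'99 uses a two-second window
SYN_ERROR_FLAGS = {"S0", "S1", "S2", "S3"}  # connection never completed normally


@dataclass
class Conn:
    start: float    # time of the first packet, epoch seconds
    dst: str        # destination host
    service: str    # destination service, e.g. "http"
    flag: str       # KDD'99 status flag: SF, S0, S1, REJ, OTH, ...


def infer_flag(packets):
    """Derive a KDD'99-style status flag from a connection's packet sequence.

    `packets` is a list of (direction, tcp_flags) tuples: direction "c" for
    client->server, "s" for server->client; tcp_flags is a set drawn from
    {"S", "A", "F", "R"}.  Deliberately reduced rule set (assumption):
      S0  client SYN, nothing at all from the server
      REJ client SYN answered by a RST
      SF  handshake completed and both sides sent FIN
      S1  handshake completed, connection not terminated
      OTH anything else (no SYN seen, mid-stream capture, ...)
    """
    client_syn = any(d == "c" and "S" in f and "A" not in f for d, f in packets)
    if not client_syn:
        return "OTH"
    server_pkts = [f for d, f in packets if d == "s"]
    if not server_pkts:
        return "S0"
    if "R" in server_pkts[0]:
        return "REJ"
    if {"S", "A"} <= server_pkts[0]:
        fins = {d for d, f in packets if "F" in f}
        return "SF" if fins == {"c", "s"} else "S1"
    return "OTH"


class SameHostFeatures:
    """Sliding two-second window over connection records fed in start-time order."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.recent = deque()

    def update(self, conn):
        """Append `conn` and return its (count, serror_rate, rerror_rate, same_srv_rate)."""
        # Evict records that fall outside the window relative to this connection.
        while self.recent and conn.start - self.recent[0].start > self.window:
            self.recent.popleft()
        self.recent.append(conn)
        # The current connection counts itself, so count is always >= 1 as in KDD'99.
        same_host = [c for c in self.recent if c.dst == conn.dst]
        count = len(same_host)
        serror = sum(c.flag in SYN_ERROR_FLAGS for c in same_host) / count
        rerror = sum(c.flag == "REJ" for c in same_host) / count
        same_srv = sum(c.service == conn.service for c in same_host) / count
        return count, round(serror, 2), round(rerror, 2), round(same_srv, 2)


# Constructed sample stream: one normal HTTP connection, then a burst of
# half-open SYNs (S0) and refused connections (REJ) to the same host inside
# one second, the pattern a simple SYN scan leaves behind.
SAMPLE_CONNS = [
    Conn(100.0, "10.0.0.5", "http", "SF"),
    Conn(100.3, "10.0.0.9", "ssh", "SF"),
    Conn(100.5, "10.0.0.5", "ftp", "S0"),
    Conn(100.6, "10.0.0.5", "telnet", "S0"),
    Conn(100.7, "10.0.0.5", "smtp", "REJ"),
    Conn(100.8, "10.0.0.5", "http", "S0"),
    Conn(103.0, "10.0.0.5", "http", "SF"),   # outside the window: counts restart
]


def extract_all(conns):
    """Feature rows for a whole connection stream (must be sorted by start time)."""
    fx = SameHostFeatures()
    return [fx.update(c) for c in conns]


if __name__ == "__main__":
    for c, row in zip(SAMPLE_CONNS, extract_all(SAMPLE_CONNS)):
        print(f"{c.start:6.1f} {c.dst:10} {c.service:7} {c.flag:4} -> {row}")
```

The scan burst is visible in the rows: count climbs to 5 for 10.0.0.5 while serror_rate rises to 0.6 and same_srv_rate falls to 0.4, whereas the lone connection at 103.0 starts from count 1 again. The content features from the question (num_failed_logins, su_attempted, is_guest_login and the other "hot" indicators) are a different matter: they are read out of the application payload of a reassembled stream, which is exactly what JPCAP on its own does not give you and why the answer points to Libnids.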