4. EVALUATION AND DISCUSSION
4.2 Variation, completeness and purity
4.2.1 The variation of the session extraction system
In this work, variation is defined as the complement of the probability of the mode value among the extracted copies of an attack, where the mode value is the most frequent value (here, the most frequent extracted size). The variation is therefore given by

Variation = 1 − P(mode) = (N − n_mode) / N × 100 %

where N is the number of extracted copies of the attack and n_mode is the number of those copies whose size equals the mode size.
In our experiment, the extracted copies of one attack are classified as the same attack by comparing each copy's size with the most frequent size; copies whose size differs from the mode size are what produce the variation. Before the output of the session extraction system can be used, it must be shown that its variation is low. In this experiment we replayed 100 attacks together with ordinary real traffic.
Each of the 100 attacks was mixed with 10 different real-traffic captures to observe the variation.
Therefore every attack yields 10 results (extracted copies), and the session extraction system produces 1000 results in total.
Figures 7, 8 and 9 show the three cases of results obtained when extracting the attacks from the real traffic; in each figure the x-axis is the 10 extracted copies of one attack. Figure 7 shows case one, in which fewer than 3 (and more than 0) of the copies have a size different from the mode size; 37% of the 100 attacks fell into case one. Figure 8 shows case two, in which no copy differs in size; 46% of the 100 attacks fell into case two.
Figure 9 shows case three, in which more than 3 copies differ in size; 17% of the 100 attacks fell into case three. Figure 6 shows the cumulative number of attacks as the variation increases. 83% of the extracted attacks have less than 30% variation, and at 30% variation it is still easy to choose the attack size that occurs most often in our experiment. For the remaining 17% of the extracted attacks, however, the high variation makes it hard to choose the result of the experiment.
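As an added illustration of the variation measure and of the three cases (example code written for this page, not the session extraction system's own code), the following Python computes the variation of one attack from the sizes of its 10 extracted copies, counts how many copies differ from the mode size, and assigns the case. The size values are constructed, and putting exactly 3 differing copies into case three is an assumption, since the text only names "less than 3" and "more than 3".

```python
from collections import Counter

# Constructed sample input (not measurements from the paper): sizes in KB of the
# 10 copies of one attack that were extracted from the 10 real-traffic mixes.
SAMPLE_SIZES = {
    "stable attack":   [812] * 10,                               # case two
    "mostly stable":   [812] * 8 + [790, 833],                   # case one
    "dos-like attack": [18, 25, 31, 25, 12, 25, 40, 25, 9, 25],  # case three
}


def mode_count(sizes):
    """Number of copies whose size equals the most frequent (mode) size."""
    return max(Counter(sizes).values())


def variation(sizes):
    """Variation as defined in 4.2.1: the complement of P(mode), in percent.
    Computed as (N - n_mode) / N * 100 so that 2 of 10 gives exactly 20.0."""
    n = len(sizes)
    if n == 0:
        raise ValueError("need at least one extracted copy")
    return 100.0 * (n - mode_count(sizes)) / n


def differing_copies(sizes):
    """Copies whose size differs from the mode size; this is what the cases count."""
    return len(sizes) - mode_count(sizes)


def classify_case(sizes):
    """Case two: no differing copy; case one: fewer than 3; case three: otherwise.
    Assumption of this example: exactly 3 differing copies falls into case three."""
    d = differing_copies(sizes)
    if d == 0:
        return 2
    if d < 3:
        return 1
    return 3


def share_below(all_sizes, threshold_pct):
    """Fraction of attacks whose variation is below threshold_pct, i.e. one point
    of the cumulative curve that Figure 6 plots."""
    vals = [variation(s) for s in all_sizes.values()]
    return sum(1 for v in vals if v < threshold_pct) / len(vals)


if __name__ == "__main__":
    for name, sizes in SAMPLE_SIZES.items():
        print(f"{name:16s} variation={variation(sizes):5.1f}%  case={classify_case(sizes)}")
    print(f"share below 30% variation: {share_below(SAMPLE_SIZES, 30):.2f}")
```

With 10 copies per attack, "fewer than 3 differing copies" is the same statement as "variation of 20% or less", which is why the 83% of attacks in cases one and two all sit below the 30% mark of Figure 6.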
Figure 6. The variation of extracted attacks
4.2.2 The completeness and purity of the session extraction system
By adding one step to the variation experiment we can also observe completeness and purity. The added step plays and records the 100 attacks alone, without any other traffic, which gives us the original version of each of the 100 attacks. In this experiment we compared the 10 results of each attack from the variation experiment with that attack's original.
Completeness and purity are defined as follows. If the size of an extracted attack is smaller than the size of the original attack, the extracted attack is not complete. If the size of the extracted attack is larger than the size of the original attack, the extracted attack is not pure. If the size of the extracted attack equals the size of the original attack, we compare the extracted attack with the original attack bit by bit: the bits of the extracted attack file and of the original attack file are compared individually. If the extracted attack differs from the original attack, the extracted attack is neither complete nor pure.
Figure 7. The different sizes of attacks less than 3
Figure 8. The different sizes of attacks equal to 0
[figure panel title: nessus attack 1]
Figure 9. The different sizes of attacks larger than 3
Under this definition an attack is judged complete and pure by the size comparison followed by the bit comparison. However, when the extracted attack and the original attack differ in size the bits cannot be compared, so completeness cannot be decided when the extracted attack is larger than the original attack (it is already not pure). For this reason we mark the completeness of such attacks as
"Undefined". Likewise, the purity of some attacks cannot be decided for the same reason: an extracted attack smaller than the original is already not complete, but nothing can be said about its purity.
By our definition, the 370 attacks in case one were 71% complete (1% not complete by size, 4% not complete by bit comparison, 24% undefined) and 71% pure (24% not pure by size, 4% not pure by bit comparison, 1% undefined). The 460 attacks in case two were 100% complete and 100% pure. The 170 attacks in case three were 12% complete (23% not complete by size, 29% not complete by bit comparison, 36% undefined) and 12% pure (36% not pure by size, 29% not pure by bit comparison, 23% undefined). Note that the share that is undefined for completeness is exactly the share that is not pure by size, and the share that is undefined for purity is exactly the share that is not complete by size, as the definition implies. Table 3 compares the three cases.
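The size-then-bit comparison of 4.2.2 and the breakdown reported above for the three cases, as an added Python example that is not part of the paper's system: the original recording and the extracted copies are constructed byte strings standing in for the recorded attack files, and the label names are assumptions of this example.

```python
from collections import Counter

# Constructed stand-in for the 11th recording of one attack (played alone),
# plus extracted copies showing each outcome of the comparison. Not real data.
ORIGINAL = b"ATK" + bytes(range(256)) * 4          # 1027 bytes

EXTRACTED = {
    "identical":        ORIGINAL,                   # complete and pure
    "truncated":        ORIGINAL[:-200],            # tail missing: not complete
    "foreign bytes":    ORIGINAL + b"\x00" * 60,    # other traffic leaked in: not pure
    "one byte flipped": ORIGINAL[:500] + b"\xff" + ORIGINAL[501:],  # same size, differs
}


def first_mismatch(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, or -1 when the buffers are identical.
    Byte-wise comparison is equivalent to the paper's bit-wise comparison for
    deciding equality; the offset is extra diagnostic information."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def judge(extracted: bytes, original: bytes):
    """Return (completeness, purity) labels following 4.2.2. Labels (assumed
    names): 'yes', 'no (size)', 'no (compare)', 'undefined'."""
    if len(extracted) < len(original):
        # smaller: certainly incomplete; purity cannot be judged without a bit comparison
        return "no (size)", "undefined"
    if len(extracted) > len(original):
        # larger: certainly impure; completeness cannot be judged
        return "undefined", "no (size)"
    if first_mismatch(extracted, original) == -1:
        return "yes", "yes"
    return "no (compare)", "no (compare)"


def summarise(copies, original):
    """Percentage breakdown of the labels over all copies, in the shape of the
    per-case figures reported in the text (complete / not by size / not by
    comparison / undefined, and the same for purity)."""
    comp, pur = Counter(), Counter()
    for data in copies:
        c, p = judge(data, original)
        comp[c] += 1
        pur[p] += 1
    n = len(copies)

    def pct(counter):
        return {label: 100.0 * count / n for label, count in counter.items()}

    return {"completeness": pct(comp), "purity": pct(pur)}


if __name__ == "__main__":
    for name, data in EXTRACTED.items():
        c, p = judge(data, ORIGINAL)
        print(f"{name:16s} completeness={c:12s} purity={p}")
    print(summarise(list(EXTRACTED.values()), ORIGINAL))
```

Because the two "undefined" outcomes are the mirror images of the two "not by size" outcomes, the undefined-completeness percentage must always equal the not-pure-by-size percentage (and vice versa), which is the check the reported numbers pass.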
[figure panel: nessus attack 3; x-axis: times (1 to 10); y-axis: size (KB), 0 to 35000]
The completeness and purity of case three are very interesting. By our observation, the 170 attacks of case three (17 different attack types, each mixed with the 10 real-traffic captures) include 15 DDoS or DoS attacks. The size of a DDoS or DoS attack is not fixed: 500 packets, 300 packets or 1000 packets of a DDoS or DoS attack can all be said to be the attack. Therefore the 11th recording, made by playing a DDoS or DoS attack alone, cannot serve as a standard, because a smaller or a larger recording can equally be considered the attack. For this reason the completeness and purity in case three are poor, and the variation is poor for the same reason.
Table 4. The completeness and purity of the extracted attacks (Variation)

                          case one   case two   case three
extracted attacks            370        460         170
complete                     71%       100%         12%
  not complete (size)         1%         0%         23%
  not complete (compare)      4%         0%         29%
  undefined                  24%         0%         36%
pure                         71%       100%         12%
  not pure (size)            24%         0%         36%
  not pure (compare)          4%         0%         29%
  undefined                   1%         0%         23%
4.3 Analysis of the difference between Nessus traffic and the real