
Proceedings of the 2004 IEEE International Conference on Networking, Sensing & Control
Taipei, Taiwan, March 21-23, 2004

An Active Network-Based Intrusion Detection and Response Systems

Han-Pang Huang* and Chia-Ming Chang+

Robotics Laboratory, Department of Mechanical Engineering, National Taiwan University, Taipei, 10660, TAIWAN

TEL/FAX: (886) 2-23633875, Email: hanosneiantu.edu.m

*Professor and correspondence addressee. +Graduate student

Abstract - The network security is getting more important because of increasing worm and network attacks in recent years. More and more security mechanisms are introduced to protect from attack, such as firewalls and intrusion detection systems. This paper proposes an active network programming model. Comparing to a traditional network, active network W S the nodes programmable. It adopts the active network technology. The mpomt-, service deployment and service update schemes * 0" this technology. The proposed intrusion detection and response system (IDW m s r o p m t a e * r m r h c f t s r l i n c M d m p o d a $ f ~ as possible to reduce the damage caused by intruders. It provides the abilities of detection, report and response. The proposed prototype system adopts the novel data mining technology, support vector machine, to enhance the detection function.

1 Introduction

1.1 Objectives and Motivation

With the wide spread of internet, various kinds of Internet services are developed, such as e-commerce, web services. Network security is an important issue. According to the report of Carnegie Mellon University's Computer Emergency Response Team's (CERT) [21] Coordination Center, the sophistication of attacks is dramatically increasing and there are usually several stages involved in one attack. The firewalls can protect a system from e x l e d attacks, but it cannot keep up with new attacks. The intrusion detection system (IDS) is much more dynamic and can provide advance network defence mechanism. The previous IDS are mostly focused on passive model, which aims at detection and alert. The present IDS are static and lack the functionality of adding new features and system reconfiguring. Active network is a novel approach to network architecture in which the nodes of the network perform customized computations on the messages flowing through them. This paper proposes a scalable intrusion detection system based on active network technology. The system can tailor the detection mechanism to the system and replace them with improved detection model. Current IDSs have limited mechanism and emphasize on detecting attacks.

The delay time in alert and response may affect the influences of the attacks. Therefore, an automated intrusion response system combined with IDS is necessary. Responding in time and taking appropriate measures can make the system immune to the similar types of the attacks. Unlike the traditional network, which only passively transform the packets, active network allows the network node to execute the mobile code within packets. The proposed IDS combines distributed monitoring and data mining approach (through individual host and LAN monitors) with centralized data analysis (through the Intrusion Detection Center).

1.2 Background Knowledge Survey

Active network [1][2][4][10][15][16][17][19][20] is a novel approach to network architecture in network nodes, such as switches, routers, hubs, bridges, gateway. The network nodes perform customized computation for the packets flowing through them. The essential feature of active network is the programmability. New network feature and service can be dynamically added to the network infrastructure on demand. Note that active network is different from programmable networks [5][7][9][14]. Active networks carry executable code within packets, while programmable networks are focused on a standard programming interface for network control. Intrusion detection is defined as the process of monitoring and analyzing events occurring in a computer or network and e results to the administrator. The related research of intrusion detection started in the early 1980s. It has continued through several major DARPA (and other Government) programs. In the beginning of the 1990s, intrusion detection becomes red hot research topic and commercial IDS starts to emerge.

2 Active Network-Based Intrusion Detection System Design

In this paper, an intrusion detection system is designed for detecting both well-known and unknown intrusion behaviors. The system is composed of intrusion detection system (IDS), management center and intrusion detection center (IDC). The relationship among them is shown in Figure 1.

Figure 1 Swrce Management

If any suspected activities are discovered, the corresponding responses of IDS are sent to IDC for further analysis. Management has the ability to dispatch service agents. The active node can get the desired services from the Management center according to its needs and environment. It also allows the IDC to update the detection model. The center is responsible for a subnet. Its duty is to deploy and update the services. It also maintains and monitors the status of agents of the active node.

In addition to handling these events, IDC provides the detection modules for IDS. It dispatches them by applying mobile agent technology to satisfy the need of different environments.

2.1 Intrusion Detection Systems

An intrusion detection system (IDS) is composed of node manager, active network monitor, intrusion detection agent, intrusion response agent and network management agent. Each component will be introduced in the following sections.

2.1.1 Node Manager

A node manager is built in every host to provide the m i e m agent execution environment so that various agents can perform tasks. It can be seen as the ampemtion of agents that reside within the agent-based EE. A node manager can monitor agents. It has to check any illegal operations and filter out malicious behaviors. The main function of a node manager is to m p t e all agents according to the host system information.

2.1.2 Active Network Monitor

Active network monitor (ANM), which plays the important role in the system, is a programmable traffic monitor. It captures packets from in- according to the user's instructions. It allows the remote manager to dynamically specify the packet type. The manager can get the analysis results and know the quality and traffic of the whole network.

2.1.3 Intrusion Detection Agent

The intrusion detection agent (IDA) implements data mining methods, e.g., neural network and support vector machine. It is responsible for the actual intrusion detection job. There are two kinds of intrusion detection agents: services-specified mode and general mode, as shown in Figure 3.

Figure 3 Detection mode of Intrusion Response Agent

2.1.4 Intrusion Response Agent

Intrusion response agent (IRA) is like the commander in the IDS. It is an agent responsible for what action should take when receiving an event or report. It sends out the response commands based on the security policy. For those locally intrusions, it takes responses such as reconfiguring the filter rules, terminating the connections. If no existing knowledge or rules are available, it will pass the message to IDC in a standard format.

2.1.5 Network Management Agent

The purpose of the research is to integrate the IDS and NMS in terms of audit sources, analysis techniques and deployment strategies. This is the responsibility of the Network Management Agent (NMA). The integration of intrusion detection and network management systems will provide a unified view of network security status to the system manager and significantly improve the security management.

2.2 Management Center

Management center is responsible for service deployment and service update. It is service-domain independent and performs tasks without knowing the detail of the service. It is like data warehouse which reposits the agents or mobile codes to deploy service. If IDS or other applications, such as video conference and network management, intend to update the agents, they just send the mid or new edition agent to the management center. It will automatically retrieve the related client software modules according to its node information.

2.3 Intrusion Detection Center

decision will be made based on the information, such as attack type and priority. Basically, the intrusion will be sent to detection module to compare with previously known patterns. If the discovered pattern is indistinct, it may need other experts to identify whether they are normal patterns or intrusion. If it is really an intrusion pattern, it will update the knowledge base.

2.4 Programming Model

The programming model is intended to support a general class of active networks. It uses ANEP [3] as the basic transformation protocol. The programming model adopts Java programming language in order to be operating system independent. Besides, programs based on this model should be seamlessly executed on different execution ... environments. The user should inherit and override the ANPacket class of the model to define the unique communication mechanism. Therefore, every active packet can be executed to perform the --specified d o n on the active node which it has traveled through.

New service can be developed by extending the abstract classes of the programming model. The basic components of the network services in the programming model are Active Packet, Active Service Base, ANApplication and ANDaemon. Figure 4 illustrates a general view of the programming model.

A new protocol and service can be developed by extending ANPacket, ANBase, and ANApplication. Based on this programming model, it provides a convenient way to construct the active network-based services. In this paper, the proposed active network-based intrusion detection system is based on this model.

Figure 4 Active network programming Model

2.5 IDS based active network Model

Based on the programming model mentioned in the previous section, the proposed IDS is constructed. The user should overwrite the ANPacket, ANBase and ANApplication to create and &@e components to provide the service. The ram classes based on this programming model are IDSPacket, IDSBase, and IDSApplication.

IDSPacket

represented by the specified IDS. The Service ID is used to identify services. In the proposed prototype IDS, only the general model and web service are defined. The web service is the only implementation of service specified services. Services Type is used to specify the environment of the WWW services. The Class ID is used to identify the type of this ANPacket. According to the above information, the variation part can be further processed. The variable portion can be a mobile code or just data. The user can handle and execute it in the ANBase or ANApplication.

IDSBase

It extends the abstract class ANBase. The node manager has the implementation of the IDSBase. It provides the w n t m for the p r o w that inherits IDSApplication. It also supports the basic function of the API for efficiency.

IDSApplication

It extends the abstract class ANApplication. Active network monitor, intrusion detection agent, intrusion response agent, and network management agent are all the implementation of the IDSApplication. For the emtian of the IDSApplication, it should designate the ANBase. Then, the node manager can monitor and control these components by the default mechanism of the and ANApplication. Each component can easily communicate with other components to perform tasks.

2.6 Protocol

Several protocols are used in our proposed prototype system. These protocols implemented for interoperability are described in the following section.

ANEP

The Active Network Encapsulation Protocol (ANEP) [3] is defined for interoperability. The ANEP header format is shown in Figure 5.

The Intrusion Detection Message Exchange Format (IDMEF) [6] is an Extensible Markup Language (XML) Document Type Definition (DTD) developed by the Intrusion Detection Exchange Format Working Group (IDWG) [22] of the Internet Engineering Task Force (IETF), which is an IETF working group aims at defining common data formats and exchanging protocols for information sharing among intrusion detection and response systems, and management system.

2.7 Intrusion Responses

Passive Response

Passive responses of the IDS are used to notify the proper authority. They can provide useful information to the manager. Several passive responses are used in the proposed prototype system and will be described as followed.

Alarms are the responses adopted in the IDS. They inform users when attacks are detected. They provide the detailed information in the alarm message about the events, such as the source and target IP addresses of the attack, the suspicious activities, and the event priority.

Active Responses

Active IDS responses are automated actions taken when the corresponding suspicious behavior is detected. In general, the IDSs will produce plenty of false alarms. The false alarm will waste system resources and cause packet loss when the network traffic overloads. The prototype system will gather the information about the suspicious target and intruder hosts by increasing the sensitivity of detection. The additional information can help resolve the detection of intrusions. Another active response is to stop the attack in progress by blocking the subsequent access of intruder. The prototype system resides the target host will discard all the connections from the intruders, and notifies the routers and firewalls to block the network packets from the attacker. When attacks occur, it is important to respond as fast as possible to reduce damage. The prototype system will h-dee the intruder. It will notify and update the active node services to isolate the intruder. The IDS system will follow the policy to take action according to the event. The proposed prototype system reports the system status to the network management system. The IDS contains the network management agent that can send SNMP traps and messages to post alarm and alerts to the central network management consoles. Hence, it is easy to detect the abnormal events and report to the manager.

0                          15 16                         31
Version | Flag               | Type ID
ANEP Header Length           | ANEP Packet Length
Payload

Figure 5 Active Network Encapsulation Protocol (ANEP) header format
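The ANEP header of Figure 5 is the first thing an active node reads from untrusted traffic, so it has to be validated before any mobile code or evaluator is selected. The following is an added example, not code from the paper: the 8-bit Version and Flags split, the length units (header in 32-bit words, packet in octets) and the discard flag follow the ANEP draft [3], while the Type ID values and the evaluator table are hypothetical.

```python
import struct
from dataclasses import dataclass

ANEP_VERSION = 1            # version number defined by the ANEP draft [3]
FIXED_WORDS = 2             # the two 32-bit words shown in Figure 5
DISCARD_IF_UNKNOWN = 0x80   # most significant Flags bit (ANEP draft)
IDS_TYPE_ID = 0x0101        # hypothetical Type ID for the IDS evaluator


class ANEPError(ValueError):
    """The datagram is malformed and must be dropped unevaluated."""


@dataclass(frozen=True)
class ANEPPacket:
    flags: int
    type_id: int
    options: bytes
    payload: bytes


def build_anep(type_id, payload, flags=0, options=b""):
    """Serialise a packet (used here only to construct sample input)."""
    if len(options) % 4:
        raise ValueError("options must be padded to 32-bit words")
    header_words = FIXED_WORDS + len(options) // 4
    total = header_words * 4 + len(payload)
    return struct.pack("!BBHHH", ANEP_VERSION, flags, type_id,
                       header_words, total) + options + payload


def parse_anep(datagram):
    """Check every length field before any byte reaches an evaluator."""
    if len(datagram) < FIXED_WORDS * 4:
        raise ANEPError("shorter than the fixed header")
    version, flags, type_id, header_words, total = struct.unpack(
        "!BBHHH", datagram[:8])
    if version != ANEP_VERSION:
        raise ANEPError("unsupported version %d" % version)
    if header_words < FIXED_WORDS:
        raise ANEPError("header length below the fixed header")
    if total != len(datagram):
        raise ANEPError("packet length field does not match datagram")
    header_len = header_words * 4
    if header_len > total:
        raise ANEPError("header length exceeds packet length")
    return ANEPPacket(flags, type_id, datagram[8:header_len],
                      datagram[header_len:total])


def dispatch(datagram, evaluators):
    """Decide what the active node does with one received datagram."""
    try:
        packet = parse_anep(datagram)
    except ANEPError as exc:
        return ("drop", str(exc))
    evaluator = evaluators.get(packet.type_id)
    if evaluator is None:
        # Unknown Type ID: the sender's flag chooses discard or forwarding.
        if packet.flags & DISCARD_IF_UNKNOWN:
            return ("drop", "unknown Type ID with discard flag set")
        return ("forward", None)
    return ("handled", evaluator(packet))


def demo():
    """Run four constructed datagrams through the node's dispatch logic."""
    evaluators = {IDS_TYPE_ID: lambda p: p.payload.decode("ascii")}
    good = build_anep(IDS_TYPE_ID, b"alert")
    return [
        dispatch(good, evaluators),
        dispatch(build_anep(0x7777, b"x"), evaluators),
        dispatch(build_anep(0x7777, b"x", flags=DISCARD_IF_UNKNOWN),
                 evaluators),
        dispatch(good[:-1], evaluators),   # truncated in transit
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Rejecting a packet whose declared length differs from the received length is a policy choice of this example; it keeps a crafted length field from steering where the payload is cut.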

2.7.1 Deployment Scheme

The framework provides the flexibility and convenience for service deployment. It adopts mobile agent technology to construct the active network-based services. Each service can negotiate to decide the format of the protocol and the parameters of the specified services. The deployment steps are represented below:

Step 1: The node manager apdtes the mobile agent according to the user configuration and system environment.

Step 2: The designed mobile agent is sent to the management center. The mobile agent negotiates with the management center to get the specific service.

Step 3: The management center which is responsible for providing services can dispatch the appropriate mobile agents to the client according to the information carried by the previous user's mobile agent.

Step 4: When the mobile agents arrive at the client host and reside into the node manager, they begin to perform the assigned tasks or services. Besides, they can communicate with the predefined protocol.

2.8 Service Update Scheme

Management center deploys the service according to the user's demand and save the related information. When it is necessary to update the Agent version, the Management Center can retrieve the software module from other s m m and check the database. Then, the server searches the Management Table by corresponding System ID, Service ID, and Service Type to find out the agent and its position to update the module.

3 Modeling and Methodology

3.1 Detection Models

The general model deals with the general situation and is independent of the system environment. The service specified model is for the specified services. The attack approach of the IIS is quite different from Apache. If the host does not have the web server, it is unnecessary to construct the web attack detection services. The IDC will prepare the web intrusion detection of three different editions (IIS, Apache and others).

3.2 General Development Procedures

3.2.1 Data Format

General Model

Three groups of features defined by KDD Cup are listed below:
1. Basic features of individual TCP connections
2. Time based features
3. Connection based features

Service Specified Model

In case of service specified model, only the content of the connections are concerned. The data format is only w ma b u t keywords shown in Table 1 and Table 2.

Table 1 General Keywords of WWW Server Specified

System, winnt, Html, GET, HEAD, Host, m, scripts, www, Exe, Connection, Close, Accept, DLL, IIS, MICROSOFT, Content, Seer, Ran

Table 2 Selected Individual Intrusion Keywords

Intrusion | Keyword
WEB-IIS ISAPI .ida attempt | Ida, GetTickCount, LoadLibraryA
EXPERIMENTAL ~;IIS .asp@" overtlow attem | Smartsaver, : ; a
WEB-IIS cmd.exe access | Lwrite, msadc, cmd
WEB-MISC cross mute. buffer MSOFFICE9
WEB-MISC v2 root.exe access

3.2.2 Data preprocessing

General Model

The five-fold cross validation is used in the training dataset to find out which parameters have better performance.

Service Specified Model

Every connection between the client and server can be viewed as a document. Then the text categorization technique uses the keyword as the feature to represent the connection. So each connection can be coded as a feature vector depending on the w n t a d 11 w n m the keyword from the feature list. In the service specified model of WWW attack, keywords are selected as features to represent every connection.

Feature Selection

The word features come from two parts: basic common words and keywords from intrusion. Twenty words are selected to represent these kinds of features. Finally, the last keywords are selected according to the IDF(W_i, d). The selected method is based on the IDF(W_i, d) function.

D w m = w D F ~ ~ ~ F ( K $ (I)

Here, W_i is the keyword. DF(W_i) represents the number of connections that the word W_i occurs in the total number of training connections. DF(W_i, d) represents the number of connections that the word W_i occurs in the specified intrusion. Intuitively, the inverse document frequency (IDF) of a word is low if it occurs in many connections and occurs only few times in the intrusion d. It is the highest one if it occurs in few total connections and occurs only every intrusion d.

3.2.3 Detection Algorithms

Different detection models are implemented by the development procedure described in the previous section. The detection algorithm lists below.

Step 1: Receive network packets of connections.

Step 2: For each detection model, preprocess the packets to feature vectors according to the detection model profile.

Step 3: Classify these specified feature vectors using data mining algorithm such as support vector machine.

Step 4: If the intrusion is identified by the service specified intrusion detection agent, the related information will forward to intrusion response agent. The intrusion response agent will handle the event.
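Feature selection and Steps 1 and 2 of the detection algorithm, as an added example that is not the authors' code: each connection is treated as a document, candidate keywords are ranked for one intrusion class, and a connection is encoded as a binary keyword vector in the sparse input format of LIBSVM [23]. Equation (1) is not legible in this copy, so the score DF(w, d) / DF(w) is an assumption that only follows the qualitative description of the text; the training connections are constructed, and the feature list uses legible entries of Tables 1 and 2.

```python
import re

# Feature list built from legible entries of Tables 1 and 2 on this page.
FEATURES = ["get", "head", "host", "html", "scripts", "exe", "dll",
            "ida", "gettickcount", "loadlibrarya", "msadc", "cmd"]

# Constructed, labelled training connections (not data from the paper).
TRAIN = [
    ("normal", "GET /index.html HTTP/1.0\r\nHost: www.example.test"),
    ("normal", "HEAD /images/logo.gif HTTP/1.0\r\nHost: www.example.test"),
    ("normal", "GET /scripts/search.dll?q=ida HTTP/1.0\r\n"
               "Host: www.example.test"),
    ("ida_attempt", "GET /default.ida?XXXX HTTP/1.0\r\n"
                    "Host: www.example.test"),
    ("ida_attempt", "GET /a.ida?XXXX HTTP/1.0"),
    ("cmd_access", "GET /scripts/cmd.exe HTTP/1.0"),
]


def words(payload):
    """A connection is a document: the set of its lowercase words."""
    return set(re.findall(r"[a-z0-9]+", payload.lower()))


def rank_keywords(train, intrusion, candidates):
    """Rank candidate words for one intrusion class d.

    Assumed score: DF(w, d) / DF(w). It is low for a word seen in many
    connections but rarely in d, and highest for a word seen only in d.
    Ties are broken by DF(w, d), then alphabetically.
    """
    docs = [(label, words(payload)) for label, payload in train]
    ranked = []
    for w in candidates:
        df = sum(1 for _, doc in docs if w in doc)
        df_d = sum(1 for label, doc in docs
                   if label == intrusion and w in doc)
        if df_d:
            ranked.append((w, df_d / df, df_d))
    ranked.sort(key=lambda item: (-item[1], -item[2], item[0]))
    return [(w, score) for w, score, _ in ranked]


def encode(payload, features=FEATURES):
    """Binary feature vector: 1 where the connection contains the keyword."""
    doc = words(payload)
    return [1 if f in doc else 0 for f in features]


def to_libsvm(label, vector):
    """One line of LIBSVM sparse input: label, then 1-based index:value."""
    pairs = ["%d:%d" % (i, v) for i, v in enumerate(vector, start=1) if v]
    return " ".join([label] + pairs)


if __name__ == "__main__":
    for word, score in rank_keywords(TRAIN, "ida_attempt", FEATURES):
        print("%-8s %.3f" % (word, score))
    for label, payload in TRAIN:
        tag = "-1" if label == "normal" else "+1"
        print(to_libsvm(tag, encode(payload)))
```

The word "ida" also appears in one constructed normal connection, which is why its score stays below 1 and why a single keyword is not treated as a verdict; the classifier of Step 3 sees the whole vector.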

4 Experimental Results

In this section, we try to compare the different data mining methods and data preprocessing techniques that are implemented in IDC for constructing the detection model.

4.1 Performances Measures

Some experiments made for verification of accuracy (general and service specified detection model). First, we try to analyze the DARPA KDD Cup 1999 data and compare the result with the champion. Second, the proposed service specified is verified by accuracy and false alarm rate. We use different data mining methods such as neural network and support vector machine to compare the results. The SVM kernel adopts the LIBSVM - a simple and easy-to-use support vector machine tool for classification [23].

4.2 Experimental Results

General model

compared to the Bagged Boosting [24] - the winner of the KDDCUP. In summary, the final predictor was an ensemble of 50x10 C5 decision trees [XI. The SVM is relatively -nsitive to the size of the dataset and is less independent of dimensionality of feature space [8]. Therefore, there are some experiments made by using SVM [11][12][13] to IDS. The experiments show high accuracy and low training time. Although it has tremendous high accuracy, the result can not compare with the champion. Because it rearranges the source data, the new dataset only has two classes: intrusion and normal. It does not imply that the SVM can not solve the multiclass problem. Hence, some experiments are conducted by applying SVM to the KDDCUP multi-class a d . In addition, the general intrusion mode needs to identify probe, normal, DOS. These three classes have similar attributes and are system independent. That is why we use them to construct the general model. The SVM kernel function used in the experiment is radial basis function. The parameters used are that gamma is 0.0XQI and cost is 55. Neural network is also used to compare with the SVM. There are 40 hidden nodes used in the three-layer neural network. Table 3 and Table 4 show the comparison results. SVM has better result in the probe class and similar result. But NN has lower performance. In short, the SVM, winner's accuracy and false alarm rate are close. It still has better performance because the testing examples are enormous. The results show that SVM can be applied to multiclass intrusion detection model with excellent performance.

Table 3 Class Accuracy of the Algorithms in the KDDCup 99 Data Set

class | winner | SVM | NN
probe | 83.30% | 86.89% | 73.26%
normal | 99.47% | 99.50% | 99.34%
DOS | 97.10% | 97.09% | 97.07%

Table 4 False Alarm Rate of the Algorithms in the KDDCup

Class | winner | SVM | NN
8.7907 9.99% 10.25%
31.16% 6.8%
8.44%
0.11% 0.25% 0.45%

Service specified model

Table 5 shows that both results are good. But it may be questionable whether the new intrusion can be detected. It may need further evaluation. At last, the known intrusions can be detected.

Algorithms
SVM | 100% | 0
NN | 100% | 0

5. Conclusions

This paper proposes an active network model and develops the IDS based on the model. The system is flexible and scalable. It enables the dynamic service deployment and update scheme. The software components are lightweight and dynamically updateable. It also has the mechanism of automated response to intrusions. It can reduce the m a i o n m e to lower the damage. The system detection models can be divided into general model and service specified model for the rapid development of the data mining detection model.

References

[1]. N. Achir, M. S. P. Fonseca, Y. M. Ghamri Doudane, N. Agoulmine, and A. Mehaoua, "Active Networking System Evaluation: A Practical Experience," 7th International Workshop on Mobile Multimedia Communications, MoMuC 2000, Tokyo, Japan, Oct. 2000.

[2]. D. S. Alexander, M. Shaw, S. M. Nettles, and J. M. Smith, "Active Bridging," Proceedings of the ACM SIGCOMM'97 Conference, Cannes, France, Sep. 1997.

[3]. D. S. Alexander, B. Braden, C. A. Gunter, A. W. Jackson, A. D. Keromytis, G. J. Minden, D. Wetherall, "Active Network Encapsulation Protocol (ANEP)," Request for Comments: DRAFT, July 1997.

[4]. K. Calvert, S. Bhattacharjee, E. Zegura and J. Sterbenz, "Directions in active networks," IEEE Communications Magazine, Special Issue on Programmable Networks, Oct. 1998.

[5]. A. T. Campbell, H. G. De Meer, M. E. Kounavis, K. Miki, J. B. Vicente, and D. Villela, "A Survey of Programmable Networks," ACM Computer Communications Rev., vol. 29, pp. 7-23, April 1999.

[6]. D. Curry and H. Debar, "Intrusion Detection Message Exchange Format Data Model and Extensible Markup Language (XML) Document Type Definition," draft-ietf-idwg-idmef-d-03 (work in progress), Feb. 2001.

[7]. J. Gao, P. Steenkiste, E. Takahashi, and A. Fisher, "A Programmable Router Architecture Supporting Control Plane Extensibility," IEEE Communications Magazine, March 2000.

[8]. T. Joachims, "Estimating the Generalization Performance of a SVM Efficiently," Proceedings of the International Conference on Machine Learning, Morgan Kaufmann, 2000.

[9]. R. Keller, J. Ramamirtham, T. Wolf, and B. Plattner, "Active Pipes: Service Composition for Programmable Networks," Milcom 2001, McLean, VA, Oct. 2001.

[10]. A. Kulkarni, G. Minden, R. Hill, Y. Wijata, S. Sheth, F. Wahhab, H. Pindi and A. Nagarajan, "Implementation of a Prototype active network," OPENARCH '98, San Francisco, CA, April 1998.

[11]. S. Mukkamala, G. Janowski and A. H. Sung, "Intrusion Detection Using Support Vector Machines," Proceedings of the High Performance Computing Symposium - HPC 2002, pp. 178-183, April 2002.

[12]. S. Mukkamala, G. Janowski, and A. H. Sung, "Intrusion Detection Using Neural Networks and Support Vector Machines," Proceedings of IEEE IJCNN, pp. 1702-1707, May 2002.

[13]. S. Mukkamala and A. H. Sung, "Feature Ranking and Selection for Intrusion Detection," Proceedings of the International Conference on Information and Knowledge Engineering - IKE 2002, pp. 503-509, June 2002.

[14]. L. Peterson, Y. Gottlieb, M. Hibler, P. Tullmann, J. Lepreau, S. Schwab, H. Dandekar, A. Purtell, and J. Hartman, "An OS Interface for Active Routers," IEEE Journal on Selected Areas in Communications, vol. 19, no. 3, March 2001.

[15]. K. Psounis, "Active Network Applications, Security, Safety and Architectures," IEEE Communications Surveys, vol. 2, no. 1, 1999.

[16]. D. Tennenhouse and D. Wetherall, "Toward an active network Architecture," ACM SigComm's Communication Review, April 1996.

[17]. D. L. Tennenhouse, J. M. Smith, W. D. Sincoskie, D. J. Wetherall, and G. J. Minden, "A Survey of active network Research," IEEE Communications Magazine, vol. 35, no. 1, pp. 80-86, Jan. 1997.

[18]. G. Vigna and R. A. Kemmerer, "NetSTAT: a network-based Intrusion detection approach," Proceedings of the 14th Computer Security Applications Conference, pp. 25-34, 1998.

[19]. D. J. Wetherall and D. L. Tennenhouse, "Towards an active network Architecture," Computer Communication Review, pp. 5-18, April 1996.

[20]. D. J. Wetherall, U. Legedza, and J. Guttag, "Introducing New Internet Services: Why and How," IEEE Network Magazine, July 1998.

[21]. CERT Coordination Center, http://www.cert.org/

[22]. Intrusion Detection Exchange Format (idwg), hm:/iuww. r e r l o r P l n r m l . c h o r r e r ~ ~ ~ ~ ~ i ~ ~ html

[23]. LIBSVM - A Library for Support Vector Machines, http://www.csie.ntu.edu.tw/~cjlin/libsvm/

[24]. Winning the KDD99 Classification Cup, http://www.ai.univie.ac.at/~bernhard/kddcup9
