Mahalanobis - An IDS algorithm implementing an approximation of the IDS by Wang and Stolfo (See the "SEE ALSO" section for the reference).
A usage synopsis would go here. Since it is not here, read on.
DIFFERENCE: Wang and Stolfo correlated packet length with character frequencies. Since my data does not have original packets, I am applying their method to the whole request (which often comes in a single packet).
See IDS::Algorithm.pm docs for any functions not described here
ASSUMPTION: characters are 0..255; unicode (etc) not yet supported.
Turn on extra messages as the algorithm runs.
The value of the constant alpha in the simplified Mahalanobis distance. See page 7 in the Wang and Stolfo paper.
The file to load the saved state from.
Most of these methods are required by IDS::Algorithm; see documentation there for additional information.
Sets all of the default values for the parameters. Normally called by new() or one of its descendents.
Provides the parameters to use with Getopt::Long.
Called by Super::new(). We set up the data structures here for storing the mean, mean**2, and number of observations for each character.
Save the current state to the file or filehandle provided. find_fname (in IDS::Algorithm) handles figuring out the destination.
Load the current state from the file or filehandle provided. find_fname (in IDS::Algorithm) handles figuring out the source.
- add(tokenref, string, n)
Update the character frequency statistics. For calculating the Mahalanobis distance, these stats are the mean and the mean**2, as well as a count of the number of observations. The array is indexed by ord(chr) to improve performance.
This function only uses the string version of the data. The tokens and instance are ignored.
- freq_calc(data, freqref)
Calculate character frequencies in the data string provided. The result is returned in the array referenced by freqref.
- test(tokenref, string, n)
Test the string to see how similar its character distribution is to the distribution we have learned. This function only uses the string version of the data. The tokens and instance are ignored.
Copyright 2005-2007, Kenneth Ingham. All rights reserved.
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
Address bug reports and comments to: ids_test at i-pi.com. When sending bug reports, please provide the versions of IDS::Test.pm, IDS::Algorithm.pm, IDS::DataSource.pm, the version of Perl, and the name and version of the operating system you are using. Since Kenneth is a PhD student, the speed of the response depends on how the research is proceeding.
Please report them.
"Anomalous Payload-based Network Intrusion Detection" by Ke Wang and Salvatore J. Stolfo, pages 203--222 in Recent Advances in Intrusion Detection: 7th International Symposium, RAID 2004, Sophia Antipolis, France, September 15-17, 2004. Proceedings. Published as Lecture Notes in Computer Science 3224, ISBN 3-540-23123-4.