[Snort-devel] [SNORT-devel] Snort with anomaly detection

Nguyen Kien kiennguyen1101 at ...2499...
Mon Apr 11 10:35:11 EDT 2011

Hi all,

I'm currently working on research on using the Artificial Immune System 
(AIS) approach to intrusion detection with the Negative Selection Algorithm 
(NSA). The algorithm by Forrest et al. [1] is as follows:
1. Define the self-profile.
2. Generate random candidate detectors.
3. Match candidate detectors against the self-data. If a candidate matches, it is discarded; 
otherwise it is added to the detector set. The detector set is used to 
detect anomalous traffic.

I'm trying to port the algorithm into Snort, using a custom preprocessor 
(is it better to use a dynamic preprocessor?). The self-data is collected 
from the IP packet headers and stored in the database to generate the 
detector set. I'm planning to use the DARPA data set for the self-data. 
I've written a helloworld preprocessor to collect header data from the 
DARPA data set. However, I'm having a few technical problems that I 
would like to ask about.
- Where should I put my code to generate the detector set in a Snort 
preprocessor? In the exit function after data collection in the helloworld 
preprocessor? In the initialization of a new preprocessor?
- Is it OK to check each packet against around 100 detectors? Does it 
destroy the performance of Snort?

Best Regards.

1. S. Forrest, A. Perelson, et al. Self Nonself Discrimination in a 
Computer, 1994.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: spp_helloworld.c
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110411/702c2a8e/attachment.c>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: spp_helloworld.h
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110411/702c2a8e/attachment.h>
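
The three steps listed in the post, as an added example that is not from the post, its attachments, or Snort itself: detectors are generated once by censoring random candidates against self samples, and each packet is then checked in a single pass over the detector array. Assumptions: each packet header is reduced to one 32-bit feature word, matching uses the r-contiguous-bits rule with r = 12, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define R_CONTIG 12  /* assumed threshold: r adjacent agreeing bits = match */

/* Deterministic xorshift32 PRNG so detector generation is reproducible. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t next_candidate(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* r-contiguous-bits rule: a and b match if they agree on >= r adjacent bits. */
static int rcb_match(uint32_t a, uint32_t b, int r) {
    uint32_t same = ~(a ^ b);          /* 1 where the two words agree */
    int run = 0;
    for (int i = 0; i < 32; i++) {
        run = ((same >> i) & 1u) ? run + 1 : 0;
        if (run >= r) return 1;
    }
    return 0;
}

/* Steps 2-3: keep random candidates that match no self sample; returns count. */
size_t generate_detectors(const uint32_t *self, size_t n_self,
                          uint32_t *det, size_t want, size_t max_tries) {
    size_t have = 0;
    while (have < want && max_tries-- > 0) {
        uint32_t c = next_candidate();
        size_t i = 0;
        while (i < n_self && !rcb_match(c, self[i], R_CONTIG)) i++;
        if (i == n_self) det[have++] = c;   /* matched no self sample: keep */
    }
    return have;
}

/* Per-packet check: the sample is anomalous if any detector matches it. */
int is_anomalous(uint32_t sample, const uint32_t *det, size_t n_det) {
    for (size_t i = 0; i < n_det; i++)
        if (rcb_match(sample, det[i], R_CONTIG)) return 1;
    return 0;
}
```

Because every stored detector was rejected against the whole self set, a sample identical to a training self word can never be flagged; coverage of non-self traffic depends on r and on how many detectors are kept.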
