1 The intrusion detection problem
In 1998, the DARPA intrusion detection program was developed by simulating a LAN of the United States Air Force to gather raw TCP/IP data. The LAN operated like a normal network but was exposed to several intrusions. For each TCP/IP connection, 41 variables were extracted. A subset of 494061 records from this database was used, of which about 70% are normal patterns. The four different intrusion patterns are as follows [6].
Probing
Probing is a class of intrusion in which an intruder scans a network to collect data and detect known vulnerabilities. An infiltrator who has a map of the machines and services available in the network can use this information to infiltrate the system. There are different kinds of probes: some of them use allowed characteristics of the system and others use social engineering. The latter class is the most usual among the attacks and does not need much technical experience.
Denial of service attacks
This is a class of attacks in which the intruder occupies computational resources or memory in such a way that the system loses its ability to respond to normal requests, which leads to denial of the services requested by legitimate users. There are different ways of carrying out these attacks: abusing the normal allowed services of the computer, targeting bugs in the system's implementation, or targeting an incorrect system configuration. These attacks are categorized according to the services that are taken away from normal users.
User to root attacks
This is a class of intrusions in which the intruder starts with normal user access to the system and then gains root access by exploiting the system's vulnerabilities. Most of the misuse in this class involves buffer overflows, which result from common programming mistakes.
Remote to user attack
R2L is a class of intrusions in which the intruder sends packets to the network and then uses the system's vulnerabilities to gain unauthorized access to the system. There are different kinds of these attacks, and most of them take place by using social engineering techniques.
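The following is an added example, not part of the paper, showing how records in the layout described above (41 comma-separated connection variables followed by a label) are parsed and grouped into the four intrusion classes so that the class mix of a sample can be measured. The attack-name-to-class mapping is the commonly used KDD Cup 99 taxonomy, which is an assumption here because the paper lists only the four classes and no individual attack names; the sample rows are constructed for illustration and carry placeholder values in most numeric fields.

```python
"""Categorise KDD Cup 99-style connection records into the four intrusion
classes described in the text (probe, DoS, U2R, R2L) and summarise the mix.

Added example, not from the paper. Each record has 41 comma-separated
features followed by a label ('normal.' or an attack name with a trailing
dot), as in the public kddcup.data file. The attack-name -> class mapping
is the commonly used KDD Cup 99 taxonomy (assumption: the paper does not
list individual attack names).
"""
from collections import Counter

N_FEATURES = 41  # per-connection variables described in the text

# Attack names present in the KDD Cup 99 training data, grouped into the
# four classes; any other name is reported as 'unknown' rather than guessed.
ATTACK_CLASS = {
    **dict.fromkeys(["ipsweep", "nmap", "portsweep", "satan"], "probe"),
    **dict.fromkeys(["back", "land", "neptune", "pod", "smurf", "teardrop"], "dos"),
    **dict.fromkeys(["buffer_overflow", "loadmodule", "perl", "rootkit"], "u2r"),
    **dict.fromkeys(["ftp_write", "guess_passwd", "imap", "multihop", "phf",
                     "spy", "warezclient", "warezmaster"], "r2l"),
}


def parse_record(line):
    """Split one record into (features, label); reject malformed rows."""
    fields = line.strip().split(",")
    if len(fields) != N_FEATURES + 1:
        raise ValueError(f"expected {N_FEATURES + 1} fields, got {len(fields)}")
    features, label = fields[:N_FEATURES], fields[N_FEATURES].rstrip(".")
    return features, label


def classify(label):
    """Map a record label to one of normal/probe/dos/u2r/r2l/unknown."""
    if label == "normal":
        return "normal"
    return ATTACK_CLASS.get(label, "unknown")


def class_distribution(lines):
    """Return {class: fraction of records} over an iterable of records."""
    counts = Counter(classify(parse_record(l)[1]) for l in lines if l.strip())
    total = sum(counts.values())
    return {cls: n / total for cls, n in counts.items()}


# Constructed sample in the kddcup.data layout (41 features + label).
# The first five fields (duration, protocol, service, flag, src_bytes) vary;
# the remaining 36 numeric features are zero placeholders to keep rows short.
_TAIL = ",".join(["0"] * 36)
SAMPLE = [
    f"0,tcp,http,SF,181,{_TAIL},normal.",
    f"0,tcp,http,SF,239,{_TAIL},normal.",
    f"0,udp,private,SF,28,{_TAIL},normal.",
    f"0,icmp,ecr_i,SF,1032,{_TAIL},smurf.",
    f"0,tcp,private,S0,0,{_TAIL},neptune.",
    f"0,tcp,private,REJ,0,{_TAIL},portsweep.",
    f"184,tcp,telnet,SF,1511,{_TAIL},buffer_overflow.",
    f"0,tcp,ftp_data,SF,334,{_TAIL},warezclient.",
    f"0,tcp,http,SF,200,{_TAIL},unknownattack.",
]

if __name__ == "__main__":
    for cls, frac in sorted(class_distribution(SAMPLE).items()):
        print(f"{cls:8s} {frac:.2f}")
```

Rows with the wrong field count are rejected rather than silently truncated, and labels outside the known taxonomy are reported as `unknown`, which is the check one wants before using such a subset to estimate the normal-versus-attack ratio quoted in the text.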