SANA - Security Analysis in Internet Traffic through Artificial Immune Systems

The Attacks done by Viruses, Worms, Hackers, etc. are a Network Security-Problem in many Organisations. Current Intrusion Detection Systems have significant Disadvantages, e.g. the need of plenty of Computational Power or the Local Installation. Ther…

Authors: Michael Hilker, Christoph Schommer

Michael Hilker (1) and Christoph Schommer (2)

(1) University of Luxembourg, Campus Kirchberg 1359, Luxembourg, 6, Rue Coudenhove-Kalergi, Luxembourg, michael.hilker@uni.lu
(2) University of Luxembourg, Campus Kirchberg 1359, Luxembourg, 6, Rue Coudenhove-Kalergi, Luxembourg, christoph.schommer@uni.lu

Abstract. The Attacks done by Viruses, Worms, Hackers, etc. are a Network Security-Problem in many Organisations. Current Intrusion Detection Systems have significant Disadvantages, e.g. the need of plenty of Computational Power or the Local Installation. Therefore, we introduce a novel Framework for Network Security which is called SANA. SANA contains an artificial Immune System with artificial Cells which perform certain Tasks in order to support existing systems to better secure the Network against Intrusions. The Advantages of SANA are that it is efficient, adaptive, autonomous, and massively-distributed. In this Article, we describe the Architecture of the artificial Immune System and the Functionality of the Components. We explain briefly the Implementation and discuss Results.

Keywords. Artificial Immune Systems, Network Security, Intrusion Detection, Artificial Cell Communication, Biological-Inspired Computing, Complex Adaptive Systems

1 Introduction

Companies, Universities, and other Organisations use connected Computers, Servers, etc. for Working, Storing of important Data, and Communication. These Networks are an Aim for Attackers in order to break down the Network Service or to gain internal and secret Information. These Attacks are Intrusions which are e.g. Worms, Viruses, Hacker-Attacks. Network Administrators try to secure the Network against these Intrusions using Intrusion Detection Systems (IDS).
The Network Intrusion Detection Systems (NIDS) are a local System which is installed in one important Node and which checks all Packets routed over this Node, e.g. SNORT [1] or [2, 3, 4, 5, 6]. Host-based Intrusion Detection Systems (HIDS) are installed on each Node and check each Packet which is routed over this Node [7, 8, 9]. Furthermore, there are approaches of distributed Intrusion Detection Systems (D-IDS) which install IDS on all machines and connect these; one example is SNORTNET [10].

Unfortunately, these IDS have several Disadvantages as for example the plenty of Computational Power, the need of Administration during Execution, and local Installation. Additionally, the Intrusions are getting both more and more complex and intelligent, so that the IDS have lots of Problems to identify the Intrusions, e.g. Camouflage of Attacks. Thus, novel Approaches for Network Security are needed which should provide the following features:

- Distributed: all Nodes should be secured and there should not be any central Center
- Autonomous: the System and all Components should work autonomously; hereby, the number of false-positives should be low
- Adaptive: the System should have the ability to identify or react to modified or even novel Attacks
- Cooperative: The Computational Power should be shared over the whole Network

In SANA, we introduce an artificial Immune System which provides the features explained above. In the next Section, we discuss existing artificial Immune Systems for the Application of Network Security.

2 Current Situation

For the explanation of the different existing artificial Immune Systems for Network Security, we will introduce briefly the Paradigm of artificial Immune Systems [11]:

An artificial Immune System tries to simulate the human Immune System which secures the Human Body against Pathogens [12]. An artificial Immune System is a massively distributed System and Complex Adaptive System with lots of components. In the human Immune System, these Components are e.g. Cells, Lymph-Nodes, Bone Marrow. All of these Components work autonomously, efficiently and are highly specialised. These Components cooperate using the Cell Communication with e.g. Cytokines and Hormones. Additionally, there are lots of cellular and immunological Processes which mesh in the Protection of the Human Body. The artificial Immune Systems try to model these. Unfortunately, the human Immune System and the Modelling of it is so complex and partly not understood. Therefore, artificial Immune Systems can only model a part of the human Immune System.

There are several artificial Immune Systems for Network Security. We discuss some interesting Approaches of artificial Immune Systems for Network Security:

Spafford and Zamboni introduce in [13] a System for Intrusion Detection using autonomous Agents. These Agents cooperate with Transceivers and do not move through the Network. Hofmeyr and Forrest [14, 15, 16] introduce an artificial Immune System for Network Security (named ARTIS/LISYS). The AIS models the Lifecycle of T- and B-Cells with positive and negative Selection. The non-mobile Detectors check a Triple of Source-IP, Destination-IP and Destination-Port and evaluate if a Packet is malicious or not. Additionally, in this Broadcast-Network, all Detectors see all Packets and react to it.
In [17] an artificial Immune System as a Multi-Agent System is introduced for Intrusion Detection. The system uses mobile Agents which cooperate with a centralised Database containing the Attack-Information.

In the next Section we introduce the Architecture of the artificial Immune System SANA. In contrast to the existing artificial Immune Systems, SANA uses autonomous, fully-mobile, and lightweighted artificial Cells; additionally, SANA does not have any centralised System. Furthermore, SANA is not a closed Framework; it is possible to use existing Network Security Approaches in SANA. Thereafter, we take a closer look on the different Components of the artificial Immune System.

3 SANA - Architecture

The artificial Immune System of SANA secures the whole Network against Intrusions and provides the Features explained above. In SANA, we simulate a packet-oriented Network using a Network Simulator (see Section 3.1). SANA is a collection of non-standard Approaches for Network Security and we test if they increase the Performance of existing Network Security Systems. An Adversarial injects Packets with and without Attacks in order to stress the Network and the artificial Immune System as well as to simulate Attacks (Section 3.2).

The artificial Immune System uses several Components for the Security of the Network. All of these Components work autonomously and there is no Center which is required by any Component. The main Components are artificial Cells, Packet-Filters, IDS, etc. Packet-Filters are a local System that check the Header of each Packet. IDS are local, non-mobile Systems which check Packets and observe the Network Traffic in order to secure the Node where the IDS is installed.
Artificial Cells (Section 3.3) are autonomous, fully-mobile, and lightweighted Entities which flow through the Network and perform certain Tasks for Network Security, e.g. Packet-Checking, Identification of Infected Nodes or Monitoring of the Network. Furthermore, artificial Cell Communication (Section 3.4) is used to initialise Cooperation and Collaboration between the artificial Cells and a Self-Management (Section 3.5) is utilised for a Regulation of the artificial Immune System. In the next Sections, we take a closer look on the different Components of SANA.

3.1 Network Simulator, Security Framework and Workflow

The Network Simulator simulates a Packet-Oriented Network and is based on the Adversarial Queueing Theory [18, 19, 20]. The Simulator uses a FIFO (First In First Out) approach for Queueing and for Routing the Shortest Path Routing with the Dijkstra-Algorithm. It has a Quality of Service (QoS) Management which prefers artificial Cells and other important Messages that are sent between certified Components of the AIS.

The Security Framework is the AIS which must be installed on each Node of the Network. Furthermore, this Framework guarantees e.g. the execution of the artificial Cells, the Presentation of Packets to all Security Components, the Sending of Messages. The Design of the Security Framework is focussed on Expandability in order to enhance it and to use existing Approaches in Network Security. One example of a Network Security Approach is Malfor [21], a system for Identification of the Processes which are involved in the Installation of an Intrusion.

The Workflow is that each Packet is checked in each Node by every Security Component - e.g. artificial Cells, Packet-Filters, and IDS - each Security Component can perform other Tasks - e.g.
moving to other Nodes or sending Messages - and the Adversarial injects Packets into the Network.

3.2 Adversarial and Attacks

An Adversarial has the Function to Stress the Network and the AIS using Packets with and without Attacks; it has to keep in mind that the bandwidth of the connection is limited and that the queues have limited size. The Adversarial injects Packets without Attacks in order to simulate a real Network. The Packets with Attacks try to infect Nodes with Attacks; the infected Nodes then perform certain Tasks depending on the Attack, e.g. sending Packets with Attack to other Nodes.

The Attack is an abstract Definition for all Intrusions in SANA. So, nearly all Intrusions can be modelled, e.g. Worms, Viruses, and Hacker-Attacks.

3.3 Artificial Cells

Artificial Cells are the main Component in the artificial Immune System of SANA. An artificial Cell is a highly specialised, autonomous and efficient Entity which flows through the Network and performs certain Tasks for Network Security. In the Cooperation and with the enormous Number of artificial Cells, the whole System adapts quickly to Attacks and even to modified and novel Attacks; the idea of Complex Adaptive Systems (CAS) or Massively-Distributed Systems. Each artificial Cell has the Job to perform some certain Task:

- ANIMA for Intrusion Detection which is a type of artificial Cells for checking Packets whether they contain an Attack or not. Furthermore, it compresses the Information how to identify and how to proceed if an Attack is found in order to save Storage-Space and Computational Power. More Information about ANIMA-ID can be found in [22].
- AGNOSCO which is a type of artificial Cells for the Identification of Infected Nodes using artificial Ant Colonies. It is a distributed System which identifies the infected Nodes quickly and properly.
More Information can be found in [23].
- Monitoring artificial Cell which flows through the Network and collects Information about the Status and sends this back to some certain Component, e.g. the Administrator.
- Using the Expandability of SANA, it is easily possible to introduce novel artificial Cells. Thus, it is e.g. possible to introduce artificial Cells for Anomaly Detection or Checking of the Status of a Network Node.
- Additionally, it is possible to use existing Approaches for Network Security. With the Expandability of SANA, these Approaches can be used in an artificial Cell; examples are Systems for Intrusion- [22, 24] or Anomaly-Detection Systems [25, 26, 27].

3.4 Artificial Cell Communication

The idea in Complex Adaptive System (CAS) is that the Components (here: artificial Cells) perform basic Tasks, are highly specialised and use basic Systems for Cooperation. Only by Cooperation and the high amount of these Components, the System is adaptive and reaches the goal (here: Network Security).

The whole Architecture in SANA is composed without any central System. Thus, the artificial Cell Communication cannot use a Central Management System like it is used in several Multi Agent Systems or Ad-Hoc Networks. We model partly the Cell Communication of the Human Body in order to build up Communication and, thereafter, Cooperation between artificial Cells.

We introduce the Term Receptor which is a Public-Key-Pair. Each Component has Receptors and each Message is packed into a Substance which is an encrypted Message with Receptors.
Only if a Receiver has the right Set of Receptors, it will receive the Message - the Idea of a Public-Key Infrastructure and widely used in Multi Agent System for the Disarming of Bad-Agents/-artificial Cells; however, in our Implementation, there is not any centralised Key-Server.

Additionally, we introduce artificial Lymph Nodes and Central Nativity and Training Stations (CNTS). Artificial Lymph Nodes supply the artificial Cells with e.g. Knowledge, initiate other artificial Cells if an event occurs and artificial Lymph Nodes care about the Routing of Substances. CNTS train and release new artificial Cells in order to have an evolutionary Set of artificial Cells which are up-to-date. Both, artificial Lymph Nodes and Central Nativity and Training Stations, are redundantly installed in the System.

3.5 Self-Management of the artificial Immune System

The Self-Management of the System is currently only rudimentary. The artificial Cells are autonomous and thus they flow through the Network and perform certain Tasks. However, one Problem of Massively-Distributed Systems or Complex Adaptive Systems is that they just do their Tasks but there is not any guarantee that the Systems will do the Tasks successfully. On the basis of the artificial Cell Communication and novel Structures, we want to introduce a distributed Self-Management of the artificial Immune System in order to give a certain amount of Guarantee. However, this is one of the Next Steps explained in the Section 6.

4 SANA - Implementation

The Project SANA is implemented in Java. The Network Simulator, Adversarial, and the artificial Immune System are implemented and running. Different Types of artificial Cells are implemented. The Performance of these artificial Cells is tested and they perform the Tasks properly.
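
The routing and queueing rules of Sections 3.1 and 3.2 (Dijkstra shortest paths, FIFO queues with a preferred class for artificial Cells, limited queue size and bandwidth, a check at every Node), shown as an added Python example; it is not code from the SANA project, which is written in Java. The topology, the `b"WORM"` signature, the placement of the check on Node C, dropping on a full queue, and all names are assumptions made for illustration.

```python
import heapq
from collections import deque
from dataclasses import dataclass, field

# Constructed topology (link costs); the direct A-D link is the expensive one.
GRAPH = {"A": {"B": 1, "D": 5}, "B": {"A": 1, "C": 1},
         "C": {"B": 1, "D": 1}, "D": {"C": 1, "A": 5}}

@dataclass
class Packet:
    dst: str
    payload: bytes
    priority: bool = False          # True for artificial cells / AIS messages
    hops: list = field(default_factory=list)

def dijkstra_next_hops(graph, source):
    """Map each reachable destination to the first hop of a shortest path."""
    dist, first, heap = {source: 0}, {}, [(0, source, "")]
    while heap:
        d, node, hop = heapq.heappop(heap)
        if d > dist[node]:
            continue                # stale heap entry
        if hop:
            first[node] = hop
        for nbr, cost in graph[node].items():
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr, hop or nbr))
    return first

class Network:
    def __init__(self, graph, checkers, queue_size=3, bandwidth=1):
        self.routes = {n: dijkstra_next_hops(graph, n) for n in graph}
        self.queues = {n: (deque(), deque()) for n in graph}  # (QoS, normal)
        self.checkers = checkers    # node -> security components present there
        self.queue_size, self.bandwidth = queue_size, bandwidth
        self.delivered, self.blocked, self.dropped = [], [], []

    def arrive(self, node, pkt):
        """Present the packet to every security component on this node."""
        pkt.hops.append(node)
        if any(check(pkt) for check in self.checkers.get(node, [])):
            self.blocked.append(pkt)            # attack found, packet removed
        elif pkt.dst == node:
            self.delivered.append(pkt)
        elif sum(map(len, self.queues[node])) >= self.queue_size:
            self.dropped.append(pkt)            # limited queue size
        else:
            self.queues[node][0 if pkt.priority else 1].append(pkt)

    def step(self):
        """One time step: each node forwards up to `bandwidth` packets."""
        in_flight = []
        for node, (qos, normal) in self.queues.items():
            for _ in range(self.bandwidth):
                queue = qos or normal           # QoS class first, FIFO inside
                if queue:
                    pkt = queue.popleft()
                    in_flight.append((self.routes[node][pkt.dst], pkt))
        for next_hop, pkt in in_flight:
            self.arrive(next_hop, pkt)

def demo():
    """Constructed scenario: a signature check sits only on node C."""
    net = Network(GRAPH, checkers={"C": [lambda p: b"WORM" in p.payload]})
    worm = Packet("D", b"WORM copy")
    for pkt in (Packet("D", b"hello"), worm,
                Packet("D", b"cell:monitor", priority=True),
                Packet("D", b"mail")):          # fourth packet overflows A
        net.arrive("A", pkt)
    for _ in range(6):
        net.step()
    return {"delivered": [p.payload for p in net.delivered], "blocked_hops": worm.hops,
            "dropped": [p.payload for p in net.dropped]}
```

In the constructed run the prioritised cell overtakes the ordinary packet queued before it, the worm copy travels two hops before the check on C removes it, and the fourth injected packet is lost to the full queue at A.
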
Attack-Scenarios are additionally implemented for Testing Purposes and one example is a realistic Worm-Attack which will be discussed in the Section 5.1.

The whole Implementation has the aim to give a Prototype for Testing and Evaluation of the Approaches. Furthermore, the Implementation focuses more on Expandability than on Performance; it is also possible to model nearly all Intrusions and nearly all immunological Processes. It is also possible to add commonly used Network Security Solutions like SNORT [1] or Malfor [21]. With this, we can compare the Performance of SANA with commonly used IDS and we can model cooperation between SANA and IDS.

5 SANA - Results

The Results we gained are promising. SANA identifies most Attacks - about 60%-85% - depending on the Attack-Behaviour, the Network Topology and the Behaviour of the artificial Immune System with the artificial Cells. The infected Nodes are identified quickly by AGNOSCO and the System adapts to Attacks using local Immunization.

If there are IDS or especially NIDS in the Network which protect important Nodes like the Internet Gateway or the E-Mail-Server, there is cooperation between SANA and the IDS with a good performance - about 80%-95% of the Attacks are prevented. Thus, SANA does not replace existing IDS, it enhances them. In the next Section, we discuss the Results of a Simulation of a realistic Worm-Attack.

5.1 Simulation of a Worm-Attack

In this Section, we discuss a Modelling of a realistic Worm-Attack onto the Network. The Worm enters a Network and uses a Security-Hole in a Node in order to install itself. After this, the Worm tries to propagate itself to other Nodes; therefore, it sends lots of Packets containing a copy of it to other Nodes. SANA tries to identify and remove these Packets, identifies the infected Nodes and disinfects the identified infected Nodes.
Therefore, SANA uses the different types of artificial Cells explained in the Section 3.3 and the artificial Cell Communication explained in the Section 3.4.

The Performance of SANA in this Simulation is promising. It secures other Nodes from being infected by this Worm using ANIMA for Intrusion Detection [22]; only some Neighbour-Nodes are infected (about 2-5 Nodes for each Infection). It also identifies the infected Nodes using AGNOSCO [23] quickly (about 50-150 Time-Steps for each infected Node) and using the artificial Cell Communication (Section 3.4), AGNOSCO informs the artificial Lymph-Nodes (Section 3.4) which start an artificial Cell for Disinfection which disinfects the Node fast. To sum up, SANA protects the Network against a Worm-Attack properly.

5.2 Theoretical Analysis of distributed IDS

In the theoretical Part of the SANA-Project, we compare the Performance and the Need of Resource of distributed and centralised Network Security Systems. Examples for centralised are e.g. IDS and for distributed AIS. However, the Analysis shows quickly that the Performance of both Approaches is highly dependent on the Network Topology and the Behaviour of the Intrusions. The Analysis fortunately shows that the Performance of IDS is increased if AIS are added and the additionally needed Resources are limited.

6 SANA - Next Steps

Next Steps in the SANA-Project are to simulate realistic Attacks on Networks, e.g. different Worm, Virus and Malware-Attacks; also Attacks which consist of several different Attacks. Additionally, another part is to increase the Performance of the artificial Cell Communication (Section 3.4) and analyse the Performance of it theoretically.
Furthermore, we will introduce a Self-Management (Section 3.5) which guarantees a certain amount of Security and we will perform further theoretical Comparison (Section 5.2) between distributed and centralised Network Security Systems.

7 Conclusion

Network Security is still a challenging field. Unfortunately, the Attacks are getting both more complex and intelligent. Therefore, existing Network Security Systems have problems to cope with these Problems. We introduce with SANA an artificial Immune System with several non-standard Approaches for Network Security. With the gained Results, we are sure that SANA will enhance current Network Security Systems.

One last word about SANA: SANA is Latin and stands for healthy. Furthermore, the Work is done interdisciplinary in cooperation between Researchers from Biology and Computer Science.

Acknowledgments

The PhD-Project SANA is part of the project INTRA (= INternet TRAffic management and analysis) that are financially supported by the University of Luxembourg. We would like to thank the Ministre Luxembourgeois de l'education et de la recherche for additional financial support.

References

1. Roesch, M.: Snort - lightweight intrusion detection for networks. LISA 13 (1999) 229–238
2. Debar, H., Dacier, M., Wespi, A.: Towards a taxonomy of intrusion-detection systems. Computer Networks 31 (1998) 805–822
3. Snapp, S.R., Brentano, J., Dias, G.V., Goan, T.L., Heberlein, L.T., lin Ho, C., Levitt, K.N., Mukherjee, B., Smaha, S.E., Grance, T., Teal, D.M., Mansur, D.: DIDS (distributed intrusion detection system) - motivation, architecture, and an early prototype. National Computer Security Conference 14 (1991) 167–176
4. Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., Zerkle, D.: Grids - a graph based intrusion detection system for large networks. National Information Systems Security Conference 19 (1996)
5. Janakiraman, R., Waldvogel, M., Zhang, Q.: Indra: A peer-to-peer approach to network intrusion detection and prevention. Proceedings of IEEE WETICE 2003 (2003)
6. Antonatos, S., Anagnostakis, K., Polychronakis, M., Markatos, E.: Performance analysis of content matching intrusion detection systems. SAINT 4 (2004)
7. Wagner, D., Dean, D.: Intrusion detection via static analysis. In IEEE Symposium on Security and Privacy (2001)
8. Lindqvist, U., Porras, P.A.: expert-bsm: A host-based intrusion detection solution for sun solaris. In Proceedings of the 17th Annual Computer Security Applications Conference (2001) 240–251
9. Chari, S.N., Cheng, P.C.: Bluebox: A policy-driven, host-based intrusion detection system. ACM Transactions on Information and System Security 6 (2003) 173–200
10. Fyodor, Y.: Snortnet - a distributed intrusion detection system. [Online]. Available: http://snortnet.scorpions.net/snortnet.pdf (2000)
11. DeCastro, L.N.: Artificial Immune Systems: A New Computational Intelligence Approach. First edn. Springer (2002)
12. Janeway, C.A., Travers, P., Walport, M., Shlomchik, M.: Immunobiology: the Immune System in Health and Disease. Sixth edn. Garland Publishing (2004)
13. Spafford, E.H., Zamboni, D.: Intrusion detection using autonomous agents. Computer Networks 34 (2000) 547–570
14. Hofmeyr, S.A., Forrest, S.: Immunity by design: An artificial immune system. Proceedings of the Genetic and Evolutionary Computation Conference 2 (1999) 1289–1296
15. Hofmeyr, S.A., Forrest, S.: Architecture for an artificial immune system. Evolutionary Computation 8 (2000) 443–473
16. Hofmeyr, S.A., Forrest, S.: Immunology as information processing. (2000)
17. Machado, R.B., Boukerche, A., Sobral, J.B.M., Juca, K.R.L., Notare, M.S.M.A.: A hybrid artificial immune and mobile agent intrusion detection based model for computer network operations. IPDPS '05: Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05) - Workshop 6 19 (2005)
18. Andrews, Baruch Awerbuch, Antonio Fernández, Tom Leighton, Zhiyoung Liu and Jon Kleinberg, M.: Universal-Stability Results and Performance Bounds for Greedy Contention-Resolution Protocols. Journal of the ACM 48 (2000) 39–69
19. Hilker, M.: Queueing Strategies in Internet Routing. Diploma Thesis at the Johann Wolfgang Goethe-University Frankfurt/M., Germany (2005)
20. Hilker, M., Schommer, C.: A new queueing strategy for the adversarial queueing theory. IPSI-2005 Slovenia (2005)
21. Neuhaus, S., Zeller, A.: Isolating intrusions by automatic experiments. 13th Annual Network and Distributed System Security Symposium (2006)
22. Hilker, M., Schommer, C.: Description of bad-signatures for network intrusion detection. AISW-NetSec 2006 during ACSW 2006, CRPIT 54 (2006)
23. Hilker, M., Schommer, C.: Agnosco - identification of infected nodes with artificial ant colonies. RASC 2006 (2006)
24. Finizio, I., Mazzariello, C., Sansone, C.: A temporal-behavior knowledge space for detecting intrusions in computer networks. RASC 2006 (2006)
25. Sekar, R., Gupta, A., Frullo, J., Shanbhag, T., Tiwari, A., Yang, H., Zhou, S.: Specification-based anomaly detection: a new approach for detecting network intrusions. Volume 9. (2002) 265–274
26. Lazarevic, A., Ertoz, L., Ozgur, A., Srivastava, J., Kumar, V.: A comparative study of anomaly detection schemes in network intrusion detection. Proceedings of Third SIAM Conference on Data Mining 3 (2003)
27. Leung, K., Leckie, C.: Unsupervised anomaly detection in network intrusion detection using clusters. Australasian Computer Science Conference 28 (2005)
