Page | Figure | Caption | |
---|---|---|---|
53 | 4.3 | Graph of the lowest scoring requests | |
54 | 4.4 | Zoom on feature (Spam attack in this case) | |
55 | 4.5 | Zoom on feature (benign accesses forming a subgraph, isolated) | |
56 | 4.6 | Zoom on feature (benign accesses forming a subgraph, in vivo) | |
57 | 4.7 | Zoom on feature (benign accesses forming a not very clear subgraph) | |
60 | 4.8 | The remaining accesses deemed to be intrusion attempts, 2D graph | |
61 | 4.9 | The remaining accesses deemed to be intrusion attempts, 3D graph | |
75 | 5.1 | The Bayesvis tool | |
78 | 5.2 | The Bayesvis tool after retraining on false alarms | |
79 | 5.3 | The Bayesvis tool after having corrected under training | |
83 | 5.4 | False positives during the training phase | |
84 | 5.5 | Examples of false alarms in February log | |
86 | 5.6 | Generalized detection of Unicode attacks | |
93 | 6.1 | The Chi2vis tool after training one bad and one good | |
96 | 6.2 | The Chi2vis tool after training one bad and two good | |
97 | 6.3 | The Chi2vis tool after training two bad and two good | |
102 | 6.4 | Generalising the Unicode training to detect new instances | |
103 | 6.5 | False alarms: Example of the HEAD-pattern | |
104 | 6.6 | Results from training on syscall data | |
107 | 6.7 | All the false alarms of Bayesvis | |
108 | 6.8 | The "cgi-bin" pattern false alarms of Bayesvis | |
116 | 7.2 | A simple parallel coordinate plot | |
120 | 7.3 | A trellis of parallel coordinate plots | |
122 | 7.4 | A plot of the "Code-red" worm access pattern | |
123 | 7.5 | The six different requests made by pattern 1 from Figure 7.3 | |