Towards Self-Organizing Maps based Computational ... - IEEE Xplore

Towards Self-Organizing Maps based Computational Intelligent System for Denial of Service Attacks Detection M.A. Pérez del Pino*, P. García Báez**, P. Fernández López*, C.P. Suárez Araújo* *

Instituto Universitario de Ciencias y Tecnologías Cibernéticas, Universidad de Las Palmas de Gran Canaria, Las Palmas de Gran Canaria, Islas Canarias, España, {[email protected], [email protected]} ** Departamento de Estadística, Investigación Operativa y Computación, Universidad de La Laguna. La Laguna, Islas Canarias, España, {[email protected]} possible damage and guaranteeing the continuity of offered services. Different models have been proposed for detection, early alert and rapid decision making against this type of attacks using different approaches: expert systems, probabilistic systems, heuristics systems, Petri networks, automata and artificial neural networks usually under some type of supervision. Most of these proposals present weaknesses in the efficiency required for a complex implementation and difficult level of maintenance [2,3]. There are two main reasons for this situation: 1) the difficulty in defining precise behavior patterns of attacks, and 2) the frequent appearance of new attacking techniques. On the other hand, it is rather difficult to determine when a denial of service attack is taking place in real time. A follow-up analysis of the captured data is required to exactly determine what occurred; a process that also requires numerous computational and human resources. Thus, this study faces two important challenges. First, it seeks to offer an important contribution in obtained results (that is, higher success rates); and second, the development of data analysis methods that are less computationally expensive. In this paper we propose to tackle this problem of computer security using an unsupervised neural computation approach. This approach is appropriate in this problem because complex data analysis is required in real time, where information overlapping is present, in addition to data noise and the absence of explicit knowledge of the situation. We present a flexible model that is capable of effectively tackling and overcoming the challenge of DoS attacks using a CISDAD (Computer Intelligent System for DoS Attacks Detection); a hybrid intelligent system with a modular structure: a pre-processing module (non-neural) and a processing module based on unsupervised artificial neural networks, concretely Kohonen’s Self-Organizing Maps[4]. One of the strong points of our proposed CISDAD is that it introduces an automatic non bi-modal detection, quite different than the majority of the ones that are available today [2,3,5,6]. If we regard that any kind of attack that can be considered to be a denial of service attack must be classified as a function of the communication protocols that are used as a basis for its action procedure and of the congestion of the network

Abstract— Denial of Service (DoS) attacks are some of the biggest problems for computer security. Detection and early alert of these attacks would be helpful information which could be used to make appropriate decisions in order to minimize their negative impact. This paper proposes a new approach based on SOM-type unsupervised artificial neural networks for detection of this type of attacks at an early stage. We present a SOMbased Computational Intelligent System for DoS Attacks Detection (CISDAD) and a new representation scheme for information. A study has been carried out on real traffic from a healthcare environment based on web technologies. Results show effectiveness in the detection of toxic traffic and congestion regarding abuse in communication networks.

I. INTRODUCTION Several services of socio-economic interest in society today, many of them involving critical considerations, are offered over the Internet 24/7. Their exposure to the global networking environment leaves them vulnerable to different types of computer attacks, among which DoS (Denial of Service) attacks, due to their high corresponding catastrophic index, are highlighted. These attacks cause an interruption in services of a specific computer system by taking advantage of the weak points in communication protocols and/or in their implementation in the machines involved in the communication, and whose intent is to provoke an overload on resources and/or network congestion in the network of the system under attack, generating in this last instance a loss of connectivity of the victim. As such, recently well known businesses in the technological sector have been subject to important costly DoS attacks. Until recently, monitoring and auditing of computer systems were based on individual and independent systems. However, the most common organization needs to defend a distributed set of systems in interconnected communication networks. Although it is possible to increase computer security by using isolated and independent monitoring systems, experience has shown that cooperation and coordination among these systems guarantee a more effective defense [1]. Thus, a set of monitoring, auditing and data analysis systems oriented towards the defense of computer systems have appeared, all of which must be capable of detecting any illegal action against a protected system, minimizing

978-1-4244-7652-7/10/$26.00 ©2010 IEEE

– 151 –

INES 2010 • 14th International Conference on Intelligent Engineering Systems • May 5–7, 2010 Las Palmas of Gran Canaria, Spain

that encourages it, this architecture has been designed to detect toxic traffic, distinguishing it from the normal traffic above the Network Level according to the Internet Protocols Stack (specifically above the IP protocol): TCP transport control protocol referents (TTTCP); those based on ICMP packet flooding (TTICMP); and those based on flooding employing UDP protocol (TT-UDP). Obtained results in the first stage of CISDAD show a high level of effectiveness in the detection process, with a low rate of false negatives, which is probably the most important feature in any security system, in addition to offering a high level of performance, which is based on low resource consumption and a fast real-time processing and analysis.

Buffer PFB [IV.A] store

Sniffer

Capture no

size(PFB)=M?

traffic forwarding

yes

Extract Features [IV.B]

PM-SOM

II. METHOD We designed a hybrid intelligent system with a modular structure, for Denial of Service Attacks Detection (CISDAD) Fig.1. CISDAD is formed by a pre-processing module (PPM), which provides feature vectors that make up the input of the processing module (PM-SOM), based on Kohonen’s Self Organizing Maps [9]. This artificial neural map is responsible for identifying any potential DoS attack flowing over the communications network. The information environment used in our development is real networking traffic data, made up of captured Normal Traffic packets (NT) and three classes of Toxic Traffic according to the main three protocols above the Internet Stack Network Level (specifically above the IP protocol): (1) TCP Traffic packets (TTTCP); (2) UDP Traffic packets (TT-UDP); and (3) ICMP Traffic packets (TT-ICMP).

Normalization & Packing [IV.C]

PFB

detection

PPM Figure 1. CISDAD Structural Diagram

tion representation, with the objective of obtaining patterns that can indicate a potential flooding attack. The proposed representation is not based on the packet content payload [6]; however, we focus on the management of specific network session data, given that the management of complete data (packet headers + data content) does not present relevant semantics to improve the detection of a possible denial of service attack. This is essentially owing to the following facts: 1) The information used by systems to establish point-to-point connections, manage control flow, etc. is defined in the protocol headers that operate above the Network Level (according to the Internet Protocols Stack), that is, mainly the protocols that operate at the Transport Level.

A. CISDAD Pre-Processing Module (PPM) Captured traffic is input sequentially and in real time (online) to the PPM, which carries out three tasks to obtain a feature vector to be analyzed by the PM-SOM: time representation of network traffic (1), information representation (2), normalization and packing (3), Fig.1. Time correlation of packets is of vital interest in the domain of the posed problem. Several studies have analyzed this characteristic, proposing essentially two completely different approaches [1,2,3,5,9]: a) the use of the timestamp of each packet; b) to determine a time window, represented by a FIFO queue and a maximum threshold of packets to deal with the set. Our PPM implements approach b). We use the term PFB for Packet Flow Block, which is defined as the set of M packets that, based on order of arrival, will be treated together by the PPM. Let M be the size of the window from a time representation point of view. It was determined empirically that the optimal value for M was 50. When M50, the gathered results are not significantly better and the consumption of computational resources is much greater than when using the established empirical threshold M=50. On a different note, we consider the data representation showing the CISDAD effectiveness to be extremely important and quite revealing. The PPM from our system presents important changes in the informa-

2) A DoS attack, by definition, reflects an excess or abuse of specific requests by the attacking systems to the victim systems. Consequently, and exactly opposite of what occurs with other vulnerabilities (virus, trojans, exploitation of software services, etc.), we think that the data content of packets is not relevant for the posed problem. Several studies consider that the IP addresses represent valuable information with respect to potential attacking systems [3] or protected systems [8]. A DoS attack can be carried out by any system that is connected to a network, even inside a protected one. In addition, the attack can be accompanied by an identity spoofing by the sender/s in sent packets (IP address spoofing) or even a distributed attack method could be employed. Thus, we consider that the IP addresses representation does not provide additional information to the detector. Conversely, it will be useful to temporarily store these addresses during the preprocessing and processing stages. The objective is to gather and then provide information to the network traffic processing systems (routers, firewalls, etc.) in the early stage of a potential flooding attack, with the intent of minimizing the damage that could take place.

– 152 –

M. A. Pérez del Pino et al. • Towards Self-Organizing Maps based Computational Intelligent System for Denial of Service Attacks Detection

The next step was to select which features of the data packets could be relevant for early detection of potential attacks. The influence of the 25 leading indicators of network level (IP), transport level (TCP, UDP) and ICMP control protocol was analyzed. Performed studies show that there is a high dependency in the underlying protocol the attack is based on. In the cases of ICMP and UDP, the increase in the number of these types of packets was immediately apparent. In the case of TCP, and due to its connection orientation, a change in the tendency of several of the protocol featuring indicators (ACK, PSH, RST, SYN) was noted. Our focus proposes an analysis of the tendency of these packet features which make up the PFB, because it is this tendency that could indicate a potential current flooding attack. Regarding data normalization and packing, PPM extracts the previously commented indicators from each input packet , resulting in a 9-component vector

competitive, being the winner unit of such process the detector with the best adjustment to the input vector; that is, the one that is closer to this pattern, or in other words, the detector whose distance to the input vector is minimal. The winner unit, and those that are found to be topographically close, will learn something from the input vector , increasing the degree of pairing with it.

(2) The training process allows a global ordering to be obtained, where the implementation takes place by the process with the equation given in (3). Thus, it can be said that the SOM module acts as a quantifying system that is adapted to the input space [10]. Equation (3) describes the variance that is motivated in the weights and refers to the SOM architecture learning law, where is the learning rate, usually implemented by monotonically decreasing functions of time, such as

, where the compo-nent stores the protocol indicator according to the following:

, and is a function that defines the neighbourhood centered in c, between the winner unit c and any other unit l. can be seen as a function that decreases as long as l is further from c and, at the same time, this decrease is highlighted according to the learning time elapses. The used in this research work has been a rectangular function.

and the components store the activation state, , for each one of the 8 studied TCP flags. Once the window size M is reached, the PPM will carry out a normalization and packing process of the data according to (1).

(3) In order to carry out the training process and quantify the obtained results, we have used as a measure the average quantification error Q [10], or reconstruction error, expressed in (4), where the differences between each pattern and the weights corresponding to unit , winner unit for that pattern, are averaged.

(1) The result of this stage will constitute the information space of the PM-SOM module, serving as input vector of the neural network. B. CISDAD Processing Module (PM-SOM) The proposed Processing Module detector is implemented using a Kohonen’s Self-Organizing Map (SOM). This neural architecture carries out a non-linear mapping of an n-dimensional input space, features space, into a bi-dimensional space. One of the reasons why this neural network was used was its specific advantage: the creation of feature maps that preserve the topological order and approximate the probability distribution of input data using a self-organizing process that can produce feature detectors [4,10]. It is also a first step in the search for meaning and structure in both input data and the classification process. The proposed SOM structure is made up of an input layer of 9 units and a bi-dimensional competitive layer of 10x10 neurons, using a total connectivity topology. The comparative process between existing entries and detectors used different similarity measures; the more noteworthy include Euclidean and Scalar Product distances. Our implementation uses the Euclidean distance according to (2), where is the input feature vector and is the weights vector between the input . The SOM training process is and detector

(4) III. SIMULATION A Linux gateway with IPv4 forwarding enabled was used to gather the networking traffic data sets. The main network interface was set to promiscuous mode, capturing all the characteristics of data packets that flow over the communication network using a sniffer-type tool, Fig. 2.

– 153 –

INES 2010 • 14th International Conference on Intelligent Engineering Systems • May 5–7, 2010 Las Palmas of Gran Canaria, Spain

TT-ICMP Packets TT-UDP Packets

10000 5000

200 100

650 700

13 14

TABLE II. AVERAGE QUANTIFICATION ERRORS, QT AND QV, ACCORDING TO THE OPTIMAL CONFIGURATIONS OF THE SOM NETWORK R

Dim

Top

Vec

α

r

Cycles

Qt

Qv

1 2 3 4 5

10x10 10x10 10x10 10x10 10x10

hex hex hex hex hex

rect rect rect rect rect

0,05 0,05 0,08 0,05 0,05

3 3 2 3 3

75000 30000 80000 45000 85000

0,0495 0,0503 0,0511 0,0500 0,0491

0,0707 0,0722 0,0807 0,0730 0,0815

Figure 2. Proposed Probe System into Networking Environment for Data-Gathering and Data-Analysis

A variable volume of users ranging from 2 to 20 was simulated using the load balancing tool WAPT [7], creating different http-requests against a web server placed in the network. At the same time, different flooding attacks against this service were performed using the hping [8] tool, in a controlled manner, using different computer nodes, gathering all the traffic activity. Our training data set was made up of 63200 captured packets, of which 38200 were considered normal traffic packets (NT), 10000 were SYN-type flooding attacks (TT-TCP), 10000 were ICMP-type flooding attacks (TT-ICMP) and 5000 were UDP-type flooding attacks (TT-UDP). Regarding our validation data set, it was made up of 4550 data packets, of which 2150 were NT, 1050 were TT-TCP, 650 were TT-ICMP and 700 were TT-UDP (Table I). Regarding the SOM, SOM_PACK, a public-domain software package that implements the Self Organizing Algorithm [9], was used on a Linux platform. During the simulation period, results of each SOM configuration were automatically stored in a database for later exploitation of obtained results.

TABLE III. CONFUSION MATRIX FOR PM-SOM (R=1) NT TT-TCP TT-ICMP TT-UDP

TABLE I. BREAKDOWN OF VOLUME OF CAPTURED PACKETS VERSUS OBTAINED PFBS FOR M=50

NT Packets TT-TCP Packets

Training Packets PFBs 38200 764 10000 200

TT-TCP 0 20 0 0

TT-ICMP 0 0 13 0

TT-UDP 0 0 0 14

According to the values and , the parameterization of the R=1 network reveals the best map for the studied problem (PM-SOM), Table II. The R=5 network offers a value which is slightly lesser than the same value for the R=1 configuration, not following this tendency its . Once the training period was finished, the R=1 network detected 4 different clusters in our dataset. Obtained results in the validation process show that PM-SOM was able to detect the different existing clusters in the analyzed real data with a high level of accuracy by each class. A review of the confusion matrix in Table III shows 100% detection accuracy for normal traffic. Identical results were obtained for UDPand ICMP-type flooding traffic. Regarding TCP toxic traffic, the proposed system reached 95.24% accuracy for the corresponding classes based on SYN attacks. The remaining 4.76% of the TT-TCP packets were misclassified as normal traffic. Once the components of the studied traffic were represented and the incorrectly classified PFB has been placed, it can be observed that this pattern is located in an area prior to the existence of toxic flows, although it was classified as normal traffic by the neural network, demonstrating this event as the only false positive detected, Fig.3.When the mentioned PFB produces the false positive, it appears as a greater ACK index than usual in the TT-TCP traffic analysis. High ACK content indicates acknowledgments by one of the peers (the receiver) during transport flow control and it is very common in normal traffic transactions (established connections in which there exist data transactions between two extremes). In addition, an analysis of the previous and subsequent PFBs reveals that the false positive has the highest ACK rate of all the traffic flow prior and during the DoS attack, Fig. 3. The values of ACK and PSH suggest that this PFB contains a combination of NT and TT-TCP, where there is greater tendency for NT indicators than usual in TTTCP traffic.

IV. RESULTS AND DISCUSSION A total of 38800 different SOM configurations were trained to tackle the proposed problem. The following SOM configuration parameters were varied: dimension (Dim.), topology (Top.), neighborhood function (Vec.), training rate (α), neighborhood radius (r) and number of training steps (Cycles). Patterns were presented in a random way. The tendency of the gathered results has a great value of acceptability, revealing a set of 5 optimal configurations with highly satisfactory throughput. These performance levels are shown based on the quantification errors in the training and the validation stages of these 5 configurations (Table II) as well as through one of the most clarifying validation functions for clustering quality, the confusion matrix, (Table III).

Traffic Type

NT 43 1 0 0

Validation Packets PFBs 2150 43 1050 21

– 154 –

M. A. Pérez del Pino et al. • Towards Self-Organizing Maps based Computational Intelligent System for Denial of Service Attacks Detection

Figure 3. Diagram of the SYN, ACK, RST and PSH signals for the study of false positives. The first part of the figure (left side) defines the section prior to the SYN attack (NT/TT-TCP combination), while the second (right side) defines the window of pure SYN toxic traffic. The false positive is identified approximately in the middle of the left area, displaying its values with squares for the four visual signals.

Additional support for this hypothesis is found in the diminishing amount of SYN and RST indicators in the PFB, producing the false positive the lowest toxicity rate in the entire attack. V.

APPLICATION INTO HEALTHCARE INFORMATION SYSTEMS

Figure 4. EDEVITALZH Distributed Infrastructure: Web Application Servers, Database Servers, Intelligent Diagnosis Servers

Healthcare Information Systems are critical due to their role in service to patients. The wide variety of data that they manage and store are always subject to potential computer attacks, being one of the most common type of attacks the denial-of-service ones, whose consequences can be catastrophic. According to data from the U.S. consulting firm SecureWorks, in the first nine months of the year 2009 there were approximately 6,500 registered attacks per day on hospital information systems, while this same tendency doubled in the last three months of the same year, exceeding 13,400 registered attacks per day. What is more revealing is that other industries that are also protected by the same firm did not report any change in the tendency of these security incidents. Currently in use Healthcare information systems centralize patient data in a HIS (Healthcare Information System), the central warehouse of the electronic clinical records, and encourage the sharing of information between a set of interconnected departmental systems with this one: Laboratory Information System, Radiology Information System, Pharmacological Prescription Information System, etc. The communication schemes used today to interconnect these systems are based on the protocols of the Internet architecture, namely TCP/IP. Healthcare communication protocols HL7 and DICOM, widely extended in the health arena, are clear samples [13,14].

An example of this type of systems to some degree is EDEVITALZH, a clinical virtual environment focused on the diagnosis and prognosis of Cognitive Impairment (CI), Alzheimer’s Disease (AD) and other dementias. This environment implements the Global Clinical Protocol for Dementias (GCPD), which reflects the specific data of interest channeled towards the diagnosis of theses neuropathologies. It allows electronic medical records to be set up, creating a database of the patients’ clinical records, [12]. EDEVITALZH is made of a HIS for the storage of electronic medical records of these kind of patients and is based on a three-layer web application model (Presentation Layer, Business Logic Layer and Data Layer), and a set of systems that serve as support to assist the diagnosis by the physician, based on HUMANN [11], a hierarchical hybrid unsupervised neural architecture. EDEVITALZH has been developed using a distributed architecture, which makes the communication between the systems one of its critical points, since it requires reliability and security in the transmissions between the involved components, Fig.4. The logical distribution of EDEVITALZH was the result of its design-level requirements, since it was conceived as a system that had to function in geographically separated areas and take advantage of the http protocol and its extension, https, over the Internet. This feature allows the appropriate technological tools and patients’ medical records to be available to health centers, specialized care centers and hospitals in a virtual context, offering 24/7 availability and quality of service among satellite clients (which work over the Internet) and the EDEVITALZH data center, geographically separated by hundreds of kilometers. Any departmental system that requires information of a specific patient or wants to update their electronic

– 155 –

INES 2010 • 14th International Conference on Intelligent Engineering Systems • May 5–7, 2010 Las Palmas of Gran Canaria, Spain

addition, the dynamic training capacity of our study fulfills the functions of a robust system in constantly changing conditions of the operating environment. CISDAD can offer specific adaptation to the healthcare environment, satisfying the underlying need to protect systems against unwanted attacks, assisting in the creation of security procedures with minimum investment in human resources while providing a high level of effectiveness. The development of reliable, fast and low-cost strategies against DoS attacks is one of the desired achievements from this proposal. The simplicity and efficiency could allow CISDAD to be integrated, in the near future, as part of gateway, routing and/or security devices with great ease, increasing the robustness of decisions these devices make to maintain the interconnectivity of the networks. Future work will focus on the feasibility of the SNMP protocol as a support of network data summaries and traffic data statistics, due to its wide application in all kinds of communication devices, and the employment of more effective neural architectures in blind clustering processes, more robust with noise, such as HUMANN, in the Processing Module, leading our research towards an analysis of mixes of data traffic.

medical records history with new data must request and/or transmit data to the EDEVITALZH HIS. This task implies specific security risks and reliability of the involved systems. Any DoS attack against EDEVITALZH data center could result in the underutilization of the global system with important consequences for quality care of the patients. According to SecureWorks, it can be said that the worst attacks that can be produced in a clinical setting are those whose finality results in a denial of service. In addition, their study reveals that more than 50% of all large hospitals in 2009 were subject to security breaches of these characteristics. It is necessary to have available tools and policies that protect systems that store patient information and guarantee 24/7 availability of service care. The proposed system in this study is capable of solving this type of problems, incorporating it to network topologies and data communications, Fig.5. Our CISDAD has the capacity to alert at an early stage of any unusual flooding congestion that is produced inside and outside of the organization. This feature helps managers to consider contingency plans such as traffic redirection schemes over other routes, increasing security levels in their firewalls, knowledge in real time and about transactions that affect their networks and, especially important, to respond in time to potential attacks against their information systems.

ACKNOWLEDGMENT We would like to thank Canary Islands Government, the Science and Innovation Ministry of the Spanish Government and EU Funds (FEDER) for their support under Research Projects “SolSubC200801000347” and “TIN2009-1389” respectively. REFERENCES [1] S. Zanero, “Analyzing TCP Traffic Patterns Using SelfOrganizing Maps,” in Image Analysis and Processing – ICIAP 2005, ser. LNCS, 2005, pp. 83-90.

Figure 5. Proposed architecture for a Datacenter that offers Critical Services, such as a Hospital Information System

[2] P. Lichodzijewski, A. Nur Zincir-Heywood and M.I. Heywood, “Dynamic Intrusion Detection Using Self-Organizing Maps,” Proceedings of the 14th Annual CITASS, Ottawa, Canada, May 2002.

The fact that data transactions in health centers are carried out using the commented protocols makes CISDAD an ideal tool to monitor, detect and early alert against actions that can place in potential risk the security and availability of the protected healthcare information systems. VI.

[3] P. Lichodzijewski, A. Nur Zincir-Heywood and M.I. Heywood, “Host-Based Intrusion Detection Using Self-Organizing Maps”, Proceedings of the 14th Annual CITASS, Ottawa, Canada, May 2002.

CONCLUSIONS

[4] T. Kohonen, Self-Organization and Associative Memory (Springer Series in Information Sciences), 3rd ed. Springer, 1989.

Our study presents advances in the area of computer security against denial of service attacks. We present a hybrid, intelligent and modular traffic congestion networking analyzer that works exclusively with session data in its pre-processing level. Our proposal, a solution based on unsupervised neural computation, is able to distinguish among normal traffic and the three main Internet Stack protocols–based floods just above the Network Level, that is, TCP, UDP and ICMP, without previous knowledge of the information that it receives, and with a high level of effectiveness in the detection of these problematic events. The obtained results from this study show the effectiveness of CISDAD managing traffic in distributed environments under different load levels and different types of traffic, including toxic traffic. In

[5] K. Labib and R. Vemuri, “NSOM: A Real-Time Network-Based Intrusion Detection System Using Self-Organazing Maps,” Department of Applied Science, University of California, Davis, USA, 2002.

[6] A. Bivens, C. Palagiri, R. Smith, B.K. Szymanski and M. Embrechts, “Network Based Intrusion Detection Using Neural Network,” in Intelligent engineering systems through artificial neural networks: Proceedings of ANNIE, vol. 12, 2002.

[7] S.

Sanfilippo, hping. [Online]. http://www.hping.org/. [Accessed: Feb. 10, 2010].

Available:

[8] SoftLogica

TM, WAPT. [Online]. Available: http://www.loadtestingtool.com/. [Accessed: Feb. 10, 2010].

[9] Department of Information and Computer Science, Helsinki University of Technology, SOM_PACK. [Online]. Available:

– 156 –

M. A. Pérez del Pino et al. • Towards Self-Organizing Maps based Computational Intelligent System for Denial of Service Attacks Detection

http://www.cis.hut.fi/research/som-research/nnrcprograms.shtml. [Accessed: Feb. 10, 2010]

[10] M. Amini, R. Jalili, and H. R. Shahriari, RT-UNNID: A Practical Solution to Real-time Network-based Intrusion Detection Using Unsupervised Neural Networks,” Computers & Security, vol. 25, no. 6, pp. 459-468, September 2006.

[11] P. García Báez, “HUMANN: Una Nueva Red Neuronal Artificial Adaptativa, No Supervisada, Modular y Jerárquica. Aplicaciones en Neurociencia y Medioambiente”, Ph.D. thesis, Univ. of Las Palmas de Gran Canaria, Las Palmas de Gran Canaria, Spain, 2005.

[12] C.P. Suárez Araujo, M.A. Pérez del Pino, P. García Báez and P. Fernández López, “Clinical Web Environment to Assist the Diagnosis of Alzheimer’s Disease and other Dementias,” WSEAS Transactions on Computers, vol. 6, pp. 2083–2088, December 2004.

[13] Health Level 7 International, HL7 Protocol. [Online]. Available: http://www.hl7.org. [Accessed: Feb. 10, 2010].

[14] NEMA, Medical Imaging & Technology Alliance, DICOM. [Online]. Available: http:// medical.nema.org/. [Accessed: Feb. 10, 2010].

– 157 –