Abstract
We present PCkAD, a novel semi-supervised anomaly-based IDS (Intrusion Detection System) technique for detecting application-level, content-based attacks. Its distinguishing feature is that it learns legitimate payloads by splitting packets into chunks and determining the within-packet distribution of n-grams. This strategy is resistant to evasion techniques such as blending. We prove that finding the right legitimate content is NP-hard in the presence of chunks. Moreover, the approach improves the false-positive rate at a given detection rate compared with the case in which the spatial information is not considered. A comparison with well-known n-gram-based IDSs shows that PCkAD achieves state-of-the-art performance.
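As an added illustration of the chunk-based idea stated in the abstract (this is not the PCkAD implementation, whose learning and scoring differ), the Python below compares a whole-payload n-gram model with one that remembers in which chunk of the packet each n-gram was observed. The n-gram length, chunk count, set-membership scoring, alert threshold and the HTTP-like training requests are all constructed assumptions; the "rearranged" test payload reuses only n-grams that occur in training, but places them in the wrong part of the packet.

```python
"""Toy comparison of a positional-agnostic n-gram model with a chunk-aware
(within-packet spatial) n-gram model, inspired by the PCkAD abstract.
Added example, not the PCkAD code: N, K, THRESHOLD, the scoring rule and the
training payloads are assumptions chosen for illustration."""
from collections import defaultdict

N = 2            # n-gram length (assumed)
K = 4            # number of equal-sized chunks per payload (assumed)
THRESHOLD = 0.2  # fraction of unseen n-grams above which a payload is flagged (assumed)

# Constructed legitimate training payloads (synthetic HTTP requests, not captured traffic).
TRAIN = [
    b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /cart.html HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: curl/7.58.0\r\n\r\n",
    b"GET /login.html HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: curl/7.58.0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

# Constructed test inputs: a legitimate request absent from training, and a request
# whose header blocks were reordered so every n-gram is still legitimate *somewhere*
# in the training data, but most now sit in a chunk where they were never seen.
LEGIT = b"GET /cart.html HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
REARRANGED = b"User-Agent: Mozilla/5.0\r\nHost: shop.example\r\nGET /index.html HTTP/1.1\r\n\r\n"


def chunk_of(pos: int, length: int, k: int = K) -> int:
    """Index of the chunk containing byte `pos` of a payload of `length` bytes."""
    size = -(-length // k)  # ceiling division: bytes per chunk
    return pos // size


def positioned_ngrams(payload: bytes, n: int = N, k: int = K):
    """Yield (chunk_index, ngram) for each n-gram, located by its first byte."""
    for i in range(len(payload) - n + 1):
        yield chunk_of(i, len(payload), k), payload[i:i + n]


class NgramModel:
    """Positional-agnostic model: an n-gram is legitimate if seen anywhere in training."""
    def __init__(self):
        self.seen = set()

    def train(self, payloads):
        for p in payloads:
            self.seen.update(g for _, g in positioned_ngrams(p))

    def score(self, payload: bytes) -> float:
        grams = [g for _, g in positioned_ngrams(payload)]
        return sum(g not in self.seen for g in grams) / len(grams)


class ChunkNgramModel:
    """Spatial model: an n-gram is legitimate only in chunks where training saw it."""
    def __init__(self):
        self.seen = defaultdict(set)  # chunk index -> n-grams observed in that chunk

    def train(self, payloads):
        for p in payloads:
            for c, g in positioned_ngrams(p):
                self.seen[c].add(g)

    def score(self, payload: bytes) -> float:
        grams = list(positioned_ngrams(payload))
        return sum(g not in self.seen[c] for c, g in grams) / len(grams)


def build_models(train=TRAIN):
    """Train both models on the same legitimate payloads."""
    gm, cm = NgramModel(), ChunkNgramModel()
    gm.train(train)
    cm.train(train)
    return gm, cm


def evaluate(payload: bytes, gm: NgramModel, cm: ChunkNgramModel, threshold: float = THRESHOLD):
    """Score one payload under both models and apply the alert threshold."""
    gs, cs = gm.score(payload), cm.score(payload)
    return {"global_score": gs, "chunk_score": cs,
            "global_flag": gs > threshold, "chunk_flag": cs > threshold}


if __name__ == "__main__":
    gm, cm = build_models()
    for name, p in (("legit", LEGIT), ("rearranged", REARRANGED)):
        r = evaluate(p, gm, cm)
        print(f"{name:10s} global={r['global_score']:.3f} flagged={r['global_flag']!s:5s} "
              f"chunk={r['chunk_score']:.3f} flagged={r['chunk_flag']}")
```

The rearranged request contains a single n-gram (the line break immediately followed by the request method) that the positional-agnostic model has never seen, so that model barely reacts, whereas the chunk model finds most of the n-grams out of place and flags the payload; the unseen legitimate request scores zero under both. PCkAD itself works with the distribution of n-grams within the packet rather than plain per-chunk sets, so this toy keeps only the spatial aspect of the idea.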
Exploiting Content Spatial Distribution to Improve Detection of Intrusions