An Effective Payload Attribution Scheme for Cybercriminal Detection Using Compressed Bitmap Index Tables and Traffic Downsampling

Abstract: 1  Abstract-Payload Attribution Systems (PAS) are one of the most important tools of network forensics for detecting an offender after the occurrence of a cybercrime. A PAS stores the network traffic history in order to detect the source and destination pair of a certain data stream in case a malicious activity occurs on the network. The huge volume of information that is daily transferred in the network means that the data stored by a PAS must be as compact and concise as possible. Moreover, the investigatio… Show more

“…Unlike the previous studies [4]- [8], [11]- [13], [22], [23], [23]- [27], PayloadEmbeddings can extract contextual information from payloads. Each byte in a payload is transformed into a vector space by maximizing the log probability…”

“…Applying the CPP technique, PCNAD uses 62.64% of the full payload length, on average. Hosseini et al [23] proposed a payload-based attribution scheme named CBID (Compressed Bitmap Index and Traffic Downsampling). CBID extracts features from down-sampled traffic using the combination of bloom filters and compressed bitmap index table.…”

“…Our empirical results indicate that PayloadEmbeddings reaches 92%-99% accuracy, precision, recall, and F1-score on ISOT, UNSW-NB15, CICIDS-2017, and CIC DoS datasets, and 75%-82% accuracy, precision, recall, and F1score on the other datasets, using kNN. We compare our approach to ten other traditional and state-of-the-art techniques, including PAYL [4], McPAD [6], HMMPayl [9], AEIDS [12], HAST [11], OCPAD [7], EsPADA [22], CBID [23], PL-RNN [13], and Packet2Vec [24] over the same datasets and show that our approach performs better over most of the datasets.…”

Intrusion Detection Using Payload Embeddings

“…Unlike the previous studies [4]- [8], [11]- [13], [22], [23], [23]- [27], PayloadEmbeddings can extract contextual information from payloads. Each byte in a payload is transformed into a vector space by maximizing the log probability…”

“…Applying the CPP technique, PCNAD uses 62.64% of the full payload length, on average. Hosseini et al [23] proposed a payload-based attribution scheme named CBID (Compressed Bitmap Index and Traffic Downsampling). CBID extracts features from down-sampled traffic using the combination of bloom filters and compressed bitmap index table.…”

“…Our empirical results indicate that PayloadEmbeddings reaches 92%-99% accuracy, precision, recall, and F1-score on ISOT, UNSW-NB15, CICIDS-2017, and CIC DoS datasets, and 75%-82% accuracy, precision, recall, and F1score on the other datasets, using kNN. We compare our approach to ten other traditional and state-of-the-art techniques, including PAYL [4], McPAD [6], HMMPayl [9], AEIDS [12], HAST [11], OCPAD [7], EsPADA [22], CBID [23], PL-RNN [13], and Packet2Vec [24] over the same datasets and show that our approach performs better over most of the datasets.…”

Intrusion Detection Using Payload Embeddings

“…CBID is the most recent proposed PAS which is based on a combination of Bloom filter, Bitmap index table and a new traffic downsampling technique [13]. It outperforms the previous methods in terms of false positive rate.…”

“…Next studies have presented improved payload attribution systems in terms of false positive rate and data reduction ratio [10]- [13]. Nevertheless, an important problem that has not been adequately addressed by the previous works is wildcard queries.…”

Digesting Network Traffic for Forensic Investigation Using Digital Signal Processing Techniques

Network security using Bloom Filter