Anomalous Payload-Based Network Intrusion Detection

Wang, Ke; Stolfo, Salvatore J.

doi:10.1007/978-3-540-30143-1_11

Cited by 587 publications

(511 citation statements)

References 14 publications

Supporting

Mentioning

501

Contrasting

Unclassified

Order By: Relevance

“…Past researches reveal that anomaly based intrusion detection has several flaws, namely a high false positive rate and misjudging a correct data packet as attack packet. PAYL [20] and MCPAD [21] have tried to address these issues. In this research we will also focus on reducing these issues using both supervised and unsupervised anomaly-based intrusion detection.…”

Section: Intrusion Detection Systemmentioning

confidence: 99%

Adaptive Hybrid Model for Network Intrusion Detection and Comparison among Machine Learning Algorithms

Haque¹,

Al-Kharobi²

2015

IJMLC

View full text Add to dashboard Cite

Abstract-In this paper, we propose a novel method using ensemble learning scheme for classifying network intrusion detection from the most renowned KDD cup dataset. We have shown that reducing the dimensionality of the large dataset provides most accurate detection. Additionally, several machine learning algorithms are used to generate the accuracy metrics and analyzed further for proper comparison. Our approach found out that this algorithm outperforms all other learning techniques. Our goal is to analyze the network intrusion data and find out the best components and use them for the attack analysis. This scheme can be used in parallel with the intrusion detection system to augment its prediction performance for the future data packets. Empirical results show that the input dimensionality reduction can provide lightweight intrusion detection system that can be embedded with the vulnerable system for generating correct classification with significance improvement in execution time.

show abstract

Section: Intrusion Detection Systemmentioning

confidence: 99%

Adaptive Hybrid Model for Network Intrusion Detection and Comparison among Machine Learning Algorithms

Haque¹,

Al-Kharobi²

2015

IJMLC

View full text Add to dashboard Cite

show abstract

“…(b) an analysis of the eigenvalue spectrum of the vectors in the training set revealed that almost all the energy was contained in a six dimensional subspace; training and test samples were therefore projected to that subspace and the minimal l 2 norm between the current observation vector and the set of training prototypes was computed in the lower dimensional space; (c) instead of the l 2 norm, we computed the Mahalanobis distances (since it takes into account higher moments, it is frequently considered the method of choice in present day anomaly detection systems [25,26]); again, distance computation was carried out in in the low dimensional subspace; (d) self organizing maps (SOMs) were fitted to the six-dimensional approximations of the training data; the minimal distances of test vectors were computed w.r.t. the weights of the SOM neurons; (e) our algorithm presented in the previous section was applied; training and classification were based on feature vectors in R 40 .…”

Section: Smartphone System Data Set and Experimentsmentioning

confidence: 99%

“…Consequently, anomaly-based detection algorithms usually require a training (learning) phase before the actual detection (monitoring). Over the years, a large number of anomaly detection schemes have been proposed, most of them relying on a variety of machine learning and data mining techniques [19,25,26]. Decentralized malware detection schemes as well as deployment of filtering mechanisms have been studied in [6,18,24,4,5].…”

Section: Introductionmentioning

confidence: 99%

A Probabilistic Diffusion Scheme for Anomaly Detection on Smartphones

Alpcan

Bauckhage

Schmidt

2010

Information Security Theory and Practices. Security and Privacy of Pervasive Systems and Smart Devices

View full text Add to dashboard Cite

Abstract. Widespread use and general purpose computing capabilities of next generation smartphones make them the next big targets of malicious software (malware) and security attacks. Given the battery, computing power, and bandwidth limitations inherent to such mobile devices, detection of malware on them is a research challenge that requires a different approach than the ones used for desktop/laptop computing. We present a novel probabilistic diffusion scheme for detecting anomalies possibly indicating malware which is based on device usage patterns. The relationship between samples of normal behavior and their features are modeled through a bipartite graph which constitutes the basis for the stochastic diffusion process. Subsequently, we establish an indirect similarity measure among sample points. The diffusion kernel derived over the feature space together with the Kullback-Leibler divergence over the sample space provide an anomaly detection algorithm. We demonstrate its applicability in two settings using real world mobile phone data. Initial experiments indicate that the diffusion algorithm outperforms others even under limited training data availability.

show abstract

“…Anti-honeypot technology [23] Statistics-Based Payload Detection [38] Normal traffic has different byte-level statistics than worm infested traffic Blend into normal traffic [22] the aim of distinguishing data and program-like code. In this regard, we answer the following two questions.…”

Section: Honeypots/honeyfarmsmentioning

confidence: 99%

“…We do not focus on the return address component and changes in software do not impact our approach. Wang et al [38] proposed a payload based anomaly detection system called PAYL which works by first training with normal network flow traffic and subsequently using several byte-level statistical measures to detect exploit code. But it is possible to evade detection by implementing the exploit code in such a way that it statistically mimics normal traffic [22].…”

Section: Related Workmentioning

confidence: 99%

A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows

Chinchani

Berg²

2006

Lecture Notes in Computer Science

103

View full text Add to dashboard Cite

Abstract.A common way by which attackers gain control of hosts is through remote exploits. A new dimension to the problem is added by worms which use exploit code to self-propagate, and are becoming a commonplace occurrence. Defense mechanisms exist but popular ones are signature-based techniques which use known byte patterns, and they can be thwarted using polymorphism, metamorphism and other obfuscations. In this paper, we argue that exploit code is characterized by more than just a byte pattern because, in addition, there is a definite control and data flow. We propose a fast static analysis based approach which is essentially a litmus test and operates by making a distinction between data, programs and program-like exploit code. We have implemented a prototype called styx and evaluated it against real data collected at our organizational network. Results show that it is able to detect a variety of exploit code and can also generate very specific signatures. Moreover, it shows initial promise against polymorphism and metamorphism.

show abstract

Anomalous Payload-Based Network Intrusion Detection

Cited by 587 publications

References 14 publications

Adaptive Hybrid Model for Network Intrusion Detection and Comparison among Machine Learning Algorithms

Adaptive Hybrid Model for Network Intrusion Detection and Comparison among Machine Learning Algorithms

A Probabilistic Diffusion Scheme for Anomaly Detection on Smartphones

A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows

Contact Info

Product

Resources

About