Detecting Unknown Network Attacks Using Language Models

Rieck, Konrad; Laskov, Pavel

doi:10.1007/11790754_5

Cited by 48 publications

(47 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our method Zeta [44] is an anomaly score based on the concept of k-nearest neighbors; it extends the outlier detection methods proposed in [45,46]. The score is calculated as the mean distance of x to its k-nearest neighbors normalized by the mean inner-clique distance.…”

Section: Unsupervised Anomaly Detectionmentioning

confidence: 99%

See 1 more Smart Citation

Language models for detection of unknown attacks in network traffic

Rieck¹,

Laskov²

2006

J Comput Virol

Self Cite

View full text Add to dashboard Cite

In this paper we propose a method for network intrusion detection based on language models. Our method proceeds by extracting language features such as n-grams and words from connection payloads and applying unsupervised anomaly detection without prior learning phase or presence of labeled data. The essential part of this procedure is linear-time computation of similarity measures between language models of connection payloads. Particular patterns in these models decisive for discrimination of attacks and normal data can be traced back to attack semantics and utilized for automatic generation of attack signatures. Results of experiments conducted on two datasets of network traffic demonstrate the importance of higher-order n-grams and variable-length language models for detection of unknown network attacks. An implementation of our system achieved detection accuracy of over 80% with no false positives on instances of recent remote-to-local attacks in HTTP, FTP and SMTP traffic

show abstract

Section: Unsupervised Anomaly Detectionmentioning

confidence: 99%

“…1 Some explore local properties of the provided data for determining outliers, e.g. single-linkage clustering [32] and our k-nearest neighbor method Zeta [44], others analyze global properties, e.g. the simplified Mahalanobis distance [13] and quarter-sphere SVM [42], to identify instances deviating from the mass of data.…”

Section: Unsupervised Anomaly Detectionmentioning

confidence: 99%

Language models for detection of unknown attacks in network traffic

Rieck¹,

Laskov²

2006

J Comput Virol

Self Cite

View full text Add to dashboard Cite

show abstract

“…In addition, Latent Dirichlet Allocations are used for a similar purpose in [20]. NLP is also applied on network packet payloads for network intrusion detection in [18]. In [10], customers accesses to businesses URLs are analyzed using a word2vec-based method to propose better services to customers.…”

Section: Related Workmentioning

confidence: 99%

Experience Report: Log Mining Using Natural Language Processing and Application to Anomaly Detection

Bertero

Roy

Sauvanaud

et al. 2017

2017 IEEE 28th International Symposium on Software Reliability Engineering (ISSRE)

110

View full text Add to dashboard Cite

“…Such capability can only be provided by self-learning components which capture characteristics of observed normal data to flag anomalies as malicious events. Such methods have been previously proposed for general-purpose intrusion detection systems for IP networks, e.g., [5,7,11,12,21]. The peculiarities of the network protocols used in IMS, e.g., the Session Initiation Protocol, necessitate the development of specialized intrusion detection techniques tailored to their semantics.…”

Section: Introductionmentioning

confidence: 99%

Securing IMS against novel threats

et al. 2009

Self Cite

View full text Add to dashboard Cite

Fixed mobile convergence (FMC) based on the 3GPP IP Multimedia Subsystem (IMS) is considered one of the most important communication technologies of this decade. Yet this all-IP-based network technology brings about the growing danger of security vulnerabilities in communication and data services. Protecting IMS infrastructure servers against malicious exploits poses a major challenge due to the huge number of systems that may be affected. We approach this problem by proposing an architecture for an autonomous and self-sufficient monitoring and protection system for devices and infrastructure inspired by network intrusion detection techniques. The crucial feature of our system is a signature-less detection of abnormal events and zero-day attacks. These attacks may be hidden in a single message or spread across a sequence of messages. Anomalies identified at any of the network domain's ingresses can be further analyzed for discriminative patterns that can be immediately distributed to all edge nodes in the network domain

show abstract

Detecting Unknown Network Attacks Using Language Models

Cited by 48 publications

References 35 publications

Language models for detection of unknown attacks in network traffic

Language models for detection of unknown attacks in network traffic

Experience Report: Log Mining Using Natural Language Processing and Application to Anomaly Detection

Securing IMS against novel threats

Contact Info

Product

Resources

About