Hybrid Detection of Application Layer Attacks Using Markov Models for Normality and Attacks

Hernández, Rolando Salazar; Díaz-Verdejo, Jesús E.

doi:10.1007/978-3-642-17650-0_29

Cited by 4 publications

(6 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Such values can be interpreted, for example, as a measure of the signature's accuracy or the confidence given to the suspicious payload from which the pattern was obtained [18]. Whatever the case, trust values in signatures can be helpful to reduce false positives and to prioritize rule application, among others.…”

Section: Analysis and Discussionmentioning

confidence: 98%

“…To evaluate our proposal, we have first gathered a dataset composed of normal, attack-free HTTP traffic collected during several weeks in an academic institution [18]. The traces, to which we will refer as PVH, contain traffic destined to a web server that offers information about teaching, degrees, and includes utilities supporting administrative tasks and other daily activities carried out by both students and university staff.…”

Section: Datasets and Evaluation Frameworkmentioning

confidence: 99%

See 1 more Smart Citation

Automatic generation of HTTP intrusion signatures by selective identification of anomalies

García-Teodoro

Díaz-Verdejo

Tapiador

et al. 2015

Computers & Security

View full text Add to dashboard Cite

Section: Analysis and Discussionmentioning

confidence: 98%

Section: Datasets and Evaluation Frameworkmentioning

confidence: 99%

Automatic generation of HTTP intrusion signatures by selective identification of anomalies

García-Teodoro

Díaz-Verdejo

Tapiador

et al. 2015

Computers & Security

View full text Add to dashboard Cite

“…A dataset has to be suited for the specific model and parameters used by the anomaly detector. In this regard, the findings of this work are limited to detectors of anomalous HTTP requests based on probabilistic models (e.g., n-gram [33], or Markov-based models [34]). In particular, the AIDS used in this work is based on 1-grammar since the authors are largely experienced in this technique (see [35]), which is simple enough as to let the reader stay focused on the contribution.…”

Section: Reference Aids and Terminologymentioning

confidence: 99%

How Much Training Data is Enough? A Case Study for HTTP Anomaly-Based Intrusion Detection

et al. 2020

View full text Add to dashboard Cite

Most anomaly-based intrusion detectors rely on models that learn from training datasets whose quality is crucial in their performance. Albeit the properties of suitable datasets have been formulated, the influence of the dataset size on the performance of the anomaly-based detector has received scarce attention so far. In this work, we investigate the optimal size of a training dataset. This size should be large enough so that training data is representative of normal behavior, but after that point, collecting more data may result in unnecessary waste of time and computational resources, not to mention an increased risk of overtraining. In this spirit, we provide a method to find out when the amount of data collected at the production environment is representative of normal behavior in the context of a detector of HTTP URI attacks based on 1-grammar. Our approach is founded on a set of indicators related to the statistical properties of the data. These indicators are periodically calculated during data collection, producing time series that stabilize when more training data is not expected to translate to better system performance, which indicates that data collection can be stopped. We present a case study with real-life datasets collected at the University of Seville (Spain) and a public dataset from the University of Saskatchewan. The application of our method to these datasets showed that more than 42% of one trace, and almost 20% of another were unnecessarily collected, thereby showing that our proposed method can be an efficient approach for collecting training data at the production environment. INDEX TERMS Anomaly-based intrusion detection, dataset assessment, training.

show abstract

“…One example of the sequence of transactions can be shown as llmhmlhm. The types of purchases such [13], [27], [43], [86], [93], [101], [107] [2], [34], [39], [50], [59], [113], [118] [30], [41], [77], [83] [4], [8], [17], [36], [38], [42] [6], [7], [18], [48], [74], [92] [28], [33], [40], [47], [53], [67], [71], [97], [105], [114], [116], [119] [54], [55], [112] [15], [70], [77], [95], [99], [102] [10], [44], [66] [41], [53], [56], [74],…”

Section: Credit Card Fraud Detectionmentioning

confidence: 99%

“…The K-means clustering method is used for determining different network states and calculating transitions between the states. Other research in this category includes [70,95] in which HMM behavioral models are created using the payloads of transmission control protocol (TCP)/internet protocol (IP) packets exchanged in the network to create malicious behavior. The data sources for creating these models are raw packets retrieved from the network.…”

Section: Network Levelmentioning

confidence: 99%

A systematic review on intrusion detection based on the Hidden Markov Model

Ramaki

Rasoolzadegan

Jafari

2018

Statistical Analysis

View full text Add to dashboard Cite

Apart from using traditional security solutions in software systems such as firewalls and access control mechanisms, utilizing intrusion detection systems are also necessary. Intrusion detection is a process in which a set of methods are used to detect malicious activities against the victims. Many techniques for detecting potential intrusions in software systems have already been introduced. One of the most important techniques for intrusion detection based on machine learning is using Hidden Markov Models (HMM). In recent decades, many research communities have been working toward HMM-based intrusion detection. Therefore, a large volume of research works has been published and hence, various research areas have emerged in this field. However, until now, there has been no systematic and up-to-date review of research works within the field. This paper aims to survey the research in this field and provide open problems and challenges based on the analysis of advantages, limitations, types of architectural models, and applications of current techniques. Six various architecture models for intrusion detection purposes are proposed in the literature. We compare these models based on performance criteria in order to select an appropriate type for a specific application. The results show that HMM-based intrusion detection techniques have 6 main advantages-precise intrusion detection, ability to detect new and unknown intrusions, prediction of the intruder's potential next steps, usage in real-time applications by processing data streams on-the-fly, usage of heterogeneous data sources as input, and visual representation of acquired knowledge relative to the other techniques of machine learning. KEYWORDSHidden Markov Model, intrusion detection, intrusion detection system, statistical learning, system and network security

show abstract

Hybrid Detection of Application Layer Attacks Using Markov Models for Normality and Attacks

Cited by 4 publications

References 10 publications

Automatic generation of HTTP intrusion signatures by selective identification of anomalies

Automatic generation of HTTP intrusion signatures by selective identification of anomalies

How Much Training Data is Enough? A Case Study for HTTP Anomaly-Based Intrusion Detection

A systematic review on intrusion detection based on the Hidden Markov Model

Contact Info

Product

Resources

About