Language models for detection of unknown attacks in network traffic

Rieck, Konrad; Laskov, Pavel

doi:10.1007/s11416-006-0030-0

Cited by 82 publications

(36 citation statements)

References 49 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They have also been used for traffic analysis problems with success [21]. This technique combines the hostnames of n adjacent events to obtain a composite hostname.…”

Section: Transformation Of Frequency Vectorsmentioning

confidence: 99%

Tracking Users on the Internet with Behavioral Patterns: Evaluation of Its Practical Feasibility

Banse

Herrmann

Federrath

2012

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Abstract. Traditionally, service providers, who want to track the activities of Internet users, rely on explicit tracking techniques like HTTP cookies. From a privacy perspective behavior-based tracking is even more dangerous, because it allows service providers to track users passively, i. e., without cookies. In this case multiple sessions of a user are linked by exploiting characteristic patterns mined from network traffic. In this paper we study the feasibility of behavior-based tracking in a real-world setting, which is unknown so far. In principle, behavior-based tracking can be carried out by any attacker that can observe the activities of users on the Internet. We design and implement a behavior-based tracking technique that consists of a Naive Bayes classifier supported by a cosine similarity decision engine. We evaluate our technique using a large-scale dataset that contains all queries received by a DNS resolver that is used by more than 2100 concurrent users on average per day. Our technique is able to correctly link 88.2 % of the surfing sessions on a day-to-day basis. We also discuss various countermeasures that reduce the effectiveness of our technique.

show abstract

“…They have also been used for traffic analysis problems with success [21]. This technique combines the hostnames of n adjacent events to obtain a composite hostname.…”

Section: Transformation Of Frequency Vectorsmentioning

confidence: 99%

Tracking Users on the Internet with Behavioral Patterns: Evaluation of Its Practical Feasibility

Banse

Herrmann

Federrath

2012

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

show abstract

“…Considering the global variety of development platforms and the mobility of threats facilitated by the Internet, ensuring the external validity of this study relies substantially on reaching a critical mass of CFL files which represents abundant development platforms. Furthermore, it often does not suffice for a signature to be available-deployed signatures must be managed, distributed and kept upto-date by security administrators [16].…”

Section: Resultsmentioning

confidence: 99%

Auto-Sign: an automatic signature generator for high-speed malware filtering devices

Tahan¹,

Glezer²,

Elovici³

et al. 2009

J Comput Virol

View full text Add to dashboard Cite

This research proposes a novel automatic method (termed Auto-Sign) for extracting unique signatures of malware executables to be used by high-speed malware filtering devices based on deep-packet inspection and operating in real-time. Contrary to extant string and tokenbased signature generation methods, we implemented Auto-Sign an automatic signature generation method that can be used on large-size malware by disregarding signature candidates which appear in benign executables. Results from experimental evaluation of the proposed method suggest that picking a collection of executables which closely represents commonly used code, plays a key role in achieving highly specific signatures which yield low false positives.

show abstract

“…Based on the results from [24], and [26], and our own experiments, a set of 20 boundary symbols that provides the highest percentage of meaningful words for HTTP is defined. These 20 delimiters are:…”

Section: Methodsmentioning

confidence: 99%

“…The frequency analysis of multiple consecutive bytes, ngrams, in payload has been proposed in [25]. The use of payload words, seen as consecutive bytes separated by delimiters, to make a language model was considered in [26]. Authors of [27] take a different view and use HTTP GET request parameters and their values as the starting point for the model: the length, character positions, the structure, the values and existence of parameters are considered.…”

Section: Related Workmentioning

confidence: 99%