Rangegram: A novel payload based anomaly detection technique against web traffic

Swarnkar, Mayank; Hubballi, Neminath

doi:10.1109/ants.2015.7413635

Cited by 10 publications

(5 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Unlike the previous studies [4]- [8], [11]- [13], [22], [23], [23]- [27], PayloadEmbeddings can extract contextual information from payloads. Each byte in a payload is transformed into a vector space by maximizing the log probability…”

Section: Other Techniquesmentioning

confidence: 98%

“…The authors propose a knowledge-based data structure named Probability Tree to store the occurrence probability range of n-grams from normal payloads. RANGEGRAM [8] considers the maximum and minimum occurrence frequency of n-grams to detect zero-day attacks against web traffic. A database is generated from the n-grams of normal traces.…”

Section: A Traditional Feature Extraction Techniquesmentioning

confidence: 99%

“…McPAD [6] uses a 2 v -gram technique to extract features from payloads. OCPAD [7], RANGEGRAM [8], HMMPayl [9] also use n-grams to extract features. Williams et al [10] extracted 22 traffic-related statistical features from payloads.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Intrusion Detection Using Payload Embeddings

et al. 2022

View full text Add to dashboard Cite

Attacks launched over the Internet often degrade or disrupt the quality of online services. Various Intrusion Detection Systems (IDSs), with or without prevention capabilities, have been proposed to defend networks or hosts against such attacks. While most of these IDSs extract features from the packet headers to detect any irregularities in the network traffic, some others use payloads alongside the headers. In this study, we propose a payload-based intrusion detection scheme, PayloadEmbeddings, using byte embeddings of the payloads of network packets. We employ a shallow neural network to generate vector representations for bytes and their corresponding payloads. Our feature extraction technique is coupled with the k-Nearest Neighbours (kNN) algorithm for the classification of packets as intrusive or non-intrusive.In our experiments, we evaluated 34 publicly available datasets, and used ten distinct payload-based, labeled intrusion detection datasets to train and evaluate our approach. Our empirical results show that PayloadEmbeddings reaches between 75% and 99% accuracy across all datasets. Finally, we compare our approach to other state-of-the-art and traditional intrusion detection techniques. Our findings suggest that PayloadEmbeddings demonstrates significant advantages over the other techniques on most of the datasets.

show abstract

Section: Other Techniquesmentioning

confidence: 98%

Section: A Traditional Feature Extraction Techniquesmentioning

confidence: 99%

See 1 more Smart Citation

Intrusion Detection Using Payload Embeddings

et al. 2022

View full text Add to dashboard Cite

show abstract

“…Gupta et al 19 analyzed that large-scale and Internet processing requirements usually make it more demanding to analyze anomalies than in non-sequential information. In Wang et al, 20 Swarnkar and Hubballi, 21 and Wang and Stolfo, 22 the sequential IDSs are suggested for the detection of anomalous sequences containing subsections of which their inherent frequency is unexpected. The latest is an IDS known as Rangegram, 23 which effectively produces a Normality model within ordinary sequences of the high-order n-grams with a maximum and minimum range of frequency.…”

Section: Related Workmentioning

confidence: 99%

Soft-computing-based false alarm reduction for hierarchical data of intrusion detection system

Singh

Krishnamoorthy

Nayyar

et al. 2019

International Journal of Distributed Sensor Networks

View full text Add to dashboard Cite

A false alarm rate of online anomaly-based intrusion detection system is a crucial concern. It is challenging to implement in the real-world scenarios when these anomalies occur sporadically. The existing intrusion detection system has been developed to limit or decrease the false alarm rate. However, the state-of-the-art approaches are attack or algorithm specific, which is not generic. In this article, a soft-computing-based approach has been designed to reduce the false-positive rate for hierarchical data of anomaly-based intrusion detection system. The recurrent neural network model is applied to classify the data set of intrusion detection system and normal instances for various subclasses. The designed approach is more practical, reason being, it does not require any assumption or knowledge of the data set structure. Experimental evaluation is conducted on various attacks on KDDCup’99 and NSL-KDD data sets. The proposed method enhances the intrusion detection systems that can work with data with dependent and independent features. Furthermore, this approach is also beneficial for real-life scenarios with a low occurrence of attacks.

show abstract

“…(ii) Intrusion Detection Systems: These systems model HTTP requests either by breaking them into short sequences or by generating signatures corresponding to various attacks. PAYL [9], Anagram [8], Layergram [4], Rangegram [7] are anomaly detection systems which model short sequences (n-grams) generated from web requests and use a rating function to rate web requests to classify them as belonging to attacks or normal. PAYL [9] generates a score using frequency count of each possible byte (256) as features.…”

Section: Introductionmentioning

confidence: 99%

POSTER: Towards Automating Detection of Anomalous HTTP Requests with Joint Probability Estimation of Characters

Khandait

Hubballi

Franke

2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Web applications are often exploited using different techniques like injection, buffer overflow, etc. An HTTP request carrying such malicious content will be different from a normal request. In this paper we propose to detect such anomalous HTTP requests using regular expression based signatures. These signatures are generated using character combinations specifically identified from known malicious requests. We identify certain characters which are useful for differentiating normal and anomalous requests using their frequency value comparison and subsequently select those combinations which have high chances of appearing together by estimating their joint probability values. We experiment with few sample attack types and show that proposed method can identify anomalous HTTP requests.

show abstract

Rangegram: A novel payload based anomaly detection technique against web traffic

Cited by 10 publications

References 22 publications

Intrusion Detection Using Payload Embeddings

Intrusion Detection Using Payload Embeddings

Soft-computing-based false alarm reduction for hierarchical data of intrusion detection system

POSTER: Towards Automating Detection of Anomalous HTTP Requests with Joint Probability Estimation of Characters

Contact Info

Product

Resources

About