Detecting zero-day attacks using context-aware anomaly detection at the application-layer

  • Patrick Duessel
  • Christian Gehl
  • Ulrich Flegel
  • Sven Dietrich
  • Michael Meier
Regular Contribution

DOI: 10.1007/s10207-016-0344-y

Cite this article as:
Duessel, P., Gehl, C., Flegel, U. et al. Int. J. Inf. Secur. (2016). doi:10.1007/s10207-016-0344-y


Anomaly detection allows for the identification of unknown and novel attacks in network traffic. However, current approaches for anomaly detection of network packet payloads are limited to the analysis of plain byte sequences. Experiments have shown that application-layer attacks become difficult to detect in the presence of attack obfuscation using payload customization. The ability to incorporate syntactic context into anomaly detection provides valuable information and increases detection accuracy. In this contribution, we address the issue of incorporating protocol context into payload-based anomaly detection. We present a new data representation, called \({c}_n\)-grams, that allows to integrate syntactic and sequential features of payloads in an unified feature space and provides the basis for context-aware detection of network intrusions. We conduct experiments on both text-based and binary application-layer protocols which demonstrate superior accuracy on the detection of various types of attacks over regular anomaly detection methods. Furthermore, we show how \({c}_n\)-grams can be used to interpret detected anomalies and thus, provide explainable decisions in practice.


Intrusion detection Machine learning Anomaly detection Protocol analysis Deep packet inspection 

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  1. 1.University of Bonn, Institute of Computer Science 4BonnGermany
  2. 2.Trifense GmbH - Intelligent Network DefenseVeltenGermany
  3. 3.Infineon Technologies AGNeubibergGermany
  4. 4.CUNY John Jay College of Criminal Justice, Mathematics and Computer Science DepartmentNew YorkUSA

Personalised recommendations