N3: A Geometrical Approach for Network Intrusion Detection at the Application Layer
In this work, a novel approach to anomaly-based network intrusion detection at the application layer is presented. The problem of identifying anomalous payloads is addressed by using a technique based on the modelling of short sequences of adjoining bytes in the requests destined to a given service. Upon this theoretical framework, we propose an algorithm that assigns an anomaly score to each service request on the basis of its similarity with a previously established model of normality. The introduced approach has been evaluated by considering datasets composed of HTTP and DNS traffic. Thus, a large number of attacks related to such services has been gathered, and detailed experimental results concerning the detection capability of the proposed system are shown. The experiments demonstrate that our approach yields a very high detection rate with a low level of false alarms.