Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

  • Ke Wang
  • Janak J. Parekh
  • Salvatore J. Stolfo
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4219)


In this paper, we present Anagram, a content anomaly detector that models a mixture of high-order n-grams (n > 1) designed to detect anomalous and “suspicious” network packet payloads. By using higher-order n-grams, Anagram can detect significant anomalous byte sequences and generate robust signatures of validated malicious packet content. The Anagram content models are implemented using highly efficient Bloom filters, reducing space requirements and enabling privacy-preserving cross-site correlation. The sensor models the distinct content flow of a network or host using a semi-supervised training regimen. Previously known exploits, extracted from the signatures of an IDS, are likewise modeled in a Bloom filter and are used during training as well as at detection time. We demonstrate that Anagram can identify anomalous traffic with high accuracy and low false positive rates. Anagram’s high-order n-gram analysis technique is also resilient against simple mimicry attacks that blend exploits with “normal”-appearing byte padding, such as the blended polymorphic attack recently demonstrated in [1]. We discuss randomized n-gram models, which further raise the bar and make it more difficult for attackers to build precise packet structures to evade Anagram even if they know the distribution of the local site content flow. Finally, Anagram’s speed and high detection rate make it valuable not only as a standalone sensor, but also as a network anomaly flow classifier in an instrumented fault-tolerant host-based environment; this enables significant cost amortization and the possibility of a “symbiotic” feedback loop that can improve accuracy and reduce false positive rates over time.
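The abstract describes the core mechanism: byte n-grams of payloads are stored in a Bloom filter during training, a second Bloom filter holds n-grams from known exploit content, and a packet is scored by how many of its n-grams the normal model has never seen. The following is an added illustration of that design, not the authors' implementation: the SHA-256-based Bloom filter, the n = 5 window, the scoring formula (weighted unseen n-grams over total n-grams) and the penalty factor `bad_weight` are all assumptions chosen for the example.

```python
import hashlib
from typing import Iterator


class BloomFilter:
    """Bit-array Bloom filter; k indices are carved from one SHA-256 digest (added example)."""
    def __init__(self, size_bits: int = 1 << 20, num_hashes: int = 3) -> None:
        self.size, self.k = size_bits, num_hashes
        self.bits = bytearray(size_bits // 8 + 1)

    def _positions(self, item: bytes) -> Iterator[int]:
        digest = hashlib.sha256(item).digest()
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.size

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        # No false negatives: anything added is always reported present.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def ngrams(payload: bytes, n: int) -> Iterator[bytes]:
    """Sliding window of byte n-grams over a packet payload."""
    return (payload[i:i + n] for i in range(len(payload) - n + 1))


class AnagramModel:
    """Normal-content model plus a bad-content model built from known exploit payloads."""
    def __init__(self, n: int = 5, bad_weight: int = 5) -> None:
        self.n, self.bad_weight = n, bad_weight  # bad_weight is an assumed penalty factor
        self.normal, self.bad = BloomFilter(), BloomFilter()

    def train_bad(self, payload: bytes) -> None:
        for g in ngrams(payload, self.n):
            self.bad.add(g)

    def train_normal(self, payload: bytes) -> None:
        for g in ngrams(payload, self.n):
            if g not in self.bad:  # semi-supervised: never learn content matching known exploits
                self.normal.add(g)

    def score(self, payload: bytes) -> float:
        """Weighted count of n-grams unseen in training, divided by the total n-gram count."""
        total = unseen = 0
        for g in ngrams(payload, self.n):
            total += 1
            if g not in self.normal:
                unseen += self.bad_weight if g in self.bad else 1
        return unseen / total if total else 0.0
```

A payload consisting entirely of n-grams seen in training scores 0.0, one made of never-seen bytes scores 1.0, and n-grams that also appear in the bad-content model push the score above 1.0, so an operator can threshold on it.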


Keywords: False Positive Rate, Intrusion Detection, Anomaly Detector, Bloom Filter, Content Flow




  1. Kolesnikov, O., Dagon, D., Lee, W.: Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic. In: USENIX Security Symposium, Vancouver, BC, Canada (2006)
  2. Moore, D., et al.: Internet Quarantine: Requirements for Containing Self-Propagating Code. In: INFOCOM (2003)
  3. Staniford-Chen, S., Paxson, V., Weaver, N.: How to 0wn the Internet in Your Spare Time. In: USENIX Security (2002)
  4. Christodorescu, M., Jha, S.: Static Analysis of Executables to Detect Malicious Patterns. In: USENIX Security Symposium, Washington, D.C. (2003)
  5. Vargiya, R., Chan, P.: Boundary Detection in Tokenizing Network Application Payload for Anomaly Detection. In: ICDM Workshop on Data Mining for Computer Security (DMSEC), Melbourne, FL (2003)
  6. Kruegel, C., et al.: Polymorphic Worm Detection Using Structural Information of Executables. In: Symposium on Recent Advances in Intrusion Detection, Seattle, WA (2005)
  7. Sekar, R., et al.: Specification-based Anomaly Detection: A New Approach for Detecting Network Intrusions. In: ACM Conference on Computer and Communications Security, Washington, D.C. (2002)
  8. Kruegel, C., Toth, T., Kirda, E.: Service Specific Anomaly Detection for Network Intrusion Detection. In: Symposium on Applied Computing (SAC), Madrid, Spain (2002)
  9. Wang, X., et al.: SigFree: A Signature-free Buffer Overflow Attack Blocker. In: USENIX Security, Boston, MA (2006)
  10. Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 203–222. Springer, Heidelberg (2004)
  11. Wang, K., Cretu, G., Stolfo, S.J.: Anomalous payload-based worm detection and signature generation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 227–246. Springer, Heidelberg (2006)
  12. SourceFire Inc.: Snort rulesets (2006), [cited April 4, 2006], Available from:
  13. Locasto, M.E., Sidiroglou, S., Keromytis, A.D.: Application Communities: Using Monoculture for Dependability. In: HotDep (2005)
  14. Locasto, M.E., Sidiroglou, S., Keromytis, A.D.: Software Self-Healing Using Collaborative Application Communities. In: Internet Society (ISOC) Symposium on Network and Distributed Systems Security, San Diego, CA (2006)
  15. Marceau, C.: Characterizing the Behavior of a Program Using Multiple-Length N-grams. In: New Security Paradigms Workshop, Cork, Ireland (2000)
  16. Forrest, S., et al.: A Sense of Self for Unix Processes. In: IEEE Symposium on Security and Privacy (1996)
  17. Tan, K.M.C., Maxion, R.A.: Why 6? Defining the Operational Limits of stide, an Anomaly-Based Intrusion Detector. In: IEEE Symposium on Security and Privacy, Berkeley, CA (2002)
  18. Crandall, J.R., et al.: On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In: ACM Conference on Computer and Communications Security, Alexandria, VA (2005)
  19. Newsome, J., Karp, B., Song, D.: Polygraph: Automatically Generating Signatures for Polymorphic Worms. In: IEEE Symposium on Security and Privacy, Oakland, CA (2005)
  20. Singh, S., et al.: Automated Worm Fingerprinting. In: 6th Symposium on Operating Systems Design and Implementation (OSDI 2004), San Francisco, CA (2004)
  21. Bloom, B.H.: Space/time trade-offs in Hash Coding with Allowable Errors. Communications of the ACM 13(7), 422–426 (1970)
  22. Naor, M., Yung, M.: Universal One-Way Hash Functions and their Cryptographic Applications. In: ACM Symposium on Theory of Computing, Seattle, WA (1989)
  23. Parekh, J.J., Wang, K., Stolfo, S.J.: Privacy-Preserving Payload-Based Correlation for Accurate Malicious Traffic Detection. In: Large-Scale Attack Detection, Workshop at SIGCOMM, Pisa, Italy (2006)
  24. Detristan, T., et al.: Polymorphic Shellcode Engine Using Spectrum Analysis. Phrack (2003), [cited March 28, 2006], Available from:
  25. Barreno, M., et al.: Can Machine Learning Be Secure? In: ASIACCS (2006)
  26. Cowan, C., et al.: StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In: USENIX Security Symposium, San Antonio, TX (1998)
  27. Sidiroglou, S., et al.: Building a Reactive Immune System for Software Services. In: USENIX Annual Technical Conference, Anaheim, CA (2005)
  28. Sidiroglou, S., Giovanidis, G., Keromytis, A.D.: A Dynamic Mechanism for Recovering from Buffer Overflow Attacks. In: 8th Information Security Conference, Singapore (2005)
  29. Locasto, M.E., Wang, K., Keromytis, A.D., Stolfo, S.J.: FLIPS: Hybrid adaptive intrusion prevention. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 82–101. Springer, Heidelberg (2006)
  30. Locasto, M.E., Burnside, M., Keromytis, A.D.: Bloodhound: Searching Out Malicious Input in Network Flows for Automatic Repair Validation. Columbia University Department of Computer Science, New York, NY (2006)
  31. Kreibich, C., Crowcroft, J.: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots. In: ACM Workshop on Hot Topics in Networks, Boston, MA (2003)
  32. Singh, S., et al.: The EarlyBird System for Real-Time Detection of Unknown Worms. In: ACM Workshop on Hot Topics in Networks, Boston, MA (2003)
  33. Kim, H.-A., Karp, B.: Autograph: Toward Automated, Distributed Worm Signature Detection. In: USENIX Security Symposium, San Diego, CA (2004)
  34. Wang, H.J., et al.: Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits. In: ACM SIGCOMM (2004)
  35. Liang, Z., Sekar, R.: Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers. In: ACM Conference on Computer and Communications Security, Alexandria, VA (2005)
  36. K2: ADMmutate (2001), [cited March 29, 2006], Available from:
  37. Wagner, D., Dean, D.: Intrusion Detection via Static Analysis. In: IEEE Symposium on Security and Privacy, Oakland, CA (2001)
  38. Wagner, D., Soto, P.: Mimicry Attacks on Host-Based Intrusion Detection Systems. In: ACM CCS (2002)
  39. Tan, K.M.C., Killourhy, K.S., Maxion, R.A.: Undermining an anomaly-based intrusion detection system using common exploits. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, p. 54. Springer, Heidelberg (2002)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ke Wang (1)
  • Janak J. Parekh (1)
  • Salvatore J. Stolfo (1)
  1. Computer Science Department, Columbia University, New York