A Modular Architecture for the Analysis of HTTP Payloads Based on Multiple Classifiers

  • Davide Ariu
  • Giorgio Giacinto
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6713)


In this paper we propose an Intrusion Detection System (IDS) for the detection of attacks against a web server. The system analyzes the requests received by a web server, and is based on a two-stages classification algorithm that heavily relies on the MCS paradigm. In the first stage the structure of the HTTP requests is modeled using several ensembles of Hidden Markov Models. Then, the outputs of these ensembles are combined using a one-class classification algorithm. We evaluated the system on several datasets of real traffic and real attacks. Experimental results, and comparisons with detection systems show the effectiveness of the proposed approach.


Anomaly Detection IDS HMM Payload Analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    RFC 2616 - Hypertext Transfer Protocol – HTTP/1.1(1999)Google Scholar
  2. 2.
    Ariu, D., Tronci, R., Giacinto HMMPayl, G.:HMMPayl: An intrusion detection system based on Hidden Markov Models. In: Computers & Security (in Press, 2011)Google Scholar
  3. 3.
    Baum, L.E., Petrie, T., Soules, G., Weiss, N.: A maximization technique occurring in the statistical analysis of probabilistic functions of markov chains. The Annals of Mathematical Statistics 41(1), 164–171 (1970)CrossRefzbMATHGoogle Scholar
  4. 4.
    Biggio, B., Fumera, G., Roli, F.: Multiple classifier systems for adversarial classification tasks. In: Benediktsson, J.A., Kittler, J., Roli, F. (eds.) MCS 2009. LNCS, vol. 5519, pp. 132–141. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  5. 5.
    Corona, I., Ariu, D., Giacinto, G.: HMM-Web: A framework for the detection of attacks against web applications. In: IEEE International Conference on Communications, Dresden, Germany (2009)Google Scholar
  6. 6.
    Kruegel, C., Vigna, G.: Anomaly detection of web-based attacks. In: ACM conference on Computer and Communications Security, New York, USA (2003)Google Scholar
  7. 7.
    Kruegel, C., Vigna, G., Robertson, W.: A multi-model approach to the detection of web-based attacks. Computer Networks 48(5), 717–738 (2005)CrossRefGoogle Scholar
  8. 8.
    Marcialis, G.L., Roli, F., Didaci, L.: Personal identity verification by serial fusion of fingerprint and face matchers. Pattern Recognition 42(11), 2807–2817 (2009)CrossRefzbMATHGoogle Scholar
  9. 9.
    Perdisci, R., Ariu, D., Fogla, P., Giacinto, G., Lee, W.: McPAD: A multiple classifier system for accurate payload-based anomaly detection. Computer Networks 53(6), 864–881 (2009)CrossRefzbMATHGoogle Scholar
  10. 10.
    Rabiner, L.R.: A tutorial on hidden markov models and selected applications in speech recognition. Proceedings of the IEEE 77(2), 257–286 (1989)CrossRefGoogle Scholar
  11. 11.
    Song, Y., Keromytis, A.D., Stolfo, S.J.: Spectrogram: A mixture-of-markov-chains model for anomaly detection in web traffic. In: NDSS, The Internet Society (2009)Google Scholar
  12. 12.
    Friedman, J., Hastie, T., Tibshirani, R.: The Elements of Statistical Learning: Data Mining, Inference, and Prediction, 2nd edn. Springer, Heidelberg (2009)zbMATHGoogle Scholar
  13. 13.
    Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 203–222. Springer, Heidelberg (2004)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Davide Ariu
    • 1
  • Giorgio Giacinto
    • 1
  1. 1.Department of Electrical and Electronic EngineeringUniversity of CagliariItaly

Personalised recommendations