A Modular Architecture for the Analysis of HTTP Payloads Based on Multiple Classifiers
In this paper we propose an Intrusion Detection System (IDS) for the detection of attacks against a web server. The system analyzes the requests received by a web server, and is based on a two-stage classification algorithm that relies heavily on the Multiple Classifier System (MCS) paradigm. In the first stage, the structure of the HTTP requests is modeled using several ensembles of Hidden Markov Models. Then, the outputs of these ensembles are combined using a one-class classification algorithm. We evaluated the system on several datasets of real traffic and real attacks. Experimental results and comparisons with state-of-the-art detection systems show the effectiveness of the proposed approach.
Keywords: Anomaly Detection, IDS, HMM, Payload Analysis