
McPAD: A multiple classifier system for accurate payload-based anomaly detection

Published: 23 April 2009 Publication History

Abstract

Anomaly-based network intrusion detection systems (IDS) are valuable tools for the defense-in-depth of computer networks. Unsupervised (unlabeled) learning approaches for network anomaly detection have recently been proposed. Such anomaly-based network IDS are able to detect unknown (zero-day) attacks, although much care must be taken to control the number of false positives the detection system generates. It has been shown that the false positive rate is the true limiting factor for IDS performance: to substantially increase the Bayesian detection rate P(Intrusion|Alarm), the IDS must have a very low false positive rate (e.g., as low as 10^-5 or even lower). In this paper we present McPAD (Multiple Classifier Payload-based Anomaly Detector), a new accurate payload-based anomaly detection system that consists of an ensemble of one-class classifiers. We show that our anomaly detector is very accurate in detecting network attacks that carry some form of shellcode in the malicious payload. This holds true even for polymorphic attacks and at very low false positive rates. Furthermore, we experiment with advanced polymorphic blending attacks and show that in some cases, even in the presence of such sophisticated attacks and at a low false positive rate, our IDS still achieves a relatively high detection rate.
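The two points the abstract rests on, that P(Intrusion|Alarm) collapses unless the false positive rate is tiny, and that an ensemble of one-class models over payload content can be thresholded at a target false positive rate, are illustrated by the following added example. It is not the McPAD paper's code: a centroid-distance model stands in for the paper's one-class SVMs, the byte-pair features with a variable gap are an assumed simplification, the fusion rule is a plain average, the prior P(Intrusion) = 1e-5 is an illustrative assumption, and every payload (the benign HTTP requests and the NOP-sled request standing in for shellcode) is constructed here rather than captured traffic.

```python
"""Added example, not code from the McPAD paper: a toy payload anomaly detector
built as an ensemble of one-class models over byte-pair features, with its alarm
threshold calibrated to a target false-positive rate, plus the Bayesian detection
rate P(Intrusion|Alarm) that a given false-positive rate implies.
Assumptions: centroid distance stands in for a one-class SVM, the gapped byte-pair
features are a simplification, and all payloads below are constructed."""
import math
from collections import Counter


def bayesian_detection_rate(tpr: float, fpr: float, base_rate: float) -> float:
    """P(Intrusion | Alarm) by Bayes' rule from P(Alarm | Intrusion) = tpr,
    P(Alarm | No intrusion) = fpr and the prior P(Intrusion) = base_rate."""
    num = tpr * base_rate
    den = num + fpr * (1.0 - base_rate)
    return num / den if den else 0.0


def pair_features(payload: bytes, gap: int) -> dict:
    """Relative frequency of byte pairs (payload[i], payload[i + gap]); gap=1 is
    the ordinary 2-gram, larger gaps give another view of the same payload."""
    n = len(payload) - gap
    if n <= 0:
        return {}
    counts = Counter((payload[i], payload[i + gap]) for i in range(n))
    return {pair: c / n for pair, c in counts.items()}


class CentroidOneClass:
    """One-class model (assumed simplification): Euclidean distance from the
    mean feature vector of normal traffic; larger distance = more anomalous."""

    def __init__(self, gap: int):
        self.gap = gap
        self.centroid: dict = {}

    def fit(self, normal_payloads):
        acc = Counter()
        for p in normal_payloads:
            acc.update(pair_features(p, self.gap))
        self.centroid = {k: v / len(normal_payloads) for k, v in acc.items()}
        return self

    def score(self, payload: bytes) -> float:
        f = pair_features(payload, self.gap)
        keys = set(f) | set(self.centroid)
        return math.sqrt(sum((f.get(k, 0.0) - self.centroid.get(k, 0.0)) ** 2
                             for k in keys))


class EnsembleDetector:
    """Averages the per-gap one-class scores (a simple fusion rule) and alarms
    above a threshold chosen so that at most target_fpr of the normal payloads
    used for calibration would alarm."""

    def __init__(self, gaps=(1, 2, 3)):
        self.models = [CentroidOneClass(g) for g in gaps]
        self.threshold = math.inf

    def combined_score(self, payload: bytes) -> float:
        return sum(m.score(payload) for m in self.models) / len(self.models)

    def fit(self, normal_payloads, target_fpr: float):
        for m in self.models:
            m.fit(normal_payloads)
        scores = sorted(self.combined_score(p) for p in normal_payloads)
        # Threshold at the (1 - target_fpr) empirical quantile of normal scores,
        # so the fraction of normal payloads scoring above it is <= target_fpr.
        k = math.ceil((1.0 - target_fpr) * len(scores)) - 1
        self.threshold = scores[min(max(k, 0), len(scores) - 1)]
        return self

    def is_anomalous(self, payload: bytes) -> bool:
        return self.combined_score(payload) > self.threshold


def measured_fpr(detector: EnsembleDetector, normal_payloads) -> float:
    """Fraction of normal payloads that raise an alarm."""
    return sum(detector.is_anomalous(p) for p in normal_payloads) / len(normal_payloads)


# Constructed sample traffic (not captured data): benign HTTP requests sharing a
# template, and a request whose path carries a NOP sled plus non-printable bytes
# as a stand-in for shellcode (not a working exploit).
_TEMPLATE = (b"GET /%s HTTP/1.1\r\nHost: www.example.com\r\n"
             b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")
NORMAL_PAYLOADS = [_TEMPLATE % path for path in (
    b"index.html", b"about.html", b"images/logo.png", b"css/site.css",
    b"js/app.js", b"news/2009/04/23.html", b"contact", b"search?q=payload",
    b"docs/mcpad.pdf", b"login")]
UNSEEN_BENIGN = _TEMPLATE % b"products/list.html"
ATTACK_PAYLOAD = _TEMPLATE % (b"\x90" * 200 + bytes(range(0x80, 0xa0)))

if __name__ == "__main__":
    det = EnsembleDetector().fit(NORMAL_PAYLOADS, target_fpr=0.1)
    print("attack flagged:", det.is_anomalous(ATTACK_PAYLOAD),
          "unseen benign flagged:", det.is_anomalous(UNSEEN_BENIGN))
    for fpr in (1e-2, 1e-3, 1e-5):   # assumed prior P(Intrusion) = 1e-5
        print(f"FPR={fpr:g}: P(Intrusion|Alarm)="
              f"{bayesian_detection_rate(1.0, fpr, 1e-5):.4f}")
```

Two things to note when running it. First, with a prior of 1e-5 even a perfect detector (tpr = 1.0) yields P(Intrusion|Alarm) of roughly 0.01 at a 1e-3 false positive rate and only reaches about 0.5 at 1e-5, which is the base-rate argument behind the abstract's requirement. Second, the threshold is calibrated on the same payloads the centroids were fitted on, which is fine for a toy but optimistic in practice: calibrate on held-out normal traffic, and remember that a target of 1e-5 needs well over 100,000 normal payloads before the empirical quantile means anything.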

References

[1]
Arce, I., The shellcode generation. IEEE Security and Privacy. v2 i5. 72-76.
[2]
S. Axelsson, The base-rate fallacy and its implications for the difficulty of intrusion detection, in: CCS'99: Proceedings of the Sixth ACM Conference on Computer and Communications Security, 1999, pp. 1-7.
[3]
Bradley, A.P., The use of the area under the roc curve in the evaluation of machine learning algorithms. Pattern Recognition. v30 i7. 1145-1159.
[4]
Brunelli, R. and Falavigna, D., Person identification using multiple cues. IEEE Transaction on Pattern Analysis and Machine Intelligence. v17 i10. 955-966.
[5]
R. Chinchani, E.V.D. Berg, A fast static analysis approach to detect exploit code inside network flows, in: Recent Advances in Intrusion Detection (RAID), 2005.
[6]
L.P. Cordella, A. Limongiello, C. Sansone, Network intrusion detection by a multi-stage classification system, in: Multiple Classifier Systems (MCS), 2004, pp. 324-333.
[7]
C. Cortes, M. Mohri, Confidence intervals for the area under the roc curve, in: NIPS 2004: Advances in Neural Information Processing Systems, 2004.
[8]
T. Detristan, T. Ulenspiegel, Y. Malcom, M. Underduk, Polymorphic shellcode engine using spectrum analysis, Phrack Issue 0x3d, 2003.
[9]
Dhillon, I.S., Mallela, S. and Kumar, R., A divisive information-theoretic feature clustering algorithm for text classification. Journal of Machine Learning Research. v3. 1265-1287.
[10]
T.G. Dietterich, Ensemble methods in machine learning, in: Multiple Classifier Systems (MCS), 2000.
[11]
Duda, R.O., Hart, P.E. and Stork, D.G., Pattern Classification. 2000. Wiley.
[12]
Eskin, E., Arnold, A., Prerau, M., Portnoy, L. and Stolfo, S., A geometric framework for unsupervised anomaly detection: detecting intrusions in unlabeled data. In: Barbara, D., Jajodia, S. (Eds.), Applications of Data Mining in Computer Security, Kluwer.
[13]
P. Fogla, W. Lee, Evading network anomaly detection systems: formal reasoning and practical techniques, in: CCS'06: Proceedings of the 13th ACM Conference on Computer and Communications Security, 2006, pp. 59-68.
[14]
P. Fogla, M. Sharif, R. Perdisci, O.M. Kolesnikov, W. Lee, Polymorphic blending attack, in: USENIX Security Symposium, 2006.
[15]
Giacinto, G., Perdisci, R., Del Rio, M. and Roli, F., Intrusion detection in computer networks by a modular ensemble of one-class classifiers. Information Fusion. v9 i1. 69-82.
[16]
Giacinto, G., Roli, F. and Didaci, L., Fusion of multiple classifiers for intrusion detection in computer networks. Pattern Recognition Letters. v24 i12. 1795-1803.
[17]
K.L. Ingham, H. Inoue, Comparing anomaly detection techniques for HTTP, in: Recent Advances in Intrusion Detection (RAID), 2007.
[18]
Kittler, J., Hatef, M., Duin, R.P.W. and Matas, J., On combining classifiers. IEEE Transactions Pattern Analysis and Machine Intelligence. v20 i3. 226-239.
[19]
C. Kruegel, T. Toth, E. Kirda, Service specific anomaly detection for network intrusion detection, in: ACM Symposium on Applied Computing (SAC), 2002.
[20]
Kuncheva, L.I., Combining Pattern Classifiers: Methods and Algorithms. 2004. Wiley.
[21]
Leopold, E. and Kindermann, J., Text categorization with support vector machines. How to represent texts in input space?. Machine Learning. v46. 423-444.
[22]
Lippmann, R., Haines, J.W., Fried, D.J., Korba, J. and Das, K., The 1999 darpa off-line intrusion detection evaluation. Computer Networks. v34 i4. 579-595.
[23]
M.V. Mahoney, P.K. Chan, An analysis of the 1999 darpa lincoln laboratory evaluation data for network anomaly detection, in: Recent Advances in Intrusion Detection (RAID), 2003.
[24]
McHugh, J., Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security. v3 i4. 262-294.
[25]
McHugh, J., Christie, A. and Allen, J., Defending yourself: The role of intrusion detection systems. IEEE Software. 42-51.
[26]
R. Perdisci, G. Gu, W. Lee, Using an ensemble of one-class svm classifiers to harden payload-based anomaly detection systems, in: ICDM'06: Proceedings of the Sixth International Conference on Data Mining, 2006, pp. 488-498.
[27]
L. Portnoy, E. Eskin, S. Stolfo, Intrusion detection with unlabeled data using clustering, in: ACM CSS Workshop on Data Mining Applied to Security, 2001.
[28]
Schölkopf, B., Platt, J., Shawe-Taylor, J., Smola, A.J. and Williamson, R.C., Estimating the support of a high-dimensional distribution. Neural Computation. v13. 1443-1471.
[29]
Sebastiani, F., Machine learning in automated text categorization. ACM Computing Surveys. v34 i1. 1-47.
[30]
Y. Song, M.E. Locasto, A. Stavrou, A.D. Keromytis, S.J. Stolfo, On the infeasibility of modeling polymorphic shellcode, in: CCS'07: Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007.
[31]
D.M.J. Tax, One-Class Classification, Concept Learning in the Absence of Counter Examples. Ph.D. Thesis, Delft University of Technology, Delft, Netherland, 2001.
[32]
D.M.J. Tax, R.P.W. Duin, Combining one-class classifiers, in: Multiple Classifier Systems (MCS), 2001.
[33]
T. Toth, C. Kruegel, Accurate buffer overflow detection via abstract payload execution, in: Recent Advances in Intrusion Detection (RAID), 2002.
[34]
Vapnik, V., Statistical Learning Theory. 1998. Wiley.
[35]
K. Wang, S. Stolfo, Anomalous payload-based network intrusion detection, in: Recent Advances in Intrusion Detection (RAID), 2004.
[36]
K. Wang, S. Stolfo, Anomalous payload-based worm detection and signature generation, in: Recent Advances in Intrusion Detection (RAID), 2005.
[37]
K. Wang, S. Stolfo, Anagram: a content anomaly detector resistant to mimicry attack, in: Recent Advances in Intrusion Detection (RAID), 2006.

Cited By

View all
  • (2023)P3 AD: Privacy-Preserved Payload Anomaly Detection for Industrial Internet of ThingsIEEE Transactions on Network and Service Management10.1109/TNSM.2023.327386020:4(5103-5114)Online publication date: 1-Dec-2023
  • (2022)Traffic Monitoring and Malicious Detection Multidimensional PCAP Data Using Optimized LSTM RNNInternational Journal of Information Security and Privacy10.4018/IJISP.30831216:2(1-22)Online publication date: 9-Sep-2022
  • (2022)Taurus: a data plane architecture for per-packet MLProceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems10.1145/3503222.3507726(1099-1114)Online publication date: 28-Feb-2022
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

Publisher

Elsevier North-Holland, Inc.

United States

Author Tags

  1. Anomaly detection
  2. Multiple classifiers
  3. Network intrusion detection
  4. One-class SVM
  5. Shell-code attacks

Qualifiers

  • Article

Cited By

  • (2023) P3 AD: Privacy-Preserved Payload Anomaly Detection for Industrial Internet of Things. IEEE Transactions on Network and Service Management 20(4), 5103-5114. doi:10.1109/TNSM.2023.3273860. Online publication date: 1 Dec 2023.
  • (2022) Traffic Monitoring and Malicious Detection Multidimensional PCAP Data Using Optimized LSTM RNN. International Journal of Information Security and Privacy 16(2), 1-22. doi:10.4018/IJISP.308312. Online publication date: 9 Sep 2022.
  • (2022) Taurus: a data plane architecture for per-packet ML. Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, 1099-1114. doi:10.1145/3503222.3507726. Online publication date: 28 Feb 2022.
  • (2022) A content-based deep intrusion detection system. International Journal of Information Security 21(3), 547-562. doi:10.1007/s10207-021-00567-2. Online publication date: 1 Jun 2022.
  • (2021) A Novel Model for Anomaly Detection in Network Traffic Based on Support Vector Machine and Clustering. Security and Communication Networks 2021. doi:10.1155/2021/2170788. Online publication date: 1 Jan 2021.
  • (2020) BLATTA. Security and Communication Networks 2020. doi:10.1155/2020/8826038. Online publication date: 1 Jan 2020.
  • (2020) Survey of Network Intrusion Detection Methods From the Perspective of the Knowledge Discovery in Databases Process. IEEE Transactions on Network and Service Management 17(4), 2451-2479. doi:10.1109/TNSM.2020.3016246. Online publication date: 1 Dec 2020.
  • (2020) A GP-based ensemble classification framework for time-changing streams of intrusion detection data. Soft Computing - A Fusion of Foundations, Methodologies and Applications 24(23), 17541-17560. doi:10.1007/s00500-020-05200-3. Online publication date: 1 Dec 2020.
  • (2019) Multiclass Classification Procedure for Detecting Attacks on MQTT-IoT Protocol. Complexity 2019. doi:10.1155/2019/6516253. Online publication date: 7 Apr 2019.
  • (2019) Practical Employment of Granular Computing to Complex Application Layer Cyberattack Detection. Complexity 2019. doi:10.1155/2019/5826737. Online publication date: 1 Jan 2019.
