Anomaly-based network intrusion detection systems (IDS) are valuable tools for the defense-in-depth of computer networks. Unsupervised or unlabeled learning approaches for network anomaly detection have recently been proposed. Such anomaly-based network IDS are able to detect (unknown) zero-day attacks, although much care has to be dedicated to controlling the number of false positives generated by the detection system. As a matter of fact, it has been shown that the false positive rate is the true limiting factor for the performance of IDS, and that in order to substantially increase the Bayesian detection rate, P(Intrusion|Alarm), the IDS must have a very low false positive rate (e.g., as low as 10^-5 or even lower). In this paper we present McPAD (Multiple Classifier Payload-based Anomaly Detector), a new accurate payload-based anomaly detection system that consists of an ensemble of one-class classifiers. We show that our anomaly detector is very accurate in detecting network attacks that bear some form of shellcode in the malicious payload. This holds true even in the case of polymorphic attacks and for very low false positive rates. Furthermore, we experiment with advanced polymorphic blending attacks and we show that in some cases, even in the presence of such sophisticated attacks and at a low false positive rate, our IDS still has a relatively high detection rate.
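The abstract's claim about P(Intrusion|Alarm) follows from Bayes' rule. As an added illustration, not code from the McPAD paper or this page, the following Python computes the Bayesian detection rate for an assumed base rate of attacks and sweeps the false positive rate to show why a detector needs a rate near 10^-5 before most alarms are real:

```python
# Added example: the base-rate argument behind the abstract's P(Intrusion|Alarm)
# claim. Not part of the McPAD paper; the base rate used below is an assumption.
from typing import List, Tuple


def bayesian_detection_rate(detection_rate: float,
                            false_positive_rate: float,
                            base_rate: float) -> float:
    """P(Intrusion|Alarm) by Bayes' rule.

    detection_rate      = P(Alarm | Intrusion)
    false_positive_rate = P(Alarm | No intrusion)
    base_rate           = P(Intrusion), the prior fraction of events that are attacks
    """
    if not (0.0 <= detection_rate <= 1.0 and 0.0 <= false_positive_rate <= 1.0):
        raise ValueError("detection_rate and false_positive_rate must be probabilities")
    if not (0.0 < base_rate < 1.0):
        raise ValueError("base_rate must lie strictly inside (0, 1)")
    true_alarms = detection_rate * base_rate            # alarms that are real attacks
    false_alarms = false_positive_rate * (1.0 - base_rate)  # alarms on benign traffic
    if true_alarms + false_alarms == 0.0:
        return 0.0  # the detector never raises an alarm, so no alarm is ever useful
    return true_alarms / (true_alarms + false_alarms)


def sweep_false_positive_rate(detection_rate: float, base_rate: float,
                              fprs: List[float]) -> List[Tuple[float, float]]:
    """Return (false_positive_rate, P(Intrusion|Alarm)) pairs for each FPR in fprs."""
    return [(fpr, bayesian_detection_rate(detection_rate, fpr, base_rate)) for fpr in fprs]


if __name__ == "__main__":
    # Assumed (constructed) prior: one attack per 100,000 inspected payloads.
    BASE_RATE = 1e-5
    # Even with a perfect detection rate, the fraction of alarms that are real
    # attacks stays below 1% until the false positive rate drops to ~1e-4.
    for fpr, p in sweep_false_positive_rate(1.0, BASE_RATE, [1e-2, 1e-3, 1e-4, 1e-5, 1e-6]):
        print(f"FPR={fpr:.0e}  P(Intrusion|Alarm)={p:.4f}")
```

With the assumed base rate, a false positive rate equal to the base rate (10^-5) yields P(Intrusion|Alarm) of only about 0.5, which is the situation the abstract describes.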