McPAD: A multiple classifier system for accurate payload-based anomaly detection

Authors:
Roberto Perdisci;Davide Ariu;Prahlad Fogla;Giorgio Giacinto;Wenke Lee
Affiliations:
Damballa, Inc., 817 West Peachtree St. NW, Suite A-110, Atlanta, 30308 GA, USA and College of Computing, Georgia Institute of Technology, Atlanta, 30308 GA, USA;Department of Electrical and Electronic Engineering, University of Cagliari, Piazza D'Armi, 09123 Cagliari, Italy;Google, Inc., Mountain View, CA 94043, USA;Department of Electrical and Electronic Engineering, University of Cagliari, Piazza D'Armi, 09123 Cagliari, Italy;College of Computing, Georgia Institute of Technology, Atlanta, 30308 GA, USA
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2009

Citing 26
Cited 20

On Combining Classifiers

IEEE Transactions on Pattern Analysis and Machine Intelligence
The base-rate fallacy and its implications for the difficulty of intrusion detection

CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
The 1999 DARPA off-line intrusion detection evaluation

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
Machine learning in automated text categorization

ACM Computing Surveys (CSUR)
Service specific anomaly detection for network intrusion detection

Proceedings of the 2002 ACM symposium on Applied computing
Text Categorization with Support Vector Machines. How to Represent Texts in Input Space?

Machine Learning
Defending Yourself: The Role of Intrusion Detection Systems

IEEE Software
Person Identification Using Multiple Cues

IEEE Transactions on Pattern Analysis and Machine Intelligence
Fusion of multiple classifiers for intrusion detection in computer networks

Pattern Recognition Letters
A divisive information theoretic feature clustering algorithm for text classification

The Journal of Machine Learning Research
Pattern Classification (2nd Edition)

Pattern Classification (2nd Edition)
Combining Pattern Classifiers: Methods and Algorithms

Combining Pattern Classifiers: Methods and Algorithms
The Shellcode Generation

IEEE Security and Privacy
Estimating the Support of a High-Dimensional Distribution

Neural Computation
Evading network anomaly detection systems: formal reasoning and practical techniques

Proceedings of the 13th ACM conference on Computer and communications security
Using an Ensemble of One-Class SVM Classifiers to Harden Payload-based Anomaly Detection Systems

ICDM '06 Proceedings of the Sixth International Conference on Data Mining
Polymorphic blending attacks

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Intrusion detection in computer networks by a modular ensemble of one-class classifiers

Information Fusion
On the infeasibility of modeling polymorphic shellcode

Proceedings of the 14th ACM conference on Computer and communications security
The use of the area under the ROC curve in the evaluation of machine learning algorithms

Pattern Recognition
Accurate buffer overflow detection via abstract payload execution

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Comparing anomaly detection techniques for HTTP

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Anomalous payload-based worm detection and signature generation

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
A fast static analysis approach to detect exploit code inside network flows

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Anagram: a content anomaly detector resistant to mimicry attack

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection

Network forensics based on fuzzy logic and expert system

Computer Communications
Active learning for network intrusion detection

Proceedings of the 2nd ACM workshop on Security and artificial intelligence
Multi-modality in one-class classification

Proceedings of the 19th international conference on World wide web
TokDoc: a self-healing web application firewall

Proceedings of the 2010 ACM Symposium on Applied Computing
Intrusion detection using GSAD model for HTTP traffic on web services

Proceedings of the 6th International Wireless Communications and Mobile Computing Conference
On mitigating sampling-induced accuracy loss in traffic anomaly detection systems

ACM SIGCOMM Computer Communication Review
Moving targets: when data classes depend on subjective judgement, or they are crafted by an adversary to mislead pattern analysis algorithms - the cases of content based image retrieval and adversarial classification

ICDM'10 Proceedings of the 10th industrial conference on Advances in data mining: applications and theoretical aspects
Approach based ensemble methods for better and faster intrusion detection

CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems
Session-based classification of internet applications in 3G wireless networks

Computer Networks: The International Journal of Computer and Telecommunications Networking
Anomaly detection using ensembles

MCS'11 Proceedings of the 10th international conference on Multiple classifier systems
A modular architecture for the analysis of HTTP payloads based on multiple classifiers

MCS'11 Proceedings of the 10th international conference on Multiple classifier systems
An efficient local region and clustering-based ensemble system for intrusion detection

Proceedings of the 15th Symposium on International Database Engineering & Applications
N-Gram against the machine: on the feasibility of the n-gram network analysis for binary protocols

RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Scalable fine-grained behavioral clustering of HTTP-based malware

Computer Networks: The International Journal of Computer and Telecommunications Networking
Review Article: RePIDS: A multi tier Real-time Payload-based Intrusion Detection System

Computer Networks: The International Journal of Computer and Telecommunications Networking
Toward supervised anomaly detection

Journal of Artificial Intelligence Research
Configuration-based IDS for advanced metering infrastructure

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
A close look on n-grams in intrusion detection: anomaly detection vs. classification

Proceedings of the 2013 ACM workshop on Artificial intelligence and security
Fusion of one-class classifiers for protocol-based anomaly detection in AODV-based mobile ad hoc networks

International Journal of Ad Hoc and Ubiquitous Computing
Classification of major construction materials in construction environments using ensemble classifiers

Advanced Engineering Informatics

Quantified Score

Hi-index	0.00

Visualization

Abstract

Anomaly-based network intrusion detection systems (IDS) are valuable tools for the defense-in-depth of computer networks. Unsupervised or unlabeled learning approaches for network anomaly detection have been recently proposed. Such anomaly-based network IDS are able to detect (unknown) zero-day attacks, although much care has to be dedicated to controlling the amount of false positives generated by the detection system. As a matter of fact, it is has been shown that the false positive rate is the true limiting factor for the performance of IDS, and that in order to substantially increase the Bayesian detection rate, P(Intrusion|Alarm), the IDS must have a very low false positive rate (e.g., as low as 10^-^5 or even lower). In this paper we present McPAD (multiple classifier payload-based anomaly detector), a new accurate payload-based anomaly detection system that consists of an ensemble of one-class classifiers. We show that our anomaly detector is very accurate in detecting network attacks that bear some form of shell-code in the malicious payload. This holds true even in the case of polymorphic attacks and for very low false positive rates. Furthermore, we experiment with advanced polymorphic blending attacks and we show that in some cases even in the presence of such sophisticated attacks and for a low false positive rate our IDS still has a relatively high detection rate.