Service specific anomaly detection for network intrusion detection
Proceedings of the 2002 ACM symposium on Applied computing
Content Based File Type Detection Algorithms
HICSS '03 Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9 - Volume 9
Enhancing byte-level network intrusion detection signatures with context
Proceedings of the 10th ACM conference on Computer and communications security
POSEIDON: a 2-tier Anomaly-based Network Intrusion Detection System
IWIA '06 Proceedings of the Fourth IEEE International Workshop on Information Assurance
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
SigFree: a signature-free buffer overflow attack blocker
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Statistical Disk Cluster Classification for File Carving
IAS '07 Proceedings of the Third International Symposium on Information Assurance and Security
BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
ULISSE, a network intrusion detection system
Proceedings of the 4th annual workshop on Cyber security and information intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead
A Study of Malcode-Bearing Documents
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Embedded Malware Detection Using Markov n-Grams
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Anagram: a content anomaly detector resistant to mimicry attack
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Predicting the types of file fragments
Digital Investigation: The International Journal of Digital Forensics & Incident Response
| Hi-index | 0.00 |
Many existing schemes for malware detection are signature-based. Although they can effectively detect known malwares, they cannot detect variants of known malwares or new ones. Most network servers do not expect executable code in their in-bound network traffic, such as on-line shopping malls, Picasa, Youtube, Blogger, etc. Therefore, such network applications can be protected from malware infection by monitoring their ports to see if incoming packets contain any executable contents. This paper proposes a content-classification scheme that identifies executable content in incoming packets. The proposed scheme analyzes the packet payload in two steps. It first analyzes the packet payload to see if it contains multimedia-type data (such as $${{\tt avi, wmv, jpg})}$$ . If not, then it classifies the payload either as text-type (such as $${{\tt txt, jsp, asp})}$$ or executable. Although in our experiments the proposed scheme shows a low rate of false negatives and positives (4.69% and 2.53%, respectively), the presence of inaccuracies still requires further inspection to efficiently detect the occurrence of malware. In this paper, we also propose simple statistical and combinatorial analysis to deal with false positives and negatives.