N-Gram against the machine: on the feasibility of the n-gram network analysis for binary protocols

Authors:
Dina Hadžiosmanović;Lorenzo Simionato;Damiano Bolzoni;Emmanuele Zambon;Sandro Etalle
Affiliations:
University of Twente, The Netherlands;Ca' Foscari University of Venice, Italy;University of Twente, The Netherlands;University of Twente, The Netherlands;University of Twente, The Netherlandechnical University of Eindhoven, The Netherlands
Venue:
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Year:
2012

Citing 17
Cited 5

The base-rate fallacy and the difficulty of intrusion detection

ACM Transactions on Information and System Security (TISSEC)
The 1999 DARPA off-line intrusion detection evaluation

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Space/time trade-offs in hash coding with allowable errors

Communications of the ACM
Self-Organizing Maps

Self-Organizing Maps
Intrusion Detection Testing and Benchmarking Methodologies

IEEE-IWIA '03 Proceedings of the First IEEE International Workshop on Information Assurance (IWIA'03)
A taxonomy of DDoS attack and DDoS defense mechanisms

ACM SIGCOMM Computer Communication Review
POSEIDON: a 2-tier Anomaly-based Network Intrusion Detection System

IWIA '06 Proceedings of the Fourth IEEE International Workshop on Information Assurance
Polymorphic blending attacks

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
On the infeasibility of modeling polymorphic shellcode

Proceedings of the 14th ACM conference on Computer and communications security
BotHunter: detecting malware infection through IDS-driven dialog correlation

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
McPAD: A multiple classifier system for accurate payload-based anomaly detection

Computer Networks: The International Journal of Computer and Telecommunications Networking
Comparing anomaly detection techniques for HTTP

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Outside the Closed World: On Using Machine Learning for Network Intrusion Detection

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Cyber-critical infrastructure protection using real-time payload-based anomaly detection

CRITIS'09 Proceedings of the 4th international conference on Critical information infrastructures security
A sense of self for Unix processes

SP'96 Proceedings of the 1996 IEEE conference on Security and privacy
Anagram: a content anomaly detector resistant to mimicry attack

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Defending embedded systems with software symbiotes

RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection

A close look on n-grams in intrusion detection: anomaly detection vs. classification

Proceedings of the 2013 ACM workshop on Artificial intelligence and security
Towards learning normality for anomaly detection in industrial control networks

AIMS'13 Proceedings of the 7th IFIP WG 6.6 international conference on Autonomous Infrastructure, Management, and Security: emerging management mechanisms for the future internet - Volume 7943
ProVeX: detecting botnets with encrypted command and control channels

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Towards the protection of industrial control systems: conclusions of a vulnerability analysis of profinet IO

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
A survey of intrusion detection techniques for cyber-physical systems

ACM Computing Surveys (CSUR)

Quantified Score

Hi-index	0.00

Visualization

Abstract

In recent years we have witnessed several complex and high-impact attacks specifically targeting "binary" protocols (RPC, Samba and, more recently, RDP). These attacks could not be detected by current --- signature-based --- detection solutions, while --- at least in theory --- they could be detected by state-of-the-art anomaly-based systems. This raises once again the still unanswered question of how effective anomaly-based systems are in practice. To contribute to answering this question, in this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Specifically, we present a thorough analysis and evaluation of several detection algorithms using variants of n-gram analysis on real-life environments. Our tests show that the analyzed systems, in presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.