Information Processing Letters
An FSM-Based Approach for Malicious Code Detection Using the Self-Relocation Gene
ICIC '08 Proceedings of the 4th international conference on Intelligent Computing: Advanced Intelligent Computing Theories and Applications - with Aspects of Theoretical and Methodological Issues
PE-Miner: Mining Structural Information to Detect Malicious Executables in Realtime
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Concurrency optimization for NIDS (poster abstract)
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Real-time malware detection framework in intrusion detection systems
Proceedings of the 2013 Research in Adaptive and Convergent Systems
Hi-index | 0.00 |
NIDS based on Payload Analysis detect the malicious code by analyzing the payload of packets flowing through the network. Typically consist of a training phase and another one of detection. The training phase is done with clean traffic so that it represents statistically the usual traffic of the system. Thus, a pattern of such traffic is established. On the other hand, during the detection, traffic analysis is modeled and compared these patterns to determine if it can be classified as dangerous. Then, various proposals that make analysis of the payload to detect malicious code are explicated. In general, all are variants of PAYL [1], one of the first proposals that used this technique successfully. PAYL system classifies traffic based on three characteristics: the port, packet size and flow direction (input or output). Using these three parameters, payloads are classified creating a series of patterns to define what would be normal behavior within each class. Poseidon [2] was developed to correct the errors that arise in building models in PAYL when clustering about the size of packets is applied. The combination of multiple classifiers of a class, also based on PAYL, was developed to eliminate the original system's vulnerability in the face of mimicry attacks. PCNAD [3] appears to correct the defect PAYL that could not process large packets on fast networks with enough speed. Anagram is another evolution of PAYL, developed by the same authors to correct the deficiencies that had the original system. As in the PAYL, the system is based on n-grams to process the packets and create patterns of behavior. However, it employed Bloom Filters to divide the packets in n-grams of sizes larger than one without the cost in space and system performance will be injured.