BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Detecting worm variants using machine learning
CoNEXT '07 Proceedings of the 2007 ACM CoNEXT conference
Principled reasoning and practical applications of alert fusion in intrusion detection systems
Proceedings of the 2008 ACM symposium on Information, computer and communications security
Classification of packed executables for accurate computer virus detection
Pattern Recognition Letters
Traffic Aggregation for Malware Detection
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Improving Transductive Support Vector Machine by Ensembling
AI '08 Proceedings of the 21st Australasian Joint Conference on Artificial Intelligence: Advances in Artificial Intelligence
Adversarial Pattern Classification Using Multiple Classifiers and Randomisation
SSPR & SPR '08 Proceedings of the 2008 Joint IAPR International Workshop on Structural, Syntactic, and Statistical Pattern Recognition
A data damage tracking quarantine and recovery (DTQR) scheme for mission-critical database systems
Proceedings of the 12th International Conference on Extending Database Technology: Advances in Database Technology
McPAD: A multiple classifier system for accurate payload-based anomaly detection
Computer Networks: The International Journal of Computer and Telecommunications Networking
Ensemble Based Data Fusion for Gene Function Prediction
MCS '09 Proceedings of the 8th International Workshop on Multiple Classifier Systems
Stacking for Ensembles of Local Experts in Metabonomic Applications
MCS '09 Proceedings of the 8th International Workshop on Multiple Classifier Systems
Multi-modality in one-class classification
Proceedings of the 19th international conference on World wide web
HMM-web: a framework for the detection of attacks against web applications
ICC'09 Proceedings of the 2009 IEEE international conference on Communications
Mimimorphism: a new approach to binary code obfuscation
Proceedings of the 17th ACM conference on Computer and communications security
Detecting algorithmically generated malicious domain names
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
A survey of recent trends in one class classification
AICS'09 Proceedings of the 20th Irish conference on Artificial intelligence and cognitive science
Opcode-sequence-based semi-supervised unknown malware detection
CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems
Exposing invisible timing-based traffic watermarks with BACKLIT
Proceedings of the 27th Annual Computer Security Applications Conference
Multiple classifier systems under attack
MCS'10 Proceedings of the 9th international conference on Multiple Classifier Systems
Cluster-based one-class ensemble for classification problems in information retrieval
SIGIR '12 Proceedings of the 35th international ACM SIGIR conference on Research and development in information retrieval
A fine-grained classification approach for the packed malicious code
ICICS'12 Proceedings of the 14th international conference on Information and Communications Security
Detecting algorithmically generated domain-flux attacks with DNS traffic analysis
IEEE/ACM Transactions on Networking (TON)
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues
Information Sciences: an International Journal
A close look on n-grams in intrusion detection: anomaly detection vs. classification
Proceedings of the 2013 ACM workshop on Artificial intelligence and security
A novel hybrid intrusion detection method integrating anomaly detection with misuse detection
Expert Systems with Applications: An International Journal
Efficient and effective realtime prediction of drive-by download attacks
Journal of Network and Computer Applications
| Hi-index | 0.00 |
Unsupervised or unlabeled learning approaches for network anomaly detection have been recently proposed. In particular, recent work on unlabeled anomaly detection focused on high speed classification based on simple payload statistics. For example, PAYL, an anomaly IDS, measures the occurrence frequency in the payload of n-grams. A simple model of normal traffic is then constructed according to this description of the packets' content. It has been demonstrated that anomaly detectors based on payload statistics can be "evaded" by mimicry attacks using byte substitution and padding techniques. In this paper we propose a new approach to construct high speed payload-based anomaly IDS intended to be accurate and hard to evade. We propose a new technique to extract the features from the payload. We use a feature clustering algorithm originally proposed for text classification problems to reduce the dimensionality of the feature space. Accuracy and hardness of evasion are obtained by constructing our anomaly-based IDS using an ensemble of one-class SVM classifiers that work on different feature spaces.