
Page 1: Ariu - Workshop on Applications of Pattern Analysis

HMMPayl: an application of HMM to the analysis of the HTTP payload

Davide Ariu - Giorgio Giacinto

Dept. of Electrical and Electronic Engineering, University of Cagliari - Italy

Pattern Recognition and Applications Group http://prag.diee.unica.it

[email protected]  [email protected]

WAPA 2010 Workshop on Applications of Pattern Analysis

This research was sponsored by the Autonomous Region of Sardinia through a grant financed with the "Sardinia PO FSE 2007-2013" funds and provided according to the L.R. 7/2007

Anomaly detection for Computer Security

• Traditionally, Intrusion Detection Systems (IDS) are based on a database of signatures that describe known attacks.

Problem: never-seen-before attacks cannot be detected!

• Anomaly-based IDS use a statistical model of the legitimate patterns. Any pattern whose statistics deviate from the model stored in the system is labeled as an attack.

Advantage: zero-day attacks can be detected!

HTTP Payload analysis

• The analysis of the byte distribution in the HTTP payload of requests toward a web server allows attacks against the web server to be detected.

• Several solutions based on this approach (e.g. PAYL [1], McPAD [2]) have been proposed, but they suffer from limitations due to:

• the size of the feature space, which grows too large (256^n features for byte n-grams)

• the coarse representation of the payload that byte counts give

[1] K. Wang et al., "Anomalous Payload-Based Network Intrusion Detection", RAID, 2004.

[2] R. Perdisci et al., "McPAD: A multiple classifier system for accurate payload-based anomaly detection", Computer Networks, 2009.
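The byte-distribution approach the slide attributes to PAYL, as an added worked example for this page (it is not code from the HMMPayl authors, nor the original PAYL implementation): a 1-gram byte-frequency model is fitted on legitimate requests, new requests are scored with the simplified Mahalanobis distance of Wang et al., and a threshold is calibrated from the training distances. The training requests, the held-out benign request and both attack requests are constructed here; `ALPHA` (smoothing) and `SAFETY_FACTOR` (threshold margin) are assumed values, and a single model is used instead of PAYL's per-length models.

```python
"""PAYL-style 1-gram byte-distribution anomaly detector for HTTP request payloads.

Added example for this page, not code from the HMMPayl or PAYL authors.
All requests below are constructed; ALPHA and SAFETY_FACTOR are assumed values.
"""
import math
from typing import List, NamedTuple

ALPHA = 0.01          # assumed smoothing constant: keeps never-seen bytes from dividing by zero
SAFETY_FACTOR = 2.0   # assumed margin: threshold = factor * largest training distance

# Constructed legitimate traffic toward a hypothetical web application.
TRAINING_PAYLOADS: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /products?id=42 HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /products?id=7&sort=price HTTP/1.1\r\nHost: www.example.org\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
    b"user=alice&password=secret1",
    b"POST /search HTTP/1.1\r\nHost: www.example.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 14\r\n\r\n"
    b"q=cheap+laptop",
    b"GET /static/css/site.css HTTP/1.1\r\nHost: www.example.org\r\nAccept: text/css\r\n\r\n",
]
# Constructed benign request the model has not seen.
HELD_OUT_BENIGN = b"GET /products?id=41 HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
# Constructed attack: a NOP sled and a few shellcode-looking bytes in the URL.
SHELLCODE_REQUEST = (b"GET /" + b"\x90" * 400
                     + b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x89\xe3\xb0\x0b\xcd\x80"
                     + b" HTTP/1.1\r\nHost: www.example.org\r\n\r\n")
# Constructed SQL injection built only from ordinary printable bytes.
SQLI_REQUEST = b"GET /products?id=42 OR 1=1-- HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n"


class PaylModel(NamedTuple):
    mean: List[float]   # mean relative frequency of each byte value 0..255
    sigma: List[float]  # standard deviation of that frequency


def byte_distribution(payload: bytes) -> List[float]:
    """1-gram feature vector: relative frequency of each of the 256 byte values.
    (An n-gram model would need 256**n features, the feature-space size problem
    the slide mentions.)"""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]


def train(payloads: List[bytes]) -> PaylModel:
    """Fit per-byte mean and standard deviation over legitimate payloads.
    PAYL keeps one model per (port, payload length); one model is used here."""
    dists = [byte_distribution(p) for p in payloads]
    m = len(dists)
    mean = [sum(d[i] for d in dists) / m for i in range(256)]
    sigma = [math.sqrt(sum((d[i] - mean[i]) ** 2 for d in dists) / m) for i in range(256)]
    return PaylModel(mean, sigma)


def distance(model: PaylModel, payload: bytes) -> float:
    """Simplified Mahalanobis distance: sum_i |x_i - mean_i| / (sigma_i + ALPHA)."""
    x = byte_distribution(payload)
    return sum(abs(x[i] - model.mean[i]) / (model.sigma[i] + ALPHA) for i in range(256))


def calibrate_threshold(model: PaylModel, payloads: List[bytes]) -> float:
    """Threshold from the training data: a margin above the largest training distance."""
    return SAFETY_FACTOR * max(distance(model, p) for p in payloads)


def is_anomalous(model: PaylModel, threshold: float, payload: bytes) -> bool:
    return distance(model, payload) > threshold


if __name__ == "__main__":
    model = train(TRAINING_PAYLOADS)
    threshold = calibrate_threshold(model, TRAINING_PAYLOADS)
    print(f"threshold = {threshold:.2f}")
    for name, p in [("held-out benign", HELD_OUT_BENIGN),
                    ("shellcode", SHELLCODE_REQUEST),
                    ("sql injection", SQLI_REQUEST)]:
        print(f"{name:16s} distance = {distance(model, p):8.2f}"
              f"  anomalous = {is_anomalous(model, threshold, p)}")
```

The shellcode request scores far above the threshold because byte 0x90 never appears in training, so its whole frequency is divided by `ALPHA`. The injection, made of bytes the model has already seen, stays close to the benign scores: a 1-gram distribution cannot tell `id=42 OR 1=1--` from a normal query string, which is the coarse representation the slide points at and the reason for modelling byte sequences rather than byte counts.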

Page 2: Ariu - Workshop on Applications of Pattern Analysis


HMMPayl: a simplified scheme 

Page 3: Ariu - Workshop on Applications of Pattern Analysis


Experimental Results and Conclusions

1 - Increased Classification Accuracy

2 - Benefits of the MCS (Multiple Classifier System) approach

3 - Possibility of reducing the computational cost