Exploiting n-gram location for intrusion detection

TL;DR

This paper introduces an anomaly-based intrusion detection method that uses n-gram location analysis on application layer protocol payloads to identify content-based attacks with high accuracy and low false positives.

Contribution

It develops a novel n-gram based model for protocol-specific anomaly detection that effectively identifies new and variant attacks at the application layer.

Findings

Achieves high detection accuracy

Maintains very low false positive rate

Effective for content-based network attacks

Abstract

Signature-based and protocol-based intrusion detection systems (IDS) are employed as means to reveal content-based network attacks. Such systems have proven to be effective in identifying known intrusion attempts and exploits but they fail to recognize new types of attacks or carefully crafted variants of well known ones. This paper presents the design and the development of an anomaly-based IDS technique which is able to detect content-based attacks carried out over application level protocols, like HTTP and FTP. In order to identify anomalous packets, the payload is split up in chunks of equal length and the n-gram technique is used to learn which byte sequences usually appear in each chunk. The devised technique builds a different model for each pair <protocol of interest, packet length> and uses them to classify the incoming traffic. Models are build by means of a semi-supervised approach. Experimental results witness that the technique achieves an excellent accuracy with a very low false positive rate.