Exploiting n-gram location for intrusion detection
This work addresses the limitation of existing IDS in recognizing novel attacks for network security, though it appears incremental as it builds on anomaly-based methods with specific protocol and length modeling.
The paper tackles the problem of detecting new or variant content-based network attacks by developing an anomaly-based intrusion detection system that models payload byte sequences using n-grams for protocols like HTTP and FTP, achieving excellent accuracy with a very low false positive rate.
Signature-based and protocol-based intrusion detection systems (IDS) are employed as means to reveal content-based network attacks. Such systems have proven to be effective in identifying known intrusion attempts and exploits but they fail to recognize new types of attacks or carefully crafted variants of well known ones. This paper presents the design and the development of an anomaly-based IDS technique which is able to detect content-based attacks carried out over application level protocols, like HTTP and FTP. In order to identify anomalous packets, the payload is split up in chunks of equal length and the n-gram technique is used to learn which byte sequences usually appear in each chunk. The devised technique builds a different model for each pair <protocol of interest, packet length> and uses them to classify the incoming traffic. Models are build by means of a semi-supervised approach. Experimental results witness that the technique achieves an excellent accuracy with a very low false positive rate.