Advanced Payload Analyzer Preprocessor

Cited by: 6
Authors
Garcia Villalba, Luis Javier [1 ]
Sandoval Orozco, Ana Lucila [1 ]
Maestre Vidal, Jorge [1 ]
Affiliation
[1] Univ Complutense Madrid, GASS, Dept Software Engn & Artificial Intelligence DISI, Fac Informat Technol & Comp Sci, Off 431,Calle Prof Jose Garcia Santesmases 9, E-28040 Madrid, Spain
Source
FUTURE GENERATION COMPUTER SYSTEMS-THE INTERNATIONAL JOURNAL OF ESCIENCE | 2017 / Vol. 76
Keywords
APAP; Bloomfilter; n-gram; NIDS; PayLoad; Snort; ATTACKS; SYSTEMS;
DOI
10.1016/j.future.2016.10.032
CLC classification number
TP301 [theory, methods];
Discipline classification code
081202 ;
Abstract
Advanced Payload Analyzer Pre-processor (APAP) is an intrusion detection system that analyses the payload of network traffic in search of malware. APAP implements its detection algorithm as a "dynamic preprocessor" of Snort. Working together, the two yield a system that is highly effective against known attacks (through Snort rules) and equally effective against new and unknown attacks. APAP consists of two phases: training and detection. During training, a statistical model of legitimate network traffic is created using Bloom filters and n-grams. The results obtained by analyzing a dataset of attacks with this model are then compared with it, yielding a set of rules able to determine whether a payload corresponds to malware or to legitimate traffic. During detection, monitored traffic is passed through the Bloom filter created in the training phase, and the results are compared against the rules. Training requires two datasets: a collection of habitual, legitimate traffic and samples of malicious traffic. This approach offers various improvements over similar proposals, the most notable being a new method for filling Bloom filters and thereby building usage models. The implementation of a rule system based on Ks speeds up decision-making. Results obtained by analyzing real HTTP traffic show a high hit rate (95%) and a low false positive rate (0.1%). (C) 2016 Elsevier B.V. All rights reserved.
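The abstract's two-phase scheme (fill a Bloom filter with the n-grams of legitimate payloads, score unknown payloads by the share of n-grams the filter has never seen, derive a decision rule by comparing legitimate and attack scores) can be reproduced in miniature. The block below is an added example written for this record; it is not APAP's code, not a Snort preprocessor, and it does not use the paper's datasets. It assumes byte trigrams (n = 3), a 65536-bit filter with four SHA-256-derived hash positions, a single-threshold rule placed midway between the highest legitimate score and the lowest attack score (a simplification of the paper's rule set), and a handful of constructed HTTP requests as sample traffic.

```python
import hashlib

# Constructed sample data (not from the paper's datasets): legitimate HTTP
# requests for training, two anomalous payloads, and one held-out legitimate
# request that shares all its trigrams with the training set.
LEGIT_TRAFFIC = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: image/png\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n\r\nuser=alice&password=secret1",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n",
]
ATTACK_TRAFFIC = [
    # Path-traversal style request: long run of byte sequences absent from legitimate traffic.
    b"GET /cgi-bin/" + b"../" * 8 + b"etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Binary blob in a header: every high byte sequence is unseen in legitimate traffic.
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: " + bytes(range(0x80, 0x100)) + b"\r\n\r\n",
]
HOLDOUT_LEGIT = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.64.1\r\nAccept: text/html\r\n\r\n"
)


class BloomFilter:
    """Minimal Bloom filter. Each item maps to k bit positions derived from
    SHA-256 over a seed byte plus the item. Lookups never give false negatives,
    so every n-gram inserted during training is guaranteed to be found later."""

    def __init__(self, size_bits=1 << 16, num_hashes=4):
        self.size = size_bits
        self.k = num_hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, item):
        for seed in range(self.k):
            digest = hashlib.sha256(bytes([seed]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def ngrams(payload, n):
    """All overlapping byte n-grams of a payload, in order."""
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]


def train_model(legit_payloads, n=3):
    """Training phase: build the usage model by inserting every n-gram of the
    legitimate dataset into the Bloom filter."""
    model = BloomFilter()
    for payload in legit_payloads:
        for gram in ngrams(payload, n):
            model.add(gram)
    return model


def anomaly_score(model, payload, n=3):
    """Fraction of the payload's n-grams that the model has never seen
    (0.0 = every n-gram occurred in legitimate traffic)."""
    grams = ngrams(payload, n)
    if not grams:
        return 0.0
    unseen = sum(1 for gram in grams if gram not in model)
    return unseen / len(grams)


def derive_threshold(model, legit_payloads, attack_payloads, n=3):
    """Rule derivation (simplifying assumption, not the paper's rule system):
    score both datasets against the model and put the boundary midway between
    the highest legitimate score and the lowest attack score."""
    max_legit = max(anomaly_score(model, p, n) for p in legit_payloads)
    min_attack = min(anomaly_score(model, p, n) for p in attack_payloads)
    return (max_legit + min_attack) / 2


def classify(model, threshold, payload, n=3):
    """Detection phase: pass the payload through the filter and apply the rule."""
    return "attack" if anomaly_score(model, payload, n) > threshold else "legitimate"


MODEL = train_model(LEGIT_TRAFFIC)
THRESHOLD = derive_threshold(MODEL, LEGIT_TRAFFIC, ATTACK_TRAFFIC)

if __name__ == "__main__":
    print("threshold:", round(THRESHOLD, 3))
    for payload in ATTACK_TRAFFIC + [HOLDOUT_LEGIT]:
        print(round(anomaly_score(MODEL, payload), 3), classify(MODEL, THRESHOLD, payload))
```

Two properties of the scheme are visible in this toy: because a Bloom filter has no false negatives, every payload from the training set scores exactly 0.0, and a legitimate request whose n-grams all occurred during training (the held-out request) also scores 0.0 even though it was never inserted; payloads built from byte sequences that legitimate traffic never contains score well above the boundary. The filter's false-positive rate (here roughly 10^-7 with a few hundred n-grams in 65536 bits) is what would let an attack n-gram pass as "seen", so sizing the filter against the volume of training n-grams is the parameter a deployment must get right.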
Pages: 474 / 485
Page count: 12