Anomalous Packet Detection using Partitioned Payload
نویسندگان
چکیده
We present Anomalous Packet Detection using Partitioned Payload system, we call as AnPDPP. AnPDPP is an improvement to PAYL system which is considered one of the complete systems for payload based anomaly detection. PAYL takes into consideration the entire payload for profile calculation and effectively for anomaly detection. Payload length is very high on port numbers like 21 and 80. Hence it is difficult to apply PAYL on high speed, high bandwidth networks. We use CPP (Content based Payload Partitioning) technique which divides the payload into different partitions depending on content of payload. AnPDPP does payload based anomaly detection using a few CPP partitions. We demonstrate usefulness of the AnPDPP on the 1999 DARPA IDS data set. We observed 97.06% accuracy on port 80 using only 62.64% packet payload length with small false positive rate. This is a significant improvement over PAYL approach which uses 100% of the packet payload for anomaly detection.
منابع مشابه
Network packet payload analysis for intrusion detection
This paper explores possibility of detecting intrusions into computer networks using network packet payload analysis. Quick overview of current IDS state of the art is given. Issues with IDS are explained. Integrated approach to IDS building is suggested. Anomaly detection process improvements are recomended. Current prevailing methods for network intrusion detection based on packet meta data, ...
متن کاملKIDS - Keyed Intrusion Detection System
Since most current network attacks happen at the application layer, analysis of packet payload is necessary for their detection. Unfortunately malicious packets may be crafted to mimic normal payload, and so avoid detection if the anomaly detection method is known. This paper proposes keyed packet payload anomaly detection NIDS. Model of normal payload is key dependent. Key is different for eac...
متن کاملApproaches in anomaly-based intrusion detection systems
Anomaly-based network intrusion detection systems can take into consideration packet headers, the payload, or a combination of both. We argue that payload-based approaches are becoming the most effective methods to detect attacks. Nowadays, attacks aim mainly to exploit vulnerabilities at application level: thus, the payload contains the most important information to differentiate normal traffi...
متن کاملFeature Extraction to Identify Network Traffic with Considering Packet Loss Effects
There are huge petitions of network traffic coming from various applications on Internet. In dealing with this volume of network traffic, network management plays a crucial rule. Traffic classification is a basic technique which is used by Internet service providers (ISP) to manage network resources and to guarantee Internet security. In addition, growing bandwidth usage, at one hand, and limit...
متن کاملAnomalous Payload-Based Worm Detection and Signature Generation
New features of the PAYL anomalous payload detection sensor are demonstrated to accurately detect and generate signatures for zero-day worms. Experimental evidence demonstrates that site-specific packet content models are capable of detecting new worms with high accuracy in a collaborative security system. A new approach is proposed that correlates ingress/egress payload alerts to identify the ...
متن کامل