Detecting zero-day attacks using context-aware anomaly detection at the application-layer |
| |
| Authors: | Patrick Duessel Christian Gehl Ulrich Flegel Sven Dietrich Michael Meier |
| |
| Affiliation: | 1.University of Bonn, Institute of Computer Science 4,Bonn,Germany;2.Trifense GmbH - Intelligent Network Defense,Velten,Germany;3.Infineon Technologies AG,Neubiberg,Germany;4.CUNY John Jay College of Criminal Justice, Mathematics and Computer Science Department,New York,USA |
| |
| Abstract: | Anomaly detection allows for the identification of unknown and novel attacks in network traffic. However, current approaches for anomaly detection of network packet payloads are limited to the analysis of plain byte sequences. Experiments have shown that application-layer attacks become difficult to detect in the presence of attack obfuscation using payload customization. The ability to incorporate syntactic context into anomaly detection provides valuable information and increases detection accuracy. In this contribution, we address the issue of incorporating protocol context into payload-based anomaly detection. We present a new data representation, called \({c}_n\)-grams, that allows to integrate syntactic and sequential features of payloads in an unified feature space and provides the basis for context-aware detection of network intrusions. We conduct experiments on both text-based and binary application-layer protocols which demonstrate superior accuracy on the detection of various types of attacks over regular anomaly detection methods. Furthermore, we show how \({c}_n\)-grams can be used to interpret detected anomalies and thus, provide explainable decisions in practice. |
| |
| Keywords: | |
| 本文献已被 SpringerLink 等数据库收录! |
|
