Abstract
Previous work has shown that Markov modelling can be used to model the payloads of the observed packets from a selected protocol, with applications to anomaly-based intrusion detection. Detection is based on a normality score derived from the model and a tunable threshold, which allows the choice of the operating point in terms of detection and false positive rates. In this work a hybrid system based on this approach is proposed and evaluated. Detection is made by explicit modelling of both the attack and the normal payloads and the joint use of a recognizer and a threshold-based detector. First, the recognizer evaluates the probabilities of a payload being normal or attack and a probability of misclassification. The dubious results are passed to the detector, which evaluates the normality score. The system allows the choice of the operating point and improves the performance of the basic system.
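The two-stage scheme the abstract describes (a recognizer over a normal model and an attack model, deferring dubious payloads to a threshold detector on the normality score), as a constructed illustration that is not the paper's code. The abstract fixes none of the details, so the model order, the smoothing, the normality score, the misclassification probability and the training payloads below are all assumptions.

```python
"""Hybrid Markov-model payload classifier: a constructed illustration of the scheme the
abstract describes, not the paper's code. Assumed (the abstract does not specify them):
first-order byte Markov models with additive smoothing over a fixed 256-byte alphabet,
normality score = mean per-byte log-likelihood under the normal model, and
misclassification probability = the smaller of the two posteriors (equal priors)."""
import math
from collections import Counter, defaultdict

START, ALPHABET, SMOOTH = -1, 256, 0.01  # virtual start symbol, byte alphabet, pseudo-count

class MarkovModel:
    def __init__(self):
        self.counts = defaultdict(Counter)  # counts[prev_byte][next_byte]
    def train(self, payloads):
        for p in payloads:
            seq = [START] + list(p)
            for a, b in zip(seq, seq[1:]):
                self.counts[a][b] += 1
        return self
    def log_prob(self, payload):
        seq, lp = [START] + list(payload), 0.0
        for a, b in zip(seq, seq[1:]):
            row = self.counts[a]
            lp += math.log((row[b] + SMOOTH) / (sum(row.values()) + SMOOTH * ALPHABET))
        return lp

def normality_score(normal, payload):
    """Score used by the threshold-based detector: mean log-likelihood per byte."""
    return normal.log_prob(payload) / max(1, len(payload))

def recognize(normal, attack, payload):
    """Posteriors P(normal|x), P(attack|x) with equal priors, and P(misclassification)."""
    ln, la = normal.log_prob(payload), attack.log_prob(payload)
    m = max(ln, la)  # log-sum-exp keeps the small posterior from underflowing to 0
    lse = m + math.log(math.exp(ln - m) + math.exp(la - m))
    pn, pa = math.exp(ln - lse), math.exp(la - lse)
    return pn, pa, min(pn, pa)

def hybrid_classify(normal, attack, payload, tau, theta):
    """Recognizer decides when P(error) < tau; dubious payloads go to the detector.
    Returns (label, stage); tau=0 disables the recognizer, tau=1 disables the detector."""
    pn, pa, p_err = recognize(normal, attack, payload)
    if p_err < tau:
        return ("attack" if pa > pn else "normal"), "recognizer"
    return ("normal" if normality_score(normal, payload) >= theta else "attack"), "detector"

# Constructed training payloads (synthetic HTTP request lines, not captured traffic).
NORMAL = [b"GET /index.html HTTP/1.1", b"GET /images/logo.png HTTP/1.1",
          b"POST /login HTTP/1.1", b"GET /about/team.html HTTP/1.1"]
ATTACK = [b"GET /" + f * n + b" HTTP/1.0" for f, n in ((b"A", 40), (b"A", 60), (b"%41", 10), (b"%41", 15))]
NORMAL_MODEL, ATTACK_MODEL = MarkovModel().train(NORMAL), MarkovModel().train(ATTACK)
```

Sweeping tau and theta together moves the operating point: a larger tau sends more payloads to the detector, whose threshold theta then sets the detection/false-positive trade-off for those cases.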
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Salazar-Hernández, R., Díaz-Verdejo, J.E. (2010). Hybrid Detection of Application Layer Attacks Using Markov Models for Normality and Attacks. In: Soriano, M., Qing, S., López, J. (eds) Information and Communications Security. ICICS 2010. Lecture Notes in Computer Science, vol 6476. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17650-0_29
DOI: https://doi.org/10.1007/978-3-642-17650-0_29
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17649-4
Online ISBN: 978-3-642-17650-0