Abstract
Because most current network attacks target the application layer, detecting them requires analysis of the packet payload. Unfortunately, malicious packets can be crafted to mimic normal payload and so evade detection once the anomaly detection method is known. This paper proposes a keyed payload anomaly detection NIDS in which the model of normal payload depends on a key. The key differs for each deployment of the method and is kept secret, so the model of normal payload is secret even though the detection method is public; this prevents mimicry attacks. The payload is partitioned into words defined by delimiters, and the set of delimiters plays the role of the key. The proposed design is implemented and tested. Testing with HTTP traffic confirmed the same detection capabilities for different keys.
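The following is an added illustration of the keyed-tokenization idea described in the abstract; it is not the authors' code and does not reproduce the paper's model. The assumptions made here are: delimiters are drawn from printable punctuation and whitespace, the normal-payload model is a table of word frequencies learned from training traffic, the anomaly score is the share of words never seen in training (a deliberately simple stand-in for whatever scoring the paper uses), and the HTTP requests are constructed samples, not captured traffic. The example also adds a sanity check the abstract does not mention: a key whose bytes hardly occur in the traffic reduces every payload to one word and must be rejected.

```python
"""Keyed payload tokenization: the delimiter set is the secret key.

Added example; not the paper's implementation. Scoring rule, delimiter
pool and sample traffic are assumptions made for this illustration.
"""
import secrets
from collections import Counter

# Assumption: delimiters are drawn from the printable punctuation and
# whitespace bytes that give text protocols their structure.
DELIMITER_POOL = b" \t\r\n!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"


def generate_key(size: int) -> frozenset:
    """Draw `size` distinct delimiter bytes with a CSPRNG; this set is the key."""
    return frozenset(secrets.SystemRandom().sample(DELIMITER_POOL, size))


def tokenize(payload: bytes, key: frozenset) -> list:
    """Split `payload` into words at every byte that is in `key`.

    Delimiter bytes are dropped; runs of delimiters produce no empty words.
    """
    words, current = [], bytearray()
    for b in payload:
        if b in key:
            if current:
                words.append(bytes(current))
                current = bytearray()
        else:
            current.append(b)
    if current:
        words.append(bytes(current))
    return words


def key_is_usable(payloads, key: frozenset, min_mean_words: float = 4.0) -> bool:
    """Reject degenerate keys: if the key's bytes rarely occur in the traffic,
    every payload becomes one or two words and the model learns nothing."""
    total = sum(len(tokenize(p, key)) for p in payloads)
    return total / max(len(payloads), 1) >= min_mean_words


class KeyedPayloadModel:
    """Word-frequency model of normal payload under one secret key."""

    def __init__(self, key: frozenset):
        self.key = key
        self.counts = Counter()

    def train(self, payloads) -> None:
        for p in payloads:
            self.counts.update(tokenize(p, self.key))

    def score(self, payload: bytes) -> float:
        """Assumed anomaly score in [0, 1]: share of words absent from training."""
        words = tokenize(payload, self.key)
        if not words:
            return 0.0
        unseen = sum(1 for w in words if w not in self.counts)
        return unseen / len(words)


def vocabulary_overlap(a: KeyedPayloadModel, b: KeyedPayloadModel) -> float:
    """Jaccard similarity of two models' word sets. A low value shows that the
    same training traffic yields a different model under a different key."""
    va, vb = set(a.counts), set(b.counts)
    return len(va & vb) / len(va | vb) if va | vb else 1.0


# Constructed sample traffic (not captured data).
NORMAL_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"GET /search?q=shoes&page=2 HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"GET /search?q=boots&page=1 HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=s3cret",
]
NORMAL_HELDOUT = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n"
# Constructed directory-traversal probe, URL-encoded so that '/' (a delimiter an
# attacker would guess) does not split the malicious part into many words.
ATTACK_REQUEST = (
    b"GET /search?q=..%2f..%2f..%2fetc%2fpasswd&page=1 HTTP/1.1\r\n"
    b"Host: www.example.com\r\nAccept: text/html\r\n\r\n"
)

if __name__ == "__main__":
    models = []
    for _ in range(3):
        key = generate_key(8)
        if not key_is_usable(NORMAL_REQUESTS, key):
            print(f"key {bytes(sorted(key))!r} rejected: does not split the traffic")
            continue
        model = KeyedPayloadModel(key)
        model.train(NORMAL_REQUESTS)
        models.append(model)
        print(f"key={bytes(sorted(key))!r} normal={model.score(NORMAL_HELDOUT):.2f} "
              f"attack={model.score(ATTACK_REQUEST):.2f}")
    if len(models) >= 2:
        print(f"vocabulary overlap between two keys: {vocabulary_overlap(models[0], models[1]):.2f}")
```

Running the block with fresh random keys shows the two properties the abstract states: the held-out normal request scores low and the probe scores higher under every usable key, while the word vocabularies learned under two different keys barely overlap, so knowing the method does not tell an attacker which words the model considers normal. The `key_is_usable` check is the caveat a deployment needs: random keys are only as good as their ability to split the protocol into words, so rejected keys should be redrawn rather than used.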
© 2010 Springer-Verlag Berlin Heidelberg
Mrdovic, S., Drazenovic, B. (2010). KIDS – Keyed Intrusion Detection System. In: Kreibich, C., Jahnke, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2010. Lecture Notes in Computer Science, vol 6201. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14215-4_10
DOI: https://doi.org/10.1007/978-3-642-14215-4_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14214-7
Online ISBN: 978-3-642-14215-4