Exploiting content spatial distribution to improve detection of intrusions
| Field | Value |
|---|---|
| Title | Exploiting content spatial distribution to improve detection of intrusions |
| Publication Type | Journal Article |
| Year of Publication | 2018 |
| Authors | Angiulli, F, Argento, L, Furfaro, A |
| Journal | ACM Transactions on Internet Technology |
We present PCkAD, a novel semisupervised anomaly-based IDS (Intrusion Detection System) technique that detects application-level content-based attacks. Its distinctive feature is that it learns legitimate payloads by splitting packets into chunks and determining the within-packet distribution of n-grams. This strategy is resistant to evasion techniques such as blending. We prove that finding the right legitimate content is NP-hard in the presence of chunks. Moreover, it improves the false-positive rate for a given detection rate with respect to the case where the spatial information is not considered. Comparison with well-known IDSs using n-grams highlights that PCkAD achieves state-of-the-art performance.
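To make the abstract's central idea concrete, the following is an added illustration and not the authors' PCkAD code or algorithm: it trains one n-gram profile per chunk position (the "spatial" model) alongside a conventional whole-payload n-gram profile, then scores an unseen legitimate payload and a copy of it whose chunks have been rearranged. The rearranged copy keeps almost all of its n-grams, so the position-blind model barely reacts, while the positional model flags it. The chunk count, bigram size, L1 distance and the constructed HTTP-like payloads are all assumptions of this example.

```python
from collections import Counter

# Constructed illustration (not the paper's code or algorithm): a toy
# "spatial" n-gram profile that models each positional chunk of a payload
# separately, next to a conventional whole-payload n-gram profile.
N = 2   # n-gram size (bigrams); an assumption of this illustration
K = 4   # number of chunks per payload; an assumption of this illustration

def ngrams(data: bytes, n: int = N) -> Counter:
    """Count the contiguous n-byte substrings of a payload."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))

def normalize(counts: Counter) -> dict:
    """Turn raw n-gram counts into a probability distribution."""
    total = sum(counts.values())
    return {g: c / total for g, c in counts.items()} if total else {}

def chunks(data: bytes, k: int = K) -> list:
    """Split a payload into exactly k contiguous, near-equal chunks."""
    bounds = [round(i * len(data) / k) for i in range(k + 1)]
    return [data[bounds[i]:bounds[i + 1]] for i in range(k)]

def l1_distance(p: dict, q: dict) -> float:
    """L1 distance between two distributions (0 = identical, 2 = disjoint)."""
    return sum(abs(p.get(g, 0.0) - q.get(g, 0.0)) for g in set(p) | set(q))

class SpatialNgramProfile:
    """Learns one n-gram profile per chunk position plus a global profile."""

    def __init__(self, n: int = N, k: int = K):
        self.n, self.k = n, k
        self.global_counts = Counter()
        self.chunk_counts = [Counter() for _ in range(k)]

    def train(self, payloads):
        for p in payloads:
            self.global_counts.update(ngrams(p, self.n))
            for i, c in enumerate(chunks(p, self.k)):
                self.chunk_counts[i].update(ngrams(c, self.n))

    def global_score(self, payload: bytes) -> float:
        """Anomaly score that ignores position (conventional n-gram model)."""
        return l1_distance(normalize(self.global_counts),
                           normalize(ngrams(payload, self.n)))

    def spatial_score(self, payload: bytes) -> float:
        """Anomaly score: the worst chunk against its own positional profile."""
        return max(l1_distance(normalize(self.chunk_counts[i]),
                               normalize(ngrams(c, self.n)))
                   for i, c in enumerate(chunks(payload, self.k)))

# Constructed training payloads, all sharing one positional layout.
TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.0\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.0\r\n\r\n",
    b"GET /login.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: wget/1.0\r\n\r\n",
]
# Constructed unseen legitimate payload with the same layout.
TEST_LEGIT = b"GET /help.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.0\r\n\r\n"

def rearrange_chunks(payload: bytes, k: int = K) -> bytes:
    """Reverse chunk order: keeps almost all n-grams, destroys their positions."""
    return b"".join(reversed(chunks(payload, k)))

def build_model() -> SpatialNgramProfile:
    """Train the toy profile on the constructed legitimate payloads."""
    model = SpatialNgramProfile()
    model.train(TRAINING)
    return model

if __name__ == "__main__":
    model = build_model()
    moved = rearrange_chunks(TEST_LEGIT)
    for label, p in (("legitimate", TEST_LEGIT), ("rearranged", moved)):
        print(f"{label:11s} global={model.global_score(p):.3f} "
              f"spatial={model.spatial_score(p):.3f}")
```

The positional model reacts because the first chunk of the rearranged payload no longer looks like a request line, even though its bigram multiset is nearly unchanged; this is the intuition behind the abstract's claim that within-packet distribution resists content that has been shaped to match a global n-gram profile. A real deployment would also need a calibrated threshold per chunk position, which this illustration does not attempt.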