Anomaly Detection for Application Level Network Attacks Using Payload Keywords

Abstract

Network anomaly intrusion detection is designed to provide in-depth defense against zero-day attacks. However, attacks often occur at the application level, which means they are payload associated. Since traditional anomaly detection works by monitoring packet headers it provides little support for defending against such activities. In this paper, we will explore how the packet payload can be used for identifying application level attacks. First we will discuss the current status of network anomaly detection, and emphasize the importance of payload based detection research using existing problems. Then we provide a brief introduction to several related approaches on this topic. Based on the discussion, an efficient method to detect payload related attacks will then be proposed. The method is divided into a training phase and a detection phase. In the training phase, we will perform principal component analysis (PCA) on several important packet fields to reduce the data dimension, and then construct the most appropriate profile based on the PCA results. In the detection phase, an anomaly score will be assigned to each incoming packet based on the profile. We then present the experiment based on the DARPA '99 dataset with details to explain our approach. Comparison with other similar mechanisms demonstrates the advantage of the proposed method at identifying payload related attacks.