{"title":"基于负载关键字的应用层网络攻击异常检测","authors":"Like Zhang, G. White","doi":"10.1109/CISDA.2007.368151","DOIUrl":null,"url":null,"abstract":"Network anomaly intrusion detection is designed to provide in-depth defense against zero-day attacks. However, attacks often occur at the application level, which means they are payload associated. Since traditional anomaly detection works by monitoring packet headers it provides little support for defending against such activities. In this paper, we will explore how the packet payload can be used for identifying application level attacks. First we will discuss the current status of network anomaly detection, and emphasize the importance of payload based detection research using existing problems. Then we provide a brief introduction to several related approaches on this topic. Based on the discussion, an efficient method to detect payload related attacks will then be proposed. The method is divided into a training phase and a detection phase. In the training phase, we will perform principal component analysis (PCA) on several important packet fields to reduce the data dimension, and then construct the most appropriate profile based on the PCA results. In the detection phase, an anomaly score will be assigned to each incoming packet based on the profile. We then present the experiment based on the DARPA '99 dataset with details to explain our approach. Comparison with other similar mechanisms demonstrates the advantage of the proposed method at identifying payload related attacks.","PeriodicalId":403553,"journal":{"name":"2007 IEEE Symposium on Computational Intelligence in Security and Defense Applications","volume":"20 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"24","resultStr":"{\"title\":\"Anomaly Detection for Application Level Network Attacks Using Payload Keywords\",\"authors\":\"Like Zhang, G. White\",\"doi\":\"10.1109/CISDA.2007.368151\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Network anomaly intrusion detection is designed to provide in-depth defense against zero-day attacks. However, attacks often occur at the application level, which means they are payload associated. Since traditional anomaly detection works by monitoring packet headers it provides little support for defending against such activities. In this paper, we will explore how the packet payload can be used for identifying application level attacks. First we will discuss the current status of network anomaly detection, and emphasize the importance of payload based detection research using existing problems. Then we provide a brief introduction to several related approaches on this topic. Based on the discussion, an efficient method to detect payload related attacks will then be proposed. The method is divided into a training phase and a detection phase. In the training phase, we will perform principal component analysis (PCA) on several important packet fields to reduce the data dimension, and then construct the most appropriate profile based on the PCA results. In the detection phase, an anomaly score will be assigned to each incoming packet based on the profile. We then present the experiment based on the DARPA '99 dataset with details to explain our approach. Comparison with other similar mechanisms demonstrates the advantage of the proposed method at identifying payload related attacks.\",\"PeriodicalId\":403553,\"journal\":{\"name\":\"2007 IEEE Symposium on Computational Intelligence in Security and Defense Applications\",\"volume\":\"20 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2007-04-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"24\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2007 IEEE Symposium on Computational Intelligence in Security and Defense Applications\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/CISDA.2007.368151\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2007 IEEE Symposium on Computational Intelligence in Security and Defense Applications","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CISDA.2007.368151","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Anomaly Detection for Application Level Network Attacks Using Payload Keywords
Network anomaly intrusion detection is designed to provide in-depth defense against zero-day attacks. However, attacks often occur at the application level, which means they are payload associated. Since traditional anomaly detection works by monitoring packet headers it provides little support for defending against such activities. In this paper, we will explore how the packet payload can be used for identifying application level attacks. First we will discuss the current status of network anomaly detection, and emphasize the importance of payload based detection research using existing problems. Then we provide a brief introduction to several related approaches on this topic. Based on the discussion, an efficient method to detect payload related attacks will then be proposed. The method is divided into a training phase and a detection phase. In the training phase, we will perform principal component analysis (PCA) on several important packet fields to reduce the data dimension, and then construct the most appropriate profile based on the PCA results. In the detection phase, an anomaly score will be assigned to each incoming packet based on the profile. We then present the experiment based on the DARPA '99 dataset with details to explain our approach. Comparison with other similar mechanisms demonstrates the advantage of the proposed method at identifying payload related attacks.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
