Layered Higher Order N-grams for Hardening Payload Based Anomaly Intrusion Detection
Authors: N. Hubballi, S. Biswas, Sukumar Nandi
Published in: 2010 International Conference on Availability, Reliability and Security (publication date 2010-03-25)
DOI: 10.1109/ARES.2010.31 (https://doi.org/10.1109/ARES.2010.31)
Application-based intrusion detection involves analysis of network packet payload data. Recently, statistical methods for analyzing the payload have come into use. Since the behavior of every application is not the same, a different model is necessary for each application. Studies have revealed that higher-order n-grams are good for capturing the network profile. In this paper we introduce the concept of a layered version of n-grams for payload-based anomaly network intrusion detection. Each layer works as an independent anomaly detection system. A packet is declared normal after passing through all the layers. A packet is declared anomalous if any layer declares it anomalous, at which point we stop further processing of the packet. We create a set of bins and distribute the distinct n-grams equally among the bins. Each such n-gram is a 2-tuple where the first element is the byte values of the n-gram and the second is the frequency of the gram in the entire training data. We assign an anomaly score to each bin based on the frequency of the individual grams in the bin; this is termed the coverage of the bin. We evaluate the proposed scheme on normal traffic of the DARPA 99 dataset mixed with a set of attacks. Experimental results show the efficacy of the method, with a false alarm rate as low as 0.001%.