
Layered Higher Order N-grams for Hardening Payload Based Anomaly Intrusion Detection

3 Author(s)
Hubballi, N. ; Dept. of Comput. Sci. & Eng., Indian Inst. of Technol., Guwahati, India ; Biswas, S. ; Nandi, S.

Application-based intrusion detection involves analysis of network packet payload data. Recently, statistical methods have been used to analyze the payload. Since the behavior of every application is not the same, a different model is necessary for each application. Studies have revealed that higher order n-grams are good for capturing the network profile. In this paper we introduce the concept of a layered version of n-grams for payload-based anomaly network intrusion detection. Each layer works as an independent anomaly detection system. A packet is declared normal after passing through all the layers. A packet is declared anomalous if any layer declares it anomalous, and processing of the packet stops at that point. We create a set of bins and distribute the distinct n-grams equally among the bins. Each such n-gram is a 2-tuple where the first element is the byte values of the n-gram and the second is the frequency of the n-gram in the entire training data. We assign an anomaly score to each bin based on the frequency of the individual n-grams in the bin; this score is termed the coverage of the bin. We evaluate the proposed scheme on normal traffic of the DARPA 99 dataset mixed with a set of attacks. Experimental results show the efficacy of the method, with a false alarm rate as low as 0.001%.
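The layered scheme in the abstract can be sketched as follows; this is an added example, not the paper's code. The abstract does not give the per-layer n-gram order, the binning order, or the packet-level decision rule, so the sketch assumes one n-gram order per layer, frequency-ranked binning, and a packet score equal to the mean coverage of the bins its n-grams fall in (unseen n-grams count as 0), compared against a hypothetical threshold.

```python
from collections import Counter

def ngrams(payload: bytes, n: int):
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]

def train_layer(payloads, n, num_bins):
    """One layer: map each distinct n-gram to a bin and compute each bin's coverage."""
    freq = Counter(g for p in payloads for g in ngrams(p, n))
    total = sum(freq.values())
    ranked = freq.most_common()                  # (gram bytes, frequency) 2-tuples
    per_bin = -(-len(ranked) // num_bins) or 1   # ceil division: equal share of distinct n-grams
    bin_of, coverage = {}, [0.0] * num_bins
    for i, (gram, count) in enumerate(ranked):
        bin_of[gram] = i // per_bin
        coverage[i // per_bin] += count / total  # coverage: share of training n-grams in the bin
    return {"n": n, "bin_of": bin_of, "coverage": coverage}

def layer_score(layer, payload):
    """Assumed packet score: mean coverage of the bins its n-grams hit (unseen = 0)."""
    grams = ngrams(payload, layer["n"])
    if not grams:
        return 1.0  # payload shorter than n: this layer has nothing to judge
    hits = [layer["coverage"][layer["bin_of"][g]] if g in layer["bin_of"] else 0.0 for g in grams]
    return sum(hits) / len(grams)

def classify(layers, payload, threshold):
    """Run the layers in order and stop at the first one that flags the packet."""
    for layer in layers:
        if layer_score(layer, payload) < threshold:
            return ("anomalous", layer["n"])
    return ("normal", None)

# Constructed training traffic (not from the paper's dataset).
TRAIN = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /news.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
]
# Assumption: layer k models k-grams; two bins keep the toy data readable.
LAYERS = [train_layer(TRAIN, n, num_bins=2) for n in (1, 2, 3)]

if __name__ == "__main__":
    for sample in (TRAIN[0], bytes(range(128, 160)), b"lmth.xedni/ TEG"):
        print(sample[:20], classify(LAYERS, sample, threshold=0.05))
```

The third sample uses only byte values seen in training but in an unseen order, so it passes the 1-gram layer and is stopped by the 2-gram layer.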

Published in:

Availability, Reliability, and Security, 2010. ARES '10 International Conference on

Date of Conference:

15-18 Feb. 2010