Anomalous Payload-Based Network Intrusion Detection
- Wang, Ke
- Computer Science
- Recent advances in intrusion detection: 7th international symposium, RAID 2004, Sophia-Antipolis, France, September 15-17, 2004: proceedings, Lecture Notes in Computer Science, vol. 3224 (New York: Springer, 2004), pp. 203-222.
- We present a payload-based anomaly detector, which we call PAYL, for intrusion detection. PAYL models the normal application payload of network traffic in a fully automatic, unsupervised and very efficient fashion. During a training phase we first compute a profile of the byte frequency distribution and its standard deviation for the application payload flowing to a single host and port. During the detection phase we then use the Mahalanobis distance to measure the similarity of new data to the pre-computed profile. The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds it. We demonstrate the surprising effectiveness of the method on the 1999 DARPA IDS dataset and on a live dataset we collected on the Columbia CS department network. In one case nearly 100% accuracy is achieved with a 0.1% false positive rate for port 80 traffic.
- Computer science
- Suggested Citation:
- Ke Wang, Salvatore Stolfo, 2004, Anomalous Payload-Based Network Intrusion Detection, Columbia University Academic Commons, https://doi.org/10.7916/D8PK0NV5.
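The training-then-detection scheme summarised in the abstract (per host-and-port byte frequency profile with mean and standard deviation, then a Mahalanobis distance compared against a threshold), as an added illustration that is not the paper's own code. It assumes the simplified distance sum(|x_i - mean_i| / (sd_i + ALPHA)) with a smoothing term ALPHA, and the HTTP request samples are constructed, not captured traffic.

```python
# Added example, not the PAYL authors' implementation. Assumptions: 1-gram byte
# frequencies, one profile per (host, port), simplified Mahalanobis distance with
# smoothing term ALPHA; all sample payloads are constructed.
import math

ALPHA = 0.001  # keeps bytes never seen in training from dividing by zero


def byte_freq(payload: bytes) -> list[float]:
    """Relative frequency of each of the 256 byte values in one payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload) or 1
    return [c / n for c in counts]


class PaylProfile:
    """Per-port model: mean and standard deviation of every byte's frequency."""

    def __init__(self) -> None:
        self.n = 0
        self.mean = [0.0] * 256
        self._m2 = [0.0] * 256  # running sum of squared deviations (Welford)

    def train(self, payload: bytes) -> None:
        self.n += 1
        for i, x in enumerate(byte_freq(payload)):
            delta = x - self.mean[i]
            self.mean[i] += delta / self.n
            self._m2[i] += delta * (x - self.mean[i])

    def std(self) -> list[float]:
        return [math.sqrt(m2 / self.n) if self.n else 0.0 for m2 in self._m2]

    def distance(self, payload: bytes) -> float:
        """Simplified Mahalanobis distance of a new payload from the profile."""
        x, sd = byte_freq(payload), self.std()
        return sum(abs(x[i] - self.mean[i]) / (sd[i] + ALPHA) for i in range(256))

    def is_anomalous(self, payload: bytes, threshold: float) -> bool:
        return self.distance(payload) > threshold


TRAINING = [  # constructed port-80 traffic used to build the profile
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 22\r\n\r\nuser=alice&pass=secret",
]
NORMAL = b"GET /contact.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
ODD = b"\x90" * 64 + bytes(range(128, 192))  # constructed non-text payload


def build_profile(samples=TRAINING) -> PaylProfile:
    p = PaylProfile()
    for s in samples:
        p.train(s)
    return p
```

Bytes absent from the training set have zero mean and zero standard deviation, so even a modest share of them in a new payload drives the distance far above anything the text-only requests produce; the threshold is what turns that gap into an alert.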