Academic Commons


Anomalous Payload-Based Network Intrusion Detection

Wang, Ke; Stolfo, Salvatore

We present a payload-based anomaly detector, we call PAYL, for intrusion detection. PAYL models the normal application payload of network traffic in a fully automatic, unsupervised and very efficient fashion. We first compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port. We then use Mahalanobis distance during the detection phase to calculate the similarity of new data against the pre-computed profile. The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold. We demonstrate the surprising effectiveness of the method on the 1999 DARPA IDS dataset and a live dataset we collected on the Columbia CS department network. In once case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.



Also Published In

More About This Work

Academic Units
Computer Science
Published Here
April 30, 2010


Recent advances in intrusion detection: 7th international symposium, RAID 2004, Sophia-Antipolis, France, September 15-17, 2004: proceedings, Lecture Notes in Computer Science, vol. 3224 (New York: Springer, 2004), pp. 203-222.

Academic Commons provides global access to research and scholarship produced at Columbia University, Barnard College, Teachers College, Union Theological Seminary and Jewish Theological Seminary. Academic Commons is managed by the Columbia University Libraries.