Anomalous Payload-Based Network Intrusion Detection
We present a payload-based anomaly detector, we call PAYL, for intrusion detection. PAYL models the normal application payload of network traffic in a fully automatic, unsupervised and very efficient fashion. We first compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port. We then use Mahalanobis distance during the detection phase to calculate the similarity of new data against the pre-computed profile. The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold. We demonstrate the surprising effectiveness of the method on the 1999 DARPA IDS dataset and a live dataset we collected on the Columbia CS department network. In once case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.
- RAID4.pdf application/pdf 285 KB Download File
Recent advances in intrusion detection: 7th international symposium, RAID 2004, Sophia-Antipolis, France, September 15-17, 2004: proceedings, Lecture Notes in Computer Science, vol. 3224 (New York: Springer, 2004), pp. 203-222.