HMMPayl: an application of HMM to the analysis of the HTTP Payload

Davide Ariu, Giorgio Giacinto
Proceedings of the First Workshop on Applications of Pattern Analysis, PMLR 11:81-87, 2010.

Abstract

Zero-day attacks are one of the most dangerous threats against computer networks. These, by definition, are attacks never seen before. Thus, defense tools based on a database of rules (usually referred to as “signatures”) that describe known attacks cannot do anything against them. Recently, defense tools based on machine learning algorithms have gained increasing popularity, as they offer the possibility of fighting off zero-day attacks as well. In this paper we propose HMMPayl, an anomaly-based Intrusion Detection System for the protection of a web server and of the applications the server hosts. HMMPayl analyzes the network traffic toward the web server and is based on Hidden Markov Models. This paper makes several contributions. First, the algorithm implemented by HMMPayl models the payload carefully, increasing the classification accuracy with respect to previously proposed solutions. Second, we show that an approach based on multiple classifiers leads to an increased classification accuracy with respect to the case where a single classifier is used. Third, by exploiting the redundancy within the information extracted from the payload, we propose a solution to reduce the computational cost of the algorithm.

Cite this Paper


BibTeX
@InProceedings{pmlr-v11-ariu10a,
  title = {HMMPayl: an application of HMM to the analysis of the HTTP Payload},
  author = {Ariu, Davide and Giacinto, Giorgio},
  booktitle = {Proceedings of the First Workshop on Applications of Pattern Analysis},
  pages = {81--87},
  year = {2010},
  editor = {Diethe, Tom and Cristianini, Nello and Shawe-Taylor, John},
  volume = {11},
  series = {Proceedings of Machine Learning Research},
  address = {Cumberland Lodge, Windsor, UK},
  month = {01--03 Sep},
  publisher = {PMLR},
  pdf = {http://proceedings.mlr.press/v11/ariu10a/ariu10a.pdf},
  url = {https://proceedings.mlr.press/v11/ariu10a.html},
  abstract = {Zero-days attacks are one of the most dangerous threats against computer networks. These, by definition, are attacks never seen before. Thus, defense tools based on a database of rules (usually referred as “signatures”) that describe known attacks cannot do anything against them. Recently, defense tools based on machine learning algorithms have gained an increasing popularity as they offer the possibility to fight off also zero-days attacks. In this paper we propose HMMPayl, an anomaly based Intrusion Detection System for the protection of a web server and of the applications the server hosts. HMMPayl analyzes the network traffic toward the web server and it is based on Hidden Markov Models. With this paper we provide for several contributions. First, the algorithm implemented by HMMPayl allows to carefully model the payload increasing the classification accuracy with respect to previously proposed solutions. Second, we show that an approach based on multiple classifiers leads to an increased classification accuracy with respect to the case where a single classifier is used. Third, exploiting the redundancy within the information extracted from the payload we propose a solution to reduce the computational cost of the algorithm.}
}
APA
Ariu, D. & Giacinto, G. (2010). HMMPayl: an application of HMM to the analysis of the HTTP Payload. Proceedings of the First Workshop on Applications of Pattern Analysis, in Proceedings of Machine Learning Research 11:81-87. Available from https://proceedings.mlr.press/v11/ariu10a.html.
