Powered by GitBook

McPAD : A Multiple Classifier System for Accurate Payload-based Anomaly Detection

Goals and Contributions
Architecture
Data
Limitation
References and Recommended Readings

Goals and Contributions

Improve $2$ -grams

Architecture

One-class SVM

Introduction to One-class Support Vector Machines

Fusion rules

Combine all different One-Class SVM
Min, Max, Mean, Product, Majority voting
Applied to a-posteriori class probabilities under different models, $p_i(\mathrm{x}|\omega)$
Assuming uniform distribution for outliers can turn these rules into class-conditional probabilities

McPAD

Feature Extraction
- $2_v$ $2^{ v }$ -grams, $65536$ $65536$ dimensions
  - $n$ -grams, $256^n$ dimensions
  - For $v = 0$ , $2$ -gram model (of PAYL)
  - Size of sliding window, $v + 2$
- No auto way to derive $2_(v-1)$ $2^{ ( } v - 1)$ -grams, $2_(v-2)$ $2^{ ( } v - 2)$ -grams from $2_v$ $2^{ v }$ -grams
  - Not like $n$ -grams
  - Different $v$ cause different structural information about the payload
Feature Reduction
- Feature clustering algorithm

Attacks

Generic attacks
Shell-code attacks
CLET attacks
PBA(Polymorphic Blending Attack) attacks

Data

Normal
- DARPA
- GATECH
Attacks
- Public non-polymorphic HTTP attack
- Create polymorphic HTTP attack
- Hard to collect a sufficient amount of attack traffic

Limitation

High FP rate

References and Recommended Readings

McPAD : A Multiple Classifier System for Accurate Payload-based Anomaly Detection, Perdisci et al, 2009
HMMPayl: An intrusion detection system based on Hidden Markov Models, Ariu, 2011
McPAD and HMMPayl Two Multiple-Classifier Payload-based Anomaly Detectors
CS 259D Lecture 15

results matching ""

No results matching ""