SlideShare ist ein Scribd-Unternehmen logo

HTTP Payload Analysis Using Multiple Classifiers

Pluribus One
Pluribus One

The document proposes a modular architecture for analyzing HTTP payloads using multiple classifiers to detect anomalies and intrusions. It trains ensembles of hidden Markov models on different lines of HTTP payloads like the request line, host, and user agent. The HMM outputs are then used as features for a one-class classifier to classify the full payload. The approach is evaluated on real traffic datasets and shown to outperform similar systems with high detection rates while being computationally efficient.

Technologie
1 von 24
Downloaden Sie, um offline zu lesen
University of Cagliari Department of Electric and Electronic Engineering A modular architecture for the analysis of HTTP payloads based on Multiple Classifiers Davide Ariu Giorgio Giacinto davide.ariu@diee.unica.it giacinto@diee.unica.it Napoli, 17 Giugno 2011 This research was sponsored by the  Pattern Recognition and Applications Group Autonomous Region of Sardinia through a grant  Group  http://prag.diee.unica.it financed with the ”Sardinia PO FSE 2007‐2013”  funds and provided according to the L.R. 7/2007 
Outline •  Motivations •  The proposed system •  Experimental Setup and Results •  Conclusions Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 2
The objective Design of an anomaly based Intrusion Detection System for the protection of Web Servers and Applications. The HTTP traffic toward the web servers is inspected by a multiple classifier system. Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 3
Why Web Applications? Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 4
Why Anomaly Detection? Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 5
A legitimate Payload... GET /pra/ita/home.php HTTP/1.1 Host: prag.diee.unica.it Accept: text/*, text/html User-Agent: Mozilla/4.0 Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 6
A legitimate Payload... Request Line GET /pra/ita/home.php HTTP/1.1 Host: prag.diee.unica.it Accept: text/*, text/html User-Agent: Mozilla/4.0 Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 7
A legitimate Payload... Request Line GET /pra/ita/home.php HTTP/1.1 Host: prag.diee.unica.it Accept: text/*, text/html User-Agent: Mozilla/4.0 Request Headers Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 8
...and some attacks •  Long Request Buffer Overflow HEAD / aaaaaaa…aaaaaaaaaaaa •  URL Decoding Error GET /d/winnt/sys32/cmd.exe?/c+dir HTTP/1.0 Host: www Connection: close Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 9
Why Payload Analysis? •  Detection of Web-based attacks based on the –  Analysis of the Request-Line •  Allows detecting only attacks that exploit input-validation flows e.g. Spectrogram ([Song,2009]), HMM-Web ([Corona,2009]) –  HTTP Payload Analysis •  Takes into account the whole HTTP-request, and thus it can (in principle) detect any kind of attack Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 10
SOA - Payload Analysis •  Payl [Wang,2004] –  n-grams to represent byte statistics •  McPAD [Perdisci,2009] –  Ensemble of one-class SVM trained on ν-grams •  Spectrogram [Wang,2009] –  Ensemble of Markov Chains to analyze the request-Line •  HMMPayl [Ariu,2011] –  Ensemble of HMM to analyze sequences of bytes from the whole payload None of the above techniques represented the structure of the payload Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 11
The proposed system Basic Idea •  We propose to take into account the structure of HTTP payloads – For each line of the payload, an ensemble of HMM is used to model the sequences of bytes. – The final decision is obtained by using the HMM outputs as features. The payload is thus classified by a one-class classifier trained on the outputs of the HMM ensembles. Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 12
The proposed system A scheme HMM Ensemble  HTTP Payload  Request‐Line  IDS  HMM Ensemble  GET /pra/index.php HTTP/1.1 Accept‐Language  0.62  Host: prag.diee.unica.it ‐1  User-Agent: Mozilla/5.0 Output Score   One‐Class  Accept-Encoding: gzip, deflate HMM Ensemble  0.53  or  Classifier  Host  Class‐Label  0.34  HMM Ensemble  0.49  User‐Agent  HMM Ensemble  Accept‐Encoding  Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 13
Missing Features •  Each request typically does not contain all the headers –  Training phase: the value of the feature related to a missing header has been set to the average value –  Testing phase: the value of the feature related to a missing header has been set to -1 Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 14
Experimental Setup - 1 •  2 Datasets of Real legitimate traffic –  DIEE, collected at the University of Cagliari –  GT, collected at Georgia Tech Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 15
Experimental Setup - 2  •  3 Datasets of Real Attacks – Generic, 66 Attacks – Shell-code, 11 Attacks – XSS-SQL Injection,38 Attacks •  Training: 1 day of traffic •  Test: the remaining traffic plus attacks – K-fold CV 16 
Experimental Setup - 3 •  4 One-class classification algorithms with default setting of parameters –  Gauss - Gaussian distribution –  Mog – Mixture of Gaussians –  Parzen – Parzen density estimator –  SVM – SVM with RBF Kernel •  Performance evaluated using the Partial AUC –  Computed in the FP range [0,0.1] –  Normalized dividing by 0.1 Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 17
Experimental Results Partial AUC – DIEE Dataset Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 18
Experimental Results Multiple HMM – DIEE Dataset – Shellcode Attacks Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 19
Experimental Results Partial AUC – GT Dataset Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 20
Experimental Results Comparison with similar IDS Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 21
Computational Cost Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 22
Conclusions •  We proposed an anomaly based IDS for the protection of Web-Servers and Web- Applications •  We exploited the MCS paradigm –  To analyze the structure of the HTTP payload –  By combining the outputs through a One-class classifier •  Compared to similar systems, our propoal –  Provides high performance in attack detection –  Is fast Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 23
Thank You!  

Empfohlen

口試投影片(詹智傑) Final
口試投影片(詹智傑) Final口試投影片(詹智傑) Final
口試投影片(詹智傑) Final詹智傑
 
Video Quality Measurements
Video Quality MeasurementsVideo Quality Measurements
Video Quality MeasurementsYoss Cohen
 
Dynamic Adaptive Streaming over HTTP: From Content Creation to Consumption
Dynamic Adaptive Streaming over HTTP: From Content Creation to ConsumptionDynamic Adaptive Streaming over HTTP: From Content Creation to Consumption
Dynamic Adaptive Streaming over HTTP: From Content Creation to ConsumptionAlpen-Adria-Universität
 
ARM LPC2300/LPC2400 TCP/IP Stack Porting
ARM LPC2300/LPC2400 TCP/IP Stack PortingARM LPC2300/LPC2400 TCP/IP Stack Porting
ARM LPC2300/LPC2400 TCP/IP Stack PortingMathivanan Elangovan
 
report
reportreport
reportChristian Uldall Pedersen
 
Technology Update: MPEG-Dash
Technology Update: MPEG-DashTechnology Update: MPEG-Dash
Technology Update: MPEG-DashMedia Perspectives
 
Microsoft PowerPoint - WirelessCluster_Pres
Microsoft PowerPoint - WirelessCluster_PresMicrosoft PowerPoint - WirelessCluster_Pres
Microsoft PowerPoint - WirelessCluster_PresVideoguy
 
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...gree_tech
 

Empfohlen

口試投影片(詹智傑) Final
口試投影片(詹智傑) Final口試投影片(詹智傑) Final
口試投影片(詹智傑) Final詹智傑
 
Video Quality Measurements
Video Quality MeasurementsVideo Quality Measurements
Video Quality MeasurementsYoss Cohen
 
Dynamic Adaptive Streaming over HTTP: From Content Creation to Consumption
Dynamic Adaptive Streaming over HTTP: From Content Creation to ConsumptionDynamic Adaptive Streaming over HTTP: From Content Creation to Consumption
Dynamic Adaptive Streaming over HTTP: From Content Creation to ConsumptionAlpen-Adria-Universität
 
ARM LPC2300/LPC2400 TCP/IP Stack Porting
ARM LPC2300/LPC2400 TCP/IP Stack PortingARM LPC2300/LPC2400 TCP/IP Stack Porting
ARM LPC2300/LPC2400 TCP/IP Stack PortingMathivanan Elangovan
 
report
reportreport
reportChristian Uldall Pedersen
 
Technology Update: MPEG-Dash
Technology Update: MPEG-DashTechnology Update: MPEG-Dash
Technology Update: MPEG-DashMedia Perspectives
 
Microsoft PowerPoint - WirelessCluster_Pres
Microsoft PowerPoint - WirelessCluster_PresMicrosoft PowerPoint - WirelessCluster_Pres
Microsoft PowerPoint - WirelessCluster_PresVideoguy
 
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...gree_tech
 
Generating Ideas: Getting the most out of (un)usual suspects
Generating Ideas: Getting the most out of (un)usual suspectsGenerating Ideas: Getting the most out of (un)usual suspects
Generating Ideas: Getting the most out of (un)usual suspectsSocial Innovation Exchange
 
VZYT
VZYTVZYT
VZYTIolo Jones
 
Naked by the Sea (Sometimes) Poster
Naked by the Sea (Sometimes) PosterNaked by the Sea (Sometimes) Poster
Naked by the Sea (Sometimes) PosterAdrian Smith
 
+®S
+®S+®S
+®Slouisemichelchampigny
 
Boe a-2013-4028
Boe a-2013-4028Boe a-2013-4028
Boe a-2013-4028poligonolorca
 
Anthony Weiner: Maybe He Knows Something We Don’t
Anthony Weiner: Maybe He Knows Something We Don’tAnthony Weiner: Maybe He Knows Something We Don’t
Anthony Weiner: Maybe He Knows Something We Don’tDominic Carter
 
1 18 11 Updated Health Care Reform Iia
1 18 11 Updated Health Care Reform Iia1 18 11 Updated Health Care Reform Iia
1 18 11 Updated Health Care Reform IiaBrandon Lagarde
 
Napoleon
NapoleonNapoleon
NapoleonJuan Jose Principe Campos
 
El hombre y el universo
El hombre y el universoEl hombre y el universo
El hombre y el universoMiriam Madridano
 
Quantum-grizzly-packet-filtering
Quantum-grizzly-packet-filteringQuantum-grizzly-packet-filtering
Quantum-grizzly-packet-filteringAkihiro Motoki
 
Web Sphere Problem Determination Ext
Web Sphere Problem Determination ExtWeb Sphere Problem Determination Ext
Web Sphere Problem Determination ExtRohit Kelapure
 
Art Of Message Queues
Art Of Message QueuesArt Of Message Queues
Art Of Message QueuesMike Willbanks
 
eXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework IntroductioneXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework Introductionvstorm83
 
Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Michael Ducy
 
Sonar En
Sonar EnSonar En
Sonar EnAleksey Trusov
 
Build cloud native solution using open source
Build cloud native solution using open source Build cloud native solution using open source
Build cloud native solution using open source Nitesh Jadhav
 
Prometheus - Intro, CNCF, TSDB,PromQL,Grafana
Prometheus - Intro, CNCF, TSDB,PromQL,GrafanaPrometheus - Intro, CNCF, TSDB,PromQL,Grafana
Prometheus - Intro, CNCF, TSDB,PromQL,GrafanaSridhar Kumar N
 
Wissbi osdc pdf
Wissbi osdc pdfWissbi osdc pdf
Wissbi osdc pdfChris Huang
 
QA. Load Testing
QA. Load TestingQA. Load Testing
QA. Load TestingAlex Galkin
 
Rohit yadav cloud stack internals
Rohit yadav cloud stack internalsRohit yadav cloud stack internals
Rohit yadav cloud stack internalsShapeBlue
 
Automatic test packet generation
Automatic test packet generationAutomatic test packet generation
Automatic test packet generationtusharjadhav2611
 
php[world] Magento101
php[world] Magento101php[world] Magento101
php[world] Magento101Mathew Beane
 

Weitere ähnliche Inhalte

Andere mochten auch

Generating Ideas: Getting the most out of (un)usual suspects
Generating Ideas: Getting the most out of (un)usual suspectsGenerating Ideas: Getting the most out of (un)usual suspects
Generating Ideas: Getting the most out of (un)usual suspectsSocial Innovation Exchange
 
Naked by the Sea (Sometimes) Poster
Naked by the Sea (Sometimes) PosterNaked by the Sea (Sometimes) Poster
Naked by the Sea (Sometimes) PosterAdrian Smith
 
Anthony Weiner: Maybe He Knows Something We Don’t
Anthony Weiner: Maybe He Knows Something We Don’tAnthony Weiner: Maybe He Knows Something We Don’t
Anthony Weiner: Maybe He Knows Something We Don’tDominic Carter
 
1 18 11 Updated Health Care Reform Iia
1 18 11 Updated Health Care Reform Iia1 18 11 Updated Health Care Reform Iia
1 18 11 Updated Health Care Reform IiaBrandon Lagarde
 

Andere mochten auch (9)

Generating Ideas: Getting the most out of (un)usual suspects
Generating Ideas: Getting the most out of (un)usual suspectsGenerating Ideas: Getting the most out of (un)usual suspects
Generating Ideas: Getting the most out of (un)usual suspects
 
VZYT
VZYTVZYT
VZYT
 
Naked by the Sea (Sometimes) Poster
Naked by the Sea (Sometimes) PosterNaked by the Sea (Sometimes) Poster
Naked by the Sea (Sometimes) Poster
 
+®S
+®S+®S
+®S
 
Boe a-2013-4028
Boe a-2013-4028Boe a-2013-4028
Boe a-2013-4028
 
Anthony Weiner: Maybe He Knows Something We Don’t
Anthony Weiner: Maybe He Knows Something We Don’tAnthony Weiner: Maybe He Knows Something We Don’t
Anthony Weiner: Maybe He Knows Something We Don’t
 
1 18 11 Updated Health Care Reform Iia
1 18 11 Updated Health Care Reform Iia1 18 11 Updated Health Care Reform Iia
1 18 11 Updated Health Care Reform Iia
 
Napoleon
NapoleonNapoleon
Napoleon
 
El hombre y el universo
El hombre y el universoEl hombre y el universo
El hombre y el universo
 

Ähnlich wie HTTP Payload Analysis Using Multiple Classifiers

Quantum-grizzly-packet-filtering
Quantum-grizzly-packet-filteringQuantum-grizzly-packet-filtering
Quantum-grizzly-packet-filteringAkihiro Motoki
 
Web Sphere Problem Determination Ext
Web Sphere Problem Determination ExtWeb Sphere Problem Determination Ext
Web Sphere Problem Determination ExtRohit Kelapure
 
eXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework IntroductioneXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework Introductionvstorm83
 
Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Michael Ducy
 
Build cloud native solution using open source
Build cloud native solution using open source Build cloud native solution using open source
Build cloud native solution using open source Nitesh Jadhav
 
Prometheus - Intro, CNCF, TSDB,PromQL,Grafana
Prometheus - Intro, CNCF, TSDB,PromQL,GrafanaPrometheus - Intro, CNCF, TSDB,PromQL,Grafana
Prometheus - Intro, CNCF, TSDB,PromQL,GrafanaSridhar Kumar N
 
QA. Load Testing
QA. Load TestingQA. Load Testing
QA. Load TestingAlex Galkin
 
Rohit yadav cloud stack internals
Rohit yadav cloud stack internalsRohit yadav cloud stack internals
Rohit yadav cloud stack internalsShapeBlue
 
Automatic test packet generation
Automatic test packet generationAutomatic test packet generation
Automatic test packet generationtusharjadhav2611
 
php[world] Magento101
php[world] Magento101php[world] Magento101
php[world] Magento101Mathew Beane
 
How to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experienceHow to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experienceDocker, Inc.
 
Summarizing Software API Usage Examples Using Clustering Techniques
Summarizing Software API Usage Examples Using Clustering TechniquesSummarizing Software API Usage Examples Using Clustering Techniques
Summarizing Software API Usage Examples Using Clustering TechniquesNikos Katirtzis
 
The PeriCAT Framework
The PeriCAT FrameworkThe PeriCAT Framework
The PeriCAT FrameworkPERICLES_FP7
 
Thesis Presentation P2 P Vo D On Internet Rodrigo Godoi
Thesis Presentation P2 P Vo D On Internet Rodrigo GodoiThesis Presentation P2 P Vo D On Internet Rodrigo Godoi
Thesis Presentation P2 P Vo D On Internet Rodrigo GodoiRodrigo Godoi, PMP
 

Ähnlich wie HTTP Payload Analysis Using Multiple Classifiers (20)

Quantum-grizzly-packet-filtering
Quantum-grizzly-packet-filteringQuantum-grizzly-packet-filtering
Quantum-grizzly-packet-filtering
 
Web Sphere Problem Determination Ext
Web Sphere Problem Determination ExtWeb Sphere Problem Determination Ext
Web Sphere Problem Determination Ext
 
Art Of Message Queues
Art Of Message QueuesArt Of Message Queues
Art Of Message Queues
 
eXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework IntroductioneXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework Introduction
 
Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.
 
Sonar En
Sonar EnSonar En
Sonar En
 
Build cloud native solution using open source
Build cloud native solution using open source Build cloud native solution using open source
Build cloud native solution using open source
 
Prometheus - Intro, CNCF, TSDB,PromQL,Grafana
Prometheus - Intro, CNCF, TSDB,PromQL,GrafanaPrometheus - Intro, CNCF, TSDB,PromQL,Grafana
Prometheus - Intro, CNCF, TSDB,PromQL,Grafana
 
Wissbi osdc pdf
Wissbi osdc pdfWissbi osdc pdf
Wissbi osdc pdf
 
QA. Load Testing
QA. Load TestingQA. Load Testing
QA. Load Testing
 
Rohit yadav cloud stack internals
Rohit yadav cloud stack internalsRohit yadav cloud stack internals
Rohit yadav cloud stack internals
 
Automatic test packet generation
Automatic test packet generationAutomatic test packet generation
Automatic test packet generation
 
php[world] Magento101
php[world] Magento101php[world] Magento101
php[world] Magento101
 
How to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experienceHow to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experience
 
Node js meetup
Node js meetupNode js meetup
Node js meetup
 
Node.js security tour
Node.js security tourNode.js security tour
Node.js security tour
 
Summarizing Software API Usage Examples Using Clustering Techniques
Summarizing Software API Usage Examples Using Clustering TechniquesSummarizing Software API Usage Examples Using Clustering Techniques
Summarizing Software API Usage Examples Using Clustering Techniques
 
The PeriCAT Framework
The PeriCAT FrameworkThe PeriCAT Framework
The PeriCAT Framework
 
Thesis Presentation P2 P Vo D On Internet Rodrigo Godoi
Thesis Presentation P2 P Vo D On Internet Rodrigo GodoiThesis Presentation P2 P Vo D On Internet Rodrigo Godoi
Thesis Presentation P2 P Vo D On Internet Rodrigo Godoi
 
43
4343
43
 

Mehr von Pluribus One

Smart Textiles - Prospettive di mercato - Davide Ariu
Smart Textiles - Prospettive di mercato - Davide Ariu Smart Textiles - Prospettive di mercato - Davide Ariu
Smart Textiles - Prospettive di mercato - Davide Ariu Pluribus One
 
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...Pluribus One
 
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...Pluribus One
 
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...Pluribus One
 
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019Pluribus One
 
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...Pluribus One
 
On Security and Sparsity of Linear Classifiers for Adversarial Settings
On Security and Sparsity of Linear Classifiers for Adversarial SettingsOn Security and Sparsity of Linear Classifiers for Adversarial Settings
On Security and Sparsity of Linear Classifiers for Adversarial SettingsPluribus One
 
Secure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion AttacksSecure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion AttacksPluribus One
 
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security MeasuresMachine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security MeasuresPluribus One
 
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...Pluribus One
 
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...Pluribus One
 
Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...
Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...
Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...Pluribus One
 
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...Pluribus One
 
Battista Biggio @ AISec 2014 - Poisoning Behavioral Malware Clustering
Battista Biggio @ AISec 2014 - Poisoning Behavioral Malware ClusteringBattista Biggio @ AISec 2014 - Poisoning Behavioral Malware Clustering
Battista Biggio @ AISec 2014 - Poisoning Behavioral Malware ClusteringPluribus One
 
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...Pluribus One
 
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...Pluribus One
 
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...Pluribus One
 
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"Pluribus One
 
Zahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense SlidesZahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense SlidesPluribus One
 
Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...Pluribus One
 

Mehr von Pluribus One (20)

Smart Textiles - Prospettive di mercato - Davide Ariu
Smart Textiles - Prospettive di mercato - Davide Ariu Smart Textiles - Prospettive di mercato - Davide Ariu
Smart Textiles - Prospettive di mercato - Davide Ariu
 
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...
 
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...
 
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
 
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
 
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
 
On Security and Sparsity of Linear Classifiers for Adversarial Settings
On Security and Sparsity of Linear Classifiers for Adversarial SettingsOn Security and Sparsity of Linear Classifiers for Adversarial Settings
On Security and Sparsity of Linear Classifiers for Adversarial Settings
 
Secure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion AttacksSecure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion Attacks
 
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security MeasuresMachine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
 
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
 
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
 
Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...
Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...
Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...
 
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
 
Battista Biggio @ AISec 2014 - Poisoning Behavioral Malware Clustering
Battista Biggio @ AISec 2014 - Poisoning Behavioral Malware ClusteringBattista Biggio @ AISec 2014 - Poisoning Behavioral Malware Clustering
Battista Biggio @ AISec 2014 - Poisoning Behavioral Malware Clustering
 
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
 
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
 
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
 
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
 
Zahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense SlidesZahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense Slides
 
Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...
 

Kürzlich hochgeladen

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Kürzlich hochgeladen (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

HTTP Payload Analysis Using Multiple Classifiers

  • 1. University of Cagliari Department of Electric and Electronic Engineering A modular architecture for the analysis of HTTP payloads based on Multiple Classifiers Davide Ariu Giorgio Giacinto davide.ariu@diee.unica.it giacinto@diee.unica.it Napoli, 17 Giugno 2011 This research was sponsored by the  Pattern Recognition and Applications Group Autonomous Region of Sardinia through a grant  Group  http://prag.diee.unica.it financed with the ”Sardinia PO FSE 2007‐2013”  funds and provided according to the L.R. 7/2007 
  • 2. Outline •  Motivations •  The proposed system •  Experimental Setup and Results •  Conclusions Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 2
  • 3. The objective Design of an anomaly based Intrusion Detection System for the protection of Web Servers and Applications. The HTTP traffic toward the web servers is inspected by a multiple classifier system. Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 3
  • 4. Why Web Applications? Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 4
  • 5. Why Anomaly Detection? Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 5
  • 6. A legitimate Payload... GET /pra/ita/home.php HTTP/1.1 Host: prag.diee.unica.it Accept: text/*, text/html User-Agent: Mozilla/4.0 Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 6
  • 7. A legitimate Payload... Request Line GET /pra/ita/home.php HTTP/1.1 Host: prag.diee.unica.it Accept: text/*, text/html User-Agent: Mozilla/4.0 Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 7
  • 8. A legitimate Payload... Request Line GET /pra/ita/home.php HTTP/1.1 Host: prag.diee.unica.it Accept: text/*, text/html User-Agent: Mozilla/4.0 Request Headers Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 8
  • 9. ...and some attacks •  Long Request Buffer Overflow HEAD / aaaaaaa…aaaaaaaaaaaa •  URL Decoding Error GET /d/winnt/sys32/cmd.exe?/c+dir HTTP/1.0 Host: www Connection: close Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 9
  • 10. Why Payload Analysis? •  Detection of Web-based attacks based on the –  Analysis of the Request-Line •  Allows detecting only attacks that exploit input-validation flows e.g. Spectrogram ([Song,2009]), HMM-Web ([Corona,2009]) –  HTTP Payload Analysis •  Takes into account the whole HTTP-request, and thus it can (in principle) detect any kind of attack Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 10
  • 11. SOA - Payload Analysis •  Payl [Wang,2004] –  n-grams to represent byte statistics •  McPAD [Perdisci,2009] –  Ensemble of one-class SVM trained on ν-grams •  Spectrogram [Wang,2009] –  Ensemble of Markov Chains to analyze the request-Line •  HMMPayl [Ariu,2011] –  Ensemble of HMM to analyze sequences of bytes from the whole payload None of the above techniques represented the structure of the payload Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 11
  • 12. The proposed system Basic Idea •  We propose to take into account the structure of HTTP payloads – For each line of the payload, an ensemble of HMM is used to model the sequences of bytes. – The final decision is obtained by using the HMM outputs as features. The payload is thus classified by a one-class classifier trained on the outputs of the HMM ensembles. Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 12
  • 13. The proposed system A scheme HMM Ensemble  HTTP Payload  Request‐Line  IDS  HMM Ensemble  GET /pra/index.php HTTP/1.1 Accept‐Language  0.62  Host: prag.diee.unica.it ‐1  User-Agent: Mozilla/5.0 Output Score   One‐Class  Accept-Encoding: gzip, deflate HMM Ensemble  0.53  or  Classifier  Host  Class‐Label  0.34  HMM Ensemble  0.49  User‐Agent  HMM Ensemble  Accept‐Encoding  Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 13
  • 14. Missing Features •  Each request typically does not contain all the headers –  Training phase: the value of the feature related to a missing header has been set to the average value –  Testing phase: the value of the feature related to a missing header has been set to -1 Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 14
  • 15. Experimental Setup - 1 •  2 Datasets of Real legitimate traffic –  DIEE, collected at the University of Cagliari –  GT, collected at Georgia Tech Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 15
  • 16. Experimental Setup - 2  •  3 Datasets of Real Attacks – Generic, 66 Attacks – Shell-code, 11 Attacks – XSS-SQL Injection,38 Attacks •  Training: 1 day of traffic •  Test: the remaining traffic plus attacks – K-fold CV 16 
  • 17. Experimental Setup - 3 •  4 One-class classification algorithms with default setting of parameters –  Gauss - Gaussian distribution –  Mog – Mixture of Gaussians –  Parzen – Parzen density estimator –  SVM – SVM with RBF Kernel •  Performance evaluated using the Partial AUC –  Computed in the FP range [0,0.1] –  Normalized dividing by 0.1 Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 17
  • 18. Experimental Results Partial AUC – DIEE Dataset Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 18
  • 19. Experimental Results Multiple HMM – DIEE Dataset – Shellcode Attacks Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 19
  • 20. Experimental Results Partial AUC – GT Dataset Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 20
  • 21. Experimental Results Comparison with similar IDS Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 21
  • 22. Computational Cost Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 22
  • 23. Conclusions •  We proposed an anomaly based IDS for the protection of Web-Servers and Web- Applications •  We exploited the MCS paradigm –  To analyze the structure of the HTTP payload –  By combining the outputs through a One-class classifier •  Compared to similar systems, our propoal –  Provides high performance in attack detection –  Is fast Pattern Recognition and Applications Group Group  http://prag.diee.unica.it 23