McPAD: A multiple classifier system for accurate payload-based anomaly detection

Computer Networks

Volumn 53, Issue 6, 2009, Pages 864-881

  Perdisci, Roberto ^a,b   Ariu, Davide ^c   Fogla, Prahlad ^d   Giacinto, Giorgio ^c   Lee, Wenke ^b  

^a Damballa Inc   (United States)

^b Georgia Institute of Technology   (United States)

^c UNIVERSITY OF CAGLIARI   (Italy)

^d GOOGLE INC   (United States)

Author keywords

Anomaly detection; Multiple classifiers; Network intrusion detection; One class SVM; Shell code attacks

Indexed keywords

BLENDING; CLASSIFIERS; COMPUTER CRIME; INTERNET; OBJECT RECOGNITION; SUPPORT VECTOR MACHINES;

ANOMALY DETECTION; MULTIPLE CLASSIFIERS; NETWORK INTRUSION DETECTION; ONE-CLASS SVM; SHELL-CODE ATTACKS;

INTRUSION DETECTION;

EID: 61749083929     PISSN: 13891286     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.comnet.2008.11.011     Document Type: Article

References (37)

1. Arce I. The shellcode generation. IEEE Security and Privacy 2 5 (2004) 72-76
2. S. Axelsson, The base-rate fallacy and its implications for the difficulty of intrusion detection, in: CCS'99: Proceedings of the Sixth ACM Conference on Computer and Communications Security, 1999, pp. 1-7.
3. Bradley A.P. The use of the area under the roc curve in the evaluation of machine learning algorithms. Pattern Recognition 30 7 (1997) 1145-1159
4. Brunelli R., and Falavigna D. Person identification using multiple cues. IEEE Transaction on Pattern Analysis and Machine Intelligence 17 10 (1995) 955-966
5. R. Chinchani, E.V.D. Berg, A fast static analysis approach to detect exploit code inside network flows, in: Recent Advances in Intrusion Detection (RAID), 2005.
6. L.P. Cordella, A. Limongiello, C. Sansone, Network intrusion detection by a multi-stage classification system, in: Multiple Classifier Systems (MCS), 2004, pp. 324-333.
7. C. Cortes, M. Mohri, Confidence intervals for the area under the roc curve, in: NIPS 2004: Advances in Neural Information Processing Systems, 2004.
8. T. Detristan, T. Ulenspiegel, Y. Malcom, M. Underduk, Polymorphic shellcode engine using spectrum analysis, Phrack Issue 0x3d, 2003.
9. Dhillon I.S., Mallela S., and Kumar R. A divisive information-theoretic feature clustering algorithm for text classification. Journal of Machine Learning Research 3 (2003) 1265-1287
10. T.G. Dietterich, Ensemble methods in machine learning, in: Multiple Classifier Systems (MCS), 2000.
11. Duda R.O., Hart P.E., and Stork D.G. Pattern Classification (2000), Wiley
12. Eskin E., Arnold A., Prerau M., Portnoy L., and Stolfo S. A geometric framework for unsupervised anomaly detection: detecting intrusions in unlabeled data. In: Barbara D., and Jajodia S. (Eds). Applications of Data Mining in Computer Security (2002), Kluwer
13. P. Fogla, W. Lee, Evading network anomaly detection systems: formal reasoning and practical techniques, in: CCS'06: Proceedings of the 13th ACM Conference on Computer and Communications Security, 2006, pp. 59-68.
14. P. Fogla, M. Sharif, R. Perdisci, O.M. Kolesnikov, W. Lee, Polymorphic blending attack, in: USENIX Security Symposium, 2006.
15. Giacinto G., Perdisci R., Del Rio M., and Roli F. Intrusion detection in computer networks by a modular ensemble of one-class classifiers. Information Fusion 9 1 (2008) 69-82
16. Giacinto G., Roli F., and Didaci L. Fusion of multiple classifiers for intrusion detection in computer networks. Pattern Recognition Letters 24 12 (2003) 1795-1803
17. K.L. Ingham, H. Inoue, Comparing anomaly detection techniques for HTTP, in: Recent Advances in Intrusion Detection (RAID), 2007.
18. Kittler J., Hatef M., Duin R.P.W., and Matas J. On combining classifiers. IEEE Transactions Pattern Analysis and Machine Intelligence 20 3 (1998) 226-239
19. C. Kruegel, T. Toth, E. Kirda, Service specific anomaly detection for network intrusion detection, in: ACM Symposium on Applied Computing (SAC), 2002.
20. Kuncheva L.I. Combining Pattern Classifiers: Methods and Algorithms (2004), Wiley
21. Leopold E., and Kindermann J. Text categorization with support vector machines. How to represent texts in input space?. Machine Learning 46 (2002) 423-444
22. Lippmann R., Haines J.W., Fried D.J., Korba J., and Das K. The 1999 darpa off-line intrusion detection evaluation. Computer Networks 34 4 (2000) 579-595
23. M.V. Mahoney, P.K. Chan, An analysis of the 1999 darpa lincoln laboratory evaluation data for network anomaly detection, in: Recent Advances in Intrusion Detection (RAID), 2003.
24. McHugh J. Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security 3 4 (2000) 262-294
25. McHugh J., Christie A., and Allen J. Defending yourself: The role of intrusion detection systems. IEEE Software (2000) 42-51
26. R. Perdisci, G. Gu, W. Lee, Using an ensemble of one-class svm classifiers to harden payload-based anomaly detection systems, in: ICDM'06: Proceedings of the Sixth International Conference on Data Mining, 2006, pp. 488-498.
27. L. Portnoy, E. Eskin, S. Stolfo, Intrusion detection with unlabeled data using clustering, in: ACM CSS Workshop on Data Mining Applied to Security, 2001.
28. Schölkopf B., Platt J., Shawe-Taylor J., Smola A.J., and Williamson R.C. Estimating the support of a high-dimensional distribution. Neural Computation 13 (2001) 1443-1471
29. Sebastiani F. Machine learning in automated text categorization. ACM Computing Surveys 34 1 (2002) 1-47
30. Y. Song, M.E. Locasto, A. Stavrou, A.D. Keromytis, S.J. Stolfo, On the infeasibility of modeling polymorphic shellcode, in: CCS'07: Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007.
31. D.M.J. Tax, One-Class Classification, Concept Learning in the Absence of Counter Examples. Ph.D. Thesis, Delft University of Technology, Delft, Netherland, 2001.
32. D.M.J. Tax, R.P.W. Duin, Combining one-class classifiers, in: Multiple Classifier Systems (MCS), 2001.
33. T. Toth, C. Kruegel, Accurate buffer overflow detection via abstract payload execution, in: Recent Advances in Intrusion Detection (RAID), 2002.
34. Vapnik V. Statistical Learning Theory (1998), Wiley
35. K. Wang, S. Stolfo, Anomalous payload-based network intrusion detection, in: Recent Advances in Intrusion Detection (RAID), 2004.
36. K. Wang, S. Stolfo, Anomalous payload-based worm detection and signature generation, in: Recent Advances in Intrusion Detection (RAID), 2005.
37. K. Wang, S. Stolfo, Anagram: a content anomaly detector resistant to mimicry attack, in: Recent Advances in Intrusion Detection (RAID), 2006.