A modular architecture for the analysis of HTTP payloads based on Multiple Classifiers
Davide Ariu davide.ariu@diee.unica.it Giorgio Giacinto giacinto@diee.unica.it
Outline
Motivations
The proposed system
Experimental Setup and Results
Conclusions
The objective
Design of an anomaly-based Intrusion Detection System for the protection of web servers and web applications. The HTTP traffic toward the web servers is inspected by a multiple classifier system.
A legitimate Payload...
Request Line:
GET /pra/ita/home.php HTTP/1.1
Request Headers:
Host: prag.diee.unica.it
Accept: text/*, text/html
User-Agent: Mozilla/4.0
McPAD [Perdisci, 2009]: ensemble of one-class SVMs trained on ν-grams
Spectrogram [Wang, 2009]: ensemble of Markov chains to analyze the request line
HMMPayl [Ariu, 2011]: ensemble of HMMs to analyze sequences of bytes from the whole payload
Architecture (figure): the HTTP payload, e.g.
GET /pra/index.php HTTP/1.1
Host: prag.diee.unica.it
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
is split into its headers, and a separate HMM ensemble analyzes each one (Host, User-Agent, Accept-Encoding, Accept-Language). The per-header scores (in the figure: 0.62, 1, 0.53, 0.34, 0.49) are fed to a one-class classifier, whose output score or class label is the IDS decision.
Missing Features
Each request typically does not contain all the headers.
Training phase: the value of the feature related to a missing header is set to the average value of that feature.
Testing phase: the value of the feature related to a missing header is set to -1.
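The two slides above (one HMM ensemble per header feeding a one-class combiner, and the missing-header policy) as an added Python example, not the authors' code: the HMM ensembles are replaced by a toy byte-alphabet scorer so the pipeline runs offline, the monitored header set is assumed from the figure, and the training requests are constructed.

```python
from statistics import mean

MONITORED = ("Host", "User-Agent", "Accept-Encoding", "Accept-Language")  # assumed from the figure

# Constructed training traffic (not taken from the DIEE or GT datasets).
TRAIN = [
    "GET /pra/index.php HTTP/1.1\nHost: prag.diee.unica.it\n"
    "User-Agent: Mozilla/5.0\nAccept-Encoding: gzip, deflate\nAccept-Language: it",
    "GET /pra/ita/home.php HTTP/1.1\nHost: prag.diee.unica.it\n"
    "User-Agent: Mozilla/4.0\nAccept-Encoding: gzip",
]

def parse_request(raw):
    """Split a raw HTTP request into its request line and a {name: value} header dict."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return lines[0].strip(), headers

def fit_bytes(values):
    """Toy stand-in for training one HMM ensemble: the byte alphabet seen in training."""
    return {b for v in values for b in v.encode()}

def score_bytes(seen, value):
    """Toy stand-in for an ensemble score in [0, 1]: share of value bytes already seen."""
    data = value.encode()
    return sum(b in seen for b in data) / len(data) if data else 0.0

class HeaderFeatureExtractor:
    """Builds the per-header score vector that the one-class combiner receives."""
    def __init__(self):
        self.alphabets = {}  # header -> byte alphabet (the toy per-header "model")
        self.means = {}      # header -> average score over the training requests
    def fit(self, raw_requests):
        parsed = [parse_request(r)[1] for r in raw_requests]
        for h in MONITORED:
            present = [hd[h] for hd in parsed if h in hd]
            self.alphabets[h] = fit_bytes(present)
            scores = [score_bytes(self.alphabets[h], v) for v in present]
            # Training phase: a missing header takes the feature's average value
            self.means[h] = mean(scores) if scores else 0.0
        return [self._vector(hd, training=True) for hd in parsed]
    def transform(self, raw_request):
        # Testing phase: a missing header is encoded as -1, outside the score range
        return self._vector(parse_request(raw_request)[1], training=False)
    def _vector(self, headers, training):
        return [score_bytes(self.alphabets[h], headers[h]) if h in headers
                else (self.means[h] if training else -1.0) for h in MONITORED]
```

A request that omits a monitored header thus lands at -1 on that feature only at test time, so the combiner sees the absence as a deviation rather than as an average-looking value.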
Experimental Setup - 1
2 datasets of real legitimate traffic:
DIEE, collected at the University of Cagliari
GT, collected at Georgia Tech
Experimental Setup - 2
3 datasets of real attacks:
Generic, 66 attacks
Shell-code, 11 attacks
XSS-SQL Injection, 38 attacks
Experimental Setup - 3
4 one-class classification algorithms with default parameter settings:
Gauss - Gaussian distribution
MoG - Mixture of Gaussians
Parzen - Parzen density estimator
SVM - SVM with RBF kernel
Experimental Results
Partial AUC, DIEE dataset
Experimental Results
Partial AUC, GT dataset
Experimental Results
Comparison with similar IDS
Computational Cost
Conclusions
We proposed an anomaly-based IDS for the protection of web servers and web applications.
We exploited the MCS paradigm to analyze the structure of the HTTP payload, combining the outputs of the per-header analyzers through a one-class classifier.
Thank You!