
University of Cagliari

Department of Electric and Electronic Engineering

A modular architecture for the analysis of HTTP payloads based on Multiple Classifiers
Davide Ariu davide.ariu@diee.unica.it, Giorgio Giacinto giacinto@diee.unica.it

Napoli, 17 June 2011


Pattern Recognition and Applications Group
http://prag.diee.unica.it
This research was sponsored by the Autonomous Region of Sardinia through a grant financed with the Sardinia PO FSE 2007-2013 funds and provided according to the L.R. 7/2007

Outline
Motivations
The proposed system
Experimental Setup and Results
Conclusions


The objective
Design of an anomaly based Intrusion Detection System for the protection of Web Servers and Applications. The HTTP traffic toward the web servers is inspected by a multiple classifier system.


Why Web Applications?


Why Anomaly Detection?


A legitimate Payload...
Request Line:
GET /pra/ita/home.php HTTP/1.1
Request Headers:
Host: prag.diee.unica.it
Accept: text/*, text/html
User-Agent: Mozilla/4.0

...and some attacks

Long Request Buffer Overflow:
HEAD / aaaaaaaaaaaaaaaaaaa

URL Decoding Error:
GET /d/winnt/sys32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connection: close


Why Payload Analysis?

Detection of Web-based attacks based on the analysis of the Request-Line alone allows detecting only attacks that exploit input-validation flaws, e.g. Spectrogram [Song,2009], HMM-Web [Corona,2009].

HTTP Payload Analysis takes into account the whole HTTP request, and thus it can (in principle) detect any kind of attack.

State of the Art (SOA) - Payload Analysis

PAYL [Wang,2004]: n-grams to represent byte statistics
McPAD [Perdisci,2009]: ensemble of one-class SVMs trained on 2ν-grams
Spectrogram [Song,2009]: ensemble (mixture) of Markov Chains to analyze the Request-Line
HMMPayl [Ariu,2011]: ensemble of HMMs to analyze sequences of bytes from the whole payload

None of the above techniques represents the structure of the payload.



The proposed system

Basic Idea
We propose to take into account the structure of HTTP payloads. For each line of the payload, an ensemble of HMMs is used to model the sequence of bytes. The final decision is obtained by using the HMM outputs as features: the payload is thus classified by a one-class classifier trained on the outputs of the HMM ensembles.

The proposed system

A scheme
HTTP Payload (example):
GET /pra/index.php HTTP/1.1
Host: prag.diee.unica.it
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate

Each line of the payload feeds its own HMM Ensemble (Request Line, Host, User-Agent, Accept-Encoding, Accept-Language). The ensemble outputs (e.g. 0.62, 1, 0.53, 0.34, 0.49) form the feature vector of the One-Class Classifier, whose output score or class label is the IDS decision.


Missing Features
Each request typically does not contain all the headers.
Training phase: the value of the feature related to a missing header is set to the average value of that feature.
Testing phase: the value of the feature related to a missing header is set to -1.
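To make the Basic Idea, the scheme and the Missing Features rules concrete, here is a constructed Python example added to this page (it is not the authors' code). The HMM ensembles are stood in for by first-order byte Markov chains, and the one-class classifier is a diagonal Gaussian in the spirit of the slides' "Gauss" option. The list of modelled headers, the training requests, the 1.5 threshold margin and the 1e-3 variance floor are all assumptions; the two attack payloads are the ones shown on the slides.

```python
"""Toy version of the per-line payload model on the slides (constructed
example, not the authors' code): each line's HMM ensemble is stood in for by
a byte Markov chain, the one-class classifier is a diagonal Gaussian, and
every request below is a hand-written sample."""
import math
from collections import Counter, defaultdict

# One model per line of the request head, as in the scheme on the slides.
FIELDS = ["request-line", "host", "user-agent", "accept",
          "accept-encoding", "accept-language"]
MISSING_AT_TEST = -1.0  # sentinel the slides prescribe for an absent header


def parse_request(raw):
    """Request line plus lower-cased header name -> value."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    fields = {"request-line": lines[0].strip()}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields


class ByteMarkov:
    """First-order Markov chain over bytes with add-one smoothing; score()
    is the geometric mean of the transition probabilities, in (0, 1]."""

    def __init__(self):
        self.trans, self.total = defaultdict(Counter), Counter()

    def fit(self, samples):
        for b in (s.encode() for s in samples):
            for prev, cur in zip(b, b[1:]):
                self.trans[prev][cur] += 1
                self.total[prev] += 1
        return self

    def score(self, s):
        b = s.encode()
        if len(b) < 2:
            return 1.0
        logp = sum(math.log((self.trans[p][c] + 1) / (self.total[p] + 256))
                   for p, c in zip(b, b[1:]))
        return math.exp(logp / (len(b) - 1))


class PayloadIDS:
    def __init__(self, margin=1.5):
        self.models = {f: ByteMarkov() for f in FIELDS}
        self.margin = margin  # assumed slack over the worst training score

    def fit(self, raw_requests):
        parsed = [parse_request(r) for r in raw_requests]
        for f in FIELDS:
            self.models[f].fit([p[f] for p in parsed if f in p])
        # Training rule from the slides: a missing header takes the average
        # score of that feature over the requests that carry the header.
        cols = {f: [self.models[f].score(p[f]) for p in parsed if f in p]
                for f in FIELDS}
        self.avg = {f: sum(c) / len(c) if c else 0.0 for f, c in cols.items()}
        vecs = [self._vector(p, training=True) for p in parsed]
        n = len(vecs)
        self.mean = [sum(col) / n for col in zip(*vecs)]
        self.std = [max(math.sqrt(sum((x - m) ** 2 for x in col) / n), 1e-3)
                    for col, m in zip(zip(*vecs), self.mean)]
        self.threshold = self.margin * max(self.anomaly_score(v) for v in vecs)
        return self

    def _vector(self, parsed, training):
        return [self.models[f].score(parsed[f]) if f in parsed
                else (self.avg[f] if training else MISSING_AT_TEST)
                for f in FIELDS]

    def features(self, raw):  # test-time vector: absent headers become -1
        return self._vector(parse_request(raw), training=False)

    def anomaly_score(self, vec):  # squared standardized distance from mean
        return sum(((x - m) / s) ** 2 for x, m, s in zip(vec, self.mean, self.std))

    def is_attack(self, raw):
        return self.anomaly_score(self.features(raw)) > self.threshold


# Constructed legitimate traffic, modelled on the slides' examples.
TRAINING = [
    "GET /pra/ita/home.php HTTP/1.1\r\nHost: prag.diee.unica.it\r\n"
    "Accept: text/*, text/html\r\nUser-Agent: Mozilla/4.0\r\n",
    "GET /pra/index.php HTTP/1.1\r\nHost: prag.diee.unica.it\r\nUser-Agent: "
    "Mozilla/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: it-IT, en\r\n",
    "GET /pra/eng/people.php HTTP/1.1\r\nHost: prag.diee.unica.it\r\nAccept: text/html"
    "\r\nUser-Agent: Mozilla/5.0\r\nAccept-Encoding: gzip\r\nAccept-Language: en-US\r\n",
    "GET /pra/ita/publications.php HTTP/1.1\r\nHost: prag.diee.unica.it\r\nAccept: "
    "text/html, */*\r\nUser-Agent: Mozilla/4.0\r\nAccept-Encoding: gzip, deflate\r\n",
]
ATTACKS = [  # the two attack payloads shown on the slides
    "HEAD / aaaaaaaaaaaaaaaaaaa\r\n",
    "GET /d/winnt/sys32/cmd.exe?/c+dir HTTP/1.0\r\nHost: www\r\nConnection: close\r\n",
]

if __name__ == "__main__":
    ids = PayloadIDS().fit(TRAINING)
    for raw in TRAINING + ATTACKS:
        print(ids.is_attack(raw), parse_request(raw)["request-line"])
```

Both attack payloads are flagged, and the bulk of their anomaly score comes from the header features rather than from the request line: every header they omit is -1 at test time, a value that no training vector contains. The same mechanism cuts the other way. With this toy training set, the slides' own legitimate example, which carries no Accept-Encoding or Accept-Language line, is also flagged when presented at test time, because in training its missing headers were replaced by the average while at test time they become -1. Whether that matters on the real DIEE and GT traffic depends on how consistently the training requests carry each modelled header, which the slides do not report; it is the check to run before adopting the -1 rule.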


Experimental Setup - 1
2 datasets of real legitimate traffic:
DIEE, collected at the University of Cagliari
GT, collected at Georgia Tech


Experimental Setup - 2
3 datasets of real attacks:
Generic, 66 attacks
Shell-code, 11 attacks
XSS-SQL Injection, 38 attacks

Training: 1 day of traffic
Test: the remaining traffic plus attacks
K-fold cross validation

Experimental Setup - 3
4 one-class classification algorithms with default setting of parameters:
Gauss - Gaussian distribution
MoG - Mixture of Gaussians
Parzen - Parzen density estimator
SVM - SVM with RBF kernel

Performance evaluated using the Partial AUC: the area under the ROC curve computed in the FP range [0, 0.1], normalized by dividing by 0.1.
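The Partial AUC metric as the slides define it, written out as an added Python example (not the authors' evaluation code). The anomaly scores fed to it are constructed, and the convention that a larger score means more anomalous is an assumption; a sample is counted as flagged when its score is at or above the threshold.

```python
"""Partial AUC as defined on the slides: area under the ROC curve for
false-positive rate in [0, fp_max], divided by fp_max (0.1 on the slides).
Constructed example, not the authors' code; higher score = more anomalous."""


def roc_points(legit_scores, attack_scores):
    """ROC operating points (FPR, TPR), one per distinct threshold,
    starting at (0, 0); a sample is flagged when score >= threshold."""
    points = [(0.0, 0.0)]
    for t in sorted(set(legit_scores) | set(attack_scores), reverse=True):
        fpr = sum(s >= t for s in legit_scores) / len(legit_scores)
        tpr = sum(s >= t for s in attack_scores) / len(attack_scores)
        points.append((fpr, tpr))
    return points


def partial_auc(legit_scores, attack_scores, fp_max=0.1):
    """Trapezoidal area under the ROC curve on FPR in [0, fp_max],
    normalized by fp_max so that a perfect detector scores 1.0.
    fp_max=1.0 gives the ordinary AUC."""
    area = 0.0
    pts = roc_points(legit_scores, attack_scores)
    for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
        if x0 >= fp_max:
            break
        if x1 > fp_max:  # cut the last segment at the FPR bound
            y1 = y0 + (y1 - y0) * (fp_max - x0) / (x1 - x0)
            x1 = fp_max
        area += (x1 - x0) * (y0 + y1) / 2
    return area / fp_max


# Constructed anomaly scores: ten legitimate requests spread over (0, 1]
# and two attacks, one clearly anomalous and one hidden among the legit.
LEGIT = [i / 10 for i in range(1, 11)]
ATTACKS = [1.05, 0.5]

if __name__ == "__main__":
    print("AUC        :", partial_auc(LEGIT, ATTACKS, fp_max=1.0))  # 0.725
    print("partial AUC:", partial_auc(LEGIT, ATTACKS, fp_max=0.1))  # 0.5
```

On the constructed scores the full AUC is 0.725 while the Partial AUC in [0, 0.1] is 0.5: only the attack that outscores every legitimate request counts in the low false-positive range, and an attack that ranks just below the single highest legitimate score contributes nothing there. That is why the slides report the normalized Partial AUC rather than the full curve for an IDS, where the operating point of interest is at a low false-positive rate.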

Experimental Results
Partial AUC, DIEE Dataset (figure)


Experimental Results
Multiple HMM, DIEE Dataset, Shellcode Attacks (figure)


Experimental Results
Partial AUC, GT Dataset (figure)


Experimental Results
Comparison with similar IDS (figure)


Computational Cost (figure)


Conclusions
We proposed an anomaly based IDS for the protection of Web Servers and Web Applications.
We exploited the MCS (Multiple Classifier System) paradigm:
to analyze the structure of the HTTP payload,
by combining the outputs through a one-class classifier.

Compared to similar systems, our proposal:
provides high performance in attack detection,
is fast.


Thank You!
