EEMCS EPrints Service
22269 N-gram Against the Machine: On the Feasibility of the N-gram Network Analysis for Binary Protocols

Hadžiosmanović, D. and Simionato, L. and Bolzoni, D. and Zambon, Emmanuele and Etalle, S. (2012) N-gram Against the Machine: On the Feasibility of the N-gram Network Analysis for Binary Protocols. In: Proceedings of the 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2012), 12-14 Sep 2012, Amsterdam, The Netherlands. pp. 354-373. Lecture Notes in Computer Science 7462. Springer Verlag. ISSN 0302-9743 ISBN 978-3-642-33337-8

Full text available as: PDF (193 Kb), Open Access

Official URL: http://dx.doi.org/10.1007/978-3-642-33338-5_18

Abstract

In recent years we have witnessed several complex and high-impact attacks specifically targeting "binary" protocols (RPC, Samba and, more recently, RDP). These attacks could not be detected by current – signature-based – detection solutions, while – at least in theory – they could be detected by state-of-the-art anomaly-based systems. This raises once again the still unanswered question of how effective anomaly-based systems are in practice. To contribute to answering this question, in this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Specifically, we present a thorough analysis and evaluation of several detection algorithms using variants of n-gram analysis on real-life environments. Our tests show that the analyzed systems, in the presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.
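The following is an added illustration of the effect the abstract describes; it is not code from the paper or from the systems it evaluates. It implements a minimal Anagram-style detector (remember every byte n-gram seen in benign training payloads, score a new payload by the fraction of its n-grams never seen before) and runs it over two constructed traffic types: a low-variability structured "binary protocol" message with fixed header, a handful of opcodes and low-entropy fields, and a high-variability message that carries the same header followed by arbitrary data bytes. The header bytes, opcode set, field alphabet, message layouts and the anomalous payload (a long run of a byte value that benign fields never contain) are all assumptions made for this example.

```python
"""Anagram-style n-gram payload anomaly detector on constructed traffic (added example)."""
import random

HEADER = b"\x05\x00\x0b\x03"          # assumed fixed 4-byte message header
OPCODES = [0x00, 0x01, 0x02, 0x10]    # assumed small opcode set
FIELD_ALPHABET = [0x00, 0x01, 0x02]   # assumed low-entropy field values


class NgramDetector:
    """Remember every n-gram seen in benign training payloads; score a payload
    by the fraction of its n-grams that were never seen during training."""

    def __init__(self, n=3):
        self.n = n
        self.seen = set()

    def _grams(self, payload):
        return [payload[i:i + self.n] for i in range(len(payload) - self.n + 1)]

    def train(self, payloads):
        for p in payloads:
            self.seen.update(self._grams(p))

    def score(self, payload):
        grams = self._grams(payload)
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.seen)
        return unseen / len(grams)


def structured_message(rng):
    """Low-variability message: header, opcode, four fields from a tiny alphabet, trailer."""
    body = bytes([rng.choice(OPCODES)] + [rng.choice(FIELD_ALPHABET) for _ in range(4)])
    return HEADER + body + b"\x00\x00"


def data_message(rng):
    """High-variability message: the same header followed by 40 arbitrary bytes
    (stands in for payloads that carry file contents or other opaque data)."""
    return HEADER + bytes(rng.getrandbits(8) for _ in range(40))


# Constructed anomalous payload: a valid header followed by a long run of a
# byte value (0x41) that never occurs in benign structured messages.
ATTACK = HEADER + b"\x41" * 40


def evaluate(generator, attack=ATTACK, n=3, n_train=200, n_test=50, seed=1):
    """Train on n_train benign messages, score n_test held-out benign messages
    and the attack payload, and report whether one threshold could separate them."""
    rng = random.Random(seed)
    det = NgramDetector(n)
    det.train(generator(rng) for _ in range(n_train))
    benign = [det.score(generator(rng)) for _ in range(n_test)]
    attack_score = det.score(attack)
    return {
        "max_benign": max(benign),
        "attack": attack_score,
        # A single threshold catches the attack without false positives on the
        # held-out benign traffic only if the attack scores above every benign message.
        "separable": attack_score > max(benign),
    }


if __name__ == "__main__":
    for name, gen in [("structured", structured_message), ("high-variability", data_message)]:
        r = evaluate(gen)
        print(f"{name:17s} max benign={r['max_benign']:.2f} "
              f"attack={r['attack']:.2f} separable={r['separable']}")
```

With the structured traffic the held-out benign messages score close to zero while the anomalous payload scores above 0.9, so a threshold works. With the high-variability traffic almost every 3-gram of a held-out benign message is new as well, so benign messages score as high as the attack and no threshold yields both high detection and a low false positive rate; raising n only widens the n-gram space and makes the benign scores higher still.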

Item Type: Conference or Workshop Paper (Full Paper, Talk)
Research Group: EWI-DIES: Distributed and Embedded Security
Research Program: CTIT-ISTRICE: Integrated Security and Privacy in a Networked World
Research Project: MIDAS: Intrusion detection for SCADA, CASTOR: Controlling Access to SCADA Networked Systems, HERMES: Host-based Event Mining in SCADA systems
Uncontrolled Keywords: N-gram, feasibility, binary protocol, detection
ID Code: 22269
Status: Published
Deposited On: 03 October 2012
Refereed: Yes
International: Yes
