University of Cagliari
Department of Electric and Electronic Engineering

A modular architecture for the analysis of HTTP payloads based on Multiple Classifiers

Davide Ariu (davide.ariu@diee.unica.it)
Giorgio Giacinto (giacinto@diee.unica.it)

Napoli, 17 June 2011

Pattern Recognition and Applications Group
http://prag.diee.unica.it

This research was sponsored by the Autonomous Region of Sardinia through a grant financed with the "Sardinia PO FSE 2007-2013" funds and provided according to the L.R. 7/2007
Outline
•  Motivations
•  The proposed system
•  Experimental Setup and Results
•  Conclusions

The objective
Design of an anomaly based Intrusion Detection System for the protection of Web Servers and Applications.
The HTTP traffic toward the web servers is inspected by a multiple classifier system.

Why Web Applications?

Why Anomaly Detection?

A legitimate Payload...

GET /pra/ita/home.php HTTP/1.1          <- Request Line
Host: prag.diee.unica.it                <- Request Headers
Accept: text/*, text/html
User-Agent: Mozilla/4.0

...and some attacks
•  Long Request Buffer Overflow
   HEAD / aaaaaaa…aaaaaaaaaaaa
   (an over-long request line aimed at a fixed-size buffer in the server)

•  URL Decoding Error
   GET /d/winnt/sys32/cmd.exe?/c+dir HTTP/1.0
   Host: www
   Connection: close
   (the decoded request path tries to invoke cmd.exe with the argument /c dir)

Why Payload Analysis?
•  Detection of Web-based attacks based on the
   –  Analysis of the Request-Line
      •  Allows detecting only attacks that exploit input-validation flaws,
         e.g. Spectrogram ([Song,2009]), HMM-Web ([Corona,2009])
   –  HTTP Payload Analysis
      •  Takes into account the whole HTTP request, and thus it can (in principle)
         detect any kind of attack

State of the art (SOA) - Payload Analysis
•  Payl [Wang,2004]
   –  n-grams to represent byte statistics
•  McPAD [Perdisci,2009]
   –  Ensemble of one-class SVM trained on ν-grams
•  Spectrogram [Song,2009]
   –  Ensemble of Markov Chains to analyze the Request-Line
•  HMMPayl [Ariu,2011]
   –  Ensemble of HMM to analyze sequences of bytes from the whole payload

None of the above techniques represented the structure of the payload

The proposed system
Basic Idea
•  We propose to take into account the structure of HTTP payloads
   –  For each line of the payload, an ensemble of HMM is used to model the
      sequences of bytes.
   –  The final decision is obtained by using the HMM outputs as features.
      The payload is thus classified by a one-class classifier trained on the
      outputs of the HMM ensembles.

The proposed system
A scheme

Example payload in the figure:
GET /pra/index.php HTTP/1.1
Host: prag.diee.unica.it
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate

Inside the IDS each line is routed to its own HMM Ensemble (Request-Line,
Accept-Language, Host, User-Agent, Accept-Encoding). Every ensemble emits one
score (in the figure: 0.62, 0.53, 0.34, 0.49 for the four lines present, and
-1 for the Accept-Language header, which is absent from this payload). The
vector of scores is the input of the One-Class Classifier, whose output is
either an Output Score or a Class-Label.

Missing Features
•  Each request typically does not contain all the headers
   –  Training phase: the value of the feature related to a missing header has
      been set to the average value
   –  Testing phase: the value of the feature related to a missing header has
      been set to -1

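Worked example of the per-line feature extraction described on the two slides above (Basic Idea and Missing Features). This is an added example, not the authors' code: the paper scores each line with an ensemble of HMMs, whereas here every ensemble member is a first-order Markov chain over bytes (a stand-in simplification), and members differ only in their smoothing constant, which is an assumption of this example. The sample requests are constructed rather than taken from the DIEE or GT datasets, and the names parse_request, ByteChain, LineEnsemble, PayloadModel and the alphabetical feature order are mine.

```python
"""Added example (not the authors' code): per-line byte models, one ensemble
per header, and the slide's missing-header rules (average in training, -1 in
testing). Each ensemble member is a byte Markov chain standing in for an HMM."""
import math

MISSING_AT_TEST = -1.0  # feature value for a header absent at test time

# Constructed legitimate training traffic (not the DIEE/GT data).
TRAIN_REQUESTS = [
    "GET /pra/ita/home.php HTTP/1.1\r\nHost: prag.diee.unica.it\r\n"
    "Accept: text/*, text/html\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "GET /pra/index.php HTTP/1.1\r\nHost: prag.diee.unica.it\r\n"
    "User-Agent: Mozilla/5.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
    "GET /pra/ita/people.php HTTP/1.1\r\nHost: prag.diee.unica.it\r\n"
    "Accept: text/html\r\nUser-Agent: Mozilla/5.0\r\nAccept-Language: it\r\n\r\n",
]


def parse_request(raw):
    """Split a request into its lines: 'request-line' plus one entry per header."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    fields = {"request-line": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name and value:
            fields[name.strip().lower()] = value.strip()
    return fields


class ByteChain:
    """First-order Markov chain over the bytes of one line, additive smoothing.
    score() is the geometric mean of the transition probabilities along the
    line, so it lies in (0, 1]: byte sequences seen in training score high."""

    def __init__(self, alpha):
        self.alpha = alpha
        self.counts = {}  # prev byte -> {next byte -> count}
        self.totals = {}  # prev byte -> number of outgoing transitions

    def train(self, lines):
        for line in lines:
            data = b"\x00" + line.encode("latin-1", "replace")  # \x00 = line start
            for prev, cur in zip(data, data[1:]):
                row = self.counts.setdefault(prev, {})
                row[cur] = row.get(cur, 0) + 1
                self.totals[prev] = self.totals.get(prev, 0) + 1

    def score(self, line):
        data = b"\x00" + line.encode("latin-1", "replace")
        logp = 0.0
        for prev, cur in zip(data, data[1:]):
            seen = self.counts.get(prev, {}).get(cur, 0)
            total = self.totals.get(prev, 0)
            logp += math.log((seen + self.alpha) / (total + 256 * self.alpha))
        return math.exp(logp / max(len(data) - 1, 1))


class LineEnsemble:
    """Ensemble for one line type; member scores are averaged (assumed design:
    members differ only in their smoothing constant)."""

    def __init__(self, alphas=(0.01, 0.1, 1.0)):
        self.members = [ByteChain(a) for a in alphas]

    def train(self, lines):
        for m in self.members:
            m.train(lines)

    def score(self, line):
        return sum(m.score(line) for m in self.members) / len(self.members)


class PayloadModel:
    """One ensemble per line type seen in training; builds the feature vector
    handed to the one-class classifier."""

    def __init__(self):
        self.ensembles, self.train_average, self.feature_names = {}, {}, []

    def train(self, raw_requests):
        parsed = [parse_request(r) for r in raw_requests]
        by_name = {}
        for p in parsed:
            for name, line in p.items():
                by_name.setdefault(name, []).append(line)
        self.feature_names = sorted(by_name)
        for name, lines in by_name.items():
            self.ensembles[name] = LineEnsemble()
            self.ensembles[name].train(lines)
            # Training-phase filler: average score over the requests that carry the line.
            scores = [self.ensembles[name].score(l) for l in lines]
            self.train_average[name] = sum(scores) / len(scores)
        return [self.features(p, training=True) for p in parsed]

    def features(self, parsed, training):
        vec = []
        for name in self.feature_names:
            if name in parsed:
                vec.append(self.ensembles[name].score(parsed[name]))
            else:
                vec.append(self.train_average[name] if training else MISSING_AT_TEST)
        return vec

    def feature_vector(self, raw):
        """Test-phase feature vector: absent headers become -1."""
        return self.features(parse_request(raw), training=False)


if __name__ == "__main__":
    model = PayloadModel()
    model.train(TRAIN_REQUESTS)
    probe = "GET /pra/index.php HTTP/1.1\r\nHost: prag.diee.unica.it\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
    for name, value in zip(model.feature_names, model.feature_vector(probe)):
        print(f"{name:16s} {value:7.3f}")
```

Running the block prints one score per line type for a probe request that carries only the Host and User-Agent headers: the absent Accept, Accept-Encoding and Accept-Language features are -1, while the training-phase vectors returned by train() carry the per-header average instead. Since -1 lies outside the (0, 1] range of the line scores, an absent header is by itself a large deviation from the training mean at test time; whether that is desirable depends on how often legitimate clients omit that header, which the slides do not discuss.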
Experimental Setup - 1
•  2 Datasets of real legitimate traffic
   –  DIEE, collected at the University of Cagliari
   –  GT, collected at Georgia Tech

Experimental Setup - 2
•  3 Datasets of real attacks
   –  Generic, 66 Attacks
   –  Shell-code, 11 Attacks
   –  XSS-SQL Injection, 38 Attacks

•  Training: 1 day of traffic
•  Test: the remaining traffic plus attacks
   –  K-fold CV

Experimental Setup - 3
•  4 One-class classification algorithms with default setting of parameters
   –  Gauss - Gaussian distribution
   –  Mog - Mixture of Gaussians
   –  Parzen - Parzen density estimator
   –  SVM - SVM with RBF Kernel

•  Performance evaluated using the Partial AUC
   –  Computed in the FP range [0,0.1]
   –  Normalized dividing by 0.1

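The decision and evaluation stage, as an added example that is neither the authors' code nor a reproduction of their results: a diagonal Gaussian one-class model (a stand-in for the "Gauss" entry above, with the fitting choices made here rather than a toolbox default) fitted on the score vectors of legitimate training requests, and the partial AUC computed over the false-positive range [0, 0.1] and divided by 0.1 exactly as the slide defines it. The score vectors are constructed for the example, and the names GaussOneClass, roc_points, partial_auc and evaluate are mine.

```python
"""Added example (not the authors' code): diagonal Gaussian one-class model as
a stand-in for 'Gauss', plus the partial AUC on FPR in [0, 0.1] divided by 0.1."""
import math

# Constructed score vectors: one score per payload line in (0, 1]. Legitimate
# vectors cluster around the training mean; the attacks alter the first and
# last line, pushing those two scores towards 0.
LEGIT_TRAIN = [[0.55 + 0.01 * (i % 7), 0.60 - 0.01 * (i % 5),
                0.50 + 0.02 * (i % 3), 0.45 + 0.01 * (i % 4)] for i in range(40)]
LEGIT_TEST = [[0.56 + 0.01 * (i % 6), 0.58 + 0.01 * (i % 3),
               0.52 + 0.01 * (i % 4), 0.47 - 0.01 * (i % 3)] for i in range(20)]
ATTACKS = [[0.02 * (i % 5), 0.60, 0.50, 0.01 * (i % 3)] for i in range(10)]


class GaussOneClass:
    """Diagonal Gaussian fitted on legitimate vectors only. The anomaly score
    is the squared Mahalanobis distance: higher means more anomalous."""

    def fit(self, vectors):
        n, d = len(vectors), len(vectors[0])
        self.mu = [sum(v[j] for v in vectors) / n for j in range(d)]
        self.sigma = [math.sqrt(sum((v[j] - self.mu[j]) ** 2 for v in vectors) / n) + 1e-9
                      for j in range(d)]
        return self

    def score(self, v):
        return sum(((x - m) / s) ** 2 for x, m, s in zip(v, self.mu, self.sigma))


def roc_points(legit_scores, attack_scores):
    """ROC points (fpr, tpr) obtained by sweeping the threshold from high to
    low. Tied scores are released together, so a tie becomes a diagonal step."""
    labelled = sorted([(s, 1) for s in attack_scores] + [(s, 0) for s in legit_scores],
                      key=lambda t: -t[0])
    points, tp, fp, i = [(0.0, 0.0)], 0, 0, 0
    while i < len(labelled):
        s = labelled[i][0]
        while i < len(labelled) and labelled[i][0] == s:
            tp += labelled[i][1]
            fp += 1 - labelled[i][1]
            i += 1
        points.append((fp / len(legit_scores), tp / len(attack_scores)))
    return points


def partial_auc(legit_scores, attack_scores, fp_max=0.1):
    """Area under the ROC curve restricted to FPR in [0, fp_max], divided by
    fp_max so that a perfect detector scores 1.0 (the slide's definition)."""
    area = 0.0
    points = roc_points(legit_scores, attack_scores)
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        if x0 >= fp_max:
            break
        if x1 > fp_max:  # clip the last segment at fp_max by linear interpolation
            y1 = y0 + (y1 - y0) * (fp_max - x0) / (x1 - x0)
            x1 = fp_max
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area / fp_max


def evaluate(train, legit_test, attacks, fp_max=0.1):
    """Fit on legitimate training vectors, score held-out traffic and attacks,
    and return the normalized partial AUC."""
    clf = GaussOneClass().fit(train)
    return partial_auc([clf.score(v) for v in legit_test],
                       [clf.score(v) for v in attacks], fp_max)


if __name__ == "__main__":
    print(f"normalized partial AUC (FPR <= 0.1): {evaluate(LEGIT_TRAIN, LEGIT_TEST, ATTACKS):.3f}")
```

The metric only looks at the leftmost tenth of the ROC curve, so two detectors with the same full AUC can differ widely here; that is the point of restricting to FPR <= 0.1 for an IDS, where every false positive costs analyst time. The clipping step matters because the ROC is a step function over the test set: with 20 legitimate requests the false-positive rate moves in steps of 0.05, and a segment crossing fp_max has to be cut rather than dropped.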
Experimental Results (figures)
   –  Partial AUC – DIEE Dataset
   –  Multiple HMM – DIEE Dataset – Shellcode Attacks
   –  Partial AUC – GT Dataset
   –  Comparison with similar IDS

Computational Cost (figure)

Conclusions
•  We proposed an anomaly based IDS for the protection of Web-Servers and
   Web-Applications
•  We exploited the MCS (Multiple Classifier System) paradigm
   –  To analyze the structure of the HTTP payload
   –  By combining the outputs through a One-class classifier

•  Compared to similar systems, our proposal
   –  Provides high performance in attack detection
   –  Is fast

Thank You!
          

Presented at the Workshop on Multiple Classifier Systems 2011.