1) Traditionally, IDS have used signatures to detect known attacks but cannot find new attacks. Anomaly detection uses a statistical model of normal patterns and flags deviations, enabling detection of zero-day attacks. 2) Previous work analyzing the byte distribution in HTTP payloads had limitations due to high-dimensional feature spaces and coarse payload representations. 3) The document proposes HMMPayl, which applies HMM to HTTP payload analysis for anomaly detection, achieving increased classification accuracy over previous solutions and enabling use of multiple classifier systems and reduced computational costs.

1. HMMPayl: an application of HMM to the
Dept. of Electrical and
analysis of the HTTP payload
University of
Cagliari - Italy Electronic Engineering
davide.ariu@diee.unica.it Davide Ariu - Giorgio Giacinto giacinto@diee.unica.it
Anomaly detec2on for Computer Security
• radi'onally, Intrusion Detec2on Systems (IDS) are based on a database of signatures
T
that describe known a3acks.
Problem: never‐seen‐before a3acks can not be detected!!!
• nomaly based IDS use a sta's'cal model of the legi'mate pa3erns. Any pa3ern
A
whose sta's'cal model deviates from that stored in the system is labeled as an a3acks.
Advantage: zero‐days aHacks can be detected!!!
HTTP Payload analysis
• he analysis of the bytes’ distribu'on in the HTTP payload of requests toward a web
T
server allows to detect a3acks against the web server
• everal solu'ons based on this approach (e.g. PAYL1, McPAD2)have been proposed but
S
they suffer of limita2ons due to:
• oo high size of the features space
T
• oarse representa2on of the payload
C
WAPA 2010
1 K. Wang et al. ”Anomalous Payload‐Based Network Intrusion Detec2on" , RAID, 2004.
2 R. Perdisci et. Al. ” McPAD: A mul/ple classifier system for accurate payload‐based anomaly detec/on”, Computer
Networks, 2009. Workshop on Applica/ons of Pa2ern Analysis
This research was sponsored by the
Pattern Recognition and Applications Group Autonomous Region of Sardinia through a grant
Group http://prag.diee.unica.it financed with the ”Sardinia PO FSE 2007‐2013”
funds and provided according to the L.R. 7/2007

2. HMMPayl: an application of HMM to the
Dept. of Electrical and
analysis of the HTTP payload
University of
Cagliari - Italy Electronic Engineering
davide.ariu@diee.unica.it Davide Ariu - Giorgio Giacinto giacinto@diee.unica.it
HMMPayl: a simplified scheme
WAPA 2010
Workshop on Applica/ons of Pa2ern Analysis
This research was sponsored by the
Pattern Recognition and Applications Group Autonomous Region of Sardinia through a grant
Group http://prag.diee.unica.it financed with the ”Sardinia PO FSE 2007‐2013”
funds and provided according to the L.R. 7/2007

3. HMMPayl: an application of HMM to the
Dept. of Electrical and
analysis of the HTTP payload
University of
Cagliari - Italy Electronic Engineering
davide.ariu@diee.unica.it Davide Ariu - Giorgio Giacinto giacinto@diee.unica.it
Experimental Results and Conclusions
1 ‐ Increased 2 – Benefits of the MCS 3 – Possibility of
Classifica2on Accuracy approach reducing the
computa2onal cost
WAPA 2010
Workshop on Applica/ons of Pa2ern Analysis
This research was sponsored by the
Pattern Recognition and Applications Group Autonomous Region of Sardinia through a grant
Group http://prag.diee.unica.it financed with the ”Sardinia PO FSE 2007‐2013”
funds and provided according to the L.R. 7/2007