Service-independent payload analysis to improve intrusion detection in network traffic

Perona, I., Gurrutxaga, I., Arbelaitz, O., Martin, J.I., Muguerza, J. and Ma Perez, J.

    The popularity of computer networks broadens the scope for network attackers and increases the damage these attacks can cause. In this context, Intrusion Detection Systems (IDS) are included as part of any complete security package. This work focuses on nIDSs which work by scanning the network traffic. A serviceindependent payload processing approach is presented to increase detection rates in non-flood attacks. Three different techniques for payload processing are proposed and they are shown to be able to efficiently detect some of the attack types. Moreover, the proper integration of the knowledge of the different techniques, payload-based and packet header-based, always improves the results. This work leads us to conclude that payload analysis can be used in a general manner, with no service- or port-specific modelling, to detect attacks in network traffic.
Cite as: Perona, I., Gurrutxaga, I., Arbelaitz, O., Martin, J.I., Muguerza, J. and Ma Perez, J. (2008). Service-independent payload analysis to improve intrusion detection in network traffic. In Proc. Seventh Australasian Data Mining Conference (AusDM 2008), Glenelg, South Australia. CRPIT, 87. Roddick, J. F., Li, J., Christen, P. and Kennedy, P. J., Eds. ACS. 171-178.
pdf (from crpit.com) pdf (local if available) BibTeX EndNote GS