N3: A geometrical approach for network intrusion detection at the application layer

Abstract

In this work, a novel approach for the purpose of anomaly-based network intrusion detection at the application layer is presented. The problem of identifying anomalous payloads is addressed by using a technique based on the modelling of short sequences of adjoining bytes in the requests destined to a given service. Upon this theoretical framework, we propose an algorithm that assigns an anomaly score to each service request on the basis of its similarity with a previously established model of normality. The introduced approach has been evaluated by considering datasets composed of HTTP and DNS traffic. Thus, a large amount of attacks related with such services has been gathered, and detailed experimental results concerning the detection capability of the proposed system are shown. The experiments demonstrate that our approach yields a very high detection rate with a low level of false alarms. © Springer-Verlag 2004.