We propose a method for network intrusion detection based on language models such as n-grams and words. Our method proceeds by extracting these models from TCP connection payloads and applying unsupervised anomaly detection. The essential part of our approach is linear-time computation of similarity measures between language models stored in trie data structures. Results of our experiments conducted on two datasets of network traffic demonstrate the importance of higher-order n-grams for detection of unknown network attacks. Our method is also suitable for language models based on words, which are more amenable in practical security applications. An implementation of our system achieved detection accuracy of over 80% with no false positives on instances of recent attacks in HTTP, FTP and SMTP traffic. © Springer-Verlag Berlin Heidelberg 2006.
CITATION STYLE
Rieck, K., & Laskov, P. (2006). Detecting unknown network attacks using language models. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4064 LNCS, pp. 74–90). Springer Verlag. https://doi.org/10.1007/11790754_5
Mendeley helps you to discover research relevant for your work.