An Approach to Detect Executable Content for Anomaly Based Network Intrusion Detection

@article{Zhang2007AnAT,
  title={An Approach to Detect Executable Content for Anomaly Based Network Intrusion Detection},
  author={Like Zhang and Gregory B. White},
  journal={2007 IEEE International Parallel and Distributed Processing Symposium},
  year={2007},
  pages={1-8}
}
  • Like Zhang, G. White
  • Published 26 March 2007
  • Computer Science
  • 2007 IEEE International Parallel and Distributed Processing Symposium
Since current Internet threats include not only malicious code such as Trojans or worms, but also spyware and adware that carry no explicitly illegal content, a mechanism is needed to prevent hidden executable files from being downloaded within network traffic. In this paper, we present a new solution for identifying executable content in an anomaly-based network intrusion detection system (NIDS), based on file byte frequency distribution. First, a brief introduction to application level anomaly…
Data preprocessing for anomaly based network intrusion detection: A review
TLDR
The review finds that many NIDS limit their view of network traffic to the TCP/IP packet headers, and shows a trend toward deeper packet inspection to construct more relevant features through targeted content parsing.
A New Approach to Executable File Fragment Detection in Network Forensics
TLDR
A Shannon entropy approach is proposed to identify executable file content for anomaly-based network attack detection in network forensics systems, and experimental results show that the proposed approach provides a high detection rate.
Proactive malware detection
TLDR
A proactive approach to detect emerging malware threats using open source tools and intelligence to discover patterns and behaviors of malicious attacks and adversaries to increase understanding of the methods and techniques used by cyber adversaries is developed.
An approach to detect network attacks applied for network forensics
TLDR
This work proposes an approach based on Shannon entropy and machine learning techniques to identify executable content for anomaly-based network attack detection in network forensics systems, and experimental results show that the proposed approach provides a very high detection rate.
Network Intrusion Detection: Using MDLcompress for deep packet inspection
TLDR
This work applies MDLcompress, a grammar inference engine, to network intrusion detection (NID) using the DARPA 1999 data sets, and creates modern attack traffic using Nessus to target HTTP payload analysis for deep packet inspection (DPI).
A sublexical unit based hash model approach for spam detection
TLDR
This research introduces an original anomaly detection approach based on a sublexical unit hash model for application level content based on the split fovea theory in human recognition that is an advance over previous arbitrarily defined payload keyword and 1-gram frequency analysis approaches.
An Adaptive Approach of String Metrics Application in the Intrusion Detection Systems
TLDR
The main idea is to construct a model that characterizes the expected/acceptable behavior of the system using list decoding techniques, and to distinguish intrusive activity from legitimate activity using string metric algorithms.
File Carving and Malware Identification Algorithms Applied to Firmware Reverse Engineering
TLDR
Of the algorithms this research considers, a combination of a byte-value frequency file carving algorithm and a support vector machine (SVM) algorithm using information gain (IG) for feature selection achieve the best performance.
Clear and Present Data: Opaque Traffic and its Security Implications for the Future
TLDR
Evaluation on traffic from two campuses reveals that new techniques for accurate real-time winnowing, or filtering, of opaque traffic are able to identify opaque data with 95% accuracy, on average, while examining less than 16 bytes of payload data.
Machine learning and feature engineering for computer network security
TLDR
This thesis presents a framework for automatically constructing relevant features suitable for machine learning directly from network traffic, and tests the effectiveness of the framework by applying it to three Cyber security problems: HTTP tunnel detection, DNS tunnel Detection, and traffic classification.

References

A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection
TLDR
The experimental results indicate that some anomaly detection schemes appear very promising when detecting novel intrusions in both DARPA’98 data and real network data.
A data mining framework for building intrusion detection models
  • Wenke Lee, S. Stolfo, K. Mok
  • Computer Science
    Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344)
  • 1999
TLDR
A data mining framework for adaptively building Intrusion Detection (ID) models is described, to utilize auditing programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities.
Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation
  • R. Lippmann, D. Fried, +8 authors M. Zissman
  • Computer Science
    Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00
  • 2000
TLDR
An intrusion detection evaluation test bed was developed which generated normal traffic similar to that on a government site containing hundreds of users on thousands of hosts; the best systems failed to detect roughly half of these new attacks, which included damaging access to root-level privileges by remote users.
Detection of New Malicious Code Using N-grams Signatures
TLDR
This work employs n-grams analysis to automatically generate signatures from malicious and benign software collections, capable of classifying unseen benign and malicious code.
Static Analysis of Executables to Detect Malicious Patterns
TLDR
An architecture for detecting malicious patterns in executables that is resilient to common obfuscation transformations is presented, and experimental results demonstrate the efficacy of the prototype tool, SAFE (a static analyzer for executables).
The 1999 DARPA off-line intrusion detection evaluation
TLDR
This report describes new and known approaches and strategies that were used to make attacks stealthy for the 1999 DARPA Intrusion Detection Evaluation, and includes many examples of stealthy scripts that can be used to implement stealthy procedures.
Detecting Malicious Code by Model Checking
TLDR
This paper introduces the specification language CTPL (Computation Tree Predicate Logic) which extends the well-known logic CTL, and describes an efficient model checking algorithm which is able to detect a large number of worm variants with a single specification.
HUNTING FOR METAMORPHIC
As virus writers developed numerous polymorphic engines, virus scanners became stronger in their defense against them. A virus scanner which used a code emulator to detect viruses looked like it was
Robust Support Vector Machines for Anomaly Detection in Computer Security
Using the 1998 DARPA BSM data set collected at MIT’s Lincoln Labs to study intrusion detection systems, the performance of robust support vector machines (RVSMs) was compared with that of
An application of principal component analysis to the detection and visualization of computer network attacks
TLDR
Principal Component Analysis is applied to selected network attacks from the DARPA 1998 intrusion detection data sets, namely Denial-of-Service and Network Probe attacks, to enable simpler analysis and visualization of the traffic.