In recent years we have witnessed several complex and high-impact attacks specifically targeting "binary" protocols (RPC, Samba and, more recently, RDP). These attacks could not be detected by current, signature-based detection solutions, while, at least in theory, they could be detected by state-of-the-art anomaly-based systems. This raises once again the still unanswered question of how effective anomaly-based systems are in practice. To contribute to answering this question, in this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms that use n-gram analysis for payload inspection. Specifically, we present a thorough analysis and evaluation of several detection algorithms using variants of n-gram analysis in real-life environments. Our tests show that, in the presence of data with high variability, the analyzed systems cannot deliver a high detection rate and a low false positive rate at the same time.
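To make the trade-off the abstract describes concrete, here is an added example (not code from the paper or from any of the systems it evaluates): a deliberately simple set-membership n-gram payload model, in the spirit of the n-gram detectors the abstract refers to, trained on constructed benign traffic and then asked to flag constructed attacks. The HTTP requests, the four-byte "binary" framing (`\x00\x01` opcode plus a big-endian length), the traversal and NOP-sled attack payloads and the 200/50 train/held-out split are all assumptions made for this illustration; the scoring function (fraction of a payload's n-grams never seen in training) is one common n-gram scoring rule, not the paper's.

```python
"""n-gram payload anomaly detection, and why high-variability ("binary")
traffic breaks the detection / false-positive trade-off.
Added illustration; not the paper's code or evaluation data."""
from __future__ import annotations

import random
from itertools import product


def ngrams(payload: bytes, n: int) -> list[bytes]:
    """All overlapping byte n-grams of a payload."""
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]


class NgramSetModel:
    """Set-membership n-gram model: remember every n-gram seen in benign
    training payloads; score a payload by the fraction of its n-grams that
    were never seen in training (0.0 = fully known, 1.0 = fully novel)."""

    def __init__(self, n: int = 3) -> None:
        self.n = n
        self.seen: set[bytes] = set()

    def train(self, payloads: list[bytes]) -> None:
        for p in payloads:
            self.seen.update(ngrams(p, self.n))

    def score(self, payload: bytes) -> float:
        grams = ngrams(payload, self.n)
        if not grams:
            return 0.0
        return sum(g not in self.seen for g in grams) / len(grams)


def fpr_at_full_detection(model: NgramSetModel, benign: list[bytes],
                          malicious: list[bytes]) -> float:
    """Set the alert threshold to the lowest attack score, so that every
    attack is flagged, and report the fraction of held-out benign payloads
    that are flagged as well (the false positive rate at 100% detection)."""
    threshold = min(model.score(p) for p in malicious)
    flagged = sum(model.score(p) >= threshold for p in benign)
    return flagged / len(benign)


# --- constructed text protocol: low-variability HTTP requests ---------------
PATHS = ["/index.html", "/images/logo.png", "/about", "/contact", "/news/2012"]
HOSTS = ["www.example.com", "example.org"]
AGENTS = ["Mozilla/5.0", "curl/7.21"]


def http_request(path: str, host: str, agent: str) -> bytes:
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {agent}\r\n\r\n".encode()


def text_protocol_experiment(n: int = 3) -> float:
    requests = [http_request(*combo) for combo in product(PATHS, HOSTS, AGENTS)]
    train = [r for i, r in enumerate(requests) if i % 4 != 0]
    held_out = [r for i, r in enumerate(requests) if i % 4 == 0]
    # constructed attacks: a path traversal, and a NOP-sled-like blob in the Host header
    attacks = [
        http_request("/cgi-bin/../../../../etc/passwd", HOSTS[0], AGENTS[0]),
        b"GET /index.html HTTP/1.1\r\nHost: " + b"\x90" * 64 + b"\r\n\r\n",
    ]
    model = NgramSetModel(n)
    model.train(train)
    return fpr_at_full_detection(model, held_out, attacks)


# --- constructed binary protocol: fixed 4-byte header, high-entropy body -----
def binary_message(body: bytes) -> bytes:
    """Hypothetical framing: 2-byte opcode, 2-byte big-endian length, body."""
    return b"\x00\x01" + len(body).to_bytes(2, "big") + body


def random_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def binary_protocol_experiment(n: int = 3, seed: int = 1) -> float:
    rng = random.Random(seed)
    # legitimate bodies are high-entropy (think compressed or encrypted fields)
    benign = [binary_message(random_bytes(rng, 32)) for _ in range(250)]
    train, held_out = benign[:200], benign[200:]
    # constructed attacks: a legitimate-looking field, a NOP sled, then an
    # encoded (random-looking) payload, framed exactly like a normal message
    attacks = [binary_message(random_bytes(rng, 4) + b"\x90" * 8 + random_bytes(rng, 20))
               for _ in range(50)]
    model = NgramSetModel(n)
    model.train(train)
    return fpr_at_full_detection(model, held_out, attacks)


if __name__ == "__main__":
    print(f"text protocol:   FPR at 100% detection = {text_protocol_experiment():.2f}")
    print(f"binary protocol: FPR at 100% detection = {binary_protocol_experiment():.2f}")
```

On the constructed HTTP traffic every held-out request scores 0.0 while both attacks contain n-grams never seen in training, so a threshold exists that catches both attacks with no false positives. On the constructed binary traffic almost every n-gram of a held-out legitimate message is also novel, so the threshold needed to catch all attacks flags most legitimate messages too; lowering the false positive rate would mean missing attacks. This is the qualitative behaviour the abstract reports for real high-variability data; the absolute numbers here come from the constructed inputs and say nothing about the paper's measurements.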
| Field | Value |
| --- | --- |
| Name | Lecture Notes in Computer Science |
| Conference | 15th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2012 |
| Period | 12/09/12 → 14/09/12 |
| Other | 12-14 September 2012 |
- DIES-Network Security
- binary protocol