N-gram Against the Machine: On the Feasibility of the N-gram Network Analysis for Binary Protocols

D. Hadziosmanovic; Lorenzo Simionato; D. Bolzoni; Emmanuele Zambon; Sandro Etalle

doi:10.1007/978-3-642-33338-5_18

N-gram Against the Machine: On the Feasibility of the N-gram Network Analysis for Binary Protocols

D. Hadziosmanovic, Lorenzo Simionato, D. Bolzoni, Emmanuele Zambon, Sandro Etalle

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

63 Citations (Scopus)

133 Downloads (Pure)

Abstract

In recent years we have witnessed several complex and high-impact attacks specifically targeting “binary‿ protocols (RPC, Samba and, more recently, RDP). These attacks could not be detected by current – signature-based – detection solutions, while – at least in theory – they could be detected by state-of-the-art anomaly-based systems. This raises once again the still unanswered question of how effective anomaly-based systems are in practice. To contribute to answering this question, in this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Specifically, we present a thorough analysis and evaluation of several detection algorithms using variants of n-gram analysis on real-life environments. Our tests show that the analyzed systems, in presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.

Original language	Undefined
Title of host publication	Proceedings of the 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2012)
Place of Publication	Heidelberg
Publisher	Springer
Pages	354-373
Number of pages	20
ISBN (Print)	978-3-642-33337-8
DOIs	https://doi.org/10.1007/978-3-642-33338-5_18
Publication status	Published - Sept 2012
Event	15th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2012 - Amsterdam, The Netherlands Duration: 12 Sept 2012 → 14 Sept 2012

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer Verlag
Volume	7462
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	15th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2012
Period	12/09/12 → 14/09/12
Other	12-14 September 2012

Keywords

METIS-296090
IR-81815
Detection
N-gram
EWI-22269
feasibility
SCS-Cybersecurity
DIES-Network Security
binary protocol

Access to Document

10.1007/978-3-642-33338-5_18

RAID2012-HSBZE

Cite this

Hadziosmanovic, D., Simionato, L., Bolzoni, D., Zambon, E., & Etalle, S. (2012). N-gram Against the Machine: On the Feasibility of the N-gram Network Analysis for Binary Protocols. In Proceedings of the 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2012) (pp. 354-373). (Lecture Notes in Computer Science; Vol. 7462). Springer. https://doi.org/10.1007/978-3-642-33338-5_18

@inproceedings{db214a765dd64e5ab3a0ef8aebc1874a,

title = "N-gram Against the Machine: On the Feasibility of the N-gram Network Analysis for Binary Protocols",

abstract = "In recent years we have witnessed several complex and high-impact attacks specifically targeting “binary‿ protocols (RPC, Samba and, more recently, RDP). These attacks could not be detected by current – signature-based – detection solutions, while – at least in theory – they could be detected by state-of-the-art anomaly-based systems. This raises once again the still unanswered question of how effective anomaly-based systems are in practice. To contribute to answering this question, in this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Specifically, we present a thorough analysis and evaluation of several detection algorithms using variants of n-gram analysis on real-life environments. Our tests show that the analyzed systems, in presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.",

keywords = "METIS-296090, IR-81815, Detection, N-gram, EWI-22269, feasibility, SCS-Cybersecurity, DIES-Network Security, binary protocol",

author = "D. Hadziosmanovic and Lorenzo Simionato and D. Bolzoni and Emmanuele Zambon and Sandro Etalle",

note = "10.1007/978-3-642-33338-5_18 ; 15th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2012 ; Conference date: 12-09-2012 Through 14-09-2012",

year = "2012",

month = sep,

doi = "10.1007/978-3-642-33338-5_18",

language = "Undefined",

isbn = "978-3-642-33337-8",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "354--373",

booktitle = "Proceedings of the 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2012)",

}

Hadziosmanovic, D, Simionato, L, Bolzoni, D, Zambon, E & Etalle, S 2012, N-gram Against the Machine: On the Feasibility of the N-gram Network Analysis for Binary Protocols. in Proceedings of the 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2012). Lecture Notes in Computer Science, vol. 7462, Springer, Heidelberg, pp. 354-373, 15th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2012, 12/09/12. https://doi.org/10.1007/978-3-642-33338-5_18

N-gram Against the Machine: On the Feasibility of the N-gram Network Analysis for Binary Protocols. / Hadziosmanovic, D.; Simionato, Lorenzo; Bolzoni, D. et al.
Proceedings of the 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2012). Heidelberg: Springer, 2012. p. 354-373 (Lecture Notes in Computer Science; Vol. 7462).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - N-gram Against the Machine: On the Feasibility of the N-gram Network Analysis for Binary Protocols

AU - Hadziosmanovic, D.

AU - Simionato, Lorenzo

AU - Bolzoni, D.

AU - Zambon, Emmanuele

AU - Etalle, Sandro

N1 - 10.1007/978-3-642-33338-5_18

PY - 2012/9

Y1 - 2012/9

N2 - In recent years we have witnessed several complex and high-impact attacks specifically targeting “binary‿ protocols (RPC, Samba and, more recently, RDP). These attacks could not be detected by current – signature-based – detection solutions, while – at least in theory – they could be detected by state-of-the-art anomaly-based systems. This raises once again the still unanswered question of how effective anomaly-based systems are in practice. To contribute to answering this question, in this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Specifically, we present a thorough analysis and evaluation of several detection algorithms using variants of n-gram analysis on real-life environments. Our tests show that the analyzed systems, in presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.

AB - In recent years we have witnessed several complex and high-impact attacks specifically targeting “binary‿ protocols (RPC, Samba and, more recently, RDP). These attacks could not be detected by current – signature-based – detection solutions, while – at least in theory – they could be detected by state-of-the-art anomaly-based systems. This raises once again the still unanswered question of how effective anomaly-based systems are in practice. To contribute to answering this question, in this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Specifically, we present a thorough analysis and evaluation of several detection algorithms using variants of n-gram analysis on real-life environments. Our tests show that the analyzed systems, in presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.

KW - METIS-296090

KW - IR-81815

KW - Detection

KW - N-gram

KW - EWI-22269

KW - feasibility

KW - SCS-Cybersecurity

KW - DIES-Network Security

KW - binary protocol

U2 - 10.1007/978-3-642-33338-5_18

DO - 10.1007/978-3-642-33338-5_18

M3 - Conference contribution

SN - 978-3-642-33337-8

T3 - Lecture Notes in Computer Science

SP - 354

EP - 373

BT - Proceedings of the 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2012)

PB - Springer

CY - Heidelberg

T2 - 15th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2012

Y2 - 12 September 2012 through 14 September 2012

ER -

Hadziosmanovic D, Simionato L, Bolzoni D, Zambon E, Etalle S. N-gram Against the Machine: On the Feasibility of the N-gram Network Analysis for Binary Protocols. In Proceedings of the 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2012). Heidelberg: Springer. 2012. p. 354-373. (Lecture Notes in Computer Science). doi: 10.1007/978-3-642-33338-5_18