N-gram Against the Machine: On the Feasibility of the N-gram Network Analysis for Binary Protocols

D. Hadziosmanovic, Lorenzo Simionato, D. Bolzoni, Emmanuele Zambon, Sandro Etalle

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    55 Citations (Scopus)
    99 Downloads (Pure)

    Abstract

    In recent years we have witnessed several complex and high-impact attacks specifically targeting “binary‿ protocols (RPC, Samba and, more recently, RDP). These attacks could not be detected by current – signature-based – detection solutions, while – at least in theory – they could be detected by state-of-the-art anomaly-based systems. This raises once again the still unanswered question of how effective anomaly-based systems are in practice. To contribute to answering this question, in this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Specifically, we present a thorough analysis and evaluation of several detection algorithms using variants of n-gram analysis on real-life environments. Our tests show that the analyzed systems, in presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.
    Original languageUndefined
    Title of host publicationProceedings of the 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2012)
    Place of PublicationHeidelberg
    PublisherSpringer
    Pages354-373
    Number of pages20
    ISBN (Print)978-3-642-33337-8
    DOIs
    Publication statusPublished - Sep 2012
    Event15th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2012 - Amsterdam, The Netherlands
    Duration: 12 Sep 201214 Sep 2012

    Publication series

    NameLecture Notes in Computer Science
    PublisherSpringer Verlag
    Volume7462
    ISSN (Print)0302-9743
    ISSN (Electronic)1611-3349

    Conference

    Conference15th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2012
    Period12/09/1214/09/12
    Other12-14 September 2012

    Keywords

    • METIS-296090
    • IR-81815
    • Detection
    • N-gram
    • EWI-22269
    • feasibility
    • SCS-Cybersecurity
    • DIES-Network Security
    • binary protocol

    Cite this