Ariu - Workshop on Multiple Classifier System - 2011
Transcript of Ariu - Workshop on Multiple Classifier System - 2011
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 1/24
A modular architecture for the
analysis of HTTP payloads based
on Multiple ClassifiersDavide Ariu
Giorgio Giacinto
Department of Electric and
Electronic Engineering University of Cagliari
Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
This research was sponsored by the
Autonomous Region of Sardinia through a grant
financed with the ”Sardinia PO FSE 2007‐2013” funds and provided according to the L.R. 7/2007
Napoli, 17 Giugno 2011
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 2/24
Outline
• Motivations• The proposed system• Experimental Setup and Results• Conclusions
2Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 3/24
The objective
Design of an anomaly based
Intrusion Detection System
for the protection of
Web Servers and Applications.
The HTTP traffic toward the web
servers is inspected by a
multiple classifier system .
3Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 4/24
Why Web Applications?
4Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 5/24
Why Anomaly Detection?
5Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 6/24
A legitimate Payload...
GET /pra/ita/home.php HTTP/1.1
Host: prag.diee.unica.it
Accept: text/*, text/html
User-Agent: Mozilla/4.0
6Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 7/24
A legitimate Payload...
GET /pra/ita/home.php HTTP/1.1
Host: prag.diee.unica.it
Accept: text/*, text/html
User-Agent: Mozilla/4.0
7Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
Request Line
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 8/24
A legitimate Payload...
GET /pra/ita/home.php HTTP/1.1
Host: prag.diee.unica.it
Accept: text/*, text/html
User-Agent: Mozilla/4.0
8Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
Request Line
Request Headers
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 9/24
...and some attacks
• Long Request Buffer OverflowHEAD / aaaaaaa…aaaaaaaaaaaa
• URL Decoding Error GET /d/winnt/sys32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connection: close
9Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 10/24
Why Payload Analysis?
• Detection of Web-based attacks basedon the
– Analysis of the Request-Line• Allows detecting only attacks that exploit
input-validation flowse.g. Spectrogram ([Song,2009]), HMM-Web
([Corona,2009])
– HTTP Payload Analysis• Takes into account the whole HTTP-request,
and thus it can (in principle) detect anykind of attack
10Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 11/24
SOA - Payload Analysis
• Payl [Wang,2004] – n-grams to represent byte statistics
• McPAD [Perdisci,2009] – Ensemble of one-class SVM trained on ν-grams
• Spectrogram [Wang,2009] – Ensemble of Markov Chains to analyze the request-Line
• HMMPayl [Ariu,2011] –
Ensemble of HMM to analyze sequences of bytes fromthe whole payload
None of the above techniques
represented the structure of the payload
11Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 12/24
The proposed system Basic Idea
• We propose to take into account thestructure of HTTP payloads
– For each line of the payload, an
ensemble of HMM is used to model the
sequences of bytes.
– The final decision is obtained byusing the HMM outputs as features.
The payload is thus classified by a
one-class classifier trained on theoutputs of the HMM ensembles.
12Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 13/24
The proposed system A scheme
13Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
HMM EnsembleRequest‐Line
HMM EnsembleUser‐Agent
HMM EnsembleHost
HMM EnsembleAccept‐Encoding
HMM EnsembleAccept‐Language
0.62
‐1
0.53
0.34
0.49
One‐Class
Classifier
Output Score
or
Class‐Label
IDS
GET /pra/index.php HTTP/1.1Host: prag.diee.unica.itUser-Agent: Mozilla/5.0 Accept-Encoding: gzip, deflate
HTTP Payload
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 14/24
Missing Features
• Each request typically does notcontain all the headers
– Training phase: the value of the
feature related to a missing header has
been set to the average value
– Testing phase: the value of the featurerelated to a missing header has been
set to -1
14Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 15/24
Experimental Setup - 1
• 2 Datasets of Real legitimate
traffic
– DIEE, collected at the University of
Cagliari
– GT, collected at Georgia Tech
15Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 16/24
Experimental Setup - 2
• 3 Datasets of Real Attacks
– Generic, 66 Attacks
– Shell-code, 11 Attacks – XSS-SQL Injection,38 Attacks
• Training: 1 day of traffic • Test: the remaining traffic plusattacks – K-fold CV
16
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 17/24
Experimental Setup - 3
• 4 One-class classification algorithmswith default setting of parameters
– Gauss - Gaussian distribution
– Mog – Mixture of Gaussians
– Parzen – Parzen density estimator
– SVM – SVM with RBF Kernel
• Performance evaluated using the Partial
AUC – Computed in the FP range [0,0.1] – Normalized dividing by 0.1
17Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 18/24
Experimental Results
Partial AUC – DIEE Dataset
18Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 19/24
Experimental Results Multiple HMM – DIEE Dataset – Shellcode Attacks
19Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 20/24
Experimental Results
Partial AUC – GT Dataset
20Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 21/24
Experimental Results
Comparison with similar IDS
21Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 22/24
Computational Cost
22Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 23/24
Conclusions
• We proposed an anomaly based IDS for the
protection of Web-Servers and Web-
Applications
• We exploited the MCS paradigm
– To analyze the structure of the HTTP payload
– By combining the outputs through a One-class
classifier
• Compared to similar systems, our propoal – Provides high performance in attack detection
– Is fast
23Pattern Recognition and Applications Group
http://prag.diee.unica.itGroup
8/4/2019 Ariu - Workshop on Multiple Classifier System - 2011
http://slidepdf.com/reader/full/ariu-workshop-on-multiple-classifier-system-2011 24/24
Thank You!