N-Gram against the Machine: On the Feasibility of the N-Gram Network Analysis for Binary Protocols. Hadžiosmanović, D., Simionato, L., Bolzoni, D., Zambon, E., & Etalle, S. In Balzarotti, D., Stolfo, S. J., & Cova, M., editors, Research in Attacks, Intrusions, and Defenses, pages 354–373, 2012. Springer Berlin Heidelberg. Abstract: In recent years we have witnessed several complex and high-impact attacks specifically targeting “binary” protocols (RPC, Samba and, more recently, RDP). These attacks could not be detected by current – signature-based – detection solutions, while – at least in theory – they could be detected by state-of-the-art anomaly-based systems. This raises once again the still unanswered question of how effective anomaly-based systems are in practice. To contribute to answering this question, in this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Specifically, we present a thorough analysis and evaluation of several detection algorithms using variants of n-gram analysis on real-life environments. Our tests show that the analyzed systems, in presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.
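@comment{RAID 2012 paper evaluating n-gram payload anomaly detection on binary protocols.
  The author field and the abstract contain UTF-8 characters (ž, ć, curly quotes, en dashes):
  compile with biblatex/Biber or a UTF-8-aware BibTeX, or convert them to LaTeX escapes
  for classic 8-bit BibTeX. Title is stored in Title Case with only the proper term
  N-Gram brace-protected, so the style can apply its own casing.}
@inproceedings{hadziosmanovic_n-gram_2012,
  title     = {{N-Gram} against the Machine: On the Feasibility of the {N-Gram} Network Analysis for Binary Protocols},
  isbn      = {978-3-642-33338-5},
  abstract  = {In recent years we have witnessed several complex and high-impact attacks specifically targeting “binary” protocols (RPC, Samba and, more recently, RDP). These attacks could not be detected by current – signature-based – detection solutions, while – at least in theory – they could be detected by state-of-the-art anomaly-based systems. This raises once again the still unanswered question of how effective anomaly-based systems are in practice. To contribute to answering this question, in this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Specifically, we present a thorough analysis and evaluation of several detection algorithms using variants of n-gram analysis on real-life environments. Our tests show that the analyzed systems, in presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.},
  booktitle = {Research in Attacks, Intrusions, and Defenses},
  publisher = {Springer Berlin Heidelberg},
  author    = {Hadžiosmanović, Dina and Simionato, Lorenzo and Bolzoni, Damiano and Zambon, Emmanuele and Etalle, Sandro},
  editor    = {Balzarotti, Davide and Stolfo, Salvatore J. and Cova, Marco},
  year      = {2012},
  pages     = {354--373},
}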