N-Gram against the Machine: On the Feasibility of the N-Gram Network Analysis for Binary Protocols. Hadžiosmanović, D., Simionato, L., Bolzoni, D., Zambon, E., & Etalle, S. In Balzarotti, D., Stolfo, S. J., & Cova, M., editors, Research in Attacks, Intrusions, and Defenses, pages 354–373, 2012. Springer Berlin Heidelberg.
In recent years we have witnessed several complex and high-impact attacks specifically targeting “binary” protocols (RPC, Samba and, more recently, RDP). These attacks could not be detected by current – signature-based – detection solutions, while – at least in theory – they could be detected by state-of-the-art anomaly-based systems. This raises once again the still unanswered question of how effective anomaly-based systems are in practice. To contribute to answering this question, in this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Specifically, we present a thorough analysis and evaluation of several detection algorithms using variants of n-gram analysis on real-life environments. Our tests show that the analyzed systems, in presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.
@inproceedings{hadziosmanovic_n-gram_2012,
	title = {N-{Gram} against the {Machine}: {On} the {Feasibility} of the {N}-{Gram} {Network} {Analysis} for {Binary} {Protocols}},
	isbn = {978-3-642-33338-5},
	abstract = {In recent years we have witnessed several complex and high-impact attacks specifically targeting “binary” protocols (RPC, Samba and, more recently, RDP). These attacks could not be detected by current – signature-based – detection solutions, while – at least in theory – they could be detected by state-of-the-art anomaly-based systems. This raises once again the still unanswered question of how effective anomaly-based systems are in practice. To contribute to answering this question, in this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Specifically, we present a thorough analysis and evaluation of several detection algorithms using variants of n-gram analysis on real-life environments. Our tests show that the analyzed systems, in presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.},
	booktitle = {Research in {Attacks}, {Intrusions}, and {Defenses}},
	publisher = {Springer Berlin Heidelberg},
	author = {Hadžiosmanović, Dina and Simionato, Lorenzo and Bolzoni, Damiano and Zambon, Emmanuele and Etalle, Sandro},
	editor = {Balzarotti, Davide and Stolfo, Salvatore J. and Cova, Marco},
	year = {2012},
	pages = {354--373},
}
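As an added illustration of the abstract's finding (not code from the paper or its authors), the toy below trains an Anagram-style n-gram payload model on constructed benign messages of a made-up binary protocol and then measures the false-positive rate that catching every anomalous message costs; the message format, byte alphabets and sample counts are all assumptions made up for the example.

```python
import random


def ngrams(payload: bytes, n: int) -> list:
    """All overlapping byte n-grams of a payload."""
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]


class NGramSetModel:
    """Anagram-style payload model: remember every n-gram seen in benign training
    traffic; a test payload scores as the fraction of its n-grams never seen."""

    def __init__(self, n: int = 3):
        self.n, self.seen = n, set()

    def train(self, payloads) -> None:
        for p in payloads:
            self.seen.update(ngrams(p, self.n))

    def score(self, payload: bytes) -> float:
        grams = ngrams(payload, self.n)
        return sum(g not in self.seen for g in grams) / len(grams) if grams else 0.0


def make_message(rng: random.Random, body_alphabet: list, body_len: int = 32) -> bytes:
    """Constructed toy 'binary protocol' message: magic, opcode, body length, body.
    The body alphabet controls how variable the benign traffic is (assumption)."""
    opcode = rng.choice([0x01, 0x02, 0x10])
    body = bytes(rng.choice(body_alphabet) for _ in range(body_len))
    return b"\x7fPRT" + bytes([opcode, len(body)]) + body


def evaluate(body_alphabet: list, n: int = 3, seed: int = 1,
             train_count: int = 400, test_count: int = 200) -> dict:
    """Train on benign messages, set the threshold just low enough to flag every
    anomalous test message, and report the false-positive rate that costs."""
    rng = random.Random(seed)
    model = NGramSetModel(n)
    model.train(make_message(rng, body_alphabet) for _ in range(train_count))
    benign = [model.score(make_message(rng, body_alphabet)) for _ in range(test_count)]
    # Constructed anomalies: valid framing, but a body drawn from all 256 byte values
    anomalous = [model.score(b"\x7fPRT\x01\x20" + bytes(rng.randrange(256) for _ in range(32)))
                 for _ in range(test_count)]
    threshold = min(anomalous)
    return {
        "threshold": threshold,
        "detection_rate": sum(s >= threshold for s in anomalous) / test_count,
        "false_positive_rate": sum(s >= threshold for s in benign) / test_count,
    }


if __name__ == "__main__":
    print("low variability :", evaluate([0x00, 0x01, 0x41, 0x42]))  # four-byte body alphabet
    print("high variability:", evaluate(list(range(256))))          # any byte in the body
```

With the low-variability alphabet the benign and anomalous scores separate cleanly, while with the high-variability alphabet nearly every benign message scores above the threshold needed for full detection, which is the trade-off the abstract describes.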
