
Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Anagram: A Content Anomaly Detector Resistant to Mimicry Attack. Ke Wang; Janak J. Parekh; Salvatore J. Stolfo; Proc. Recent Advances in Intrusion Detection, 2006. Reporter: Luo Sheng-Yuan 2009/08/06. Outline. Introduction Related Work Proposed Scheme Experiments Result Conclusion.



  1. Anagram: A Content Anomaly Detector Resistant to Mimicry Attack. Ke Wang, Janak J. Parekh, Salvatore J. Stolfo. Proc. Recent Advances in Intrusion Detection (RAID), 2006. Reporter: Luo Sheng-Yuan, 2009/08/06

  2. Outline • Introduction • Related Work • Proposed Scheme • Experimental Results • Conclusion

  3. Introduction • Generality: applicable to any service, since the model is built from payload bytes rather than protocol semantics • Detection of zero-day attacks: no signatures are needed • Resistance to mimicry attacks • Higher-order n-gram analysis (n > 1) instead of single-byte statistics

  4. Related Work • Byte frequency distribution (1-gram model), as used by PAYL • Wang, K. and S.J. Stolfo. Anomalous Payload-based Network Intrusion Detection. Symposium on Recent Advances in Intrusion Detection, 2004.

  5. Related Work • PAYL's scheme: normal packets → training (per-byte frequency model); incoming packet → compute the Mahalanobis distance to the model → classified as normal or abnormal

  6. Related Work • Euclidean distance vs. Mahalanobis distance: Euclidean distance treats every byte value equally, whereas the (simplified) Mahalanobis distance used by PAYL scales each byte's deviation from the training mean by that byte's standard deviation, so a byte whose frequency varies widely in normal traffic contributes less to the score

  7. Related Work • Evading PAYL: a polymorphic worm can pad or encode its payload so that the byte-frequency distribution matches normal traffic, and a 1-gram model cannot tell the difference • Kolesnikov, O., D. Dagon, and W. Lee. Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic. USENIX Security Symposium, 2006.
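The following is an added example, not code from the paper or the slides, to make the related-work slides concrete: a PAYL-style 1-gram (byte frequency) model, the Euclidean and simplified Mahalanobis distances to it, and a blending attack of the kind Kolesnikov et al. describe. The smoothing factor ALPHA, the training requests and the "exploit" bytes are all constructed for the illustration; PAYL's per-port and per-length model selection is left out.

```python
"""PAYL-style byte-frequency model, Euclidean vs. simplified Mahalanobis
distance, and a blending (padding) attack against the 1-gram model.
Added illustration, not PAYL's code; ALPHA and all payloads are assumptions."""
from __future__ import annotations
from collections import Counter
import math

ALPHA = 0.001  # smoothing added to each sigma_i so unseen bytes do not divide by zero (assumed)


def byte_frequencies(payload: bytes) -> list[float]:
    """Relative frequency of each of the 256 byte values in a payload."""
    counts = Counter(payload)
    n = len(payload) or 1
    return [counts.get(b, 0) / n for b in range(256)]


class PaylModel:
    """Per-byte mean and standard deviation of the relative frequencies
    observed over the training payloads."""

    def __init__(self, training: list[bytes]):
        freqs = [byte_frequencies(p) for p in training]
        n = len(freqs)
        self.mean = [sum(f[i] for f in freqs) / n for i in range(256)]
        self.sigma = [
            math.sqrt(sum((f[i] - self.mean[i]) ** 2 for f in freqs) / n)
            for i in range(256)
        ]

    def mahalanobis(self, payload: bytes) -> float:
        """Simplified Mahalanobis distance: sum_i |x_i - mean_i| / (sigma_i + ALPHA)."""
        x = byte_frequencies(payload)
        return sum(abs(x[i] - self.mean[i]) / (self.sigma[i] + ALPHA) for i in range(256))

    def euclidean(self, payload: bytes) -> float:
        """Plain Euclidean distance between the payload's frequency vector and the mean."""
        x = byte_frequencies(payload)
        return math.sqrt(sum((x[i] - self.mean[i]) ** 2 for i in range(256)))


# Constructed training set: small plain-text HTTP requests (not real traffic).
TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.0\r\n\r\n",
    b"GET /news/today.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n",
]
# Constructed "exploit": a request followed by 256 non-ASCII bytes standing in
# for shellcode (not a real exploit).
RAW_ATTACK = (b"GET /cgi-bin/x HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
              + bytes(range(0x80, 0xC0)) * 4)
# Blending attack: keep the same exploit bytes but pad the packet with copies of a
# normal request so the 1-gram distribution moves back toward the training mean.
BLENDED_ATTACK = RAW_ATTACK + TRAINING[0] * 40


def demo() -> dict:
    """Distances of a normal request, the raw exploit and the blended exploit."""
    model = PaylModel(TRAINING)
    normal = b"GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n"
    return {
        "normal": model.mahalanobis(normal),
        "raw": model.mahalanobis(RAW_ATTACK),
        "blended": model.mahalanobis(BLENDED_ATTACK),   # far closer to normal than raw
        "normal_euclid": model.euclidean(normal),
        "raw_euclid": model.euclidean(RAW_ATTACK),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value:10.3f}")
```

The blended packet still carries every byte of the exploit; only its relative frequencies changed. That is exactly what a 1-gram model cannot see, and it is the gap the higher-order n-gram model on the following slides is meant to close.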

  8. Proposed Scheme • N-gram analysis • An n-gram is a contiguous subsequence of n items from a given sequence (here, n consecutive bytes of a payload). • 5-gram example: given the four letters "worl", what is the next letter? A frequency-based model over 5-grams answers with a distribution (a = 0.001, b = 0.001, c = 0.001, d = 0.8, ...).

  9. Proposed Scheme • N-gram analysis • Frequency-based: each element stores the probability (relative frequency) of its n-gram • Binary-based: each element stores zero or one, i.e. whether the n-gram was ever observed • N-gram model size: 256^N possible n-grams over byte values, so the model cannot be stored as a dense array for n > 2

  10. Proposed Scheme • Training phase: store every distinct n-gram observed during training (no counts are kept) • Test phase: count the n-grams of the incoming packet that were never observed in training; the packet's score is the fraction of unseen n-grams, and a score above a threshold raises an alert

  11. Proposed Scheme • Bloom filter • A Bloom filter is a convenient, space-efficient representation of the binary model: a bit array with k hash functions; an n-gram that was inserted is always found (no false negatives), while an n-gram that was not inserted is reported present only with a small false-positive probability, which makes the detector slightly more permissive, never less

  12. Proposed Scheme • Randomization against mimicry attack: instead of scoring the whole packet, randomly partition it into substrings with a secret seed and test each separately; an attacker who pads the exploit with normal n-grams to lower the packet-wide score cannot predict which portion will be tested on its own
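The following is an added example, not the Anagram authors' code, covering the Proposed Scheme slides end to end: n-gram extraction, a Bloom filter holding the binary model, training and scoring as the fraction of unseen n-grams, and a randomized test. The n-gram size N, the Bloom filter parameters, THRESHOLD, SECRET_SEED and the chunk-length range are assumptions, the HTTP requests and "exploit" bytes are constructed, and the contiguous random-length cuts in random_chunks are a simplification of the paper's randomized partitioning, not its exact scheme.

```python
"""Anagram-style binary n-gram model: a Bloom filter of every n-gram seen in
training, a score equal to the fraction of unseen n-grams, and randomized
chunk testing.  Added illustration, not the Anagram authors' code; N, the
Bloom filter size, THRESHOLD, SECRET_SEED and all payloads are assumptions."""
from __future__ import annotations
import hashlib
import random

N = 5                 # n-gram size (assumed; the paper evaluates several)
BF_BITS = 1 << 20     # Bloom filter size in bits (assumed)
BF_HASHES = 3         # hash positions per key (assumed)
THRESHOLD = 0.25      # alert when this fraction of n-grams is unseen (assumed)
SECRET_SEED = 0x5EED  # partition seed kept secret from the attacker (assumed)


class BloomFilter:
    """Bit array with k positions per key: inserted keys are always found;
    other keys are reported present with a small probability."""

    def __init__(self, bits: int = BF_BITS, hashes: int = BF_HASHES):
        self.bits, self.hashes = bits, hashes
        self.array = bytearray(bits // 8)

    def _positions(self, key: bytes) -> list[int]:
        # k positions derived from one SHA-256 digest (double hashing).
        h = hashlib.sha256(key).digest()
        h1 = int.from_bytes(h[:8], "big")
        h2 = int.from_bytes(h[8:16], "big") | 1
        return [(h1 + i * h2) % self.bits for i in range(self.hashes)]

    def add(self, key: bytes) -> None:
        for p in self._positions(key):
            self.array[p >> 3] |= 1 << (p & 7)

    def __contains__(self, key: bytes) -> bool:
        return all(self.array[p >> 3] & (1 << (p & 7)) for p in self._positions(key))


def ngrams(data: bytes, n: int = N) -> list[bytes]:
    """All overlapping n-byte substrings of data."""
    return [data[i:i + n] for i in range(len(data) - n + 1)]


class AnagramModel:
    def __init__(self, n: int = N):
        self.n = n
        self.bf = BloomFilter()

    def train(self, payloads: list[bytes]) -> None:
        # Training phase: record every distinct n-gram; no counts are kept.
        for p in payloads:
            for g in ngrams(p, self.n):
                self.bf.add(g)

    def score(self, payload: bytes) -> float:
        """Test phase: fraction of the payload's n-grams never seen in training."""
        grams = ngrams(payload, self.n)
        if not grams:
            return 0.0
        return sum(1 for g in grams if g not in self.bf) / len(grams)

    def random_chunks(self, payload: bytes, seed: int, lo: int = 32, hi: int = 128) -> list[bytes]:
        """Cut the payload into contiguous chunks of secret random length
        (a simplification of the paper's randomized partitioning)."""
        rng, chunks, i = random.Random(seed), [], 0
        while i < len(payload):
            length = rng.randint(lo, hi)
            chunks.append(payload[i:i + length])
            i += length
        return chunks

    def score_randomized(self, payload: bytes, seed: int = SECRET_SEED) -> float:
        """Score each chunk on its own and report the worst, so normal padding
        elsewhere in the packet cannot dilute an exploit region."""
        return max((self.score(c) for c in self.random_chunks(payload, seed)), default=0.0)


# Constructed training set: small plain-text HTTP requests (not real traffic).
TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.0\r\n\r\n",
    b"GET /news/today.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n",
]
# Constructed "exploit": a request plus 256 non-ASCII bytes standing in for shellcode.
RAW_ATTACK = (b"GET /cgi-bin/x HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
              + bytes(range(0x80, 0xC0)) * 4)
# Mimicry: pad with copies of a normal request so unseen n-grams are a small fraction.
BLENDED_ATTACK = RAW_ATTACK + TRAINING[0] * 40


def demo() -> dict:
    model = AnagramModel()
    model.train(TRAINING)
    # Recombines headers seen in training, so every n-gram is known.
    normal = b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n"
    # A path never seen in training: a few unseen n-grams, still under threshold.
    novel = b"GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n"
    return {
        "normal": model.score(normal),
        "novel_normal": model.score(novel),
        "raw": model.score(RAW_ATTACK),
        "blended": model.score(BLENDED_ATTACK),                        # diluted: evades
        "blended_randomized": model.score_randomized(BLENDED_ATTACK),  # a chunk is all exploit
        "normal_randomized": model.score_randomized(normal),
    }
```

Run with `python -c "import anagram_demo; print(anagram_demo.demo())"` after saving the block as anagram_demo.py. The whole-packet score of the padded attack drops below THRESHOLD, which is the mimicry the slides warn about; the randomized test still returns 1.0 because every chunk of at most 128 bytes that falls inside the 256-byte exploit region consists entirely of unseen n-grams, and the attacker has no way to know which bytes a chunk will cover.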

  13. Experimental Results • Trained on 500 hours of traffic data

  14. Experimental Results • False positive rate

  15. Conclusion • The core hypothesis is that any new, zero-day exploit will contain a portion of data that has never before been delivered to the application, and therefore n-grams never seen in training. • Anagram raises the bar for attackers, making mimicry attacks harder.

  16. Comment • The binary-based approach is not tolerant of noisy training. • Computation time is longer than PAYL's.
