Abstract
In this paper we propose an Intrusion Detection System (IDS) for the detection of attacks against a web server. The system analyzes the requests received by a web server, and is based on a two-stage classification algorithm that relies heavily on the Multiple Classifier System (MCS) paradigm. In the first stage, the structure of the HTTP requests is modeled using several ensembles of Hidden Markov Models. Then, the outputs of these ensembles are combined using a one-class classification algorithm. We evaluated the system on several datasets of real traffic and real attacks. Experimental results and comparisons with state-of-the-art detection systems show the effectiveness of the proposed approach.
This research was sponsored by the RAS (Autonomous Region of Sardinia) through a grant financed with the "Sardinia PO FSE 2007-2013" funds and provided according to the L.R. 7/2007. Any opinions, findings and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the RAS.
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ariu, D., Giacinto, G. (2011). A Modular Architecture for the Analysis of HTTP Payloads Based on Multiple Classifiers. In: Sansone, C., Kittler, J., Roli, F. (eds) Multiple Classifier Systems. MCS 2011. Lecture Notes in Computer Science, vol 6713. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21557-5_35
DOI: https://doi.org/10.1007/978-3-642-21557-5_35
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21556-8
Online ISBN: 978-3-642-21557-5
eBook Packages: Computer Science (R0)