Statistical Profiling of n-grams for Payload Based Anomaly Detection for HTTP Web Traffic
Authors: R. Pal, Naveen Chowdary
Published in: 2018 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), 2018-12-01
DOI: https://doi.org/10.1109/ANTS.2018.8710080
Anomalous HTTP traffic can be identified by analysing the content of HTTP packets as payload. n-gram analysis is a prominent technique for payload analysis. In this paper, a novel n-gram based anomaly detection method is proposed for HTTP traffic. During the training phase, statistical profiling (the maximum, the minimum, the median and the average of the number of occurrences in a packet) of n-grams over a data set of normal (not malicious) HTTP packets provides the basis for this work. In a test packet, the number of occurrences of an n-gram decides whether the n-gram is anomalous or not. Moreover, the deviation of the number of occurrences of such an anomalous n-gram from the median (or the average) of the number of occurrences of that n-gram in the training packets is used to estimate an anomaly score for the test packet. Taking into account the magnitude of this deviation from the statistical profile (median or average) of n-gram occurrences in normal HTTP traffic is the highlight of the proposed method. Finally, an anomaly-to-normal ratio for the test packet determines whether it is malicious or normal. This technique yields better performance than an existing n-gram based method of anomalous HTTP traffic detection.