Combining Multiple One-Class Classifiers for Hardening Payload-based Anomaly Detection Systems (Extended Abstract)

msra(2007)

Abstract
Intrusion Detection Systems (IDS) are valuable tools for the defense-in-depth of computer networks. Network IDS look for known or potential malicious activities in network traffic and raise an alarm whenever a suspicious activity is detected. Two main approaches to intrusion detection are used, namely misuse and anomaly detection (10). Misuse detectors are based on a description of known malicious activities. This description is often modeled as a set of rules referred to as attack signatures. Activities that match an attack signature are classified as malicious. Anomaly detectors are based on a description of normal or benign activities. A distance between the description of normal events and new network activities is measured. As malicious activities are expected to be different from normal activities, a suitable distance measure allows anomaly-based IDS to detect attack traffic. Anomaly-based detection systems usually produce a relatively higher number of false positives, compared to the misuse-based or signature-based detection systems. However, anomaly detectors are able to detect zero-day (i.e., never-before-seen) attacks, whereas signature-based systems are not.

Unsupervised or unlabeled learning approaches for network anomaly detection have been proposed in (12, 4). These methods aim to work on datasets of traffic extracted from real networks without the necessity of a labeling process. Unlabeled anomaly detection systems are based on the reasonable assumption that the percentage of attack patterns in the extracted traffic traces is usually much lower than the percentage of normal patterns (12). Furthermore, it is possible to use signature-based IDS in order to filter the extracted traffic by removing the known attacks, thus further reducing the number of attack patterns possibly present in the dataset. Another assumption is that the attack patterns are supposed to be distinguishable from the normal patterns in a suitable feature space.
The term "unlabeled anomaly detection" used in the intrusion detection field actually refers to what in machine learning is more often called "novelty detection", "outlier detection" or "one-class classification". Recent work on unlabeled anomaly detection focused on high speed classification based on simple payload statistics (7, 9, 14, 15). For example, PAYL (14, 15) extracts 256 features from the payload. Each feature represents the occurrence frequency in the payload of one of the 256 possible byte values. A simple model of normal traffic is then constructed by computing the average and standard deviation of each feature. A payload is considered anomalous if a simplified Mahalanobis distance between the payload under test and the model of normal traffic exceeds a predetermined threshold. Wang et al. (14) also proposed a more generic n-gram version of PAYL. In this case the payload is described by a pattern vector in a 256^n-dimensional feature space. The n-grams extract byte sequence information from the payload, which helps in constructing a more precise model of the normal traffic compared to the simple byte frequency-based model. The extraction of n-gram statistics from the payload can be performed efficiently and the IDS can be used to monitor high-speed links in real time. However, given the exponentially growing number of extracted features, the higher n the more difficult it may be to construct an accurate model because of the curse of dimensionality and possible computational complexity problems.

It has been demonstrated that many anomaly detection systems can be "evaded" by mimicry attacks (13, 6, 1, 5). A mimicry attack is an attack against a network or system vulnerability that is carefully crafted so that the attack
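The 1-gram PAYL model described above (256 byte-frequency features, per-feature mean and standard deviation, simplified Mahalanobis distance against a threshold), as an added illustration that is not code from the paper or from PAYL itself; the smoothing term `ALPHA`, the training payloads, the anomalous payload and the threshold policy in `fit_threshold` are all constructed assumptions for this example.

```python
"""Byte-frequency payload anomaly detector in the style of 1-gram PAYL (added example)."""
from collections import Counter

ALPHA = 0.01  # assumed smoothing term: keeps zero-variance features from dividing by zero


def byte_frequencies(payload: bytes) -> list[float]:
    """The 256 PAYL features: relative frequency of each byte value in the payload."""
    if not payload:
        return [0.0] * 256
    counts = Counter(payload)
    return [counts.get(b, 0) / len(payload) for b in range(256)]


def train(payloads: list[bytes]) -> tuple[list[float], list[float]]:
    """Model of normal traffic: per-feature mean and (population) standard deviation."""
    vecs = [byte_frequencies(p) for p in payloads]
    m = len(vecs)
    mean = [sum(v[i] for v in vecs) / m for i in range(256)]
    std = [(sum((v[i] - mean[i]) ** 2 for v in vecs) / m) ** 0.5 for i in range(256)]
    return mean, std


def simplified_mahalanobis(payload: bytes, mean: list[float], std: list[float]) -> float:
    """Simplified distance: sum_i |x_i - mean_i| / (std_i + ALPHA).
    Dropping the full covariance matrix makes scoring O(256) per payload, which is
    what lets a byte-frequency detector keep up with high-speed links."""
    x = byte_frequencies(payload)
    return sum(abs(x[i] - mean[i]) / (std[i] + ALPHA) for i in range(256))


def fit_threshold(payloads: list[bytes], mean, std, margin: float = 1.5) -> float:
    """Assumed policy: largest distance seen on the training set times a safety margin."""
    return margin * max(simplified_mahalanobis(p, mean, std) for p in payloads)


# Constructed "normal" traffic: a handful of plain-text HTTP requests.
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: curl\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: curl\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: curl\r\n\r\n",
    b"GET /style.css HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: curl\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: curl\r\n\r\nuser=bob&pw=x",
]
# Constructed anomalous payload: a long run of a non-ASCII byte value that never occurs in
# the training traffic (mean 0, std 0), so its frequency is divided only by ALPHA.
ANOMALOUS = b"\x90" * 60 + b"\xff\xe4\xcc\xcc"

MEAN, STD = train(NORMAL)
THRESHOLD = fit_threshold(NORMAL, MEAN, STD)


def is_anomalous(payload: bytes) -> bool:
    return simplified_mahalanobis(payload, MEAN, STD) > THRESHOLD
```

Because every zero-variance feature is scaled by `ALPHA` alone, a payload dominated by a byte value absent from training scores far above anything in the training set; the same property is what a mimicry attack exploits by keeping its byte distribution close to the normal profile.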