Anagram: A Content Anomaly Detector Resistant to Mimicry Attack
Ke Wang; Janak J. Parekh; Salvatore J. Stolfo; Proc. Recent Advances in Intrusion Detection, 2006
Reporter: Luo Sheng-Yuan, 2009/08/06
Page 1: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Ke Wang; Janak J. Parekh; Salvatore J. Stolfo; Proc. Recent Advances in Intrusion Detection, 2006

Reporter: Luo Sheng-Yuan, 2009/08/06

Page 2: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Outline

•Introduction

•Related Work

•Proposed Scheme

•Experimental Results

•Conclusion

Page 3: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Introduction

•Generality: broadly applicable to any service

•Detection of zero-day attacks

•Resistance to mimicry attacks

•High-order n-gram analysis

Page 4: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Related Work

•Byte frequency distribution (PAYL)

Wang, K. and Stolfo, S.J. Anomalous Payload-based Network Intrusion Detection. In: Recent Advances in Intrusion Detection (RAID), 2004.

Page 5: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Related Work

•PAYL's scheme

Figure: PAYL workflow. Training: a byte-frequency model is built from normal packets. Testing: the Mahalanobis distance between an incoming packet's byte distribution and the model is computed, and the packet is classified as normal or abnormal.

Page 6: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Related Work

•Euclidean distance and Mahalanobis distance: Euclidean distance weights every byte value equally, whereas Mahalanobis distance scales each byte's deviation by how much that byte normally varies.
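The two distances on this slide, as an added worked example that is not code from the PAYL or Anagram papers: a PAYL-style byte-frequency model is trained on a handful of constructed HTTP requests and then scores a benign request and a NOP-sled payload with both distances. The simplified Mahalanobis form (sum of |x_i - mean_i| / (std_i + alpha)) is the one PAYL uses; the sample traffic, the smoothing constant ALPHA and the payload lengths are assumptions made for the demo.

```python
"""PAYL-style byte-frequency model with Euclidean and simplified Mahalanobis distance.

Added illustration for this slide deck; not code from the PAYL or Anagram papers.
The training payloads, ALPHA and the attack stand-in are constructed for the demo.
"""
from math import sqrt

# Smoothing term added to every standard deviation so a byte that never varied in
# training (std = 0) does not divide by zero; the value is an assumed demo constant.
ALPHA = 0.001


def byte_frequency(payload: bytes) -> list:
    """Relative frequency of each of the 256 byte values in one payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload) or 1
    return [c / n for c in counts]


class PaylModel:
    """Per-byte mean and standard deviation of relative frequency over normal traffic."""

    def __init__(self):
        self.n = 0
        self.mean = [0.0] * 256
        self._m2 = [0.0] * 256  # running sum of squared deviations (Welford's method)

    def train(self, payload: bytes) -> None:
        x = byte_frequency(payload)
        self.n += 1
        for i in range(256):
            delta = x[i] - self.mean[i]
            self.mean[i] += delta / self.n
            self._m2[i] += delta * (x[i] - self.mean[i])

    def std(self) -> list:
        if self.n < 2:
            return [0.0] * 256
        return [sqrt(v / (self.n - 1)) for v in self._m2]

    def euclidean(self, payload: bytes) -> float:
        """Plain Euclidean distance: every byte value counts the same."""
        x = byte_frequency(payload)
        return sqrt(sum((x[i] - self.mean[i]) ** 2 for i in range(256)))

    def mahalanobis(self, payload: bytes) -> float:
        """Simplified Mahalanobis distance as PAYL uses it: sum |x_i - mean_i| / (std_i + ALPHA).
        A byte that is stable in normal traffic (small std_i) gets a large weight, so a
        byte value that normal traffic never contains is penalised far more than the same
        deviation in a byte whose frequency naturally varies."""
        x = byte_frequency(payload)
        s = self.std()
        return sum(abs(x[i] - self.mean[i]) / (s[i] + ALPHA) for i in range(256))


# Constructed sample of "normal" HTTP requests (not real captured traffic).
NORMAL_TRAFFIC = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n",
    b"GET /contact HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n",
]
NORMAL_TEST = b"GET /news.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
# Constructed stand-in for an exploit payload: a NOP sled (0x90) plus int3 bytes (0xCC),
# byte values that never occur in the training requests.
ATTACK_TEST = b"GET /" + b"\x90" * 200 + b"\xcc" * 20 + b" HTTP/1.1\r\n"


def demo() -> dict:
    """Train on the sample traffic and score a benign and a malicious request."""
    model = PaylModel()
    for p in NORMAL_TRAFFIC:
        model.train(p)
    return {
        "normal_euclidean": model.euclidean(NORMAL_TEST),
        "attack_euclidean": model.euclidean(ATTACK_TEST),
        "normal_mahalanobis": model.mahalanobis(NORMAL_TEST),
        "attack_mahalanobis": model.mahalanobis(ATTACK_TEST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```

Because the model only sees a distribution of byte values, an attacker who can reshape an exploit's byte histogram (the blending attack on the next slide) can drive both distances down without touching the exploit's behaviour; that is the weakness Anagram's n-gram model is meant to close.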

Page 7: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Related Work

•Evading PAYL

Kolesnikov, O., Dagon, D. and Lee, W. Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic. In: USENIX Security Symposium, 2006.

Page 8: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Proposed Scheme

•N-gram analysis

▫An n-gram is a subsequence of n consecutive items taken from a given sequence.

▫5-gram example: given the preceding four letters ("worl"), what is the next letter? A model trained on English text might estimate a=0.001, b=0.001, c=0.001, d=0.8, ..., so "d" ("world") is the likely continuation.

Page 9: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Proposed Scheme

•N-gram analysis

▫Frequency-based: each element's value is a probability (the n-gram's estimated relative frequency)

▫Binary-based: each element's value is zero or one (whether the n-gram was observed at all)

•N-gram model size

▫256^n possible distinct n-grams over byte values, which is far too many to store a count for each as n grows (256^5 is already about 10^12)

Page 10: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Proposed Scheme

•Training phase

▫Store all of the distinct n-grams observed during training; only presence is recorded, not counts.

•Test phase

▫Score a packet by the fraction of its n-grams that were never observed during training; a score above a threshold flags the packet as anomalous.

Page 11: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Proposed Scheme

•Bloom filter

▫A Bloom filter is a convenient structure for the binary model: a bit array set at several hash positions per n-gram. It never misses an n-gram that was stored (no false negatives), and a false positive only makes an unseen n-gram look normal, slightly lowering the score.

Page 12: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Proposed Scheme

•Randomization against mimicry attack

▫The portions of a packet that are tested are chosen by a secret random partition, so an attacker who pads an exploit with normal-looking bytes cannot predict which bytes will be scored together.
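Pages 8 to 12 together describe one procedure: extract byte n-grams, keep a binary model of the distinct n-grams in a Bloom filter, score a packet by the fraction of unseen n-grams, and randomize which bytes are scored together. The following added example, which is not the authors' code, runs that procedure end to end on constructed traffic and shows why padding helps a mimicry attack against the plain model but not against the randomized one. The Bloom filter size and hash count, n = 5, the sample requests, the shellcode stand-in and the form of the random partition (a position-keyed split into interleaved substrings, applied to both training and testing) are assumptions made for the demo; the paper's implementation differs in its details.

```python
"""Anagram-style binary n-gram model in a Bloom filter, with randomized testing.

Added illustration for this slide deck (Pages 8 to 12); not the authors' code.
Filter size, n, sample traffic, shellcode stand-in and partition scheme are assumptions.
"""
import hashlib
import random


def ngrams(data: bytes, n: int):
    """Yield every length-n substring of data (a sliding window, so they overlap)."""
    for i in range(len(data) - n + 1):
        yield data[i:i + n]


class BloomFilter:
    """Bit array probed at k hash positions per item: no false negatives, and a
    false-positive rate that grows with the number of items stored."""

    def __init__(self, bits: int = 1 << 20, k: int = 3):
        self.bits = bits
        self.k = k
        self.array = bytearray((bits + 7) // 8)

    def _positions(self, item: bytes):
        # Derive the k positions from one SHA-256 digest, sliced into 4-byte words.
        digest = hashlib.sha256(item).digest()
        for j in range(self.k):
            yield int.from_bytes(digest[4 * j:4 * j + 4], "big") % self.bits

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.array[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.array[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


class Anagram:
    """Binary n-gram detector. parts=1 is the plain scheme; with parts>1 each payload
    is split by a secret, position-keyed random partition into `parts` interleaved
    substrings (assumed form of randomized testing), each modelled and scored alone."""

    def __init__(self, n: int = 5, parts: int = 1, seed: int = 0):
        self.n = n
        self.parts = parts
        self.seed = seed  # the secret: an attacker does not know the partition
        self.seen = BloomFilter()

    def _partition(self, payload: bytes) -> list:
        if self.parts == 1:
            return [payload]
        rng = random.Random(self.seed)  # same seed -> same bucket for each byte position
        buckets = [bytearray() for _ in range(self.parts)]
        for b in payload:
            buckets[rng.randrange(self.parts)].append(b)
        return [bytes(bk) for bk in buckets]

    def train(self, payload: bytes) -> None:
        """Store each distinct n-gram; no counts or frequencies are kept."""
        for part in self._partition(payload):
            for g in ngrams(part, self.n):
                self.seen.add(g)

    def score(self, payload: bytes) -> float:
        """Fraction of n-grams never observed in training (highest over the parts)."""
        best = 0.0
        for part in self._partition(payload):
            grams = list(ngrams(part, self.n))
            if grams:
                unseen = sum(1 for g in grams if g not in self.seen)
                best = max(best, unseen / len(grams))
        return best


# Constructed sample traffic and exploit stand-in (not captured data).
NORMAL_TRAFFIC = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n",
    b"GET /contact HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n",
]
REQUEST = NORMAL_TRAFFIC[0]
SHELLCODE = b"\x90" * 200 + b"\xcc" * 20  # NOP sled plus int3 bytes, never seen in training


def demo() -> dict:
    plain = Anagram(n=5, parts=1)
    randomized = Anagram(n=5, parts=4, seed=1234)
    for p in NORMAL_TRAFFIC:
        plain.train(p)
        randomized.train(p)
    attack = REQUEST + SHELLCODE
    padded = attack + REQUEST * 10  # mimicry: dilute the unseen n-grams with normal bytes
    return {
        "normal_plain": plain.score(REQUEST),
        "attack_plain": plain.score(attack),
        "padded_plain": plain.score(padded),
        "padded_randomized": randomized.score(padded),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```

Against the plain model the padded attack's score drops with every copy of the normal request appended, which is exactly the blending strategy of Page 7. Under the randomized model the padding sits at byte positions the partition assigns differently from the training requests, so the interleaved substrings it produces are themselves unseen and the score stays high. The demo also shows why the paper trains on hundreds of hours of traffic: with only four training requests, any genuinely new benign request contains unseen n-grams too, so the threshold must be set from a large corpus of normal data.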

Page 13: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Experiments Result

•Trained on 500 hours of traffic data

Page 14: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Experiments Result

•False positive rate


Page 15: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Conclusion

•The core hypothesis is that any new, zero-day exploit will contain a portion of data that has never before been delivered to the application.

•Anagram raises the bar for attackers, making mimicry attacks harder.

Page 16: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

Comment

•The binary-based approach is not tolerant of noisy training.

•Computation time is longer than PAYL's.