McPAD and HMMPayl

Two Multiple-Classifier Payload-based Anomaly Detectors

What is Payload Analysis?
Payload analysis is the analysis of the application-layer payload* with the aim of discriminating between "normal" and "malicious" payloads. A payload is considered "malicious" if it carries an attack against either the web server or the hosted web applications.
Detection of malicious traffic rests on the assumption that the byte distributions of normal and malicious payloads differ.

*(that is, the portion of the network packet that carries application-layer protocols such as HTTP, FTP, SMTP, etc.)

What are McPAD and HMMPayl?
McPAD and HMMPayl are two network-based Intrusion Detection Systems that implement payload analysis. During the training phase they build a model of the byte distribution of normal payloads. During the detection phase they flag a payload as anomalous if its byte distribution is statistically different from that of the normal payloads.

McPAD uses 2-nu-gram analysis to represent the byte distribution. This analysis is an approximation of the n-gram analysis commonly used in text-classification tasks. Following the Multiple Classifier Systems paradigm, an ensemble of Support Vector Machines is used to classify the payloads.
HMMPayl creates a more accurate model of the payload, since it performs a full n-gram analysis, implemented by means of an ensemble of Hidden Markov Models. Because its model of the payload is far more accurate, in the experimental comparison HMMPayl was generally more accurate than McPAD, producing both fewer false positives and fewer false negatives.
Both McPAD and HMMPayl have been extensively evaluated on HTTP traffic, but the algorithms they implement are entirely general and can in principle be applied to model any application-layer protocol.
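As an added worked example (not code from the McPAD or HMMPayl projects), the following Python extracts the 2-nu-gram features described above (pairs of bytes that are nu positions apart, where nu = 0 means adjacent bytes, i.e. ordinary 2-grams) alongside full n-gram counts, trains one simplified detector per value of nu on a handful of constructed HTTP requests, and combines the detectors as an ensemble in the multiple-classifier spirit of the page. The centroid-plus-L1-distance scorer, the threshold margin, the class names and the sample requests are all assumptions made for this example; McPAD's own detector is an ensemble of one-class SVMs and HMMPayl uses Hidden Markov Models, and neither classifier is reproduced here.

```python
# Added example (not McPAD/HMMPayl code): 2ν-gram and n-gram feature
# extraction from payload bytes, a simplified centroid-based anomaly
# detector per ν, and a small ensemble over several ν values.
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Profile = Dict[Tuple[int, int], float]


def ngram_counts(payload: bytes, n: int) -> Counter:
    """Full n-gram analysis: count every window of n consecutive bytes."""
    return Counter(payload[i:i + n] for i in range(len(payload) - n + 1))


def two_nu_gram_counts(payload: bytes, nu: int) -> Counter:
    """2ν-gram analysis: count pairs of bytes that are nu positions apart
    (nu = 0 means adjacent bytes, i.e. ordinary 2-grams). The bytes in
    between are ignored, so the feature space stays 256*256 for any nu."""
    gap = nu + 1
    return Counter((payload[i], payload[i + gap]) for i in range(len(payload) - gap))


def relative_frequencies(counts: Counter) -> Profile:
    """Normalise raw counts to a distribution that sums to 1."""
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()} if total else {}


def l1_distance(a: Profile, b: Profile) -> float:
    """L1 distance between two distributions; ranges from 0 (equal) to 2 (disjoint)."""
    return sum(abs(a.get(k, 0.0) - b.get(k, 0.0)) for k in set(a) | set(b))


class CentroidDetector:
    """One detector per nu. Training builds the mean 2ν-gram distribution of
    normal payloads; detection measures the L1 distance to that mean.
    Assumption: this simplified scorer stands in for McPAD's one-class SVM."""

    def __init__(self, nu: int, margin: float = 1.1) -> None:
        self.nu = nu
        self.margin = margin  # slack above the largest distance seen in training
        self.center: Profile = {}
        self.threshold = 0.0

    def profile(self, payload: bytes) -> Profile:
        return relative_frequencies(two_nu_gram_counts(payload, self.nu))

    def fit(self, normal: Iterable[bytes]) -> "CentroidDetector":
        profiles = [self.profile(p) for p in normal]
        acc: Counter = Counter()
        for p in profiles:
            acc.update(p)  # element-wise sum of the distributions
        self.center = {k: v / len(profiles) for k, v in acc.items()}
        self.threshold = self.margin * max(l1_distance(p, self.center) for p in profiles)
        return self

    def score(self, payload: bytes) -> float:
        """Normalised score: > 1.0 means farther from normal than any training payload."""
        return l1_distance(self.profile(payload), self.center) / self.threshold

    def is_anomalous(self, payload: bytes) -> bool:
        return self.score(payload) > 1.0


class Ensemble:
    """Multiple-classifier combination: average the normalised scores of the
    detectors trained with different nu values and flag if the mean exceeds 1."""

    def __init__(self, nus: Iterable[int]) -> None:
        self.detectors = [CentroidDetector(nu) for nu in nus]

    def fit(self, normal: Iterable[bytes]) -> "Ensemble":
        normal = list(normal)
        for d in self.detectors:
            d.fit(normal)
        return self

    def score(self, payload: bytes) -> float:
        return sum(d.score(payload) for d in self.detectors) / len(self.detectors)

    def is_anomalous(self, payload: bytes) -> bool:
        return self.score(payload) > 1.0


# Constructed sample traffic for the example (not captured data).
_GET = b"GET /%s HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"
NORMAL_TRAFFIC: List[bytes] = [
    _GET % b"index.html", _GET % b"about.html", _GET % b"images/logo.png",
    _GET % b"contact.html", _GET % b"news/2020/report.html",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n\r\nuser=alice&password=secret1",
]
HELD_OUT_NORMAL = _GET % b"products/list.html"
# Constructed anomalous request: the URI is a long run of non-ASCII bytes, whose
# 2ν-gram distribution has almost no overlap with that of normal HTTP text.
ANOMALOUS = b"GET /" + bytes(range(128, 256)) * 2 + b" HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    ens = Ensemble(nus=[0, 1, 2]).fit(NORMAL_TRAFFIC)
    for label, p in (("held-out normal", HELD_OUT_NORMAL), ("anomalous", ANOMALOUS)):
        print(f"{label}: score={ens.score(p):.2f} flagged={ens.is_anomalous(p)}")
```

Each detector's threshold is set from the training data alone, so the ensemble never sees an attack during training, which is the defining property of a payload-based anomaly detector. Varying nu lets the ensemble capture byte correlations at several distances with a fixed 256*256 feature space, which is the approximation the page contrasts with HMMPayl's full n-gram model.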