HMMPayl: an application of HMM to the analysis of the HTTP Payload
Publication Type: Conference Paper
Source: Workshop on Applications of Pattern Analysis (2010)
Zero-day attacks are one of the most dangerous threats against computer networks. By definition, these are attacks never seen before, so defense tools based on a database of rules (usually referred to as “signatures”) that describe known attacks cannot do anything against them. Recently, defense tools based on machine learning algorithms have gained increasing popularity because they also offer the possibility of fighting off zero-day attacks. In this paper we propose HMMPayl, an anomaly-based Intrusion Detection System for the protection of a web server and of the applications the server hosts. HMMPayl analyzes the network traffic toward the web server and is based on Hidden Markov Models. This paper makes several contributions. First, the algorithm implemented by HMMPayl models the payload carefully, increasing the classification accuracy with respect to previously proposed solutions. Second, we show that an approach based on multiple classifiers leads to higher classification accuracy than the case where a single classifier is used. Third, by exploiting the redundancy within the information extracted from the payload, we propose a solution to reduce the computational cost of the algorithm.
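A scaled-down illustration of the approach the abstract describes, added here and not the authors' HMMPayl code: each ensemble member is a discrete HMM over payload bytes trained by Baum-Welch from a different random start, the members' log-likelihoods are averaged (the multiple-classifier combination), and a payload is flagged when it scores well below the training traffic. Assumptions not taken from the page: one emission symbol per byte (HMMPayl's own feature extraction differs), two hidden states, five EM iterations, additive smoothing, and constructed sample requests.

```python
import math
import random

SYMBOLS = 256  # assumption: one emission symbol per payload byte
def _norm(row):
    return [x / sum(row) for x in row]
def random_hmm(states, rng):  # random start point; ensemble members differ only in this
    rnd = lambda k: _norm([rng.random() + 0.1 for _ in range(k)])
    return {"pi": rnd(states), "A": [rnd(states) for _ in range(states)], "B": [rnd(SYMBOLS) for _ in range(states)]}
def forward_backward(seq, m):  # scaled pass: log P(seq|m) plus row-normalised alpha_t and beta_t
    A, B, pi, n = m["A"], m["B"], m["pi"], len(m["A"])
    alphas, loglik = [], 0.0
    for t, o in enumerate(seq):
        a = [B[j][o] * (pi[j] if t == 0 else sum(alphas[-1][i] * A[i][j] for i in range(n))) for j in range(n)]
        loglik += math.log(sum(a))  # the per-step scaling factors multiply to P(seq|m)
        alphas.append(_norm(a))
    betas = [[1.0] * n]
    for o in reversed(seq[1:]):
        betas.insert(0, _norm([sum(A[i][j] * B[j][o] * betas[0][j] for j in range(n)) for i in range(n)]))
    return loglik, alphas, betas
def baum_welch(seqs, m, iters=5, eps=1e-3):  # EM re-estimation over all training payloads; eps smooths counts
    n = len(m["A"])
    for _ in range(iters):
        pi_c, A_c, B_c = [eps] * n, [[eps] * n for _ in range(n)], [[eps] * SYMBOLS for _ in range(n)]
        for seq in seqs:
            _, al, be = forward_backward(seq, m)
            for t, o in enumerate(seq):
                g = _norm([al[t][i] * be[t][i] for i in range(n)])  # P(state i at t | seq)
                for i in range(n):
                    B_c[i][o] += g[i]
                    pi_c[i] += g[i] * (t == 0)  # initial-state counts come from t = 0 only
                if t + 1 < len(seq):  # expected transition counts i -> j between t and t + 1
                    xi = [[al[t][i] * m["A"][i][j] * m["B"][j][seq[t + 1]] * be[t + 1][j] for j in range(n)] for i in range(n)]
                    z = sum(map(sum, xi))
                    A_c = [[A_c[i][j] + xi[i][j] / z for j in range(n)] for i in range(n)]
        m = {"pi": _norm(pi_c), "A": [_norm(r) for r in A_c], "B": [_norm(r) for r in B_c]}
    return m
def train_ensemble(payloads, members=3, states=2, seed=1):
    seqs = [list(p) for p in payloads]
    return [baum_welch(seqs, random_hmm(states, random.Random(seed + k))) for k in range(members)]
def score(ensemble, payload):  # mean per-byte log-likelihood across members: the classifier combination
    seq = list(payload)
    return sum(forward_backward(seq, m)[0] for m in ensemble) / (len(ensemble) * len(seq))
def is_anomalous(ensemble, payload, normal_payloads, margin=1.0):  # flag if far below the worst training payload
    return score(ensemble, payload) < min(score(ensemble, p) for p in normal_payloads) - margin
# Constructed sample traffic, not real captures.
NORMAL = [b"GET /index.html HTTP/1.1", b"GET /images/logo.png HTTP/1.1", b"GET /css/site.css HTTP/1.1",
          b"POST /login HTTP/1.1 user=alice&pass=secret", b"GET /search?q=books HTTP/1.1"]
HELD_OUT = b"GET /images/site.png HTTP/1.1"  # normal request using only byte values seen in training
SUSPECT = b"GET /index.html " + bytes([0xFF, 0x00, 0xFE, 0x01] * 6)  # byte values never seen in training
```

The margin is a stand-in for the threshold that a deployment would calibrate against a held-out set of legitimate traffic; the smoothing constant eps decides how harshly never-seen byte values are penalised.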