• DocumentCode
    3080671
  • Title
    Payload modeling for network Intrusion Detection Systems
  • Author
    Nwanze, Nnamdi ; Kim, Sun-il ; Summerville, Douglas H.
  • Author_Institution
    Electr. & Comput. Eng., State Univ. of New York at Binghamton, Vestal, NY, USA
  • fYear
    2009
  • fDate
    18-21 Oct. 2009
  • Firstpage
    1
  • Lastpage
    7
  • Abstract
    A number of Intrusion Detection Systems (IDS) research efforts have demonstrated that network-based attacks can be detected by modeling normal network packet payloads and watching for anomalies. In this paper, we explore a data mining technique based on Principal Component Analysis that can identify specific features within packet payloads that are highly representative of the network traffic of their respective services. Apart from reducing the processing overhead through minimization of the feature space, the autonomous identification of such sub-groups of features can readily enable IDSs to develop classifiers that are better at separating normal traffic from anomalous traffic. We demonstrate the effectiveness of this technique by generating feature sets from a collection of network traffic and applying them to the training and detection phases of a payload-based IDS. The results show that it is able to separate network attacks while maintaining low false positive rates. We also show that random sampling of less than 100% of the payload is possible and allows the IDS to combat attack obfuscation.
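    The following is an added illustration of the approach the abstract describes; it is not the paper's code or data. It assumes a coarser feature space than the paper (32 byte-value classes rather than individual byte features), a pure-Python power-iteration PCA, eigenvalue-weighted loadings as the feature-selection rule, and a per-feature z-score detector with a threshold set from training scores. All traffic is constructed: HTTP-style requests stand in for one service's normal payloads, and a NOP-sled-like request stands in for an attack. The example selects the byte classes PCA finds most representative of the normal traffic, trains the detector on those classes only, and scores payloads both in full and from a seeded random sample of 50% of their bytes.

```python
import math
import random

# Everything below is constructed for this example; none of it is the paper's
# data. Plain-text HTTP-style requests stand in for one service's normal payloads.
NORMAL_PATHS = [b"/index.html", b"/images/logo.png", b"/about", b"/docs/manual.pdf",
                b"/search?q=payload+modeling", b"/api/v1/items", b"/favicon.ico", b"/login"]
NORMAL_HEADERS = [b"Accept: text/html", b"Accept: image/png", b"User-Agent: curl/7.0",
                  b"Accept-Language: en-US", b"Accept: */*", b"Connection: keep-alive"]
# A NOP-sled-like run of 0x90 followed by high byte values: bytes that never
# occur in the text-only normal traffic.
ATTACK_PAYLOAD = (b"GET /" + b"\x90" * 200 + bytes(range(0xC0, 0xFF)) * 3
                  + b" HTTP/1.1\r\nHost: example.test\r\n\r\n")
HELD_OUT_NORMAL = b"GET /contact HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n"

NBINS = 32  # feature j = fraction of bytes with value in [8j, 8j+7] (coarser than the paper)


def make_normal_traffic(n, seed=7):
    """Constructed training set: n requests drawn from the templates above."""
    rng = random.Random(seed)
    return [b"GET " + rng.choice(NORMAL_PATHS) + b" HTTP/1.1\r\nHost: example.test\r\n"
            + rng.choice(NORMAL_HEADERS) + b"\r\n\r\n" for _ in range(n)]


def byte_histogram(payload, sample_fraction=1.0, seed=0):
    """Normalised coarse byte-value histogram of a payload.

    sample_fraction < 1.0 keeps only a seeded random subset of the bytes, the
    "less than 100% of the payload" idea from the abstract: the feature vector
    is then computed from positions an attacker cannot predict.
    """
    data = payload
    if sample_fraction < 1.0:
        keep = max(1, int(len(payload) * sample_fraction))
        data = bytes(random.Random(seed).sample(payload, keep))
    counts = [0.0] * NBINS
    for b in data:
        counts[b // 8] += 1.0
    return [c / len(data) for c in counts]


def _matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def pca_components(vectors, k, iters=300):
    """Top-k (eigenvalue, eigenvector) pairs of the sample covariance, found by
    power iteration with deflation so the example needs no numeric library."""
    n, d = len(vectors), len(vectors[0])
    mean = [sum(v[j] for v in vectors) / n for j in range(d)]
    centred = [[v[j] - mean[j] for j in range(d)] for v in vectors]
    cov = [[sum(c[i] * c[j] for c in centred) / (n - 1) for j in range(d)] for i in range(d)]
    comps = []
    for _ in range(k):
        v = [1.0 / math.sqrt(d)] * d
        for _ in range(iters):
            w = _matvec(cov, v)
            norm = math.sqrt(sum(x * x for x in w))
            if norm < 1e-15:
                break
            v = [x / norm for x in w]
        lam = sum(a * b for a, b in zip(v, _matvec(cov, v)))
        comps.append((lam, v))
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]  # deflate
    return comps


def select_features(comps, m):
    """Keep the m original features with the largest eigenvalue-weighted squared
    loadings on the retained components: the byte classes carrying most of the
    normal traffic's structure."""
    d = len(comps[0][1])
    weight = [sum(lam * vec[j] ** 2 for lam, vec in comps) for j in range(d)]
    return sorted(range(d), key=lambda j: -weight[j])[:m]


class PayloadAnomalyDetector:
    """Per-feature z-score model of normal traffic over the PCA-selected features."""

    def __init__(self, n_components=3, n_features=8, margin=1.5, sigma_floor=0.01):
        self.n_components, self.n_features = n_components, n_features
        self.margin, self.sigma_floor = margin, sigma_floor

    def fit(self, payloads):
        vecs = [byte_histogram(p) for p in payloads]
        self.features = select_features(pca_components(vecs, self.n_components), self.n_features)
        cols = [[v[j] for v in vecs] for j in self.features]
        self.mu = [sum(c) / len(c) for c in cols]
        self.sigma = [max(self.sigma_floor, math.sqrt(sum((x - m) ** 2 for x in c) / len(c)))
                      for c, m in zip(cols, self.mu)]
        # Threshold: a margin above the largest score seen on normal training traffic.
        self.threshold = self.margin * max(self.score(p) for p in payloads)
        return self

    def score(self, payload, sample_fraction=1.0, seed=0):
        v = byte_histogram(payload, sample_fraction, seed)
        return math.sqrt(sum(((v[j] - m) / s) ** 2
                             for j, m, s in zip(self.features, self.mu, self.sigma)))

    def is_anomalous(self, payload, sample_fraction=1.0, seed=0):
        return self.score(payload, sample_fraction, seed) > self.threshold


def build_detector():
    return PayloadAnomalyDetector().fit(make_normal_traffic(40))


if __name__ == "__main__":
    det = build_detector()
    print("selected byte classes:", det.features, "threshold: %.2f" % det.threshold)
    for name, p in [("held-out normal", HELD_OUT_NORMAL), ("attack", ATTACK_PAYLOAD)]:
        print("%-16s full: %6.2f  50%% sample: %6.2f  flagged: %s" % (
            name, det.score(p), det.score(p, 0.5, seed=1), det.is_anomalous(p)))
```

    Two caveats a practitioner should keep in mind with this kind of model. First, PCA fitted on normal traffic can only rank byte classes that vary within normal traffic; the classes the attack payload is built from (0x90 and the high bytes) have zero variance in the training set and are never selected, so detection rests on the displacement of the selected normal classes rather than on the attack bytes themselves. Second, random sub-sampling adds estimation noise that grows as payloads get shorter, so the threshold should be calibrated on sampled training vectors if sampling is used in production rather than on full-payload scores as done here.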
  • Keywords
    Internet; data mining; principal component analysis; security of data; data mining; network intrusion detection systems; network traffic; network-based attacks; payload modeling; principal component analysis; Computer networks; Face detection; Inspection; Intrusion detection; Payloads; Principal component analysis; Sampling methods; Systems engineering and theory; Telecommunication traffic; Traffic control;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Military Communications Conference, 2009. MILCOM 2009. IEEE
  • Conference_Location
    Boston, MA
  • Print_ISBN
    978-1-4244-5238-5
  • Electronic_ISBN
    978-1-4244-5239-2
  • Type
    conf
  • DOI
    10.1109/MILCOM.2009.5379723
  • Filename
    5379723