Conference Paper

An Approach to Detect Executable Content for Anomaly Based Network Intrusion Detection.

DOI: 10.1109/IPDPS.2007.370614 Conference: 21st International Parallel and Distributed Processing Symposium (IPDPS 2007), Proceedings, 26-30 March 2007, Long Beach, California, USA
Source: DBLP


Since current Internet threats include not only malicious code such as Trojans or worms, but also spyware and adware that carry no explicitly illegal content, a mechanism is needed to prevent hidden executable files from being downloaded through network traffic. In this paper, we present a new solution for identifying executable content in an anomaly-based network intrusion detection system (NIDS), based on file byte frequency distribution. First, a brief introduction to application-level anomaly detection is given, together with typical examples of recent attacks that compromise user computers. Section 2 reviews the related research on malicious code identification and file type detection and discusses its drawbacks when applied to a NIDS. After that, the background of our approach is presented with examples, and the details of how we create the profile and how we perform the detection are discussed thoroughly. The experimental results are crucial to our research because they provide the essential support for the implementation. In the final experiment, which simulates uploading executable files to an FTP server, our approach demonstrates high accuracy and stability.
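The detection pipeline the abstract outlines, as an added example that is not the paper's code: each file is reduced to a 256-bin byte frequency distribution (BFD), the BFDs of known executables are averaged into a profile, and an unknown file is flagged when the Manhattan distance between its BFD and the profile falls under a threshold. The BFD and the Manhattan comparison are what the page attributes to Zhang et al.; the averaged-profile rule, the threshold rule (a margin over the worst training distance) and all sample data are assumptions constructed here for illustration.

```python
"""Byte-frequency-distribution (BFD) profiling of executable content.

Added example; not the paper's code. The paper profiles files by their byte
frequency distribution, and the citing ISCC'08 paper describes the comparison
as a Manhattan distance between BFDs. The averaged profile, the threshold
rule and all sample data below are assumptions made for illustration.
"""
from __future__ import annotations

import random
from typing import Iterable, Sequence


def byte_frequency_distribution(data: bytes) -> list[float]:
    """256-bin normalized BFD: entry i is the fraction of bytes equal to i."""
    if not data:
        raise ValueError("empty input has no byte distribution")
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return [c / n for c in counts]


def manhattan_distance(p: Sequence[float], q: Sequence[float]) -> float:
    """L1 distance between two BFDs: 0.0 for identical, 2.0 for disjoint support."""
    return sum(abs(a - b) for a, b in zip(p, q))


def build_profile(known_executables: Iterable[bytes]) -> list[float]:
    """Assumed profile rule: average the BFDs of known executables bin by bin."""
    bfds = [byte_frequency_distribution(s) for s in known_executables]
    if not bfds:
        raise ValueError("need at least one training sample")
    return [sum(col) / len(bfds) for col in zip(*bfds)]


def calibrate_threshold(profile: Sequence[float], known_executables: Iterable[bytes],
                        margin: float = 1.5) -> float:
    """Assumed threshold rule: `margin` times the worst training distance."""
    return margin * max(
        manhattan_distance(byte_frequency_distribution(s), profile)
        for s in known_executables
    )


def looks_executable(data: bytes, profile: Sequence[float], threshold: float) -> bool:
    """Flag `data` when its BFD lies within `threshold` of the executable profile."""
    return manhattan_distance(byte_frequency_distribution(data), profile) <= threshold


# --- constructed sample data (synthetic, not from the paper's experiments) ---
# Byte values that are common in x86 machine code (opcodes, ModRM forms, padding).
_CODE_HEAVY = [0x00, 0x8B, 0xFF, 0xE8, 0x48, 0x89, 0x45, 0x24, 0xC3, 0x83, 0x0F, 0x74]


def synthetic_executable(rng: random.Random, size: int = 4096) -> bytes:
    """Skewed BFD: about 40% of bytes drawn from _CODE_HEAVY, the rest uniform."""
    out = bytearray(b"MZ")  # cosmetic header; the detector never inspects it
    while len(out) < size:
        out.append(rng.choice(_CODE_HEAVY) if rng.random() < 0.4 else rng.randrange(256))
    return bytes(out)


def synthetic_text(rng: random.Random, size: int = 4096) -> bytes:
    """Mass concentrated on ~30 printable bytes, as in a plain-text upload."""
    alphabet = b"etaoinshrdlucmfwypvbgkjqxz \n"
    return bytes(rng.choice(alphabet) for _ in range(size))


def demo(seed: int = 7) -> dict:
    """Train a profile on synthetic executables, then classify three held-out samples."""
    rng = random.Random(seed)
    training = [synthetic_executable(rng) for _ in range(16)]
    profile = build_profile(training)
    threshold = calibrate_threshold(profile, training)
    return {
        "threshold": threshold,
        "held_out_executable": looks_executable(synthetic_executable(rng), profile, threshold),
        "text": looks_executable(synthetic_text(rng), profile, threshold),
        # Uniform bytes stand in for compressed or encrypted content: a flat BFD
        # is far from the profile, so packed executables slip past this check.
        "uniform_random": looks_executable(rng.randbytes(4096), profile, threshold),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The third held-out sample is the caveat a practitioner should keep in mind: the profile describes plaintext machine code, so a packed or encrypted payload, whose byte histogram is close to flat, is not matched and would need a separate high-entropy check. The detector also never looks at the `MZ` header, which is the point of a content-based approach: the same code applies unchanged to a fragment captured mid-stream.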



Available from: Gregory White
  • "Their method is based on data fragments of files and does not need any metadata. Zhang et al. [7] used the BFD in conjunction with a simple Manhattan distance comparison to detect whether the examined file is executable or not."
    ABSTRACT: File type identification and file type clustering may be difficult tasks that have an increasing importance in the field of computer and network security. Classical methods of file type detection, including considering file extensions and magic bytes, can be easily spoofed. Content-based file type detection is a newer approach that has been taken into account recently. In this paper, a new content-based method for the purpose of file type detection and file type clustering is proposed that is based on PCA and neural networks. The proposed method has good accuracy and is fast enough.
    IEEE Symposium on Computers and Communications (ISCC'08); 07/2008
  • ABSTRACT: The present paper introduces an innovative approach for anomaly-based intrusion detection systems (IDS). The main idea is to construct a model that characterizes the expected/acceptable behavior of the system using list decoding techniques and distinguishes intrusive activity from legal activity using string metric algorithms. The conducted simulation experiments are presented and discussed as well.
    Computer Science and Information Engineering, 2009 WRI World Congress on; 05/2009
  • ABSTRACT: Digital information is packed into files when it is going to be stored on storage media. Each computer file is associated with a type. Type detection of computer data is a building block in different applications of computer forensics and security. Traditional methods were based on file extensions and metadata. The content-based method is a newer approach with the lowest probability of being spoofed and is the only way for type detection of data packets and file fragments. In this paper, a content-based method that deploys principal component analysis and neural networks for automatic feature extraction is proposed. The extracted features are then applied to a classifier for the type detection. Our experiments show that the proposed method works very well for type detection of computer files when considering the whole content of a file. Its accuracy and speed are also significant for the case of file fragments, where data is captured from random starting points within files, but the accuracy differs according to the lengths of file fragments. Copyright © 2012 John Wiley & Sons, Ltd.
    Security and Communication Networks 01/2013; 6(1):115-128. DOI:10.1002/sec.553