Conference Paper

An Approach to Detect Executable Content for Anomaly Based Network Intrusion Detection.

DOI: 10.1109/IPDPS.2007.370614
Conference: 21th International Parallel and Distributed Processing Symposium (IPDPS 2007), Proceedings, 26-30 March 2007, Long Beach, California, USA
Source: DBLP


Since current internet threats contain not only malicious code such as Trojans or worms, but also spyware and adware which do not have explicit illegal content, it is necessary to have a mechanism to prevent hidden executable files from being downloaded in the network traffic. In this paper, we present a new solution to identify executable content for anomaly-based network intrusion detection systems (NIDS) based on file byte frequency distribution. First, a brief introduction to application-level anomaly detection is given, as well as some typical examples of recent attacks compromising user computers. In addition to a review of the related research on malicious code identification and file type detection in section 2, we will also discuss the drawback of applying them to NIDS. After that, the background information of our approach is presented with examples, in which the details of how we create the profile and how we perform the detection are thoroughly discussed. The experiment results are crucial in our research because they provide the essential support for the implementation. In the final experiment, simulating the situation of uploading executable files to an FTP server, our approach demonstrates great performance in accuracy and stability.

Available from: Gregory White
  • "A statistical approach uses quantitative features, however, a structural approach uses morphological features [28]. Recently, most research in format feature extraction has used statistical approaches, such as Shannon entropy, byte frequency distribution, and N-gram [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18]. Because all the video formats involve high compression methods and entropy coding, those features are not suitable for distinguishing the formats of video fragments."
    ABSTRACT: In this paper, we present a practical identification approach of video fragment for digital video files. Before analyzing the video content, we must decode it based on its encoding format first. In order to effectively identify the format of a fragment, a format classification is performed before the format identification. The methods of format classification and identification are discriminative subspace clustering (DiSC) and the K-nearest neighbor (KNN). Because of losing the meta-information, we add a maximum similar header (MSH) to the front of the fragment to recover the video content. We adopt a simple key frame detection method using standard deviation and mean value. Motion vectors of macro blocks are utilized to classify the video features for effectively identifying the video. Several edges of frames are accumulated and compose a video feature. The experimental results show the evaluations of the video format classification and identification, fragment recovery, and content identification.
    Preview · Article · Jun 2015 · International Journal of Multimedia and Ubiquitous Engineering
  • "Their method is based on data fragments of files and does not need any metadata. Zhang et al. [7] used the BFD in conjunction with a simple Manhattan distance comparison to detect whether the examined file is executable or not."
    ABSTRACT: File type identification and file type clustering may be difficult tasks that have an increasing importance in the field of computer and network security. Classical methods of file type detection, including considering file extensions and magic bytes, can be easily spoofed. Content-based file type detection is a newer way that has been taken into account recently. In this paper, a new content-based method for the purpose of file type detection and file type clustering is proposed that is based on the PCA and neural networks. The proposed method has a good accuracy and is fast enough.
    Full-text · Conference Paper · Jul 2008
  • ABSTRACT: The present paper introduces an innovative approach for anomaly-based intrusion detection systems (IDS). The main idea is to construct a model that characterizes the expected/acceptable behavior of the system using list decoding techniques and distinguishes the intrusive activity from the legal one using string metric algorithms. The conducted simulation experiments are represented and discussed as well.
    No preview · Conference Paper · May 2009