Ariu - Workshop on Applications of Pattern Analysis 2010 - Poster
0 likes429 views
This document summarizes an application of Hidden Markov Models (HMMs) to analyze HTTP payloads: 1. An HMM is used to associate a probability to each sequence of bytes in an HTTP payload and obtain an overall probability for the payload. 2. Real HTTP payload data collected from various sources on the internet is used to train the HMM. 3. The trained HMM can then be used to detect anomalies in new HTTP payloads by flagging payloads with significantly different probabilities as potential attacks or malware.
![HMMPayl: an application of HMM to
the analysis of the HTTP payload
University of Davide Ariu - Giorgio Giacinto Dept. of Electrical and
Cagliari - Italy [davide.ariu - giacinto]@diee.unica.it Electronic Engineering!
$"%&'()*+,%-./.01('%2(3%4()56/.3%#.0637/,% N"%FZZ=%=*,+(*8%&'*+,979%
96$!/3*871('*+%1334)126!0)!!'/3697('%-./.01('!
4$(-$%!)#!%5%0$&%!'1%$/!)#!1!/101'1%$!)*! "!9/*1910*+%%
97:'*/63.9!0610!/$%24-'$!;'(<'%1>12?%8! )(8.+!)*!06$!!
>,/.9]%%
=3(>+.)?%'.@.3A9..'A>.2(3.!@0610!-%!6';'(<'A! 879/37>61('!!
1>12?%!21#!#)0!'$!/$0$20$/BBB% F-06-#!06$!!
4(6'/.3).*963.?%1#)&1(5!'1%$/!CDE!24$10$!1! FZZ=%5*,+(*8%%
%01=%=21(!&)/$(!)*!06$!($<-=&10$!31>$4#%8!"#5! )*!06$!3.^6.9/9%%
31>$4#!F6)%$!%01=%=21(!&)/$(!/$:-10$%!*4)&!0610! 4$2$-:$/!'5!1!!
%0)4$/!-#!06$!%5%0$&!-%!(1'$($/!1%!1#!1>12?%8! <.>%9.3@.3%&-<60!!
B.3(A8*,9%*C*0;9%0*'%>.%8./.0/.8DDD!! 1(()F!0)!8./.0/%*C*0;9%*:*7'9/%/_.%<.>%9.3@.38!
E"%FGG=*,+?%*'%*'()*+,%>*9.8%!'/3697('%-./.01('%#,9/.)%
!"!G-:$#!1#!+99H!315()1/88! !Q"!96$!315()1/L%!34)'1'-(-=$%!
!!!"!"#!$#%$&'($!)*!+,,!-%!.%$/!0)!1%%)2-10$!1!!
34)'1'-(-05!0)!$126!%$7.$#2$!-#!#8!9)!)'01-#!1#! )'01-#$/!10!06$!34$:-).%!%0$3!14$!!
H$% IJ% KL% LH% JK% ):$41((!34)'1'-(-05!*)4!06$!315()1/;!06$!1:$41<$!)*! 2)&'-#$/!0)!)'01-#!1#!):$41((!!
34)'1'-(-=$%!$&->$/!'5!$126!+,,!-%!21(2.(10$/8! 34)'1'-(-05!)4!1!2(1%%!(1'$(!
!!"!881!%(-/-#<!F-#/)F!)*!F-/06!! FGG$% M"IE%
'!4.#%!):$4!06$!315()1/!1#/!! M"H$% M"II% !"#$%&#'
$I04120%!1!%$0!)*!%$7.$#2$%!! ($)*%*+,+-.'
#!@'JK!-#!06-%!$I1&3($A! M"IL%
/001' =3(>*>7+7/,%
H$% IJ% KL% FGGN% M"IO%
!"#$%&#'
G4#% )4!
($)*%*+,+-.' 4+*99%P*>.+!
IJ% KL% LH% /00D'
FGGE% M"IK% !"#$%&#'
KL% LH% JK% ($)*%*+,+-.'
/00H'
L"%RS5.37).'/*+%T.96+/9%
P.:71)*/.%/3*`0%%-*/*9./9?% &C*0;%-*/*9./9%@:14-).%!?-#/%!)*!4$1(!1>12?%!2)(($20$/!*4)&!
•! &T=&%@E5#06$=2A!
- :14-).%!%).42$%!)#!C#0$4#$0;!$8<8!FFF8&-(FN4&82)&A?%
•! Za%-!RR%@M$1(;!2)(($20$/!10!"21/$&-2!C#%=0.=)#%A!
•! _.++0(8.a%4PRZa%.'.370%1#/%b##A#cP!%%
#
&U45%('%/_.%.'.370%&C*0;%8*/*9./"% "#!1334)126!'1%$/!)#!)6+15+.%0+*997d.39% 96$!2)&3.01=)#1(!2)%0!!21#!'$!
FGG=*,+%126-$:$%!1#!6-<6$4!=*31*+!&U4! *++(<%!0)!1>1-#!>.C.3%4$%.(0%!-#!0$4&%!)*! %-<#-O21#0(5!4$/.2$/!'5!&):-#<!06$!9+787':%
F-06!4$%3$20!0)!34$:-).%(5!34)3)%$/! 0+*997d0*1('%*0063*0,% <7'8(<!)*!)(3.%/_*'%('.%>,/.%2(3<*38!
%)(.=)#%!@$8<8!G0=&-A! F-06).0!1!4$($:1#0!()%%!)*!&U45%
Pattern Recognition and 23+4'$#4#%$53'6%4'4()74)$#8'*.'-3#'!9-)7):)94';#&+)7')<'
WAPA 2010
P
R A Group Applications Group
RUTV=R&W%UW!VW% TR=UXP!4%VY%!Z&P[% &UZVWVGVU#%TR!VW%
=%$8+7+%'-3$)9&3'%'&$%7-'>7%75#8'6+-3'-3#'?=%$8+7+%'@A'B=C'
DEEFGDE1H?'<9784'%78'($)"+8#8'%55)$8+7&'-)'-3#'IJ;J'FKDEEFJ' Workshop on Applications
Of Pattern Analysis!
http://prag.diee.unica.it VY%#&T-!W!&%](https://image.slidesharecdn.com/ariuwapa2010postera1-111005062222-phpapp02/85/Ariu-Workshop-on-Applications-of-Pattern-Analysis-2010-Poster-1-320.jpg)
Ariu - Workshop on Applications of Pattern Analysis 2010 - Poster
- 1. HMMPayl: an application of HMM to the analysis of the HTTP payload University of Davide Ariu - Giorgio Giacinto Dept. of Electrical and Cagliari - Italy [davide.ariu - giacinto]@diee.unica.it Electronic Engineering! $"%&'()*+,%-./.01('%2(3%4()56/.3%#.0637/,% N"%FZZ=%=*,+(*8%&'*+,979% 96$!/3*871('*+%1334)126!0)!!'/3697('%-./.01('! 4$(-$%!)#!%5%0$&%!'1%$/!)#!1!/101'1%$!)*! "!9/*1910*+%% 97:'*/63.9!0610!/$%24-'$!;'(<'%1>12?%8! )(8.+!)*!06$!! >,/.9]%% =3(>+.)?%'.@.3A9..'A>.2(3.!@0610!-%!6';'(<'A! 879/37>61('!! 1>12?%!21#!#)0!'$!/$0$20$/BBB% F-06-#!06$!! 4(6'/.3).*963.?%1#)&1(5!'1%$/!CDE!24$10$!1! FZZ=%5*,+(*8%% %01=%=21(!&)/$(!)*!06$!($<-=&10$!31>$4#%8!"#5! )*!06$!3.^6.9/9%% 31>$4#!F6)%$!%01=%=21(!&)/$(!/$:-10$%!*4)&!0610! 4$2$-:$/!'5!1!! %0)4$/!-#!06$!%5%0$&!-%!(1'$($/!1%!1#!1>12?%8! <.>%9.3@.3%&-<60!! B.3(A8*,9%*C*0;9%0*'%>.%8./.0/.8DDD!! 1(()F!0)!8./.0/%*C*0;9%*:*7'9/%/_.%<.>%9.3@.38! E"%FGG=*,+?%*'%*'()*+,%>*9.8%!'/3697('%-./.01('%#,9/.)% !"!G-:$#!1#!+99H!315()1/88! !Q"!96$!315()1/L%!34)'1'-(-=$%! !!!"!"#!$#%$&'($!)*!+,,!-%!.%$/!0)!1%%)2-10$!1!! 34)'1'-(-05!0)!$126!%$7.$#2$!-#!#8!9)!)'01-#!1#! )'01-#$/!10!06$!34$:-).%!%0$3!14$!! H$% IJ% KL% LH% JK% ):$41((!34)'1'-(-05!*)4!06$!315()1/;!06$!1:$41<$!)*! 2)&'-#$/!0)!)'01-#!1#!):$41((!! 34)'1'-(-=$%!$&->$/!'5!$126!+,,!-%!21(2.(10$/8! 34)'1'-(-05!)4!1!2(1%%!(1'$(! !!"!881!%(-/-#<!F-#/)F!)*!F-/06!! FGG$% M"IE% '!4.#%!):$4!06$!315()1/!1#/!! M"H$% M"II% !"#$%&#' $I04120%!1!%$0!)*!%$7.$#2$%!! ($)*%*+,+-.' #!@'JK!-#!06-%!$I1&3($A! M"IL% /001' =3(>*>7+7/,% H$% IJ% KL% FGGN% M"IO% !"#$%&#' G4#% )4! ($)*%*+,+-.' 4+*99%P*>.+! IJ% KL% LH% /00D' FGGE% M"IK% !"#$%&#' KL% LH% JK% ($)*%*+,+-.' /00H' L"%RS5.37).'/*+%T.96+/9% P.:71)*/.%/3*`0%%-*/*9./9?% &C*0;%-*/*9./9%@:14-).%!?-#/%!)*!4$1(!1>12?%!2)(($20$/!*4)&! •! &T=&%@E5#06$=2A! - :14-).%!%).42$%!)#!C#0$4#$0;!$8<8!FFF8&-(FN4&82)&A?% •! Za%-!RR%@M$1(;!2)(($20$/!10!"21/$&-2!C#%=0.=)#%A! •! _.++0(8.a%4PRZa%.'.370%1#/%b##A#cP!%% # &U45%('%/_.%.'.370%&C*0;%8*/*9./"% "#!1334)126!'1%$/!)#!)6+15+.%0+*997d.39% 96$!2)&3.01=)#1(!2)%0!!21#!'$! FGG=*,+%126-$:$%!1#!6-<6$4!=*31*+!&U4! *++(<%!0)!1>1-#!>.C.3%4$%.(0%!-#!0$4&%!)*! %-<#-O21#0(5!4$/.2$/!'5!&):-#<!06$!9+787':% F-06!4$%3$20!0)!34$:-).%(5!34)3)%$/! 0+*997d0*1('%*0063*0,% <7'8(<!)*!)(3.%/_*'%('.%>,/.%2(3<*38! %)(.=)#%!@$8<8!G0=&-A! F-06).0!1!4$($:1#0!()%%!)*!&U45% Pattern Recognition and 23+4'$#4#%$53'6%4'4()74)$#8'*.'-3#'!9-)7):)94';#&+)7')<' WAPA 2010 P R A Group Applications Group RUTV=R&W%UW!VW% TR=UXP!4%VY%!Z&P[% &UZVWVGVU#%TR!VW% =%$8+7+%'-3$)9&3'%'&$%7-'>7%75#8'6+-3'-3#'?=%$8+7+%'@A'B=C' DEEFGDE1H?'<9784'%78'($)"+8#8'%55)$8+7&'-)'-3#'IJ;J'FKDEEFJ' Workshop on Applications Of Pattern Analysis! http://prag.diee.unica.it VY%#&T-!W!&%