Title: Advanced Payload Analyzer Preprocessor
Abstract: Advanced Payload Analyzer Pre-processor (APAP) is an intrusion detection system that analyzes the payload of network traffic in search of malware. APAP implements its detection algorithm as a Snort dynamic pre-processor. Working together, the two yield a system that is highly effective against known attacks (through Snort rules) and equally effective against new and unknown attacks. APAP consists of two phases: training and detection. During training, a statistical model of legitimate network traffic is built using Bloom filters and n-grams. The results obtained by analyzing a dataset of attacks with this model are then compared against it, yielding a set of rules able to determine whether a payload corresponds to malware or to legitimate traffic. During detection, monitored traffic is passed through the Bloom filter created in the training phase, and the results are compared with the rules. Training requires two datasets: a collection of habitual, legitimate traffic and samples of malicious traffic. This approach offers several improvements over similar proposals, the most notable being a new method for filling Bloom filters and thereby building usage models. A rule system based on Ks speeds up decision-making. Results obtained by analyzing real HTTP traffic show a high hit rate (95%) and a low false positive rate (0.1%).
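The following is an added example, not code from the APAP paper or from Snort, that shows the two-phase scheme the abstract describes in miniature: training pushes the byte n-grams of legitimate payloads into a Bloom filter, and detection scores a payload by the fraction of its n-grams the filter has never seen. The paper's rule system (the "Ks" mentioned above) is not described here, so this example assumes a single calibrated threshold on that fraction as a stand-in decision rule; it also assumes 3-grams, one Bloom filter with SHA-256 double hashing, and constructed HTTP samples rather than real captures.

```python
import hashlib


class BloomFilter:
    """Minimal Bloom filter over byte strings with k double-hashed positions."""

    def __init__(self, nbits=1 << 16, k=3):
        self.nbits = nbits
        self.k = k
        self.bits = bytearray((nbits + 7) // 8)

    def _positions(self, item):
        # Kirsch-Mitzenmacher double hashing: h1 + i*h2 mod m for i in 0..k-1
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.nbits for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def ngrams(payload, n):
    """All overlapping byte n-grams of a payload."""
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]


def train(legit_payloads, n=3):
    """Training phase: fill the filter with every n-gram of legitimate traffic."""
    bf = BloomFilter()
    for p in legit_payloads:
        for g in ngrams(p, n):
            bf.add(g)
    return bf


def unseen_ratio(bf, payload, n=3):
    """Detection score: fraction of the payload's n-grams absent from the model.
    A Bloom filter has no false negatives, so training payloads always score 0."""
    grams = ngrams(payload, n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in bf) / len(grams)


def calibrate_threshold(bf, legit_holdout, malicious, n=3):
    """Assumed decision rule: threshold halfway between the worst-scoring legitimate
    sample and the best-scoring malicious one. Returns None if the classes overlap,
    i.e. no clean threshold rule exists for this model."""
    worst_legit = max(unseen_ratio(bf, p, n) for p in legit_holdout)
    best_mal = min(unseen_ratio(bf, p, n) for p in malicious)
    if best_mal <= worst_legit:
        return None
    return (worst_legit + best_mal) / 2


def is_malicious(bf, threshold, payload, n=3):
    return unseen_ratio(bf, payload, n) > threshold


# Constructed sample traffic (not real captures).
LEGIT_TRAIN = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=secret",
    b"GET /about/team.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
]
# Held-out legitimate request: a path the model never saw, built from familiar pieces.
LEGIT_HOLDOUT = [
    b"GET /images/team.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
]
# Constructed anomalous payload: familiar headers followed by a body made of byte
# sequences that never occur in the legitimate model.
ANOMALOUS = [
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n" + bytes(range(0x80, 0xFF)) * 2,
]

MODEL = train(LEGIT_TRAIN)
THRESHOLD = calibrate_threshold(MODEL, LEGIT_HOLDOUT, ANOMALOUS)

if __name__ == "__main__":
    for p in LEGIT_HOLDOUT + ANOMALOUS:
        print(round(unseen_ratio(MODEL, p), 3), is_malicious(MODEL, THRESHOLD, p))
```

The held-out legitimate request scores low because nearly all of its 3-grams appear somewhere in the training set, while the anomalous body scores high because its 3-grams are absent; the Bloom filter's only error mode is a false positive (an unseen n-gram reported as seen), which can lower a score but never raise one, so the false-positive rate of the filter bounds how much malicious content can be hidden from this kind of model.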
Year: 2017
DOI: 10.1016/j.future.2016.10.032
Venue: Future Generation Computer Systems
Keywords: APAP, Bloom filter, n-gram, NIDS, PayLoad, Snort
Field: Hit rate, Bloom filter, False positive rate, Computer science, Real-time computing, Preprocessor, Statistical model, Malware, Intrusion detection system, Payload
DocType: Journal
Volume: 76
ISSN: 0167-739X
Citations: 1
PageRank: 0.36
References: 0
Authors: 3
Name                          Order  Citations  PageRank
Luis Javier García Villalba   1      190        28.39
Ana Lucila Sandoval Orozco    2      174        26.45
Jorge Maestre Vidal           3      31         8.39