Anagram: A Content Anomaly Detector Resistant
to Mimicry Attack
Ke Wang, Janak J. Parekh and Salvatore J. Stolfo. Proc. Recent Advances in Intrusion Detection, 2006
Reporter: Luo Sheng-Yuan 2009/08/06
Outline
•Introduction
•Related Work
•Proposed Scheme
•Experimental Results
•Conclusion
Introduction
•Generality: broad applicability to any service, since only the byte content of the payload is modeled
•Detection of zero-day attacks (no signatures needed)
•Resistance to mimicry attacks
•High-order n-gram analysis (n-grams of several bytes rather than single-byte frequencies)
Related Work
•Byte Frequency Distribution (PAYL): Wang, K. and Stolfo, S.J. Anomalous Payload-based Network Intrusion Detection. In Symposium on Recent Advances in Intrusion Detection, 2004.
Related Work
•PAYL's scheme (figure: normal packets seen during training build the byte-frequency model; for each incoming packet, compute the Mahalanobis distance to the model and classify the packet as normal or abnormal)
Related Work
•Euclidean Distance & Mahalanobis Distance: Euclidean distance weights every byte value equally; PAYL uses a simplified Mahalanobis distance that divides each byte's deviation from the training mean by that byte's training standard deviation (plus a small smoothing term), so bytes that never vary in normal traffic weigh heavily when they do appear.
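The following Python is an added worked example, not code from the paper or from PAYL's authors, of the PAYL approach summarized on the preceding slides: build a per-byte frequency model from training requests, then compare a packet against it by Euclidean distance and by the simplified Mahalanobis distance PAYL uses. The training requests, the test packets, the alpha smoothing value and the threshold rule are all constructed assumptions made for this example (real PAYL also keeps one model per port and payload-length bucket, omitted here).

```python
import math
from typing import List, Tuple

# Constructed sample traffic (assumed for this example, not from the paper):
# four benign HTTP requests to train on, one benign and one attack-like packet to score.
TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.19\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
]
NORMAL = b"GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
# A run of 0x90 plus high bytes stands in for a binary payload; no training packet has bytes >= 0x80.
ATTACK = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
          + bytes([0x90] * 32) + bytes(range(0x80, 0xC0)))

ALPHA = 0.001  # smoothing term added to each standard deviation (assumed value)


def byte_frequencies(payload: bytes) -> List[float]:
    """Relative frequency of each of the 256 byte values: the PAYL feature vector."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    total = len(payload) or 1
    return [c / total for c in counts]


def train_payl(payloads: List[bytes]) -> Tuple[List[float], List[float]]:
    """Per-byte mean and standard deviation of the frequency over the training set."""
    vectors = [byte_frequencies(p) for p in payloads]
    m = len(vectors)
    mean = [sum(v[i] for v in vectors) / m for i in range(256)]
    std = [math.sqrt(sum((v[i] - mean[i]) ** 2 for v in vectors) / m) for i in range(256)]
    return mean, std


def euclidean_distance(x: List[float], mean: List[float]) -> float:
    """Plain Euclidean distance: every byte value counts the same."""
    return math.sqrt(sum((x[i] - mean[i]) ** 2 for i in range(256)))


def mahalanobis_distance(x: List[float], mean: List[float], std: List[float],
                         alpha: float = ALPHA) -> float:
    """Simplified Mahalanobis distance as in PAYL: sum of |x_i - mean_i| / (std_i + alpha).
    A byte that never varied in training (std_i == 0) is weighted 1/alpha, so a packet
    carrying byte values never seen before lands far from the model."""
    return sum(abs(x[i] - mean[i]) / (std[i] + alpha) for i in range(256))


def build_model() -> Tuple[List[float], List[float]]:
    return train_payl(TRAINING)


def anomaly_scores(payload: bytes, model) -> Tuple[float, float]:
    """(Euclidean, Mahalanobis) distance of one packet from the model."""
    mean, std = model
    x = byte_frequencies(payload)
    return euclidean_distance(x, mean), mahalanobis_distance(x, mean, std)


def calibrate_threshold(model, payloads: List[bytes], slack: float = 1.2) -> float:
    """Assumed calibration rule: slack times the largest distance of any training packet."""
    mean, std = model
    return slack * max(mahalanobis_distance(byte_frequencies(p), mean, std) for p in payloads)


def is_anomalous(payload: bytes, model, threshold: float) -> bool:
    return anomaly_scores(payload, model)[1] > threshold


if __name__ == "__main__":
    model = build_model()
    threshold = calibrate_threshold(model, TRAINING)
    for name, pkt in (("normal", NORMAL), ("attack", ATTACK)):
        euc, mah = anomaly_scores(pkt, model)
        print(f"{name}: euclidean={euc:.3f} mahalanobis={mah:.1f} "
              f"threshold={threshold:.1f} anomalous={is_anomalous(pkt, model, threshold)}")
```

The attack packet is far from the model under both distances, but the Mahalanobis score separates it much more sharply because the 64 high byte values have zero training variance. This weighting is exactly what the mimicry attack on the next slide targets: an attacker who pads the exploit so that its byte frequencies match the training means drives both distances down.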
Related Work
•Evading PAYL: Kolesnikov, O., Dagon, D. and Lee, W. Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic. In USENIX Security Symposium, 2006.
Proposed Scheme
•N-gram Analysis
▫An n-gram is a subsequence of n consecutive items from a given sequence.
▫5-gram example: given the letters "worl", what is the next letter? (a=0.001, b=0.001, c=0.001, d=0.8, ......)
Proposed Scheme
•N-gram Analysis
▫Frequency-based: every element's value is a probability (how often the n-gram occurred)
▫Binary-based: every element's value is zero or one (whether the n-gram occurred at all)
•N-gram model size: 256^n possible n-grams over the byte alphabet, so a full table is infeasible for high-order n
Proposed Scheme
•Training phase
▫Store every distinct n-gram observed during training (binary model; no counts are kept).
•Test phase
▫Slide an n-byte window over the packet and count the n-grams never seen in training; the anomaly score is the fraction of unseen n-grams, compared against a threshold.
Proposed Scheme
•Bloom Filter
▫A Bloom filter is a convenient tool to represent the binary model: it stores set membership in a fixed-size bit array, never produces a false negative, and has a small, tunable false-positive rate, using far less memory than the 256^n entries a full table would need.
Proposed Scheme
•Randomization against mimicry attacks
▫The packet is randomly partitioned into several substrings (possibly interleaved) and each part is tested separately; since the attacker does not know the partition, padding the exploit with normal content cannot be tuned to dilute the score in every part that is tested.
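The following Python is an added worked example, not the paper's or the authors' code, covering the n-gram slides, the training and test phases, the Bloom filter and the randomized test together: distinct 5-grams from constructed training requests are stored in a Bloom filter, a packet is scored by its fraction of unseen n-grams, and a padded mimicry packet is scored both as a whole and by random contiguous chunks. The traffic, the hash construction, the filter size, the chunk-based partition and the 0.3 threshold are assumptions for this example (the paper also allows interleaved subsequences, which are not implemented here).

```python
import hashlib
import random
from typing import Iterable, List, Optional

# Constructed sample traffic (assumed for this example, not from the paper).
TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.19\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
]
NORMAL = b"GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
EXPLOIT = bytes([0x90] * 32) + bytes(range(0x80, 0xC0))  # 96 bytes, none occur in training
ATTACK = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n" + EXPLOIT
# Mimicry attempt: the same exploit bytes padded with ten copies of a benign request.
MIMICRY = EXPLOIT + TRAINING[0] * 10


def ngrams(data: bytes, n: int) -> Iterable[bytes]:
    """Sliding window of n-byte subsequences; 256**n distinct values are possible."""
    for i in range(len(data) - n + 1):
        yield data[i:i + n]


class BloomFilter:
    """m-bit array probed by k hash functions: no false negatives, small false-positive rate."""

    def __init__(self, m_bits: int, k: int) -> None:
        self.m = m_bits
        self.k = k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: bytes) -> Iterable[int]:
        for i in range(self.k):
            # Keyed BLAKE2b with the hash index as key plays the role of k distinct hash functions.
            digest = hashlib.blake2b(item, digest_size=8, key=bytes([i])).digest()
            yield int.from_bytes(digest, "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


class Anagram:
    """Binary n-gram model: remembers which n-grams were seen, not how often."""

    def __init__(self, n: int = 5, m_bits: int = 1 << 20, k: int = 3) -> None:
        self.n = n
        self.seen = BloomFilter(m_bits, k)

    def train(self, payloads: Iterable[bytes]) -> None:
        for payload in payloads:
            for gram in ngrams(payload, self.n):
                self.seen.add(gram)

    def score(self, payload: bytes) -> float:
        """Fraction of the packet's n-grams that never occurred in training."""
        grams = list(ngrams(payload, self.n))
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.seen)
        return unseen / len(grams)

    def score_partition(self, payload: bytes, split_points: List[int]) -> List[float]:
        """Score each contiguous chunk separately; n-grams crossing a boundary are dropped."""
        bounds = [0] + sorted(split_points) + [len(payload)]
        return [self.score(payload[a:b]) for a, b in zip(bounds, bounds[1:])]

    def score_randomized(self, payload: bytes, parts: int = 4, seed: Optional[int] = None) -> float:
        """Randomized test: secret random split points, packet score = worst chunk score."""
        rng = random.Random(seed)
        candidates = range(self.n, max(self.n + 1, len(payload) - self.n))
        split_points = rng.sample(candidates, min(parts - 1, len(candidates)))
        return max(self.score_partition(payload, split_points))


def build_model() -> Anagram:
    model = Anagram(n=5)
    model.train(TRAINING)
    return model


if __name__ == "__main__":
    model = build_model()
    threshold = 0.3  # assumed; the paper calibrates the threshold on held-out traffic
    for name, pkt in (("normal", NORMAL), ("attack", ATTACK), ("mimicry", MIMICRY)):
        whole = model.score(pkt)
        rnd = model.score_randomized(pkt, parts=4, seed=2006)
        print(f"{name:8s} whole-packet={whole:.3f} randomized={rnd:.3f} "
              f"flagged={'yes' if max(whole, rnd) > threshold else 'no'}")
```

Scored as a whole, the padded mimicry packet comes out close to a benign but previously unseen request, because the padding contributes hundreds of known n-grams and only the 96 exploit bytes (plus the few n-grams straddling copy boundaries) are unseen. Scored by chunks, the chunk holding the exploit keeps roughly half of its n-grams unseen no matter how much padding follows it, which is the effect the randomized test relies on.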
Experimental Results
•Trained on 500 hours of traffic data
Experimental Results
•False positive rate
Conclusion
•The core hypothesis is that any new, zero-day exploit will contain a portion of data that has never before been delivered to the application.
•Anagram raises the bar for attackers, making mimicry attacks harder.
Comment
•The binary-based approach is not tolerant of noisy training.
•Computation time is longer than PAYL's.