eprintid: 2361
rev_number: 15
eprint_status: archive
userid: 274
dir: disk0/00/00/23/61
datestamp: 2016-12-29 08:24:16
lastmod: 2017-01-12 16:15:40
status_changed: 2016-12-29 08:24:16
type: conference_item
metadata_visibility: show
creators_name: Nguyen, Xuan Nam
creators_name: Nguyen, Dai Tho
creators_name: Vu, Hai Long
creators_id: namnx228@gmail.com
creators_id: nguyendaitho@vnu.edu.vn
creators_id: lhvu@us.ibm.com
corp_creators: University of Engineering and Technology, Vietnam National University, Hanoi
title: POCAD: a Novel Payload-based One-Class Classifier for Anomaly Detection
ispublished: pub
subjects: IT
divisions: fac_fit
abstract: In this paper, we propose a novel Payload-based One-class Classifier for Anomaly Detection called POCAD, which combines a generalized 2v-gram feature extractor and a one-class SVM classifier to effectively detect network intrusion attacks. We extensively evaluate POCAD on real-world datasets of HTTP-based attacks. Our experimental results show that POCAD quickly detects malicious payloads and achieves a high detection rate as well as a low false positive rate. The experimental results also show that POCAD outperforms state-of-the-art payload-based detection schemes such as McPAD [8] and PAYL [5].
date: 2016
date_type: published
official_url: http://www.nafosted-nics.org
contact_email: nguyendaitho@vnu.edu.vn
full_text_status: public
pres_type: paper
pagerange: 74-79
event_title: 2016 3rd National Foundation for Science and Technology Development (NAFOSTED) Conference on Information and Computer Science (NICS)
event_location: Danang City, Vietnam
event_dates: September 14-16, 2016
event_type: conference
refereed: TRUE
referencetext:
[1] Sebastian Muniz, Killing the myth of Cisco IOS rootkits, DIK, in EUSecWest, 2008.
[2] IEEE Standard Glossary of Software Engineering Terminology, IEEE Std 610.12-1990, pages 1–84, 1990.
[3] H. Grant, O. Arias, D. Buentello, and Y. Jin, Smart Nest thermostat: A smart spy in your home, Black Hat USA, 2014.
[4] C. Heffner, Reverse Engineering a D-Link Backdoor, October 2013.
[5] C. Kruegel and Y. Shoshitaishvili, Using Static Binary Analysis To Find Vulnerabilities And Backdoors In Firmware, Black Hat USA, 2015.
[6] Yan Shoshitaishvili, Ruoyu Wang, Christophe Hauser, Christopher Kruegel, Giovanni Vigna, Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware, NDSS Symposium, 2015.
[7] D. Davidson, B. Moench, S. Jha, and T. Ristenpart, FIE on Firmware: Finding vulnerabilities in embedded systems using symbolic execution, in Proceedings of the 22nd USENIX Security Symposium, USENIX, 2013, pp. 463–478. [Online]. Available: https://www.usenix.org/conference/usenixsecurity13/technicalsessions/paper/davidson
[8] Daming D. Chen, Manuel Egele, Maverick Woo and David Brumley, Towards Automated Dynamic Analysis for Linux-based Embedded Firmware, Carnegie Mellon University, 2015.
[9] http://pethole.net/
[10] Firmware Mod Kit. Available: https://github.com/mirror/firmware-mod-kit
[11] Binwalk [Online]. Available: http://binwalk.org
[12] Nikolai Hampton, Patryk Szewczyk, A survey and method for analysing SoHo router firmware currency, Australian Information Security Management, 2015.
[13] Shodan [Online]. Available: http://shodan.io
[14] A. Costin, J. Zaddach, A. Francillon and D. Balzarotti, A large-scale analysis of the security of embedded firmwares, in Proceedings of the 23rd USENIX Security Symposium, 2014, pp. 95-110. [Online]. Available: https://www.usenix.org/conference/usenixsecurity14/techincal-sessions/presentation/costin
The 1st Workshop: Selected Issues in Information Safety and Security – Hanoi, 28/11/2016
[15] Jonas Zaddach, Andrei Costin, Embedded Devices Security and Firmware Reverse Engineering, EURECOM, Sophia-Antipolis, Biot, France, 2013.
[16] https://pypi.python.org/pypi/filemagic/
[17] Hui Suo, Jiafu Wan, Caifeng Zou, Jianqi Liu, Security in the Internet of Things: A Review, Guangzhou, China, 2012.
[18] Trần Nghi Phú, Ngô Quốc Dung, Nguyễn Huy Trung, Nguyễn Ngọc Bình, A model for detecting malicious code in embedded software on routing devices (in Vietnamese), The 19th National Conference: Selected Issues of ICT – Hanoi, 2016.
[19] FTP indexing engines used as a firmware crawler. Available: http://www.mmnt.ru/ http://filemare.com/ http://www.filesearching.com/
[20] Xuan Nam Nguyen, Dai Tho Nguyen, Long Hai Vu, POCAD: a Novel Payload-based One-Class Classifier for Anomaly Detection, 2016 3rd National Foundation for Science and Technology Development (NAFOSTED) Conference on Information and Computer Science (NICS), Da Nang, 2016.
citation: Nguyen, Xuan Nam and Nguyen, Dai Tho and Vu, Hai Long (2016) POCAD: a Novel Payload-based One-Class Classifier for Anomaly Detection. In: 2016 3rd National Foundation for Science and Technology Development (NAFOSTED) Conference on Information and Computer Science (NICS), September 14-16, 2016, Danang City, Vietnam.
document_url: https://eprints.uet.vnu.edu.vn/eprints/id/eprint/2361/1/POCAD_CameraReady.pdf