Please use this identifier to cite or link to this item: https://dspace.iiti.ac.in/handle/123456789/4997
Title: OCPAD: One class Naive Bayes classifier for payload based anomaly detection
Authors: Swarnkar, Mayank
Hubballi, Neminath
Keywords: Classification (of information);Classifiers;HTTP;Knowledge based systems;Learning systems;Signal detection;Trees (mathematics);Anomaly detection;Anomaly detection methods;Efficient data structures;Frequency information;Multinomial naive bayes;Naive Bayes classifiers;One-class Classification;Payload analysis;Intrusion detection
Issue Date: 2016
Publisher: Elsevier Ltd
Citation: Swarnkar, M., & Hubballi, N. (2016). OCPAD: One class naive bayes classifier for payload based anomaly detection. Expert Systems with Applications, 64, 330-339. doi:10.1016/j.eswa.2016.07.036
Abstract: Application-specific attack detection requires packet payload analysis. Current payload analysis techniques suffer from failed detection because they use only the presence or absence of short sequences of a packet in a knowledge base created out of non-malicious packets. In this paper, we describe OCPAD, a content anomaly detection method to identify network packets with suspicious payload content. The proposed method combines the benefits of one-class classification and frequency information of short sequences. We adapt a one-class Multinomial Naive Bayes classifier as the anomaly detector for detecting HTTP attacks. OCPAD uses the likelihood of each short sequence's occurrence in the payload of known non-malicious packets as a measure to derive the degree of maliciousness of a packet. In the training phase, OCPAD generates the likelihood range of each sequence's occurrence from every packet. In order to store the likelihood range of these sequences, we propose a novel and efficient data structure called the Probability Tree. In the testing phase, it treats a short sequence as anomalous if it is not found in the database or its likelihood of occurrence in a packet is not in the range found in the training phase. Using the likelihood of anomalous short sequences, it generates a class label for a test packet. Our experiments with a large dataset of 1 million HTTP packets collected from an academic network revealed that OCPAD has a high Detection Rate (up to 100%) compared to previous methods and an acceptable rate of False Positives (less than 0.6%). © 2016 Elsevier Ltd
URI: https://doi.org/10.1016/j.eswa.2016.07.036
https://dspace.iiti.ac.in/handle/123456789/4997
ISSN: 0957-4174
Type of Material: Journal Article
Appears in Collections: Department of Computer Science and Engineering
