1
1. 11. 2008.
NIDS based on payload word frequencies and anomaly of transitions
This paper presents a novel payload analysis method. Consecutive bytes are separated by boundary symbols and defined as words. The frequencies of word appearance and word to word transitions are used to build a model of normal behavior. A simple anomaly score calculation is designed for fast attack detection. The method was tested using real traffic and recent attacks to demonstrate that it can be used in IDS. Tolerance to small number of attack in training data is shown.