Application-layer Anomaly Detection Based on Application-layer Protocols' Keywords

Nowadays most network-based attacks are based on application-layer protocols and don't present significant difference in network traffic. Observed from the network-layer and transport-layer, these attacks may not contain significant malicious activities, and generate abnormal network traffic. So it is difficult for existing methods to effectively detect such application-layer attacks without special techniques. In theory, application-layer anomaly detection can detect the known, unknown and novel attacks happened on application-layer, therefore the research of application-layer anomaly detection is very important. This paper presents an application-layer anomaly detection method based on application-layer protocols' keywords. In this method, the keywords of an application-layer protocol and their inter-arrival times are used as the observations, a hidden semi-Markov model is used to describe the behaviors of a normal user who is using the application-layer protocol. The experimental results show that this method has high detection accuracy and low false positive ratio.