bg<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="content-type"
        content="text/html; charset=iso-8859-1" />
  <meta name="robots"
        content="all" />
  <meta name="generator"
        content="RapidWeaver" />
  <meta name="generatorversion"
        content="3.2 (v1.0 Build 47)" />

  <title>PAYL project</title>
  <link rel="stylesheet"
        type="text/css"
        media="screen"
        href="styles.css" />
  <link rel="stylesheet"
        type="text/css"
        media="print"
        href="print.css" />
  <link rel="stylesheet"
        type="text/css"
        media="screen"
        href="css/styles/blue.css" />
  <link rel="stylesheet"
        type="text/css"
        media="screen"
        href=
        "css/width/width_default.css" />
  <link rel="stylesheet"
        type="text/css"
        media="screen"
        href=
        "css/sidebar/sidebar_right.css" />
        
<script type="text/javascript"
      src="rw_common/themes/business/javascript.js">
</script>
</head>
<!-- This page was created with RapidWeaver from Realmac Software. http://www.realmacsoftware.com -->

<body>
  <div id="container">
    <!-- Start container -->

    <div id="pageHeader">
      <!-- Start page header -->

      <h1>Intrusion Detection Systems Lab</h1>

      <h2>Computer Science Department, Columbia University</h2>
    </div><!-- End page header -->

    <div id="sidebarContainer">
      <!-- Start Sidebar wrapper -->

      <div id="navcontainer">
        <!-- Start Navigation -->

        <ul>
          <li><a href="index.html"
             rel="self"
             id="current"
             name="current">IDS Homepage</a></li>
		  <li><a href="projects.html"
             rel="self"
             id="current"
             name="current">Projects</a></li>
		  <li><a href="publications.html"
             rel="self"
             id="current"
             name="current">Publications</a></li>
		  <li><a href="people.html"
             rel="self"
             id="current"
             name="current">People</a></li> 
	     <li><a href="meetings.html"
             rel="self"
             id="current"
             name="current">Group Meetings</a></li> 	 	 
        </ul>
      </div><!-- End navigation -->

      <div class="sideHeader"></div><!-- Sidebar header -->

      <div id="sidebar">
        <!-- Start sidebar content -->

        <br />
        <!-- sidebar content you enter in the page inspector -->
         <!-- sidebar content such as the blog archive links -->
      </div><!-- End sidebar content -->
    </div><!-- End sidebar wrapper -->

    <div id="contentContainer">
      <!-- Start main content wrapper -->

      <div id="content">
        <!-- Start content -->
		<div class="table">
			<a href="projects.html">&lt;&lt;BACK</a>
		</div>
		<img
			src="payl_images/payl-logo-200px.png" class="img";
		/>
		<div class="table">
		Every
computer on the Internet nowadays is a potential target for attack at any
moment. Such attacks may result in services being disabled or system crashes
resulting in losses of critical information. We consider the problem of
detecting these “zero-day” intrusions quickly and accurately upon their very
first appearance. </div>


<div class="table">PAYL 
is a payload-based anomaly detector for intrusion detection. Most
current Network Intrusion Detection Systems (NIDS) use packet headers and
derived statistics describing connections and sessions (packet rates, bytes transferred,
etc.) to detect unusual events that are likely attacks, but these approaches are
<i>blind to content</i><span style='mso-bidi-font-style:italic'> of the packet
stream. </span>PAYL is designed to detect attacks that are otherwise normal
connections except that the packets carry bad (anomalous) content indicative of
a new exploits. PAYL augments other sensors and enriches the view of network
traffic to detect malicious events.<o:p></o:p></div>


<div class="table">PAYL
models the normal application payload of network traffic in a fully automatic,
unsupervised and very efficient fashion. We first compute, during a training
phase, a profile byte frequency distribution and their standard deviation of
the application payload flowing to a single host and port. We then use
Mahalanobis distance during the detection phase to calculate the similarity of
new data against the pre-computed profile. The detector compares this measure
against a threshold and generates an alert when the distance of the new input
exceeds this threshold. We experimentally demonstrate that the <span
style='mso-bidi-font-style:italic'>site-specific</span> <span style='mso-bidi-font-style:
italic'>models</span> trained and used for testing by PAYL are capable of
detecting new intrusions with high accuracy.</div>
<div align="center">
<img
	src="payl_images/model.jpg" width="480" class="img";
/>

<img
	src="payl_images/distance.jpg" class="img";
/>
</div>

<div class="table">We 
also developed a new approach that correlates ingress/egress PAYL alerts to identify
the worm’s initial propagation. Since our approach only uses packet payloads, <span
style='mso-bidi-font-style:italic'>unlike other systems,</span> PAYL is not
dependent upon detection of probing or scanning behavior or the prevalence of
common probe payloads, and is especially good for the detection of slow and
stealthy worms.<span style='mso-spacerun:yes'>  </span>This method also enables
automatic signature generation very early in the worm’s propagation stage.
These signatures can be deployed immediately to network firewalls and content
filters to proactively protect other hosts. </div>


<div align="center">
<img
	src="payl_images/sig.jpg" class="img";
/>
</div>
	
<div class="table">
<div class="table_header">
	Papers
	</div>
<ul>
<li>Ke Wang, Salvatore J. Stolfo. &quot;Anomalous Payload-based Network Intrusion 
    	Detection&quot;. <em>RAID, </em>Sept., 2004. &nbsp;[<a target="_blank" href="publications/RAID4.PDF">PDF</a>]
<li> Ke Wang, Gabriela Cretu, Salvatore J. Stolfo &quot;Anomalous Payload-based Worm Detection and Signature Generation&quot;
  		<em>Proceedings of the Eighth International Symposium on Recent Advances in Intrusion Detection(RAID 2005)</em>&nbsp;[<a target="_blank" href="publications/raid-camerav.pdf">PDF</a>]
</ul>			       
</div>
<div class="table_header">
Sponsor:
		</div>	
<div class="table">
<a target="_blank" href="http://www.arl.army.mil/main/main/default.cfm?Action=29&Page=29">
<img
   src="images/aro.gif" width="60" class="img";
                                />
</a>
</div>
      </div><!-- End content -->
    </div><!-- End main content wrapper -->

    <div class="clearer"></div>

    <div id="footer">
      <!-- Start Footer -->

      <p>© 2005 IDS Lab </p>
    </div><!-- End Footer -->
  </div>
  <!-- End container -->
</body>
</html>