Article ID: 4950337
Journal: Future Generation Computer Systems
Published Year: 2017
Pages: 39 Pages
File Type: PDF
Abstract
Advanced Payload Analyzer Pre-processor (APAP) is an intrusion detection system that analyzes the payload of network traffic in search of malware. APAP implements its detection algorithm as a "dynamic pre-processor" of Snort. Working together, the two yield a system that is highly effective against known attacks (via Snort rules) and equally effective against new and unknown attacks. APAP consists of two phases: training and detection. During training, a statistical model of legitimate network traffic is built with Bloom filters and n-grams. The results obtained by analyzing a dataset of attacks with this model are then compared with those of legitimate traffic, which yields a set of rules able to determine whether a payload corresponds to malware or to legitimate traffic. During detection, monitored traffic is passed through the Bloom filter created in the training phase, and the results are checked against the rules. Training therefore requires two datasets: a collection of habitual, legitimate traffic and samples of malicious traffic. This approach offers several improvements over similar proposals; the most notable is a new method for filling Bloom filters and thereby building usage models. A rule system based on Ks speeds up decision-making. Results obtained by analyzing real HTTP traffic show a high hit rate (95%) and a low false-positive rate (0.1%).
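The training-and-detection loop the abstract describes, as an added Python illustration that is not the APAP code or its Snort pre-processor. It assumes a plain Bloom filter with SHA-256-derived bit positions, byte 3-grams, an anomaly score equal to the fraction of a payload's n-grams absent from the filter, and a decision rule that sets the threshold midway between the worst held-out legitimate score and the best attack score; the paper's own filter-filling method and its Ks-based rule system are not reproduced. Every HTTP payload below is constructed for the example.

```python
import hashlib
from typing import Iterable, Iterator


class BloomFilter:
    """Minimal Bloom filter: m bits, k positions per item derived from SHA-256.
    (Assumption: the paper describes its own filling method; this is a textbook filter.)"""

    def __init__(self, m_bits: int = 1 << 16, k: int = 4) -> None:
        self.m = m_bits
        self.k = k
        self.bits = bytearray(m_bits // 8 + 1)

    def _positions(self, item: bytes) -> Iterator[int]:
        # k "independent" hashes: SHA-256 over a one-byte salt plus the item.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        # May answer True for an item never added (false positive), never False for an added one.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def ngrams(payload: bytes, n: int) -> Iterator[bytes]:
    """Overlapping byte n-grams of a payload, in order, duplicates included."""
    return (payload[i:i + n] for i in range(len(payload) - n + 1))


def train(legit: Iterable[bytes], n: int = 3, m_bits: int = 1 << 16, k: int = 4) -> BloomFilter:
    """Training phase: fill the filter with every n-gram seen in legitimate traffic."""
    bf = BloomFilter(m_bits, k)
    for payload in legit:
        for gram in ngrams(payload, n):
            bf.add(gram)
    return bf


def anomaly_score(bf: BloomFilter, payload: bytes, n: int = 3) -> float:
    """Fraction of the payload's n-grams the usage model has never seen (0.0 = fully familiar)."""
    grams = list(ngrams(payload, n))
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in bf)
    return unseen / len(grams)


def derive_threshold(bf: BloomFilter, legit_holdout: Iterable[bytes],
                     attacks: Iterable[bytes], n: int = 3) -> float:
    """Assumed rule: split the gap between the worst held-out legitimate score
    and the best (lowest) attack score. Use held-out legit traffic, not the
    training set, whose payloads always score 0.0 by construction."""
    worst_legit = max(anomaly_score(bf, p, n) for p in legit_holdout)
    best_attack = min(anomaly_score(bf, p, n) for p in attacks)
    return (worst_legit + best_attack) / 2.0


def is_malicious(bf: BloomFilter, payload: bytes, threshold: float, n: int = 3) -> bool:
    """Detection phase: flag a payload whose unseen-n-gram fraction exceeds the threshold."""
    return anomaly_score(bf, payload, n) > threshold


# Constructed sample traffic (not captured data).
LEGIT_TRAIN = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /images/banner.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: image/png\r\n\r\n",
    b"GET /css/site.css HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/css\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n\r\nuser=alice&password=secret1",
    b"GET /search?q=network+security HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
]
LEGIT_HOLDOUT = [
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: image/png\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n\r\nuser=bob&password=secret2",
]
ATTACKS = [
    b"GET /search?q=' OR 1=1 UNION SELECT username,password FROM users-- HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /../../../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 52\r\n\r\nuser=admin&password=" + b"\x90" * 30 + b"\xcc\xcc",
]


def run_demo() -> dict:
    """Train on legitimate traffic, derive the rule from held-out data, classify everything."""
    bf = train(LEGIT_TRAIN)
    threshold = derive_threshold(bf, LEGIT_HOLDOUT, ATTACKS)
    return {
        "threshold": threshold,
        "legit_flagged": [is_malicious(bf, p, threshold) for p in LEGIT_HOLDOUT],
        "attacks_flagged": [is_malicious(bf, p, threshold) for p in ATTACKS],
    }


if __name__ == "__main__":
    print(run_demo())
```

Two properties of this design are worth checking before trusting a threshold: Bloom filter false positives can only lower a score (an unseen n-gram is mistaken for a seen one), so the filter must be sized against the volume of training n-grams; and any n-gram usage model can be evaded by padding a malicious payload with enough legitimate n-grams to dilute its score, so the threshold should be validated on held-out traffic rather than on the training set, whose payloads always score 0.0.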
Related Topics
Physical Sciences and Engineering; Computer Science; Computational Theory and Mathematics