Article code | Journal code | Publication year | English article | Full-text version |
---|---|---|---|---|
6855533 | 660780 | 2016 | 10-page PDF | Free download |
English title of the ISI article
OCPAD: One class Naive Bayes classifier for payload based anomaly detection
Related topics
Engineering and basic sciences
Computer engineering
Artificial intelligence

English abstract
We adapt one class Multinomial Naive Bayes classifier as anomaly detector for detecting HTTP attacks. OCPAD uses likelihood of each short sequence's occurrence in a payload of known non-malicious packets as a measure to derive the degree of maliciousness of a packet. In the training phase, OCPAD generates the likelihood range of each sequence's occurrence from every packet. In order to store the likelihood range of these sequences, we propose a novel and efficient data structure called Probability-Tree. In the testing phase, it treats a short sequence as anomalous if it is not found in the database or its likelihood of occurrence in a packet is not in the range found in training phase. Using the likelihood of anomalous short sequences, it generates a class label for a test packet. Our experiments with a large dataset of 1 million HTTP packets collected from an academic network revealed OCPAD has a high Detection Rate (up to 100%) compared to previous methods and acceptable rate of False Positives (less than 0.6%).
Publisher
Database: Elsevier - ScienceDirect
Journal: Expert Systems with Applications - Volume 64, 1 December 2016, Pages 330-339
Authors
Mayank Swarnkar, Neminath Hubballi