Anomaly-based network intrusion detection systems (NIDSs) can take
into consideration packet headers, the payload, or a combination of both. We argue
that payload-based approaches are becoming the most effective way to detect attacks.
Nowadays, attacks aim mainly to exploit vulnerabilities at the application level;
thus, the payload carries the information that best distinguishes normal
traffic from anomalous activity. To support this thesis, we present a comparison of
different anomaly-based NIDSs, focusing in particular on the data analyzed
by the detection engine to discover possible malicious activity. Furthermore, we
compare two payload-based anomaly NIDSs, PAYL and POSEIDON.
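The following example is added here to illustrate the argument of the abstract; it is not code from the chapter or from the PAYL or POSEIDON authors. It implements a PAYL-style 1-gram payload model: a per-byte mean and standard deviation is learned for each (destination port, payload-length bucket) and a new payload is scored with the simplified Mahalanobis distance, sum over byte values of |freq - mean| / (stdev + alpha). The HTTP requests, the bucket size of 128 bytes and the smoothing constant are constructed assumptions for this example. The "attack" request keeps the same destination port, the same length bucket and the same header lines as the benign traffic, so a header-only view cannot separate it, while its byte distribution (a NOP sled and opcode-like bytes in the query string) is far from the learned profile.

```python
# Added illustration of a PAYL-style payload anomaly detector.
# Not code from the chapter or from the PAYL/POSEIDON authors; the training
# requests and the "attack" request below are constructed for this example.
from collections import defaultdict

ALPHA = 0.001        # smoothing so a zero-variance byte does not divide by zero
LENGTH_BUCKET = 128  # profiles are keyed by (port, length bin); bin size is an assumption


def byte_histogram(payload: bytes) -> list[float]:
    """Relative frequency of each of the 256 byte values (the 1-gram model)."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload) or 1
    return [c / n for c in counts]


def header_view(port: int, payload: bytes) -> tuple[int, int]:
    """What a header-only model keyed on destination port and size sees."""
    return (port, len(payload) // LENGTH_BUCKET)


class PaylModel:
    def __init__(self) -> None:
        self._samples = defaultdict(list)   # key -> list of training histograms
        self.profiles = {}                  # key -> (means, stdevs)

    def train(self, port: int, payload: bytes) -> None:
        self._samples[header_view(port, payload)].append(byte_histogram(payload))

    def finalize(self) -> None:
        for key, hists in self._samples.items():
            n = len(hists)
            means = [sum(h[i] for h in hists) / n for i in range(256)]
            stdevs = [(sum((h[i] - means[i]) ** 2 for h in hists) / n) ** 0.5
                      for i in range(256)]
            self.profiles[key] = (means, stdevs)

    def score(self, port: int, payload: bytes) -> float:
        """Simplified Mahalanobis distance between a payload and its profile."""
        key = header_view(port, payload)
        if key not in self.profiles:
            return float("inf")   # no profile for this port/length: treat as anomalous
        means, stdevs = self.profiles[key]
        h = byte_histogram(payload)
        return sum(abs(h[i] - means[i]) / (stdevs[i] + ALPHA) for i in range(256))


def http_get(path: bytes) -> bytes:
    """Build a minimal HTTP/1.1 request; header lines are identical for every path."""
    return (b"GET " + path + b" HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: curl/7.1\r\n\r\n")


# Constructed benign training traffic for port 80 (all under 128 bytes).
TRAINING = [http_get(p) for p in (
    b"/index.html", b"/images/logo.png", b"/about/team.html",
    b"/css/style.css", b"/contact.html", b"/news/2008/item.html")]

# Constructed test requests: a held-out benign one, and one whose headers and
# length bucket match but whose query string carries a NOP sled and opcode-like bytes.
BENIGN_TEST = http_get(b"/docs/readme.html")
ATTACK_TEST = http_get(b"/cgi-bin/a?x=" + b"\x90" * 24 + b"\xeb\x1f\x5e\x89\x76\x08")


def build_model() -> PaylModel:
    model = PaylModel()
    for p in TRAINING:
        model.train(80, p)
    model.finalize()
    return model


def scores() -> tuple[float, float]:
    """Return (benign_score, attack_score) from the trained model."""
    model = build_model()
    return model.score(80, BENIGN_TEST), model.score(80, ATTACK_TEST)


if __name__ == "__main__":
    benign, attack = scores()
    print("header view:", header_view(80, BENIGN_TEST), header_view(80, ATTACK_TEST))
    print(f"payload score benign={benign:.1f} attack={attack:.1f}")
```

The bytes 0x90 and the opcode-like values never occur in training, so their standard deviation is zero and each contributes freq / ALPHA to the distance, which is what drives the attack score far above the benign one. POSEIDON keeps this per-byte scoring but replaces the fixed length bucket with a cluster chosen by a self-organizing map, which is the difference the chapter's second comparison examines.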
Title of host publication: Intrusion Detection Systems
Editors: R. Di Pietro, L.V. Mancini
Place of publication: London
Publication status: Published - 2008
Series: Advances in Information Security