Open Access Open Access  Restricted Access Subscription or Fee Access

Anomaly Payload Signature Generation System Based on Efficient Tokenization Methodology

(*) Corresponding author

Authors' affiliations



Signature-based intrusion detection systems are widely used as an efficient network security control. Unfortunately, security experts manually craft attack signatures after capturing and analyzing the exploit code. Therefore, those systems are only able to detect known attacks. In this paper, we propose a new automated and content-based signature generation system that generates anomaly profiles to detect new and previously unknown attacks and worms. The proposed system, denoted SCANS, uses a natural tokenization method that speeds up the signature generation process by producing a fewer number of substrings. In this system, we propose a new stop character technique that will help to overcome signatures’ substrings granularity limitations of the old stop word techniques. In addition, SCANS introduces an improved normalized binary detection model specifically tailored for attacks detection. Experimental testing using DARPA IDS dataset shows a 95% malicious packets detection rate for port 23, with specificity of 88.4% and 94.6% for ports 21 and 25, respectively.
Copyright © 2018 Praise Worthy Prize - All rights reserved.


Anomaly Detection; Signature Generation; Natural Tokenization

Full Text:



H. Wang, S. Jha, V. Ganapathy. NetSpy: Automatic Generation of Spyware Signatures for NIDS, Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC'06), Miami Beach, FL, 2006.

M. Aldwairi and K. Al-Khamaiseh, Exhaust: Optimizing Wu-Manber pattern matching for intrusion detection using Bloom filters, 2015 2nd World Symposium on Web Applications and Networking (WSWAN), Sousse, 2015, pp. 1-6. doi: 10.1109/WSWAN.2015.7209081

M. Kharbutli, M. Aldwairi and A. Mughrabi, Function and data parallelization of Wu-Manber pattern matching for intrusion detection systems. Network Protocols and Algorithms, (4)3:46-61,2012.

M. Aldwairi, Y. Khamayseh, M. Al Masri, Application of artificial bee colony for intrusion detection systems. Security and Communication Networks, John Wiley & Sons Ltd., (8)16:2730-2740, 2015/11.

S. Singh, C. Estan, G. Varghese, S. Savage, Automated worm fingerprinting. In Proceedings of the 6th conference on USENIX Symposium on Operating Systems Design & Implementation (OSDI'04), USENIX Association, Berkeley, CA, USA, 2004, (6):4-4.

H. Shirazi, Y. Kalaji, An Intelligent Intrusion Detection System Using Genetic Algorithms and Features Selection. Majlesi Journal of Electrical Engineering, 2010, 4(1): 34-43.

G. Szabo, Z. Turanyi, L. Toka, S. Molnár, A. Santos, Automatic Protocol Signature Generation Framework for Deep Packet Inspection, Proceedings of the 5th International ICST Conference on Performance Evaluation Methodologies and Tools (ValueTools'11), Cachan, France, 2011.Conference on Computer and Electrical Engineering, Phuket, Thailand, 2008.

T. Krueger, N. Krämer, K. Rieck, ASAP: Automatic semantics-aware analysis of network payloads, Proceedings of international ECML/PKDD conference on privacy and security issues in data mining and machine learning (PSDML'10), Berlin, Germany, 2010.

M. Mohssen, H. Antony, N. Ventura, M. Hashim, E. Bashier, An Automated Signature Generation Approach for Polymorphic Worms Using Principal Component Analysis, In International Journal for Information Security Research (IJISR), 2011, 45-52.

M. Roesch, Snort - lightweight intrusion detection for networks, Proceedings of the 13th Systems Administration Conference (LISA99), Seattle, 1999.

Bro Network Security Monitor. [Online]. [accessed: 13/06/2015].

K. Rieck, G. Schwenk, T. Limmer, Botzilla: Detecting the "Phoning Home" of Malicious Software, Proceedings of ACM Symposium on Applied Computing (SAC '10), New York, 2010.

N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All your iFRAMEs point to Us. In Proceedings of the 17th USENIX conference on Security symposium (SS'08). USENIX Association, Berkeley, CA, USA, 1-15.

D. D. Dominic, A. M. Said, Network Anomaly Detection Approach Based on Frequent Pattern Mining Technique, Computational Science and Technology (ICCST), International Conference, IEEE, Kota Kinabalu, 2014, 1-6.

T. Werner, C. Fuchs, E. Gerhards-Padilla, P. Martini, Nebula – Generating Syntactical Network Intrusion Signatures, Proceedings of 4th International Conference on Malicious and Unwanted Software (MALWARE’09), Montreal, Canada, 2009.

E. Ukkonen, Online Construction of Suffix Trees, Algorithmica, 1995, 14(3).

Y. Wang, Y. Xiang, W. Zhou, S. Yu, Generating regular expression signatures for network traffic classification in trusted network management, Journal of Network and Computer Applications, 2011, 35(3): 992–1000.

T. Jirachan, K. Piromsopa, Applying KSE-test and K-means clustering towards Scalable Unsupervised Intrusion Detection, Computer Science and Software Engineering (JCSSE), 12th International Joint Conference, IEEE, Songkhla, 2015, 82-87.

B. Cui, S. He, H. Jin, Multi-Layer Anomaly Detection for Internet Traffic Based on Data Mining, Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), 9th International Conference, IEEE, Santa Cantarina, Brazil, 2015, 277-282.

D. B. Shukla, G. S. Chandel, An Approach for Classification of Network Traffic on Semi - Supervised Data using Clustering Techniques, IEEE, Ahmedabad, 2013, 1-6.

J. Newsome, D. Song, Dynamic taint analysis for automatic detection, Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS’05), San Diego, California, USA, 2005.

R. Perdisci, D. Ariu, P. Fogla, G. Giacinto, W. Lee, McPAD: A multiple classifier system for accurate payload-based anomaly detection. Computer Networks, In Press, Corrected Proof, 2008.

S. M. A. Gadal and S. R. A. Mokhtar, Anomaly detection approach using hybrid algorithm of data mining technique. In 2017 International Conference on Communication, Control, Computing and Electronics Engineering (ICCCCEE), pp. 1-6. IEEE, 2017.

X. N. Nguyen, D. T. Nguyen and L. H. Vu. "POCAD: A novel pay load-based one-class classifier for anomaly detection." In Information and Computer Science (NICS), 2016 3rd National Foundation for Science and Technology Development Conference on, pp. 74-79. IEEE, 2016.

D. Ariu, R. Tronci, G. Giacinto, HMMPayl: An intrusion detection system based on Hidden Markov Models, Computers and Security, 2011, 30(4): 221–241.

K. Wang, S. Stolfo, Anomalous payload-based network intrusion detection, Proceedings of the 7th International Symposium Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, France, 2004.

M. Aldwairi, Yahya Flaifel, Baeza-Yates and Navarro Approximate String Matching for Spam Filtering, In Proc. of the Second International Conference on Innovative Computing Technology (INTECH 2012), Rabat, Morocco, September 2012.

M. Aldwairi, R. Alsalman, MALURLs: Malicious URLs Classification System. In Proc. of the Annual International Conference on Information Theory and Applications, Singapore, 2011.

M. Mohammed, H. A. Chan, N. Ventura, Honeycyber: Automated signature generation for zero-day polymorphic worms, Proceedings of IEEE Military Communications Conference (MILCOM), 2008.

K. Wang, J. Parekh, S. Stolfo, Anagram: A Content Anomaly Detector Resistant to Mimicry Attack, Proceedings of the 9th international conference on Recent Advances in Intrusion Detection (RAID'06), Berlin, 2006.

WinPcap [Online]. [accessed: 13/06/2015].

DARPA Intrusion Detection Data Sets 1999 [Online]. [accessed: 13/06/2015].

Vitekar, A., Kota, P., A Survey on Evolution in Information Security, (2017) International Journal on Communications Antenna and Propagation (IRECAP), 7 (6), pp. 502-508.

Mehdizadeh, A., Khatun, S., Ali, B., Raja Abdullah, R., Kurup, G., Security Enhancement of Route Optimization in Mobile IPv6 Networks, (2017) International Journal on Engineering Applications (IREA), 5 (5), pp. 155-164.

Jaradat, Y., Masoud, M., Jannoud, I., Azzawi, H., Basic Review of Low Rate Denial of Service Attack on Wired and Wireless Networks, (2016) International Journal on Communications Antenna and Propagation (IRECAP), 6 (6), pp. 390-399.


  • There are currently no refbacks.

Please send any question about this web site to
Copyright © 2005-2023 Praise Worthy Prize