Misleading attacks pose a serious threat to any anomaly detector that relies on automatic signature generation. Using compression techniques, we propose a method for coping with misleading attacks. We describe three situations that may occur and filter all the misleading attacks out of the suspicious flows. This study suggests that Normalized Compression Distance can be an effective metric for the identification of network traffic flows.
Authors: Ma, J., Dai, G., Yan, Y.
Volume: 7
Issue: 2
Keywords: Misleading attack, Normalized compression distance, Polymorphic worms
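As an added example, not code from the paper: the Normalized Compression Distance named in the abstract, implemented with zlib and applied to constructed flows. The sample payloads, the 0.5 threshold and the one-sided test "keep a suspicious flow only if it is close to the known worm cluster" are assumptions for illustration, not the paper's three situations.

```python
import random
import zlib


def compressed_len(data: bytes) -> int:
    """C(x): length of the zlib output at maximum compression level."""
    return len(zlib.compress(data, 9))


def ncd(x: bytes, y: bytes) -> float:
    """NCD(x, y) = (C(xy) - min(C(x), C(y))) / max(C(x), C(y)).
    Near 0 for near-identical inputs, around 1 for unrelated ones."""
    cx, cy = compressed_len(x), compressed_len(y)
    return (compressed_len(x + y) - min(cx, cy)) / max(cx, cy)


def random_bytes(seed: int, n: int) -> bytes:
    """Deterministic pseudo-random filler so the example is reproducible."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample data (hypothetical, not taken from the paper).
INVARIANT = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Type: application/octet-stream\r\n"
             b"X-Constructed-Invariant: fixed bytes standing in for the worm's "
             b"invariant part, shared by every polymorphic instance\r\n\r\n")
# Known polymorphic instances: same invariant, different random filler.
WORM_SAMPLES = [INVARIANT + random_bytes(s, 32) for s in (1, 2, 3)]
NEW_VARIANT = INVARIANT + random_bytes(99, 32)
# A benign flow that merely looks HTTP-like.
NORMAL_FLOW = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
               b"User-Agent: constructed/1.0\r\nAccept: text/html\r\n\r\n")
# A misleading (decoy) flow: mostly noise plus a small slice of the invariant,
# of the kind injected to pollute a signature generator's suspicious pool.
DECOY_FLOW = random_bytes(7, 150) + INVARIANT[:32]
THRESHOLD = 0.5  # assumed cut-off; tune on real traffic


def mean_ncd(flow: bytes, group: list) -> float:
    return sum(ncd(flow, g) for g in group) / len(group)


def is_polymorphic_variant(flow: bytes, worm_samples: list,
                           threshold: float = THRESHOLD) -> bool:
    return mean_ncd(flow, worm_samples) < threshold


def filter_suspicious_pool(pool: list, worm_samples: list,
                           threshold: float = THRESHOLD) -> list:
    """Keep flows close to the worm cluster; drop decoys and benign traffic."""
    return [f for f in pool if is_polymorphic_variant(f, worm_samples, threshold)]
```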