{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,16]],"date-time":"2026-03-16T10:07:21Z","timestamp":1773655641446,"version":"3.50.1"},"reference-count":49,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2018,1,20]],"date-time":"2018-01-20T00:00:00Z","timestamp":1516406400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Internet Technol."],"published-print":{"date-parts":[[2018,5,31]]},"abstract":"<jats:p>We present PCkAD, a novel semisupervised anomaly-based IDS (Intrusion Detection System) technique, detecting application-level content-based attacks. Its peculiarity is to learn legitimate payloads by splitting packets into chunks and determining the within-packet distribution of n-grams. This strategy is resistant to evasion techniques as blending. We prove that finding the right legitimate content is NP-hard in the presence of chunks. Moreover, it improves the false-positive rate for a given detection rate with respect to the case where the spatial information is not considered. Comparison with well-known IDSs using n-grams highlights that PCkAD achieves state-of-the-art performances.<\/jats:p>","DOI":"10.1145\/3143422","type":"journal-article","created":{"date-parts":[[2018,1,22]],"date-time":"2018-01-22T13:22:59Z","timestamp":1516627379000},"page":"1-21","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Exploiting Content Spatial Distribution to Improve Detection of Intrusions"],"prefix":"10.1145","volume":"18","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9860-7569","authenticated-orcid":false,"given":"Fabrizio","family":"Angiulli","sequence":"first","affiliation":[{"name":"University of Calabria, Rende(CS), Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Luciano","family":"Argento","sequence":"additional","affiliation":[{"name":"University of Calabria, Rende(CS), Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Angelo","family":"Furfaro","sequence":"additional","affiliation":[{"name":"University of Calabria, Rende(CS), Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2018,1,20]]},"reference":[{"key":"e_1_2_1_2_1","unstructured":"Brandie Anderson Sue Barsamian Dustin Childs Jason Ding Joy Marie Forsythe Brian Gorenc Angela Gunn Alexander Hoole Howard Miller Sasi Siddharth Muthurajan Yekaterina Tsipenyuk O\u2019Neil John Park Oleg Petrovsky Barak Raz Nidhi Shah Vanja Svajcer Ken Tietjen and Jewel Timpe. 2016. Cyber Risk Report 2016. Technical Report. Hewlett Packard Enterprise.  Brandie Anderson Sue Barsamian Dustin Childs Jason Ding Joy Marie Forsythe Brian Gorenc Angela Gunn Alexander Hoole Howard Miller Sasi Siddharth Muthurajan Yekaterina Tsipenyuk O\u2019Neil John Park Oleg Petrovsky Barak Raz Nidhi Shah Vanja Svajcer Ken Tietjen and Jewel Timpe. 2016. Cyber Risk Report 2016. Technical Report. Hewlett Packard Enterprise."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICTAI.2015.155"},{"key":"e_1_2_1_4_1","unstructured":"Fabrizio Angiulli Luciano Argento and Angelo Furfaro. 2017. PCkAD source code. Retrieved from https:\/\/github.com\/F3nDis\/PCkAD.  Fabrizio Angiulli Luciano Argento and Angelo Furfaro. 2017. PCkAD source code. Retrieved from https:\/\/github.com\/F3nDis\/PCkAD."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC.2008.213"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-20248-8_15"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2013.57"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420969"},{"key":"e_1_2_1_10_1","volume-title":"8th Annual Network and Distributed System Security Symposium.","author":"Bilge Leyla","year":"2011"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2584679"},{"key":"e_1_2_1_12_1","volume-title":"Network Science and Cybersecurity","author":"Blowers Misty"},{"key":"e_1_2_1_13_1","volume-title":"Research in Attacks, Intrusions and Defenses","author":"Boggs Nathaniel"},{"key":"e_1_2_1_14_1","volume-title":"Stolfo","author":"Boggs Nathaniel","year":"2014"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/IWIA.2006.18"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.5555\/176313.176316"},{"key":"e_1_2_1_17_1","volume-title":"Journal of Machine Learning Research 13","author":"Br\u00fcckner Michael","year":"2012"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2008.11"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/1014052.1014066"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2011.05.008"},{"key":"e_1_2_1_21_1","volume-title":"Polymorphic shellcode engine using spectrum analysis","author":"Detristan Theo"},{"key":"e_1_2_1_22_1","volume-title":"Proceedings of the 15th USENIX Security Symposium","author":"Fogla Prahlad","year":"2006"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1016\/0022-0000(80)90004-5"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2008.08.003"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1143844.1143889"},{"key":"e_1_2_1_26_1","unstructured":"IETF. 1999. Hypertext Transfer Protocol -- HTTP\/1.1. Retrieved from https:\/\/tools.ietf.org\/html\/rfc2616.  IETF. 1999. Hypertext Transfer Protocol -- HTTP\/1.1. Retrieved from https:\/\/tools.ietf.org\/html\/rfc2616."},{"key":"e_1_2_1_27_1","volume-title":"International Symposium on Recent Advances in Intrusion Detection (RAID\u201907)","author":"Kenneth"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2009.10.012"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/s00778-006-0002-5"},{"key":"e_1_2_1_30_1","unstructured":"Amit Klein. 2005. Exploiting the XmlHttpRequest object in IE. Retrieved from http:\/\/www.securityfocus.com\/archive\/1\/411585.  Amit Klein. 2005. Exploiting the XmlHttpRequest object in IE. Retrieved from http:\/\/www.securityfocus.com\/archive\/1\/411585."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2012.07.009"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2011.07.032"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1016\/S1389-1286(00)00139-0"},{"key":"e_1_2_1_35_1","volume-title":"Common Vulnerabilities and Exposures. CVE 2012-0911","author":"MITRE Corporation","year":"2012"},{"key":"e_1_2_1_36_1","volume-title":"Common Vulnerabilities and Exposures. CVE 2014-6271","author":"MITRE Corporation","year":"2014"},{"key":"e_1_2_1_37_1","unstructured":"OWASP. 2016. Open Web Application Security Project. Retrieved from https:\/\/www.owasp.org.  OWASP. 2016. Open Web Application Security Project. Retrieved from https:\/\/www.owasp.org."},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2008.11.011"},{"key":"e_1_2_1_39_1","unstructured":"The Snort Project. 2016. Snort\u00ae Users Manual. Software. Cisco.  The Snort Project. 2016. Snort\u00ae Users Manual. Software. Cisco."},{"key":"e_1_2_1_40_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium","author":"Song Yingbo","year":"2009"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.5555\/597917.597922"},{"key":"e_1_2_1_42_1","volume-title":"The Web Application Hacker\u2019s Handbook: Finding and Exploiting Security Flaws","author":"Stuttard Dafydd"},{"key":"e_1_2_1_43_1","volume-title":"Smola","author":"Teo Choon H.","year":"2007"},{"key":"e_1_2_1_44_1","unstructured":"Alvarez Torrano-Gimenez and Perez-Villegas. 2010. HTTP dataset CSIC. Retrieved from http:\/\/www.isi.csic.es\/dataset\/.  Alvarez Torrano-Gimenez and Perez-Villegas. 2010. HTTP dataset CSIC. Retrieved from http:\/\/www.isi.csic.es\/dataset\/."},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/APCIP.2009.218"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1007\/11663812_12"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1007\/11856214_12"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.patrec.2008.01.008"},{"key":"e_1_2_1_49_1","volume-title":"Proceedings of the 22nd International Symposium on Reliable Distributed Systems. 260--269","author":"Xu Jun"},{"key":"e_1_2_1_50_1","unstructured":"Thiago Zaninotti. 2006. Unfiltered Header Injection in Apache 1.3.34\/2.0.57\/2.2.1. Retrieved from http:\/\/www.securityfocus.com\/archive\/1\/433280.  Thiago Zaninotti. 2006. Unfiltered Header Injection in Apache 1.3.34\/2.0.57\/2.2.1. Retrieved from http:\/\/www.securityfocus.com\/archive\/1\/433280."},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSMCC.2008.923876"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2339530.2339697"}],"container-title":["ACM Transactions on Internet Technology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3143422","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3143422","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T02:13:21Z","timestamp":1750212801000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3143422"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,1,20]]},"references-count":49,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2018,5,31]]}},"alternative-id":["10.1145\/3143422"],"URL":"https:\/\/doi.org\/10.1145\/3143422","relation":{},"ISSN":["1533-5399","1557-6051"],"issn-type":[{"value":"1533-5399","type":"print"},{"value":"1557-6051","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,1,20]]},"assertion":[{"value":"2016-10-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-09-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2018-01-20","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}