Title :
Minimum description length principles for detection and classification of FTP exploits
Author :
Evans, Scott ; Barnett, Bruce ; Bush, Stephen F. ; Saulnier, Gary J.
Author_Institution :
GE Res., NY, USA
Abstract :
In this paper we build on the principle of "conservation of complexity", analyzed in Evans, S. et al. (2001), to measure protocol redundancy and pattern content as a metric for information assurance. We first analyze complexity estimators as a tool for detecting FTP exploits. Results showing the utility of complexity-based information assurance for detecting exploits over the file transfer protocol are presented and analyzed. We show that complexity metrics are able to distinguish between FTP exploits and normal sessions within some margin of error. We then derive a new heuristic for complexity estimation using minimum description length principles and develop a new complexity estimator and compression algorithm based on grammar inference using this heuristic. This estimator is used to provide meaningful models of unknown data sets. Finally, we demonstrate the capability of our complexity-based approach to classify protocol behavior based on similarity distance metrics from known behaviors.
Keywords :
computational complexity; transport protocols; FTP exploits; complexity estimator; complexity-based approach; complexity-based information assurance; file transfer protocol; grammar inference; minimum description length principles; protocol redundancy; Compression algorithms; Entropy; Equations; Information analysis; Protocols; Random sequences; Solids; Statistics; Turing machines; Upper bound
Conference_Title :
Military Communications Conference, 2004. MILCOM 2004. 2004 IEEE
Print_ISBN :
0-7803-8847-X
DOI :
10.1109/MILCOM.2004.1493313