Web Service Intrusion Detection Using a Probabilistic Framework

In this paper, we propose an anomaly-based approach to detect intrusion attempts that may target web services. These intrusions (or attacks) are modeled as outliers (or noise) within a principled probabilistic framework. The proposed framework is based on finite Gaussian mixtures and allows the detection of both previously seen and unknown attacks against web services. The main idea of our framework is to treat malicious requests as outliers within our finite mixture model. Using this idea, the intrusion detection problem is reduced to an adversarial classification problem. The merits of the proposed approach are shown using a data set containing both normal and intrusive requests, which were collected from a large real-life web service.
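The outlier idea in the abstract, sketched as an added example (not the paper's code or its exact model): a Gaussian mixture fitted by EM with one extra uniform component that absorbs outliers, and a request flagged when that component's posterior exceeds 0.5. The single feature (request body size), the uniform outlier component, the threshold and all names are assumptions made for illustration.

```python
import math

def gauss(x, mu, var):
    return math.exp(-(x - mu) ** 2 / (2 * var)) / math.sqrt(2 * math.pi * var)

def fit(xs, init_mus, span, iters=50, eps=0.05):
    """EM for K Gaussians plus one uniform outlier component of width `span`."""
    k, mus = len(init_mus), list(init_mus)
    var = [(span / 40) ** 2] * k          # broad starting variances
    w = [(1 - eps) / k] * k + [eps]       # last weight is the outlier class
    u = 1.0 / span                        # uniform outlier density
    for _ in range(iters):
        # E-step: responsibility of every component for every request
        resp = []
        for x in xs:
            p = [w[j] * gauss(x, mus[j], var[j]) for j in range(k)] + [w[k] * u]
            s = sum(p)
            resp.append([v / s for v in p])
        # M-step: re-estimate means, variances and mixing weights
        for j in range(k):
            nj = sum(r[j] for r in resp)
            mus[j] = sum(r[j] * x for r, x in zip(resp, xs)) / nj
            v = sum(r[j] * (x - mus[j]) ** 2 for r, x in zip(resp, xs)) / nj
            var[j] = max(v, 1.0)          # floor avoids a collapsed component
        w = [sum(r[j] for r in resp) / len(xs) for j in range(k + 1)]
    return mus, var, w, u

def outlier_posterior(x, model):
    """P(outlier | x): posterior mass of the uniform component."""
    mus, var, w, u = model
    normal = sum(w[j] * gauss(x, mus[j], var[j]) for j in range(len(mus)))
    return w[-1] * u / (normal + w[-1] * u)

# Constructed sample: request body sizes in bytes (two normal request types
# plus two oversized requests); not data from the paper.
SIZES = [180, 195, 200, 205, 210, 220, 190, 215,
         1150, 1180, 1200, 1210, 1230, 1190, 1220, 1175, 6400, 9000]
MODEL = fit(SIZES, init_mus=[100, 1500], span=10000)

def is_intrusive(x, threshold=0.5):
    return outlier_posterior(x, MODEL) > threshold

if __name__ == "__main__":
    for size in (200, 1200, 700, 9000):
        print(size, round(outlier_posterior(size, MODEL), 4), is_intrusive(size))
```

A size of 700 bytes never appears in the sample, yet it is flagged because it fits neither learned request type, which is how a model of this kind can catch requests it has not seen before.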
