论文信息 - SAD: web session anomaly detection based on parameter estimation

SAD: web session anomaly detection based on parameter estimation

Web attacks are too numerous in numbers and serious in potential consequences for modern society to tolerate. Unfortunately, current generation signature-based intrusion detection systems (IDS) are inadequate, and security techniques such as firewalls or access control mechanisms do not work well when trying to secure web services. In this paper, we empirically demonstrate that the Bayesian parameter estimation method is effective in analyzing web logs and detecting anomalous sessions. When web attacks were simulated with Whisker software, Snort, a well-known IDS based on misuse detection, caught only slightly more than one third of web attacks. Our technique, session anomaly detection (SAD), on the other hand, detected nearly all such attacks without having to rely on attack signatures at all. SAD works by first developing normal usage profile and comparing the web logs, as they are generated, against the expected frequencies. Our research indicates that SAD has the potential of detecting previously unknown web attacks and that the proposed approach would play a key role in developing an integrated environment to provide secure and reliable web services.

Sung Deok Cha | Sanghyun Cho

[1] Thomas Henry Ptacek,et al. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection , 1998 .

[2] R.K. Cunningham,et al. Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[3] Martin Roesch,et al. Snort - Lightweight Intrusion Detection for Networks , 1999 .

[4] Christopher Krügel,et al. Service specific anomaly detection for network intrusion detection , 2002, SAC '02.

[5] Jaideep Srivastava,et al. Data Preparation for Mining World Wide Web Browsing Patterns , 1999, Knowledge and Information Systems.

[6] Samuel Patton,et al. An Achilles Heel in Signature-Based IDS : Squealing False Positives in SNORT , 2001 .

[7] Salvatore J. Stolfo,et al. Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses , 2002, RAID.

[8] Philip K. Chan,et al. PHAD: packet header anomaly detection for identifying hostile network traffic , 2001 .

[9] Yoram Singer,et al. Efficient Bayesian Parameter Estimation in Large Discrete Domains , 1998, NIPS.