User Session Modeling for Effective Application Intrusion Detection

With the number of data breaches on a rise, effective and efficient detection of anomalous activities in applications which manages data is critical. In this paper, we introduce a novel approach to improve attack detection at application layer by modeling user sessions as a sequence of events instead of analyzing every single event in isolation.We also argue that combining application access logs and the corresponding data access logs to generate unified logs eliminates the need to analyze them separately thereby resulting in an efficient and accurate system. We evaluate various methods such as conditional random fields, support vector machines, decision trees and naive Bayes, and experimental results show that our approach based on conditional random fields is feasible and can detect attacks at an early stage even when they are disguised within normal events.

[1]  Jung-Min Park,et al.  An overview of anomaly detection techniques: Existing solutions and latest technological trends , 2007, Comput. Networks.

[2]  Qiang Chen,et al.  Probabilistic techniques for intrusion detection based on computer audit data , 2001, IEEE Trans. Syst. Man Cybern. Part A.

[3]  Wouter Joosen,et al.  Bridging the gap between web application firewalls and web applications , 2006, FMSE '06.

[4]  Yi Hu,et al.  Identification of malicious transactions in database systems , 2003, Seventh International Database Engineering and Applications Symposium, 2003. Proceedings..

[5]  Anja Feldmann,et al.  Dynamic Application-Layer Protocol Analysis for Network Intrusion Detection , 2006, USENIX Security Symposium.

[6]  Stefan Axelsson Research in Intrusion-Detection Systems: A Survey , 1998 .

[7]  Sin Yeung Lee,et al.  Learning Fingerprints for a Database Intrusion Detection System , 2002, ESORICS.

[8]  Andrew McCallum,et al.  Conditional Random Fields: Probabilistic Models for Segmenting and Labeling Sequence Data , 2001, ICML.

[9]  Kotagiri Ramamohanarao,et al.  Attacking Confidentiality: An Agent Based Approach , 2006, ISI.

[10]  Xiao-Lin Qin,et al.  Research on algorithm of user query frequent itemsets mining , 2004, Proceedings of 2004 International Conference on Machine Learning and Cybernetics (IEEE Cat. No.04EX826).

[11]  Kotagiri Ramamohanarao,et al.  Layered Approach Using Conditional Random Fields for Intrusion Detection , 2010, IEEE Transactions on Dependable and Secure Computing.

[12]  Elisa Bertino,et al.  Intrusion detection in RBAC-administered databases , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[13]  Zhen Zhu,et al.  A clustering method based on data queries and its application in database intrusion detection , 2005, 2005 International Conference on Machine Learning and Cybernetics.

[14]  Yi Hu,et al.  A data mining approach for database intrusion detection , 2004, SAC '04.

[15]  Andrew McCallum,et al.  An Introduction to Conditional Random Fields for Relational Learning , 2007 .

[16]  Magnus Almgren,et al.  Application-Integrated Data Collection for Security Monitoring , 2001, Recent Advances in Intrusion Detection.

[17]  Michael Gertz,et al.  DEMIDS: A Misuse Detection System for Database Systems , 2000, IICIS.

[18]  Dan Klein,et al.  Conditional Structure versus Conditional Estimation in NLP Models , 2002, EMNLP.

[19]  Kotagiri Ramamohanarao,et al.  Conditional Random Fields for Intrusion Detection , 2007, 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07).

[20]  A. N. Zincir-Heywood,et al.  Intrusion Detection Systems , 2008 .

[21]  Joseph Lee,et al.  DIDAFIT: Detecting Intrusions in Databases Through Fingerprinting Transactions , 2002, ICEIS.