A Hybrid Intrusion Detection Model for Web Log-Based Attacks

Attacks against web-based applications are among the most serious network security threats. Current web-based attacks are so complex that a single detection method cannot cope with the emerging attacks. Motivated by this, we combine misuse detection with anomaly detection and propose a hybrid intrusion detection model for web log-based attacks. In this hybrid model, malicious logs that the misuse detection model cannot detect are loaded into the anomaly detection model for a second check. First, we analyze the inherent features of HTTP logs and build a rule base from them to identify known web log-based attacks. Then, we apply the K-means clustering algorithm from data mining to the logs to construct a normal behavior library that distinguishes normal behavior from abnormal behavior. Finally, we evaluate the performance of our solution on a large volume of realistic web logs. A series of experiments demonstrates the effectiveness of our hybrid model, which achieves a high detection rate and a low false alarm rate at the same time.
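As an added illustration of the two-stage pipeline the abstract describes (example code, not the paper's implementation), the following Python sketch runs constructed Common Log Format lines through a small signature rule base first and hands the survivors to a K-means normal-behaviour library. The rule patterns, the feature vector, the deterministic seeding and the radius threshold are assumptions chosen for the demonstration; it needs Python 3.8+ for math.dist.

```python
import math
import re
from urllib.parse import unquote
# Stage 1 rule base for known web attacks (illustrative patterns, assumed, not the paper's rules).
RULES = [re.compile(p, re.I) for p in (r"\.\./", r"<script", r"union\s+select")]
REQ_RE = re.compile(r'"\S+ (\S+) [^"]*" (\d{3}) ')  # pulls URL and status out of a CLF line
PFX = '10.0.0.1 - - [01/Jan/2024:00:00:00 +0000] '
# Constructed sample logs (Common Log Format); not taken from the paper's dataset.
NORMAL_LOGS = [PFX + r for r in (
    '"GET /index.html HTTP/1.1" 200 512', '"GET /about.html HTTP/1.1" 200 640',
    '"GET /images/logo.png HTTP/1.1" 200 2048', '"GET /products?id=12 HTTP/1.1" 200 900',
    '"POST /login HTTP/1.1" 302 120', '"GET /products?id=7&page=2 HTTP/1.1" 200 880')]
TEST_LOGS = [PFX + r for r in (
    '"GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 300',  # known signature
    '"GET /cgi-bin/test.cgi?a=1&b=2&c=3&d=4&e=5&f=6 HTTP/1.1" 404 0',        # no rule match
    '"GET /contact.html HTTP/1.1" 200 430')]                                  # benign

def parse(line):
    url, status = REQ_RE.search(line).groups()
    return unquote(url), int(status)

def features(line):
    # Assumed feature vector: URL length/10, non-alphanumerics, query params, path depth, error flag.
    url, status = parse(line)
    path, _, query = url.partition("?")
    return (len(url) / 10.0, sum(not c.isalnum() for c in url), query.count("="),
            path.count("/"), float(status >= 400))

def kmeans(points, k=2, iters=20):
    centroids = points[::max(1, len(points) // k)][:k]  # deterministic seeding
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: math.dist(p, centroids[i]))].append(p)
        centroids = [tuple(sum(c) / len(g) for c in zip(*g)) if g else centroids[i] for i, g in enumerate(groups)]
    return centroids

def build_normal_library(normal_lines, slack=1.5):
    # Normal-behaviour library: centroids plus an assumed radius (largest training distance * slack).
    pts = [features(l) for l in normal_lines]
    cents = kmeans(pts)
    return cents, max(min(math.dist(p, c) for c in cents) for p in pts) * slack

def classify(line, library):
    cents, radius = library
    if any(r.search(parse(line)[0]) for r in RULES):
        return "misuse"   # stage 1: matched a known-attack rule
    if min(math.dist(features(line), c) for c in cents) > radius:
        return "anomaly"  # stage 2: far from every normal-behaviour cluster
    return "normal"
```

Build the library once with build_normal_library(NORMAL_LOGS) and call classify on each incoming line; the 404 probe in TEST_LOGS matches no rule and is caught only by the anomaly stage, which is the case the second check exists for.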