OC-WAD: A one-class classifier ensemble approach for anomaly detection in web traffic

In recent years, web-based attacks have made up a substantial portion of all security attacks because web-based vulnerabilities are so common and so easy to exploit. To counter these attacks, many anomaly detection systems have been proposed that are able to detect both known and unknown attacks launched against web-based applications. However, most of them suffer from a large number of false alarms. In this paper, we address this problem by presenting OC-WAD, a novel approach to construct an ensemble of one-class SVM classifiers for anomaly detection in web traffic. OC-WAD uses a novel binary artificial bee colony algorithm, called BeeSnips, to prune the initial ensemble of one-class SVM classifiers and to find a near-optimal sub-ensemble. It is motivated by the observation that the fusion of multiple one-class classifiers can considerably decrease the false alarm rate without a significant change in the detection rate. The results of experiments carried out on a real dataset show that OC-WAD can detect web-based attacks with a high detection rate and an acceptable false alarm rate.
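The construction the abstract describes, as an added illustration that is not code from the paper or its authors: several one-class detectors are trained on normal requests only, each on its own feature subspace, their verdicts are fused by majority vote, and a search over sub-ensembles stands in for the pruning step. Everything here is assumed rather than taken from the paper: the four query-string features, the simple min/max range detector that replaces the one-class SVM, the strict-majority fusion rule, the exhaustive subset search that replaces BeeSnips, and the constructed training and evaluation traffic (the anomalous samples are illustrative shapes, not real payloads). The pruning search also reuses the evaluation set for brevity; in practice it would run on a separate validation set.

```python
"""Added illustration (not OC-WAD code): a one-class classifier ensemble for
web-request anomaly detection with majority-vote fusion and an exhaustive
sub-ensemble search standing in for the paper's BeeSnips pruning."""
from itertools import combinations


def features(query: str) -> dict:
    """Assumed feature set: four simple statistics of a URL query string."""
    pairs = query.split("&")
    values = [p.split("=", 1)[1] if "=" in p else "" for p in pairs]
    return {
        "length": len(query),
        "params": len(pairs),
        "special": sum(1 for c in query if not (c.isalnum() or c in "=&")),
        "maxval": max(len(v) for v in values),
    }


class RangeDetector:
    """One-class detector (stand-in for a one-class SVM): learns the [min, max]
    envelope of each feature in its subspace from normal requests only and
    flags any request that falls outside it."""

    def __init__(self, subspace):
        self.name = "+".join(subspace)
        self.subspace = tuple(subspace)
        self.bounds = {}

    def fit(self, normal_queries):
        rows = [features(q) for q in normal_queries]
        for f in self.subspace:
            col = [r[f] for r in rows]
            self.bounds[f] = (min(col), max(col))
        return self

    def is_anomalous(self, query: str) -> bool:
        x = features(query)
        return any(x[f] < lo or x[f] > hi for f, (lo, hi) in self.bounds.items())


def fused_verdict(members, query: str) -> bool:
    """Strict majority vote: anomalous only if more than half the members agree."""
    votes = sum(m.is_anomalous(query) for m in members)
    return votes >= len(members) // 2 + 1


def evaluate(members, normal, attacks):
    """Return (detection_rate, false_alarm_rate) of the fused ensemble."""
    false_alarms = sum(fused_verdict(members, q) for q in normal)
    detections = sum(fused_verdict(members, q) for q in attacks)
    return detections / len(attacks), false_alarms / len(normal)


def prune(members, normal, attacks):
    """Exhaustive stand-in for the BeeSnips search: choose the sub-ensemble
    maximising detection rate minus false-alarm rate, smallest on ties."""
    best, best_key = None, None
    for k in range(1, len(members) + 1):
        for subset in combinations(members, k):
            dr, far = evaluate(subset, normal, attacks)
            key = (dr - far, -len(subset))
            if best_key is None or key > best_key:
                best, best_key = subset, key
    return best


# Constructed sample traffic (not the paper's dataset).
TRAIN_NORMAL = [
    "id=42&page=3", "user=alice&lang=en", "q=laptop&sort=price",
    "id=7&view=full", "user=bob&lang=fr", "q=phone&sort=name&page=2",
]
TEST_NORMAL = [
    "id=19&page=2", "user=carol&lang=de&page=1",
    "q=camera&sort=price", "id=88&view=compact",
]
# Constructed anomalies: an oversized value, unusual characters, and
# parameter flooding; illustrative shapes only, not real attack payloads.
TEST_ATTACK = [
    "q=" + "A" * 300,
    "id=42&page=<<<<>>>>",
    "&".join(f"id={i}" for i in range(1, 8)),
]
# One single-feature subspace per member, in the spirit of random subspaces.
SUBSPACES = [("length",), ("params",), ("special",), ("maxval",)]


def run() -> dict:
    """Compare each member, the full ensemble, and the pruned sub-ensemble."""
    members = [RangeDetector(s).fit(TRAIN_NORMAL) for s in SUBSPACES]
    report = {m.name: evaluate([m], TEST_NORMAL, TEST_ATTACK) for m in members}
    report["ensemble"] = evaluate(members, TEST_NORMAL, TEST_ATTACK)
    pruned = prune(members, TEST_NORMAL, TEST_ATTACK)
    report["pruned"] = (tuple(m.name for m in pruned),
                        evaluate(pruned, TEST_NORMAL, TEST_ATTACK))
    return report


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

On this constructed traffic the length and maxval members each raise a false alarm on a normal request, the full four-member ensemble fuses those away at the cost of missing one anomaly, and the subset search recovers full detection with a three-member sub-ensemble. Real one-class SVMs on richer features behave differently in detail, but the measurement loop (per-member rates, fused rates, searched sub-ensemble) is the part worth reusing.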
