ADAM: Web anomaly detection assistant based on feature matrix

Sungdeok Cha; Junsup Lee; Sangrok Kim; Sanghyun Cho

doi:10.1109/QSIC.2009.24

ADAM: Web anomaly detection assistant based on feature matrix

Sungdeok Cha, Junsup Lee, Sangrok Kim, Sanghyun Cho

Department of Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

Abstract

Importance of web security cannot be overemphasized in the era of web-based economy. Although anomaly detection has long been considered a promising alternative to signature-based misuse detection technique, most studies to date used either small scale or artificially generated attack data. In this paper, based on security analysis applied on anonymous www.microsoft.com log of about 250GB, we propose Anomaly Feature Matrix (AFM) as an effective framework to characterize anomalies. Feature selection of AFM is based on the characteristics of well-known (e.g., DDoS) attacks as well as patterns of anomalous logs found in the Microsoft data. Independent security analysis performed on the same data by Microsoft security engineers concluded that 1) We did not miss any major attacks; and 2) AFM is a general enough framework to characterize likely web attacks. In order to assist AFM-based anomaly analysis in large organizations, we implemented an interactive and visual analysis tool named ADAM (Anomaly Detection Assistant based on feature Matrix). Integrated with mapping software such as Virtual Earth, ADAM enables efficient and focused security analysis on web logs.

Original language	English
Title of host publication	QSIC 2009 - Proceedings of the 9th International Conference on Quality Software
Pages	123-128
Number of pages	6
DOIs	https://doi.org/10.1109/QSIC.2009.24
Publication status	Published - 2009
Event	9th International Conference on Quality Software, QSIC 2009 - Jeju, Korea, Republic of Duration: 2009 Aug 24 → 2009 Aug 25

Publication series

Name	Proceedings - International Conference on Quality Software
ISSN (Print)	1550-6002

Other

Other	9th International Conference on Quality Software, QSIC 2009
Country	Korea, Republic of
City	Jeju
Period	09/8/24 → 09/8/25

Keywords

Anomaly detection
Network security
Web data mining
Web security

ASJC Scopus subject areas

Engineering(all)

Access to Document

10.1109/QSIC.2009.24

Fingerprint Dive into the research topics of 'ADAM: Web anomaly detection assistant based on feature matrix'. Together they form a unique fingerprint.

Cite this

ADAM : Web anomaly detection assistant based on feature matrix. / Cha, Sungdeok; Lee, Junsup; Kim, Sangrok; Cho, Sanghyun.

QSIC 2009 - Proceedings of the 9th International Conference on Quality Software. 2009. p. 123-128 5381495 (Proceedings - International Conference on Quality Software).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Cha, S, Lee, J, Kim, S & Cho, S 2009, ADAM: Web anomaly detection assistant based on feature matrix. in QSIC 2009 - Proceedings of the 9th International Conference on Quality Software., 5381495, Proceedings - International Conference on Quality Software, pp. 123-128, 9th International Conference on Quality Software, QSIC 2009, Jeju, Korea, Republic of, 09/8/24. https://doi.org/10.1109/QSIC.2009.24

@inproceedings{c8bb669f01004b3996ab6123bfbf1c6a,

title = "ADAM: Web anomaly detection assistant based on feature matrix",

abstract = "Importance of web security cannot be overemphasized in the era of web-based economy. Although anomaly detection has long been considered a promising alternative to signature-based misuse detection technique, most studies to date used either small scale or artificially generated attack data. In this paper, based on security analysis applied on anonymous www.microsoft.com log of about 250GB, we propose Anomaly Feature Matrix (AFM) as an effective framework to characterize anomalies. Feature selection of AFM is based on the characteristics of well-known (e.g., DDoS) attacks as well as patterns of anomalous logs found in the Microsoft data. Independent security analysis performed on the same data by Microsoft security engineers concluded that 1) We did not miss any major attacks; and 2) AFM is a general enough framework to characterize likely web attacks. In order to assist AFM-based anomaly analysis in large organizations, we implemented an interactive and visual analysis tool named ADAM (Anomaly Detection Assistant based on feature Matrix). Integrated with mapping software such as Virtual Earth, ADAM enables efficient and focused security analysis on web logs.",

keywords = "Anomaly detection, Network security, Web data mining, Web security",

author = "Sungdeok Cha and Junsup Lee and Sangrok Kim and Sanghyun Cho",

year = "2009",

doi = "10.1109/QSIC.2009.24",

language = "English",

isbn = "9780769538280",

series = "Proceedings - International Conference on Quality Software",

pages = "123--128",

booktitle = "QSIC 2009 - Proceedings of the 9th International Conference on Quality Software",

note = "9th International Conference on Quality Software, QSIC 2009 ; Conference date: 24-08-2009 Through 25-08-2009",

}

TY - GEN

T1 - ADAM

T2 - 9th International Conference on Quality Software, QSIC 2009

AU - Cha, Sungdeok

AU - Lee, Junsup

AU - Kim, Sangrok

AU - Cho, Sanghyun

PY - 2009

Y1 - 2009

N2 - Importance of web security cannot be overemphasized in the era of web-based economy. Although anomaly detection has long been considered a promising alternative to signature-based misuse detection technique, most studies to date used either small scale or artificially generated attack data. In this paper, based on security analysis applied on anonymous www.microsoft.com log of about 250GB, we propose Anomaly Feature Matrix (AFM) as an effective framework to characterize anomalies. Feature selection of AFM is based on the characteristics of well-known (e.g., DDoS) attacks as well as patterns of anomalous logs found in the Microsoft data. Independent security analysis performed on the same data by Microsoft security engineers concluded that 1) We did not miss any major attacks; and 2) AFM is a general enough framework to characterize likely web attacks. In order to assist AFM-based anomaly analysis in large organizations, we implemented an interactive and visual analysis tool named ADAM (Anomaly Detection Assistant based on feature Matrix). Integrated with mapping software such as Virtual Earth, ADAM enables efficient and focused security analysis on web logs.

AB - Importance of web security cannot be overemphasized in the era of web-based economy. Although anomaly detection has long been considered a promising alternative to signature-based misuse detection technique, most studies to date used either small scale or artificially generated attack data. In this paper, based on security analysis applied on anonymous www.microsoft.com log of about 250GB, we propose Anomaly Feature Matrix (AFM) as an effective framework to characterize anomalies. Feature selection of AFM is based on the characteristics of well-known (e.g., DDoS) attacks as well as patterns of anomalous logs found in the Microsoft data. Independent security analysis performed on the same data by Microsoft security engineers concluded that 1) We did not miss any major attacks; and 2) AFM is a general enough framework to characterize likely web attacks. In order to assist AFM-based anomaly analysis in large organizations, we implemented an interactive and visual analysis tool named ADAM (Anomaly Detection Assistant based on feature Matrix). Integrated with mapping software such as Virtual Earth, ADAM enables efficient and focused security analysis on web logs.

KW - Anomaly detection

KW - Network security

KW - Web data mining

KW - Web security

UR - http://www.scopus.com/inward/record.url?scp=77950617700&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77950617700&partnerID=8YFLogxK

U2 - 10.1109/QSIC.2009.24

DO - 10.1109/QSIC.2009.24

M3 - Conference contribution

AN - SCOPUS:77950617700

SN - 9780769538280

T3 - Proceedings - International Conference on Quality Software

SP - 123

EP - 128

BT - QSIC 2009 - Proceedings of the 9th International Conference on Quality Software

Y2 - 24 August 2009 through 25 August 2009

ER -