TY - GEN
T1 - ADAM
T2 - 9th International Conference on Quality Software, QSIC 2009
AU - Cha, Sungdeok
AU - Lee, Junsup
AU - Kim, Sangrok
AU - Cho, Sanghyun
PY - 2009
Y1 - 2009
N2 - The importance of web security cannot be overemphasized in the era of the web-based economy. Although anomaly detection has long been considered a promising alternative to signature-based misuse detection techniques, most studies to date have used either small-scale or artificially generated attack data. In this paper, based on a security analysis of an anonymized www.microsoft.com log of about 250GB, we propose the Anomaly Feature Matrix (AFM) as an effective framework for characterizing anomalies. Feature selection for the AFM is based on the characteristics of well-known attacks (e.g., DDoS) as well as on patterns of anomalous log entries found in the Microsoft data. An independent security analysis performed on the same data by Microsoft security engineers concluded that 1) we did not miss any major attacks, and 2) the AFM is a general enough framework to characterize likely web attacks. To assist AFM-based anomaly analysis in large organizations, we implemented an interactive, visual analysis tool named ADAM (Anomaly Detection Assistant based on feature Matrix). Integrated with mapping software such as Virtual Earth, ADAM enables efficient and focused security analysis of web logs.
KW - Anomaly detection
KW - Network security
KW - Web data mining
KW - Web security
UR - http://www.scopus.com/inward/record.url?scp=77950617700&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77950617700&partnerID=8YFLogxK
U2 - 10.1109/QSIC.2009.24
DO - 10.1109/QSIC.2009.24
M3 - Conference contribution
AN - SCOPUS:77950617700
SN - 9780769538280
T3 - Proceedings - International Conference on Quality Software
SP - 123
EP - 128
BT - QSIC 2009 - Proceedings of the 9th International Conference on Quality Software
Y2 - 24 August 2009 through 25 August 2009
ER -