SAD: Web session anomaly detection based on parameter estimation

Sanghyun Cho; Sungdeok Cha

doi:10.1016/j.cose.2004.01.006

SAD: Web session anomaly detection based on parameter estimation

Sanghyun Cho, Sungdeok Cha

Research output: Contribution to journal › Article

52 Citations (Scopus)

Abstract

Web attacks are too numerous in numbers and serious in potential consequences for modern society to tolerate. Unfortunately, current generation signature-based intrusion detection systems (IDS) are inadequate, and security techniques such as firewalls or access control mechanisms do not work well when trying to secure web services. In this paper, we empirically demonstrate that the Bayesian parameter estimation method is effective in analyzing web logs and detecting anomalous sessions. When web attacks were simulated with Whisker software, Snort, a well-known IDS based on misuse detection, caught only slightly more than one third of web attacks. Our technique, session anomaly detection (SAD), on the other hand, detected nearly all such attacks without having to rely on attack signatures at all. SAD works by first developing normal usage profile and comparing the web logs, as they are generated, against the expected frequencies. Our research indicates that SAD has the potential of detecting previously unknown web attacks and that the proposed approach would play a key role in developing an integrated environment to provide secure and reliable web services.

Original language	English
Pages (from-to)	312-319
Number of pages	8
Journal	Computers and Security
Volume	23
Issue number	4
DOIs	https://doi.org/10.1016/j.cose.2004.01.006
Publication status	Published - 2004 Jun 1
Externally published	Yes

Fingerprint

Intrusion detection

Parameter estimation

Web services

Access control

Society

software

Keywords

Anomaly detection
Computer security
Intrusion detection
Machine learning
Parameter estimation
Web attacks

ASJC Scopus subject areas

Computer Science(all)

Cite this

Cho, S., & Cha, S. (2004). SAD: Web session anomaly detection based on parameter estimation. Computers and Security, 23(4), 312-319. https://doi.org/10.1016/j.cose.2004.01.006

SAD : Web session anomaly detection based on parameter estimation. / Cho, Sanghyun; Cha, Sungdeok.

In: Computers and Security, Vol. 23, No. 4, 01.06.2004, p. 312-319.

Research output: Contribution to journal › Article

Cho, S & Cha, S 2004, 'SAD: Web session anomaly detection based on parameter estimation', Computers and Security, vol. 23, no. 4, pp. 312-319. https://doi.org/10.1016/j.cose.2004.01.006

Cho S, Cha S. SAD: Web session anomaly detection based on parameter estimation. Computers and Security. 2004 Jun 1;23(4):312-319. https://doi.org/10.1016/j.cose.2004.01.006

Cho, Sanghyun ; Cha, Sungdeok. / SAD : Web session anomaly detection based on parameter estimation. In: Computers and Security. 2004 ; Vol. 23, No. 4. pp. 312-319.

@article{52c8325dc1074258bc18987042c9fe84,

title = "SAD: Web session anomaly detection based on parameter estimation",

abstract = "Web attacks are too numerous in numbers and serious in potential consequences for modern society to tolerate. Unfortunately, current generation signature-based intrusion detection systems (IDS) are inadequate, and security techniques such as firewalls or access control mechanisms do not work well when trying to secure web services. In this paper, we empirically demonstrate that the Bayesian parameter estimation method is effective in analyzing web logs and detecting anomalous sessions. When web attacks were simulated with Whisker software, Snort, a well-known IDS based on misuse detection, caught only slightly more than one third of web attacks. Our technique, session anomaly detection (SAD), on the other hand, detected nearly all such attacks without having to rely on attack signatures at all. SAD works by first developing normal usage profile and comparing the web logs, as they are generated, against the expected frequencies. Our research indicates that SAD has the potential of detecting previously unknown web attacks and that the proposed approach would play a key role in developing an integrated environment to provide secure and reliable web services.",

keywords = "Anomaly detection, Computer security, Intrusion detection, Machine learning, Parameter estimation, Web attacks",

author = "Sanghyun Cho and Sungdeok Cha",

year = "2004",

month = "6",

day = "1",

doi = "10.1016/j.cose.2004.01.006",

language = "English",

volume = "23",

pages = "312--319",

journal = "Computers and Security",

issn = "0167-4048",

publisher = "Elsevier Limited",

number = "4",

}

TY - JOUR

T1 - SAD

T2 - Web session anomaly detection based on parameter estimation

AU - Cho, Sanghyun

AU - Cha, Sungdeok

PY - 2004/6/1

Y1 - 2004/6/1

N2 - Web attacks are too numerous in numbers and serious in potential consequences for modern society to tolerate. Unfortunately, current generation signature-based intrusion detection systems (IDS) are inadequate, and security techniques such as firewalls or access control mechanisms do not work well when trying to secure web services. In this paper, we empirically demonstrate that the Bayesian parameter estimation method is effective in analyzing web logs and detecting anomalous sessions. When web attacks were simulated with Whisker software, Snort, a well-known IDS based on misuse detection, caught only slightly more than one third of web attacks. Our technique, session anomaly detection (SAD), on the other hand, detected nearly all such attacks without having to rely on attack signatures at all. SAD works by first developing normal usage profile and comparing the web logs, as they are generated, against the expected frequencies. Our research indicates that SAD has the potential of detecting previously unknown web attacks and that the proposed approach would play a key role in developing an integrated environment to provide secure and reliable web services.

AB - Web attacks are too numerous in numbers and serious in potential consequences for modern society to tolerate. Unfortunately, current generation signature-based intrusion detection systems (IDS) are inadequate, and security techniques such as firewalls or access control mechanisms do not work well when trying to secure web services. In this paper, we empirically demonstrate that the Bayesian parameter estimation method is effective in analyzing web logs and detecting anomalous sessions. When web attacks were simulated with Whisker software, Snort, a well-known IDS based on misuse detection, caught only slightly more than one third of web attacks. Our technique, session anomaly detection (SAD), on the other hand, detected nearly all such attacks without having to rely on attack signatures at all. SAD works by first developing normal usage profile and comparing the web logs, as they are generated, against the expected frequencies. Our research indicates that SAD has the potential of detecting previously unknown web attacks and that the proposed approach would play a key role in developing an integrated environment to provide secure and reliable web services.

KW - Anomaly detection

KW - Computer security

KW - Intrusion detection

KW - Machine learning

KW - Parameter estimation

KW - Web attacks

UR - http://www.scopus.com/inward/record.url?scp=2942533003&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=2942533003&partnerID=8YFLogxK

U2 - 10.1016/j.cose.2004.01.006

DO - 10.1016/j.cose.2004.01.006

M3 - Article

AN - SCOPUS:2942533003

VL - 23

SP - 312

EP - 319

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

IS - 4

ER -

Access to Document

10.1016/j.cose.2004.01.006