TY - JOUR
T1 - SAD
T2 - Web session anomaly detection based on parameter estimation
AU - Cho, Sanghyun
AU - Cha, Sungdeok
N1 - Funding Information:
This work was partially supported by the Korea Science and Engineering Foundation (KOSEF) through the Advanced Information Technology Research Center (AITrc), Software Process Improvement Center (SPIC) and by Internet Intrusion Response Technology Research Center (IIRTRC).
PY - 2004/6
Y1 - 2004/6
N2 - Web attacks are too numerous in number and too serious in potential consequences for modern society to tolerate. Unfortunately, current-generation signature-based intrusion detection systems (IDS) are inadequate, and security techniques such as firewalls or access control mechanisms do not work well when trying to secure web services. In this paper, we empirically demonstrate that the Bayesian parameter estimation method is effective in analyzing web logs and detecting anomalous sessions. When web attacks were simulated with Whisker software, Snort, a well-known IDS based on misuse detection, caught only slightly more than one third of the web attacks. Our technique, session anomaly detection (SAD), on the other hand, detected nearly all such attacks without having to rely on attack signatures at all. SAD works by first developing a normal usage profile and then comparing the web logs, as they are generated, against the expected frequencies. Our research indicates that SAD has the potential to detect previously unknown web attacks and that the proposed approach would play a key role in developing an integrated environment to provide secure and reliable web services.
AB - Web attacks are too numerous in number and too serious in potential consequences for modern society to tolerate. Unfortunately, current-generation signature-based intrusion detection systems (IDS) are inadequate, and security techniques such as firewalls or access control mechanisms do not work well when trying to secure web services. In this paper, we empirically demonstrate that the Bayesian parameter estimation method is effective in analyzing web logs and detecting anomalous sessions. When web attacks were simulated with Whisker software, Snort, a well-known IDS based on misuse detection, caught only slightly more than one third of the web attacks. Our technique, session anomaly detection (SAD), on the other hand, detected nearly all such attacks without having to rely on attack signatures at all. SAD works by first developing a normal usage profile and then comparing the web logs, as they are generated, against the expected frequencies. Our research indicates that SAD has the potential to detect previously unknown web attacks and that the proposed approach would play a key role in developing an integrated environment to provide secure and reliable web services.
KW - Anomaly detection
KW - Computer security
KW - Intrusion detection
KW - Machine learning
KW - Parameter estimation
KW - Web attacks
UR - http://www.scopus.com/inward/record.url?scp=2942533003&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2004.01.006
DO - 10.1016/j.cose.2004.01.006
M3 - Article
AN - SCOPUS:2942533003
VL - 23
SP - 312
EP - 319
JO - Computers and Security
JF - Computers and Security
SN - 0167-4048
IS - 4
ER -