A Novel Framework for Active Detection of HTTP Based Attacks
Web application vulnerabilities represent a substantial portion of the security exposures of computer networks. Considering HTTP protocol is stateless, we explore the effectiveness of HTTP-session model to effectively describe http behavior. Based on the HTTP-session model and the analysis of http attack behavior, we present a novel framework to actively detect http attacks. Our method takes http requests as input and calculates anomalous probability for each session attribute and for the session as a whole as output. All the probabilities are weighted and summed up to produce final probability, and this probability is used to decide whether http session is attack or not. We demonstrate the effectiveness of the proposed methods via simulation studies using real-world web access logs. Experiments prove that our detection framework achieves high detection rates under very few false positives.
KeywordsHTTP-session anomaly detection http attacks
Unable to display preview. Download preview PDF.
- 1.Chen, M., Park, J., Yu, P.: Data mining for path traversal patterns in a web environment. In: ICDCS (1996)Google Scholar
- 2.Liu, H., Kešelj, V.: Combined mining of Web server logs and web contents for classifying user navigation patterns and predicting users’ future requests. Data & Knowledge Engineering (2007)Google Scholar
- 3.Srikant, R., Yang, Y.: Mining web logs to improve website organization. In: International Conference on World Wide Web (2001)Google Scholar
- 5.Kruegel, C., Vigna, G.: Anomaly detection of web based attacks. In: Proceedings of the 10th ACM conference on Computer and communications security, pp. 251–261 (2003)Google Scholar
- 6.Kruegel, C., Vigna, G., Robertson, W.: A Multi-model Approach to the Detection of Web-based Attacks. Journal of Computer Networks 48(5) (2005)Google Scholar
- 8.Kantardzic, M.: Data Mining Concepts, Models, Methods and Algorithm. IEEE Press, New York (2002)Google Scholar
- 9.Yatagai, T., Isohara, T., Sasase, I.: Detection of HTTP-GET flood Attack Based on Analysis of Page Access Behavior. In: Proceedings of the 2007 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, Victoria, Canada, pp. 232–235 (2007)Google Scholar