Abstract
With the number of data breaches on the rise, effective and efficient detection of anomalous activity in applications that manage data is critical. In this paper, we introduce a novel approach to improving attack detection at the application layer by modeling a user session as a sequence of events instead of analyzing every single event in isolation. We also argue that combining application access logs with the corresponding data access logs into unified logs eliminates the need to analyze them separately, resulting in a more efficient and accurate system. We evaluate several methods, namely conditional random fields, support vector machines, decision trees and naive Bayes, and experimental results show that our approach based on conditional random fields is feasible and can detect attacks at an early stage even when they are disguised within normal events.
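The two ideas in the abstract, merging application-access and data-access logs into one per-session event sequence and then judging the sequence rather than each event on its own, can be illustrated with a small added example. This is not the paper's code or dataset: the log lines, session ids, request paths and table names are all constructed, and a first-order event-transition model learned from normal sessions stands in for the paper's conditional random field. The point it demonstrates is that an event that is perfectly common in isolation (a read of the users table) is still suspicious when it appears in a position no normal session produces.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# --- Constructed sample logs (illustrative, not from the paper's dataset) ---
# Application access log: (timestamp, session_id, request)
APP_LOG = [
    (1, "s1", "GET /login"), (3, "s1", "GET /product"), (5, "s1", "POST /checkout"),
    (1, "s2", "GET /login"), (3, "s2", "GET /product"), (5, "s2", "POST /checkout"),
    (1, "s3", "GET /login"), (3, "s3", "GET /product"), (5, "s3", "GET /product"),
    (7, "s3", "POST /checkout"),
    # s9: every application event below is individually common
    (1, "s9", "GET /login"), (3, "s9", "GET /product"), (6, "s9", "POST /checkout"),
]
# Data access log: (timestamp, session_id, sql_verb, table)
DATA_LOG = [
    (2, "s1", "SELECT", "users"), (4, "s1", "SELECT", "products"), (6, "s1", "INSERT", "orders"),
    (2, "s2", "SELECT", "users"), (4, "s2", "SELECT", "products"), (6, "s2", "INSERT", "orders"),
    (2, "s3", "SELECT", "users"), (4, "s3", "SELECT", "products"), (6, "s3", "SELECT", "products"),
    (8, "s3", "INSERT", "orders"),
    (2, "s9", "SELECT", "users"), (4, "s9", "SELECT", "products"),
    (5, "s9", "SELECT", "users"),   # a users read right after the product page: unusual in context
    (7, "s9", "INSERT", "orders"),
]
NORMAL_SESSIONS = {"s1", "s2", "s3"}   # constructed training set of benign sessions


def unify(app_log, data_log) -> Dict[str, List[str]]:
    """Merge both logs into one time-ordered event sequence per session.
    Requests become 'APP:<request>' and data accesses 'DB:<verb>:<table>',
    so a single model sees both layers of a session at once."""
    per_session: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, sid, request in app_log:
        per_session[sid].append((ts, f"APP:{request}"))
    for ts, sid, verb, table in data_log:
        per_session[sid].append((ts, f"DB:{verb}:{table}"))
    return {sid: [ev for _, ev in sorted(evs)] for sid, evs in per_session.items()}


class TransitionModel:
    """First-order event-transition model learned from normal sessions.
    A deliberately simple stand-in for the paper's CRF: it only learns which
    event may follow which, yet that is enough to show what sequence context adds."""
    START = "<s>"

    def __init__(self) -> None:
        self.transitions: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        self.vocab: set = set()

    def fit(self, sessions: List[List[str]]) -> None:
        for seq in sessions:
            prev = self.START
            for ev in seq:
                self.transitions[prev][ev] += 1
                self.vocab.add(ev)
                prev = ev

    def transition_prob(self, prev: str, ev: str) -> float:
        # Add-one smoothing so an unseen transition gets a small nonzero probability
        row = self.transitions.get(prev, {})
        total = sum(row.values())
        return (row.get(ev, 0) + 1) / (total + len(self.vocab) + 1)

    def unseen_events(self, seq: List[str]) -> List[str]:
        """What context-free, per-event analysis would flag: events never seen in training."""
        return [ev for ev in seq if ev not in self.vocab]

    def unseen_transitions(self, seq: List[str]) -> List[Tuple[int, str, str]]:
        """Transitions never observed in a normal session, with the index of the offending event."""
        flagged, prev = [], self.START
        for i, ev in enumerate(seq):
            if self.transitions.get(prev, {}).get(ev, 0) == 0:
                flagged.append((i, prev, ev))
            prev = ev
        return flagged

    def surprise(self, seq: List[str]) -> float:
        """Average negative log transition probability; higher means more anomalous."""
        prev, nll = self.START, 0.0
        for ev in seq:
            nll -= math.log(self.transition_prob(prev, ev))
            prev = ev
        return nll / max(len(seq), 1)


def run_demo() -> Dict[str, dict]:
    """Train on the benign sessions and score every session, returning the results."""
    sessions = unify(APP_LOG, DATA_LOG)
    model = TransitionModel()
    model.fit([sessions[s] for s in sorted(NORMAL_SESSIONS)])
    return {
        sid: {
            "unseen_events": model.unseen_events(seq),
            "unseen_transitions": model.unseen_transitions(seq),
            "surprise": round(model.surprise(seq), 3),
        }
        for sid, seq in sessions.items()
    }


if __name__ == "__main__":
    for sid, result in run_demo().items():
        print(sid, result)
```

Running it shows that session s9 contains no event the model has never seen, so per-event analysis has nothing to report, whereas the transition view flags the users read at position 4 and the checkout that follows it, and gives s9 a markedly higher surprise than the benign sessions. The early-detection claim in the abstract corresponds to the first flagged index: a sequential model can raise the alarm at that event rather than waiting for the session to end.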
Keywords
- Support Vector Machine
- Intrusion Detection
- Intrusion Detection System
- Conditional Random Field
- Attack Detection
© 2008 IFIP International Federation for Information Processing
Cite this paper
Gupta, K.K., Nath, B., Ramamohanarao, K. (2008). User Session Modeling for Effective Application Intrusion Detection. In: Jajodia, S., Samarati, P., Cimato, S. (eds) Proceedings of The Ifip Tc 11 23rd International Information Security Conference. SEC 2008. IFIP – The International Federation for Information Processing, vol 278. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09699-5_18
DOI: https://doi.org/10.1007/978-0-387-09699-5_18
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-09698-8
Online ISBN: 978-0-387-09699-5