ADAM: Web anomaly detection assistant based on feature matrix

Sungdeok Cha, Junsup Lee, Sangrok Kim, Sanghyun Cho

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Citations (Scopus)


Importance of web security cannot be overemphasized in the era of web-based economy. Although anomaly detection has long been considered a promising alternative to signature-based misuse detection technique, most studies to date used either small scale or artificially generated attack data. In this paper, based on security analysis applied on anonymous log of about 250GB, we propose Anomaly Feature Matrix (AFM) as an effective framework to characterize anomalies. Feature selection of AFM is based on the characteristics of well-known (e.g., DDoS) attacks as well as patterns of anomalous logs found in the Microsoft data. Independent security analysis performed on the same data by Microsoft security engineers concluded that 1) We did not miss any major attacks; and 2) AFM is a general enough framework to characterize likely web attacks. In order to assist AFM-based anomaly analysis in large organizations, we implemented an interactive and visual analysis tool named ADAM (Anomaly Detection Assistant based on feature Matrix). Integrated with mapping software such as Virtual Earth, ADAM enables efficient and focused security analysis on web logs.

Original languageEnglish
Title of host publicationQSIC 2009 - Proceedings of the 9th International Conference on Quality Software
Number of pages6
Publication statusPublished - 2009
Event9th International Conference on Quality Software, QSIC 2009 - Jeju, Korea, Republic of
Duration: 2009 Aug 242009 Aug 25

Publication series

NameProceedings - International Conference on Quality Software
ISSN (Print)1550-6002


Other9th International Conference on Quality Software, QSIC 2009
Country/TerritoryKorea, Republic of


  • Anomaly detection
  • Network security
  • Web data mining
  • Web security

ASJC Scopus subject areas

  • Engineering(all)


Dive into the research topics of 'ADAM: Web anomaly detection assistant based on feature matrix'. Together they form a unique fingerprint.

Cite this