SAD: Web session anomaly detection based on parameter estimation

Sanghyun Cho, Sungdeok Cha

Research output: Contribution to journalArticlepeer-review

63 Citations (Scopus)

Abstract

Web attacks are too numerous in numbers and serious in potential consequences for modern society to tolerate. Unfortunately, current generation signature-based intrusion detection systems (IDS) are inadequate, and security techniques such as firewalls or access control mechanisms do not work well when trying to secure web services. In this paper, we empirically demonstrate that the Bayesian parameter estimation method is effective in analyzing web logs and detecting anomalous sessions. When web attacks were simulated with Whisker software, Snort, a well-known IDS based on misuse detection, caught only slightly more than one third of web attacks. Our technique, session anomaly detection (SAD), on the other hand, detected nearly all such attacks without having to rely on attack signatures at all. SAD works by first developing normal usage profile and comparing the web logs, as they are generated, against the expected frequencies. Our research indicates that SAD has the potential of detecting previously unknown web attacks and that the proposed approach would play a key role in developing an integrated environment to provide secure and reliable web services.

Original languageEnglish
Pages (from-to)312-319
Number of pages8
JournalComputers and Security
Volume23
Issue number4
DOIs
Publication statusPublished - 2004 Jun
Externally publishedYes

Bibliographical note

Funding Information:
This work was partially supported by the Korea Science and Engineering Foundation (KOSEF) through the Advanced Information Technology Research Center (AITrc), Software Process Improvement Center (SPIC) and by Internet Intrusion Response Technology Research Center (IIRTRC).

Keywords

  • Anomaly detection
  • Computer security
  • Intrusion detection
  • Machine learning
  • Parameter estimation
  • Web attacks

ASJC Scopus subject areas

  • General Computer Science
  • Law

Fingerprint

Dive into the research topics of 'SAD: Web session anomaly detection based on parameter estimation'. Together they form a unique fingerprint.

Cite this