An Anomaly Detection Method Based on Multi-models to Detect Web Attacks

Zhang, Ming; Lu, Shuaibing; Xu, Boyi

doi:10.1109/iscid.2017.223

Cited by 12 publications

(5 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Combining different classification algorithms is common: Wang and Zhang [103] introduced Information Gain based attribute selection, and then K-NN and OCSVM were used to detect anomalies. Zhang, Lu and Xu [63] propose a multi-model approach: First, the web request is partitioned into 7 fields: method, web resource, HTTP version, headers and headers inputs values are inspected by a probability distribution model, attribute sequence is inspected by HMM and attribute value is inspected by OCSVM. If one of the algorithms detects the request as anomalous, it is classified as anomalous.…”

Section: Discussionmentioning

confidence: 99%

Prevention and Fighting against Web Attacks through Anomaly Detection Technology. A Systematic Review

Riera

Higuera

et al. 2020

Sustainability

View full text Add to dashboard Cite

Numerous techniques have been developed in order to prevent attacks on web servers. Anomaly detection techniques are based on models of normal user and application behavior, interpreting deviations from the established pattern as indications of malicious activity. In this work, a systematic review of the use of anomaly detection techniques in the prevention and detection of web attacks is undertaken; in particular, we used the standardized method of a systematic review of literature in the field of computer science, proposed by Kitchenham. This method is applied to a set of 88 papers extracted from a total of 8041 reviewed papers, which have been published in notable journals. This paper discusses the process carried out in this systematic review, as well as the results and findings obtained to identify the current state of the art of web anomaly detection.

show abstract

Section: Discussionmentioning

confidence: 99%

Prevention and Fighting against Web Attacks through Anomaly Detection Technology. A Systematic Review

Riera

Higuera

et al. 2020

Sustainability

View full text Add to dashboard Cite

show abstract

“…Each model trained on a dataset contains normal requests only and is evaluated by using two datasets: Wikipedia access traces [22] and FuzzDB [23]. Using a multimodel-based method takes advantage of all models in it, by this method, the authors mitigated false positive issue significantly [24].…”

Section: Related Workmentioning

confidence: 99%

Web Application Firewall Using Machine Learning and Features Engineering

Shaheed

Kurdy

2022

Security and Communication Networks

View full text Add to dashboard Cite

Web application security has become a major requirement for any business, especially with the wide web attacks spreading despite the defensive measures and the continuous development of software frameworks and servers. In this study, we present a proposed model for a web application firewall that used machine learning and features engineering to detect common web attacks. Our proposed model analyses incoming requests to the webserver, parses these requests to extract four features that describe completely HTTP request parts (URL, payload, and headers), and classifies whether a request is normal or an anomaly. We took into consideration the limitation of previous works that use URL and payload only in classification and provided five features that describe and summarize all parts of the HTTP request using features engineering and previous experience in the field of the software security domain. Extracted features are length of request, percentage of characters allowed, percentage of special characters, and attack weight. These features were calculated for four different datasets CSIC 2010, HTTPParams 2015, Hybrid dataset (CSIC 2010 and HTTPParams), and real logs for the compromised web server. We evaluated our proposed model by using these updated datasets with four classification algorithms (Naive Bayes, logistic regression, decision tree, and support vector machine) with two methods (train test split and cross-validation) to negate the probability of overfitting and ensure that features are effective. Features values for a normal request are usually short request length, large allowed character ratio, small special character ratio, and zero attack weight or close to zero. Features values for anomaly requests are large request length, small allowed character percentage, large special character percentage, and very large numerically attack weight. Our proposed model achieved a classification accuracy of 99.6% with datasets used in research studies in this field and 98.8% with datasets of real web servers.

show abstract

“…The Long-short term memory model is generally used for anomaly detection and diagnosis in system logs [43]. Zhang et al [44] proposed a multi-model inspection of network request messages to identify attacks. Three machine learning models, such as probability distribution model, hidden Markov model and support vector machine model, are used to detect different fields of the network request message.…”

Section: Abnormal Network Traffic Detectionmentioning

confidence: 99%

Malware recognition approach based on self‐similarity and an improved clustering algorithm

et al. 2022

View full text Add to dashboard Cite

The recognition of malware in network traffic is an important research problem. However, existing solutions addressing this problem rely heavily on the source code and misrecognise vulnerabilities (i.e. incur a high false positive rate (FPR)) in some cases. In this paper, we initially use the K‐means clustering algorithm to extract malware patterns under user to root attacks in network traffic. Since the traditional K‐means algorithm needs to determine the number of clusters in advance and it is easily affected by the initial cluster centres, we propose an improved K‐means clustering algorithm (NIKClustering algorithm) for cluster analysis. Furthermore, we propose the use of self‐similarity and our improved clustering algorithm to recognise buffer overflow vulnerabilities for malware in network traffic. This motivates us to design and implement a recognition approach for buffer overflow vulnerabilities based on self‐similarity and our improved clustering algorithm, called Reliable Self‐Similarity with Improved K‐means Clustering (RSS‐IKClustering). Extensive experiments conducted on two different datasets demonstrate that the RSS‐IKClustering can achieve much fewer false positives than other notable approaches while increasing accuracy. We further apply our RSS‐IKClustering approach on a public dataset (Center for Applied Internet Data Analysis), which also exhibited a high accuracy and low FPR of 96% and 1.5%, respectively.

show abstract

An Anomaly Detection Method Based on Multi-models to Detect Web Attacks

Cited by 12 publications

References 6 publications

Prevention and Fighting against Web Attacks through Anomaly Detection Technology. A Systematic Review

Prevention and Fighting against Web Attacks through Anomaly Detection Technology. A Systematic Review

Web Application Firewall Using Machine Learning and Features Engineering

Malware recognition approach based on self‐similarity and an improved clustering algorithm

Contact Info

Product

Resources

About