HTTP attack detection using n-gram analysis

Oza, Aditya; Ross, Kevin; Low, Richard M.; Stamp, Mark

doi:10.1016/j.cose.2014.06.002

Cited by 30 publications

(7 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Support Vector Machines are a supervised learning methods, training a maximal margin separating hyperplane between linearly separable class data. While this can also be extended to non-linearly separable class data, we are using a linear kernel, which has shown very good results given sufficiently high-dimensional data, and specifically for protocolbased communication data [19][20][21]60]. For the MCP evaluation we are using a one-vs-rest (OVR) approach, as this includes calculating a separating hyperplane for each model class MC, which allows a confidence calibration to optimize the system precision, as explained in the next section.…”

Section: Learning Methodsmentioning

confidence: 99%

“…sequences of n arbitrary tokens. This feature representation is similar to spectrum kernels [12] and originates in the field of natural language processing [13][14][15][16], but has also been extended to network communication [17][18][19][20][21]. However, we are extending this structural feature type by including additional temporal information, and by also integrating a wider context for each token n-gram, an idea similar to the integration of additional context information as introduced in [22] for the CBOW (continuous bag of words) and Skip-gram models.…”

Section: Related Workmentioning

confidence: 99%

“…Of those methods support vector machines [50][51][52][53][54][55][56] are a well established method for feature-based sequence classification, which we are specifically interested in as we are trying to reflect the data properties by specific feature spaces. SVM approaches have shown a reliable performance, specifically when using non-sequential n-gram feature spaces for the respective sequential data, as done in the fields of natural language processing [13][14][15][16], intrusion detection [17,18], malware detection [57][58][59] and the analysis of network communication [19][20][21]60].…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Features spaces and a learning system for structural-temporal data, and their application on a use case of real-time communication network validation data

Schwenk¹,

Jochinke²,

Müller³

2020

PLoS ONE

View full text Add to dashboard Cite

The service quality and system dependability of real-time communication networks strongly depends on the analysis of monitored data, to identify concrete problems and their causes. Many of these can be described by either their structural or temporal properties, or a combination of both. As current research is short of approaches sufficiently addressing both properties simultaneously, we propose a new feature space specifically suited for this task, which we analyze for its theoretical properties and its practical relevance. We evaluate its classification performance when used on real-world data sets of structural-temporal mobile communication data, and compare it to the performance achieved of feature representations used in related work. For this purpose we propose a system which allows the automatic detection and prediction of classes of pre-defined sequence behavior, greatly reducing costs caused by the otherwise required manual analysis. With our proposed feature spaces this system achieves a precision of more than 93% at recall values of 100%, with an up to 6.7% higher effective recall than otherwise similarly performing alternatives, notably outperforming alternative deep learning, kernel learning and ensemble learning approaches of related work. Furthermore the supported system calibration allows separating reliable from unreliable predictions more effectively, which is highly relevant for any practical application.

show abstract

Section: Learning Methodsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Features spaces and a learning system for structural-temporal data, and their application on a use case of real-time communication network validation data

Schwenk¹,

Jochinke²,

Müller³

2020

PLoS ONE

View full text Add to dashboard Cite

show abstract

“…Mahalanobis distance is used to find the hidden correlation between the patterns and features. Oza et al proposed HTTP flooding attacks detection using statistical methods such as pattern counting, chi-square distance analysis, and ad-hoc distance measures and preprocessed each HTTP request by using n-gram analysis [34]. These methods take more time for the identification of traffic and also results in false positives.…”

Section: Web-based Attacksmentioning

confidence: 99%

HAP: detection of HTTP flooding attacks in cloud using diffusion map and affinity propagation clustering

Sree

Bhanu

2019

IET Information Security

View full text Add to dashboard Cite

“…In encrypted traffic environments, secure sockets layer (SSL), wired equivalent privacy WEP, or Internet protocol security (IPsec) protocols are utilised to offer better privacy and confidentiality. Previous work in detecting web-based attacks mainly focused on investigating the log/payload content [44,45]. In view that the traffic is encrypted, payload (log) is unavailable as the content is indecipherable.…”

Section: Attack On Webmentioning

confidence: 99%

A New Unified Intrusion Anomaly Detection in Identifying Unseen Web Attacks

Kamarudin

Maple

Watson

et al. 2017

Security and Communication Networks

View full text Add to dashboard Cite

The global usage of more sophisticated web-based application systems is obviously growing very rapidly. Major usage includes the storing and transporting of sensitive data over the Internet. The growth has consequently opened up a serious need for more secured network and application security protection devices. Security experts normally equip their databases with a large number of signatures to help in the detection of known web-based threats. In reality, it is almost impossible to keep updating the database with the newly identified web vulnerabilities. As such, new attacks are invisible. This research presents a novel approach of Intrusion Detection System (IDS) in detecting unknown attacks on web servers using the Unified Intrusion Anomaly Detection (UIAD) approach. The unified approach consists of three components (preprocessing, statistical analysis, and classification). Initially, the process starts with the removal of irrelevant and redundant features using a novel hybrid feature selection method. Thereafter, the process continues with the application of a statistical approach to identifying traffic abnormality. We performed Relative Percentage Ratio (RPR) coupled with Euclidean Distance Analysis (EDA) and the Chebyshev Inequality Theorem (CIT) to calculate the normality score and generate a finest threshold. Finally, Logitboost (LB) is employed alongside Random Forest (RF) as a weak classifier, with the aim of minimising the final false alarm rate. The experiment has demonstrated that our approach has successfully identified unknown attacks with greater than a 95% detection rate and less than a 1% false alarm rate for both the DARPA 1999 and the ISCX 2012 datasets.

show abstract

HTTP attack detection using n-gram analysis

Cited by 30 publications

References 15 publications

Features spaces and a learning system for structural-temporal data, and their application on a use case of real-time communication network validation data

Features spaces and a learning system for structural-temporal data, and their application on a use case of real-time communication network validation data

HAP: detection of HTTP flooding attacks in cloud using diffusion map and affinity propagation clustering

A New Unified Intrusion Anomaly Detection in Identifying Unseen Web Attacks

Contact Info

Product

Resources

About