Web attack detection using entropy-based analysis

Threepak, Thanunchai; Watcharapupong, Akkradach

doi:10.1109/icoin.2014.6799699

Cited by 15 publications

(11 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Compared with Markov model, naive Bayes not only can achieve a desirable performance but also can finish in a short running time. Inspired by the methods from and , the details are introduced in the succeeding paragraphs. Split all string data t into tokens [ t 1 , t 2 ,…, t k ] by using delimiters or marks (i.e.…”

Section: A Multi‐layers Anomaly Detection Frameworkmentioning

confidence: 99%

“…Because a string can be seen as a text, string data also can be evaluated by entropy . To achieve simplification and normalization, we utilize the same splitting methods as stated earlier, and the relative entropy learned from is defined as the final value.

E_{t} = \frac{1}{λ} \sum_{i = 1}^{N} p_{i} [l o g (λ) - l o g (p_{i})]

E_{m a x} = \frac{1}{λ} \sum_{i = 1}^{N} 1 \times [l o g (λ) - l o g (1)] = l o g (λ)

E_{r e l} = \frac{E_{t}}{E_{m a x}} \times 100

where λ and N show that λ words with N distinct ones, and p i is the number of times that the i t h word appears.…”

Section: A Multi‐layers Anomaly Detection Frameworkmentioning

confidence: 99%

“…The experiment on the single layer and multiple layers is conducted on RanPF 2. Single TCP layer is used in KDD CUP99 dataset, and only web layer is utilized in Campus dataset.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Towards a multi‐layers anomaly detection framework for analyzing network traffic

Zhang

2016

Concurrency and Computation

View full text Add to dashboard Cite

Summary Anomaly detection plays a crucial part in identifying unforeseen attacks for network and information security. However, the accuracy of existing network anomaly detection approaches is limited because of the lack of sufficient and high‐quality features. Most research works only take information from one network layer into account, which leads to a situation that some key features of other network layers are omitted. To address this issue, we propose a novel approach, named Multi‐Layers Anomaly Detection, which extracts and combines features from different network layers. In order to reduce redundancy and noise derived from the combination of multiple layers, an algorithm called RanPF is designed by applying principal components analysis (PCA) into random forest (RF) algorithm. RanPF uses features selected by PCA to decide the height of every tree in RF and provides a method to select which features for tree nodes to use according to the weights of principal components. To obtain high‐quality features, we adopt an attribute learning mechanism. Naive Bayes is used to characterize the attribute information, which is fast and simple compared with other learning algorithms such as SVM. In addition, a series of experiments conducted on two real‐life datasets demonstrate that our approach outperforms the state‐of‐the‐art methods in terms of detection rate and false alarm rate. MLAD achieves about 99% detection rate and about 0.6% false alarm rate on average when the ratio of the training set is 60%. Copyright © 2016 John Wiley & Sons, Ltd.

show abstract

Section: A Multi‐layers Anomaly Detection Frameworkmentioning

confidence: 99%

E_{t} = \frac{1}{λ} \sum_{i = 1}^{N} p_{i} [l o g (λ) - l o g (p_{i})]

E_{m a x} = \frac{1}{λ} \sum_{i = 1}^{N} 1 \times [l o g (λ) - l o g (1)] = l o g (λ)

E_{r e l} = \frac{E_{t}}{E_{m a x}} \times 100

where λ and N show that λ words with N distinct ones, and p i is the number of times that the i t h word appears.…”

Section: A Multi‐layers Anomaly Detection Frameworkmentioning

confidence: 99%

See 1 more Smart Citation

Towards a multi‐layers anomaly detection framework for analyzing network traffic

Zhang

2016

Concurrency and Computation

View full text Add to dashboard Cite

show abstract

“…A lot of research work regarding web logging and parameter inspection can be found in the literature [14], [15], [16], [17]. Investigation of anomalous activity in HTTP requests and the parameters used to pass values to server-side programs were performed in [18].…”

Section: A Related Workmentioning

confidence: 99%

Efficient tuning methodologies for a network payload anomaly inspection scheme

Edmonds

Kim

MacIntyre

et al. 2016

2016 13th IEEE Annual Consumer Communications &Amp; Networking Conference (CCNC)

View full text Add to dashboard Cite

Consumers and service providers are both becoming increasingly concerned about new, never-before-seen attacks. Anomaly-based intrusion prevention is an important part of cybersecurity, which offers the possibility of detecting some zeroday attacks. Typically, detection speed and efficacy (in terms of true and false positives) are considered in evaluating intrusion detection schemes. However, effective configuration (training and tuning) is critical for deployment of such schemes in practice. As network traffic may shift over time, the ability to perform fast reconfiguration is needed to provide the level of security necessary for future applications. We present parallel mapping and genetic algorithms-based approaches, which can be used to achieve rapid training and tuning for a highly efficient payload-based anomaly detection algorithm.

show abstract

“…The research proposed in [41] assumed that the attack patterns commonly have a level of complexity that exceeds normal access requests. This complexity is used as a benchmark in detecting attacks.…”

Section: Attack On Webmentioning

confidence: 99%

A New Unified Intrusion Anomaly Detection in Identifying Unseen Web Attacks

Kamarudin

Maple

Watson

et al. 2017

Security and Communication Networks

View full text Add to dashboard Cite

The global usage of more sophisticated web-based application systems is obviously growing very rapidly. Major usage includes the storing and transporting of sensitive data over the Internet. The growth has consequently opened up a serious need for more secured network and application security protection devices. Security experts normally equip their databases with a large number of signatures to help in the detection of known web-based threats. In reality, it is almost impossible to keep updating the database with the newly identified web vulnerabilities. As such, new attacks are invisible. This research presents a novel approach of Intrusion Detection System (IDS) in detecting unknown attacks on web servers using the Unified Intrusion Anomaly Detection (UIAD) approach. The unified approach consists of three components (preprocessing, statistical analysis, and classification). Initially, the process starts with the removal of irrelevant and redundant features using a novel hybrid feature selection method. Thereafter, the process continues with the application of a statistical approach to identifying traffic abnormality. We performed Relative Percentage Ratio (RPR) coupled with Euclidean Distance Analysis (EDA) and the Chebyshev Inequality Theorem (CIT) to calculate the normality score and generate a finest threshold. Finally, Logitboost (LB) is employed alongside Random Forest (RF) as a weak classifier, with the aim of minimising the final false alarm rate. The experiment has demonstrated that our approach has successfully identified unknown attacks with greater than a 95% detection rate and less than a 1% false alarm rate for both the DARPA 1999 and the ISCX 2012 datasets.

show abstract

Web attack detection using entropy-based analysis

Cited by 15 publications

References 9 publications

Towards a multi‐layers anomaly detection framework for analyzing network traffic

Towards a multi‐layers anomaly detection framework for analyzing network traffic

Efficient tuning methodologies for a network payload anomaly inspection scheme

A New Unified Intrusion Anomaly Detection in Identifying Unseen Web Attacks

Contact Info

Product

Resources

About