
2018 | OriginalPaper | Chapter

A Parameter-Free Method for the Detection of Web Attacks

Authors : Gonzalo de la Torre-Abaitua, Luis F. Lago-Fernández, David Arroyo

Published in: International Joint Conference SOCO’17-CISIS’17-ICEUTE’17 León, Spain, September 6–8, 2017, Proceedings

Publisher: Springer International Publishing


Abstract

Log integration is one of the most challenging concerns in current security systems. Certainly, the accurate identification of security events requires handling and merging highly heterogeneous sources of information. As a result, there is an urgent need for general codification and classification procedures that can be applied to any type of security log. This work focuses on defining such a method using the so-called Normalised Compression Distance (NCD). NCD is parameter-free and can be applied to determine the distance between events expressed as strings. On the grounds of the NCD, we propose an anomaly-based procedure for identifying web attacks from web logs. Given a web query as stored in a security log, an NCD-based feature vector is created and classified using a Support Vector Machine (SVM). The method is tested on the CSIC-2010 dataset, and the results are analysed with respect to similar proposals.
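The pipeline the abstract describes, as an added example that is not code from the paper: NCD computed with zlib as the compressor, a feature vector of distances from a logged request to a set of labelled reference requests, and a nearest-reference decision standing in for the paper's SVM so the example runs without dependencies. All request strings and labels below are constructed for illustration, not rows from CSIC-2010.

```python
import zlib


def compressed_size(data: bytes) -> int:
    """C(x): number of bytes zlib needs for x at its highest compression level."""
    return len(zlib.compress(data, 9))


def ncd(x: bytes, y: bytes) -> float:
    """Normalised Compression Distance:
        NCD(x, y) = (C(xy) - min(C(x), C(y))) / max(C(x), C(y))
    Close to 0 for near-identical strings, close to 1 for unrelated ones.
    The only ingredient is the compressor, so there is no tokeniser,
    n-gram length or alphabet to tune: that is what makes it parameter-free."""
    cx, cy = compressed_size(x), compressed_size(y)
    return (compressed_size(x + y) - min(cx, cy)) / max(cx, cy)


# Constructed, hand-labelled reference requests (assumed log format; not rows
# from CSIC-2010). The anomalous ones carry a URL-encoded tautology in a parameter.
REFERENCES = [
    ("normal", "GET /shop/public/add.jsp?id=2&name=Ham&price=85&quantity=49&B1=Add+to+cart HTTP/1.1"),
    ("normal", "GET /shop/public/add.jsp?id=3&name=Cheese&price=12&quantity=1&B1=Add+to+cart HTTP/1.1"),
    ("normal", "GET /shop/public/view.jsp?id=7&B1=View HTTP/1.1"),
    ("normal", "GET /shop/public/search.jsp?q=olive+oil&B1=Search HTTP/1.1"),
    ("anomalous", "GET /shop/public/add.jsp?id=2%27+OR+%271%27%3D%271&name=Ham&price=85&quantity=49&B1=Add+to+cart HTTP/1.1"),
    ("anomalous", "GET /shop/public/view.jsp?id=7%27+OR+%271%27%3D%271&B1=View HTTP/1.1"),
    ("anomalous", "GET /shop/public/search.jsp?q=olive%27+OR+%271%27%3D%271&B1=Search HTTP/1.1"),
]


def feature_vector(query: str) -> list:
    """One NCD per reference request: the feature vector a classifier would see."""
    q = query.encode()
    return [ncd(q, ref.encode()) for _, ref in REFERENCES]


def classify(query: str) -> str:
    """Label of the reference with the smallest NCD (1-nearest-neighbour).
    Stand-in for the paper's SVM so the example has no external dependencies."""
    vec = feature_vector(query)
    nearest = min(range(len(vec)), key=vec.__getitem__)
    return REFERENCES[nearest][0]


if __name__ == "__main__":
    # Held-out constructed queries: one benign, one carrying the same tautology.
    for q in ("GET /shop/public/view.jsp?id=12&B1=View HTTP/1.1",
              "GET /shop/public/search.jsp?q=oil%27+OR+%271%27%3D%271&B1=Search HTTP/1.1"):
        print(f"{classify(q):9s}  {[round(v, 2) for v in feature_vector(q)]}  {q}")
```

Because C(x) for a request of a few dozen bytes is dominated by literal bytes, NCD between short, related requests stays well below 1; the useful signal is the ordering of distances, not their absolute size.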


Footnotes

1. The preprocessed data can be accessed upon request.
Metadata

Title: A Parameter-Free Method for the Detection of Web Attacks
Authors: Gonzalo de la Torre-Abaitua, Luis F. Lago-Fernández, David Arroyo
Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-319-67180-2_64
