{"title":"WSAD: An Unsupervised Web Session Anomaly Detection Method","authors":"Yizhen Sun, Yiman Xie, Weiping Wang, Shigeng Zhang, Jun Gao, Yating Chen","doi":"10.1109/MSN50589.2020.00125","DOIUrl":null,"url":null,"abstract":"Servers on the Internet are vulnerable to Web attacks. To detect Web attacks, a commonly used method is to detect anomalies in the request parameters by writing regular-expression-based matching rules for the parameters based on known security threats. However, such methods cannot detect unknown anomalies well, and they can also be easily bypassed by using techniques like transcoding. Moreover, existing anomaly detection methods are usually based on a single HTTP request, which makes it easy to miss attack behavior that occurs over a period of time, such as a brute-force password cracking attack. In this paper, we propose an unsupervised Web Session Anomaly Detection method called WSAD. WSAD uses ten features of a web session to perform anomaly detection. After extracting the ten features, WSAD uses the DBSCAN algorithm to cluster the features of each session and outputs the outliers found in the clustering process as anomalies. We evaluate the performance of WSAD on several datasets from multiple real websites of a company. The results indicate that WSAD could detect malicious behaviors that could not be detected by a Web Application Firewall, and it has almost no false positives.","PeriodicalId":447605,"journal":{"name":"2020 16th International Conference on Mobility, Sensing and Networking (MSN)","volume":"32 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 16th International Conference on Mobility, Sensing and Networking (MSN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/MSN50589.2020.00125","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 1
Abstract
Servers on the Internet are vulnerable to Web attacks. To detect Web attacks, a commonly used method is to detect anomalies in the request parameters by writing regular-expression-based matching rules for the parameters based on known security threats. However, such methods cannot detect unknown anomalies well, and they can also be easily bypassed by using techniques like transcoding. Moreover, existing anomaly detection methods are usually based on a single HTTP request, which makes it easy to miss attack behavior that occurs over a period of time, such as a brute-force password cracking attack. In this paper, we propose an unsupervised Web Session Anomaly Detection method called WSAD. WSAD uses ten features of a web session to perform anomaly detection. After extracting the ten features, WSAD uses the DBSCAN algorithm to cluster the features of each session and outputs the outliers found in the clustering process as anomalies. We evaluate the performance of WSAD on several datasets from multiple real websites of a company. The results indicate that WSAD could detect malicious behaviors that could not be detected by a Web Application Firewall, and it has almost no false positives.