An Unsupervised Web Session Anomaly Detection Method

Yizhen Sun, Yiman Xie, Weiping Wang, Shigeng Zhang, Jun Gao, Yating Chen
DOI: 10.1109/MSN50589.2020.00125
Venue: 2020 16th International Conference on Mobility, Sensing and Networking (MSN)
Publication date: 2020-12-01
Citations: 1

WSAD: An Unsupervised Web Session Anomaly Detection Method
Servers on the Internet are vulnerable to Web attacks. A commonly used method to detect Web attacks is to detect anomalies in request parameters by writing regular-expression-based matching rules for those parameters based on known security threats. However, such methods cannot detect unknown anomalies well, and they can easily be bypassed by techniques like transcoding. Moreover, existing anomaly detection methods are usually based on a single HTTP request, so they easily miss attack behavior that unfolds over a period of time, such as a brute-force password cracking attack. In this paper, we propose an unsupervised Web Session Anomaly Detection method called WSAD. WSAD uses ten features of a web session to perform anomaly detection. After extracting the ten features, WSAD uses the DBSCAN algorithm to cluster the features of each session and outputs the outliers found in the clustering process as anomalies. We evaluate the performance of WSAD on several datasets from multiple real websites of a company. The results indicate that WSAD can detect malicious behaviors that a Web Application Firewall could not detect, and it has almost no false positives.