An On-line Learning Statistical Model to Detect Malicious Web Requests

Harald Lampesberger; Philipp Winter; Markus Zeilinger; Eckehard Hermann

An On-line Learning Statistical Model to Detect Malicious Web Requests

Harald Lampesberger
, Philipp Winter
, Markus Zeilinger
, Eckehard Hermann

Institut für Anwendungsorientierte Wissensverarbeitung

Publikation: Beitrag in Buch/Bericht/Konferenzband › Konferenzbeitrag › Begutachtung

Abstract

Detecting malicious connection attempts and attacks against web-based applications is one of many approaches to protect the World Wide Web and its users. In this paper, we present a generic method for detecting anomalous and potentially malicious web requests from the network's point of view without prior knowledge or training data of the web-based application. The algorithm assumes that a legitimate request is an ordered sequence of semantic entities. Malicious requests are in different order or include entities which deviate from the structure of the majority of requests. Our method learns a variable-order Markov model from legitimate sequences of semantic entities. If a sequence's probability deviates from previously seen ones, it is reported as anomalous. Experiments were conducted on logs from a social networking web site. The results indicate that that the proposed method achieves good detection rates at acceptable false-alarm rates.

Originalsprache	Englisch
Titel	Security and Privacy in Communication Networks - 7th Iternational ICST Conference, SecureComm 2011, London
Seitenumfang	20
Publikationsstatus	Veröffentlicht - 2011

Wissenschaftszweige

102 Informatik
102001 Artificial Intelligence

JKU-Schwerpunkte

Computation in Informatics and Mathematics

Dieses zitieren

@inproceedings{f25af2590de845ab9ad1240077c0aff6,

title = "An On-line Learning Statistical Model to Detect Malicious Web Requests",

abstract = "Detecting malicious connection attempts and attacks against web-based applications is one of many approaches to protect the World Wide Web and its users. In this paper, we present a generic method for detecting anomalous and potentially malicious web requests from the network's point of view without prior knowledge or training data of the web-based application. The algorithm assumes that a legitimate request is an ordered sequence of semantic entities. Malicious requests are in different order or include entities which deviate from the structure of the majority of requests. Our method learns a variable-order Markov model from legitimate sequences of semantic entities. If a sequence's probability deviates from previously seen ones, it is reported as anomalous. Experiments were conducted on logs from a social networking web site. The results indicate that that the proposed method achieves good detection rates at acceptable false-alarm rates.",

author = "Harald Lampesberger and Philipp Winter and Markus Zeilinger and Eckehard Hermann",

year = "2011",

language = "English",

booktitle = "Security and Privacy in Communication Networks - 7th Iternational ICST Conference, SecureComm 2011, London",

}

TY - GEN

T1 - An On-line Learning Statistical Model to Detect Malicious Web Requests

AU - Lampesberger, Harald

AU - Winter, Philipp

AU - Zeilinger, Markus

AU - Hermann, Eckehard

PY - 2011

Y1 - 2011

N2 - Detecting malicious connection attempts and attacks against web-based applications is one of many approaches to protect the World Wide Web and its users. In this paper, we present a generic method for detecting anomalous and potentially malicious web requests from the network's point of view without prior knowledge or training data of the web-based application. The algorithm assumes that a legitimate request is an ordered sequence of semantic entities. Malicious requests are in different order or include entities which deviate from the structure of the majority of requests. Our method learns a variable-order Markov model from legitimate sequences of semantic entities. If a sequence's probability deviates from previously seen ones, it is reported as anomalous. Experiments were conducted on logs from a social networking web site. The results indicate that that the proposed method achieves good detection rates at acceptable false-alarm rates.

AB - Detecting malicious connection attempts and attacks against web-based applications is one of many approaches to protect the World Wide Web and its users. In this paper, we present a generic method for detecting anomalous and potentially malicious web requests from the network's point of view without prior knowledge or training data of the web-based application. The algorithm assumes that a legitimate request is an ordered sequence of semantic entities. Malicious requests are in different order or include entities which deviate from the structure of the majority of requests. Our method learns a variable-order Markov model from legitimate sequences of semantic entities. If a sequence's probability deviates from previously seen ones, it is reported as anomalous. Experiments were conducted on logs from a social networking web site. The results indicate that that the proposed method achieves good detection rates at acceptable false-alarm rates.

M3 - Conference proceedings

BT - Security and Privacy in Communication Networks - 7th Iternational ICST Conference, SecureComm 2011, London

ER -