An On-line Learning Statistical Model to Detect Malicious Web Requests

Harald Lampesberger; Philipp Winter; Markus Zeilinger; Eckehard Hermann

An On-line Learning Statistical Model to Detect Malicious Web Requests

Harald Lampesberger, Philipp Winter, Markus Zeilinger, Eckehard Hermann

Institute for Application-oriented Knowledge Processing

Research output: Chapter in Book/Report/Conference proceeding › Conference proceedings › peer-review

Abstract

Detecting malicious connection attempts and attacks against web-based applications is one of many approaches to protect the World Wide Web and its users. In this paper, we present a generic method for detecting anomalous and potentially malicious web requests from the network's point of view without prior knowledge or training data of the web-based application. The algorithm assumes that a legitimate request is an ordered sequence of semantic entities. Malicious requests are in different order or include entities which deviate from the structure of the majority of requests. Our method learns a variable-order Markov model from legitimate sequences of semantic entities. If a sequence's probability deviates from previously seen ones, it is reported as anomalous. Experiments were conducted on logs from a social networking web site. The results indicate that that the proposed method achieves good detection rates at acceptable false-alarm rates.

Original language	English
Title of host publication	Security and Privacy in Communication Networks - 7th Iternational ICST Conference, SecureComm 2011, London
Number of pages	20
Publication status	Published - 2011

Fields of science

102 Computer Sciences
102001 Artificial intelligence

JKU Focus areas

Computation in Informatics and Mathematics

Cite this

@inproceedings{f25af2590de845ab9ad1240077c0aff6,

title = "An On-line Learning Statistical Model to Detect Malicious Web Requests",

abstract = "Detecting malicious connection attempts and attacks against web-based applications is one of many approaches to protect the World Wide Web and its users. In this paper, we present a generic method for detecting anomalous and potentially malicious web requests from the network's point of view without prior knowledge or training data of the web-based application. The algorithm assumes that a legitimate request is an ordered sequence of semantic entities. Malicious requests are in different order or include entities which deviate from the structure of the majority of requests. Our method learns a variable-order Markov model from legitimate sequences of semantic entities. If a sequence's probability deviates from previously seen ones, it is reported as anomalous. Experiments were conducted on logs from a social networking web site. The results indicate that that the proposed method achieves good detection rates at acceptable false-alarm rates.",

author = "Harald Lampesberger and Philipp Winter and Markus Zeilinger and Eckehard Hermann",

year = "2011",

language = "English",

booktitle = "Security and Privacy in Communication Networks - 7th Iternational ICST Conference, SecureComm 2011, London",

}

TY - GEN

T1 - An On-line Learning Statistical Model to Detect Malicious Web Requests

AU - Lampesberger, Harald

AU - Winter, Philipp

AU - Zeilinger, Markus

AU - Hermann, Eckehard

PY - 2011

Y1 - 2011

N2 - Detecting malicious connection attempts and attacks against web-based applications is one of many approaches to protect the World Wide Web and its users. In this paper, we present a generic method for detecting anomalous and potentially malicious web requests from the network's point of view without prior knowledge or training data of the web-based application. The algorithm assumes that a legitimate request is an ordered sequence of semantic entities. Malicious requests are in different order or include entities which deviate from the structure of the majority of requests. Our method learns a variable-order Markov model from legitimate sequences of semantic entities. If a sequence's probability deviates from previously seen ones, it is reported as anomalous. Experiments were conducted on logs from a social networking web site. The results indicate that that the proposed method achieves good detection rates at acceptable false-alarm rates.

AB - Detecting malicious connection attempts and attacks against web-based applications is one of many approaches to protect the World Wide Web and its users. In this paper, we present a generic method for detecting anomalous and potentially malicious web requests from the network's point of view without prior knowledge or training data of the web-based application. The algorithm assumes that a legitimate request is an ordered sequence of semantic entities. Malicious requests are in different order or include entities which deviate from the structure of the majority of requests. Our method learns a variable-order Markov model from legitimate sequences of semantic entities. If a sequence's probability deviates from previously seen ones, it is reported as anomalous. Experiments were conducted on logs from a social networking web site. The results indicate that that the proposed method achieves good detection rates at acceptable false-alarm rates.

M3 - Conference proceedings

BT - Security and Privacy in Communication Networks - 7th Iternational ICST Conference, SecureComm 2011, London

ER -