Statistical Modeling of Web Requests for Anomaly Detection in Web Applications

Harald Lampesberger; Markus Zeilinger; Eckehard Hermann

Statistical Modeling of Web Requests for Anomaly Detection in Web Applications

Harald Lampesberger, Markus Zeilinger, Eckehard Hermann

Institute for Application-oriented Knowledge Processing

Research output: Chapter in Book/Report/Conference proceeding › Chapter › peer-review

Abstract

We present an algorithm for learning a statistical representation of web application communication. The algorithm estimates the average probability of every observed web request. If the estimated probability deviates from recent observations, the web request is classified as anomalous. With every classification result, the statistical model parameters are updated, so the algorithm gains on-line learning capabilities and it self-adjusts to the observed data without prior training. Experiments on log data from a social networking web site indicate high detection rates at acceptable false-alarm rates. Also, the evaluation shows that the degree of abnormality of a web request does not explain the potential danger.

Original language	English
Title of host publication	Advances on IT Early Warning -- The Many-folded Facets of IT Early Warning - Open Issues, Current Research
Publisher	Fraunhofer Verlag
Number of pages	13
Publication status	Published - 2012

Fields of science

102 Computer Sciences
102001 Artificial intelligence

JKU Focus areas

Computation in Informatics and Mathematics

Cite this

@inbook{aefab5a51ee04a7f962cb973f70091c4,

title = "Statistical Modeling of Web Requests for Anomaly Detection in Web Applications",

abstract = "We present an algorithm for learning a statistical representation of web application communication. The algorithm estimates the average probability of every observed web request. If the estimated probability deviates from recent observations, the web request is classified as anomalous. With every classification result, the statistical model parameters are updated, so the algorithm gains on-line learning capabilities and it self-adjusts to the observed data without prior training. Experiments on log data from a social networking web site indicate high detection rates at acceptable false-alarm rates. Also, the evaluation shows that the degree of abnormality of a web request does not explain the potential danger.",

author = "Harald Lampesberger and Markus Zeilinger and Eckehard Hermann",

year = "2012",

language = "English",

booktitle = "Advances on IT Early Warning -- The Many-folded Facets of IT Early Warning - Open Issues, Current Research",

publisher = "Fraunhofer Verlag",

}

TY - CHAP

T1 - Statistical Modeling of Web Requests for Anomaly Detection in Web Applications

AU - Lampesberger, Harald

AU - Zeilinger, Markus

AU - Hermann, Eckehard

PY - 2012

Y1 - 2012

N2 - We present an algorithm for learning a statistical representation of web application communication. The algorithm estimates the average probability of every observed web request. If the estimated probability deviates from recent observations, the web request is classified as anomalous. With every classification result, the statistical model parameters are updated, so the algorithm gains on-line learning capabilities and it self-adjusts to the observed data without prior training. Experiments on log data from a social networking web site indicate high detection rates at acceptable false-alarm rates. Also, the evaluation shows that the degree of abnormality of a web request does not explain the potential danger.

AB - We present an algorithm for learning a statistical representation of web application communication. The algorithm estimates the average probability of every observed web request. If the estimated probability deviates from recent observations, the web request is classified as anomalous. With every classification result, the statistical model parameters are updated, so the algorithm gains on-line learning capabilities and it self-adjusts to the observed data without prior training. Experiments on log data from a social networking web site indicate high detection rates at acceptable false-alarm rates. Also, the evaluation shows that the degree of abnormality of a web request does not explain the potential danger.

M3 - Chapter

BT - Advances on IT Early Warning -- The Many-folded Facets of IT Early Warning - Open Issues, Current Research

PB - Fraunhofer Verlag

ER -