http://dx.doi.org/10.13089/JKIISC.2003.13.2.115

SAD : Web Session Anomaly Detection based on Bayesian Estimation  

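조상현 (Department of Electrical Engineering and Computer Science, KAIST)
김한성 (Department of Electrical Engineering and Computer Science, KAIST)
이병희 (Department of Electrical Engineering and Computer Science, KAIST)
차성덕 (Department of Electrical Engineering and Computer Science, KAIST)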
Abstract
As Web services are generally open to external use and are not filtered by firewalls, they become targets for attackers. Web attacks that exploit vulnerable web applications and malicious users' requests cause economic and social problems. In this paper, we model general web service usage based on user web sessions and detect anomalous usage with a Bayesian estimation method. Finally, we propose SAD (Session Anomaly Detection) for detecting unknown web attacks. To evaluate SAD, we ran an attack simulation experiment with the web vulnerability scanner whisker. The results show that the detection rate of SAD is over 90%, and that it is influenced by several features such as the size of the window or training set, the detection filter method, and the web topology.
Keywords
intrusion detection; web attack detection; anomaly detection; network security; Bayesian estimation