A General Framework for Adaptive and Online Detection of Web attacks

Wei Wang 1, Florent Masseglia 2, Thomas Guyet 3, René Quiniou 3, Marie-Odile Cordier 3
2 AxIS - Usage-centered design, analysis and improvement of information systems
CRISAM - Inria Sophia Antipolis - Méditerranée, Inria Paris-Rocquencourt
3 DREAM - Diagnosing, Recommending Actions and Modelling
Inria Rennes – Bretagne Atlantique, IRISA-D7 - GESTION DES DONNÉES ET DE LA CONNAISSANCE
Abstract: Detection of web attacks is an important issue in current defense-in-depth security frameworks. Many existing anomaly detection methods require a large amount of precisely labeled data to build a static model that is then used for attack detection. In practical environments, however, labeled data is very difficult to obtain. Moreover, the audit data for attack detection is typically streaming and the behavioral model is always evolving. Static detection models thus lead to considerable false positives. In this paper, we propose a novel general framework for adaptive and online detection of web attacks. The general framework can be based on any online clustering method. A detection model based on the framework is able to learn online and deal with concept drift in web audit data streams. Str-DBSCAN, our extension of DBSCAN [1] to streaming data, and StrAP [3] are both used to validate the framework. The detection model based on the framework automatically labels the web audit data and adapts to changes in normal behavior while identifying attacks through dynamic clustering of the streaming data. A very large set of real HTTP log data collected in our institute is used to validate the framework and the model. The preliminary testing results demonstrated its effectiveness and efficiency.
Document type:
Conference paper
18th International World Wide Web Conference - WWW 2009, Apr 2009, Madrid, Spain. 2009
https://hal.inria.fr/inria-00461391
Contributor: Thomas Guyet
Submitted on: Thursday, March 4, 2010 - 15:28:01
Last modified on: Wednesday, August 2, 2017 - 10:07:06

Identifiers

  • HAL Id: inria-00461391, version 1

Citation

Wei Wang, Florent Masseglia, Thomas Guyet, René Quiniou, Marie-Odile Cordier. A General Framework for Adaptive and Online Detection of Web attacks. 18th International World Wide Web Conference - WWW 2009, Apr 2009, Madrid, Spain. 2009. 〈inria-00461391〉
