RESEARCH PRODUCT

Growing Hierarchical Self-organizing Maps and Statistical Distribution Models for Online Detection of Web Attacks

Mikhail Zolotukhin, Timo Hämäläinen, Antti Juvonen

subject

Self-organizing map, Web server, Computer science, Server, Header, Single-linkage clustering, Anomaly detection, Intrusion detection system, Data mining, Web service, computer.software_genre, computer

description

In modern networks, HTTP clients communicate with web servers using request messages. By manipulating these messages, attackers can collect confidential information from servers or even corrupt them. In this study, an approach based on anomaly detection is considered to find such attacks. For HTTP queries, feature matrices are obtained by applying an n-gram model, and, by learning on the basis of these matrices, growing hierarchical self-organizing maps are constructed. For HTTP headers, we employ statistical distribution models based on the lengths of header values and the relative frequency of symbols. New requests received by the web server are classified by using the maps and models obtained in the training stage. The proposed technique allows online detection of HTTP attacks in the case of continuously updated web applications. The proposed algorithm is tested using logs that were acquired from a large real-life web service and included normal and intrusive requests. As a result, almost all attacks from these logs are detected, and the number of false alarms remains very low.

https://doi.org/10.1007/978-3-642-36608-6_18