Abstract

Servers on the Internet are vulnerable to Web attacks. To detect Web attacks, a commonly used method is to detect anomalies in the request parameters by writing regular-expression-based matching rules for the parameters based on known security threats. However, such methods cannot detect unknown anomalies well, and they can be easily bypassed with techniques such as transcoding. Moreover, existing anomaly detection methods are usually based on a single HTTP request, which makes it easy to overlook attack behavior that unfolds over a period of time, such as a brute-force password cracking attack. In this paper, we propose an unsupervised Web Session Anomaly Detection method called WSAD. WSAD uses ten features of a web session to perform anomaly detection. After extracting the ten features, WSAD uses the DBSCAN algorithm to cluster the features of each session and outputs the outliers found in the clustering process as anomalies. We evaluate the performance of WSAD on several datasets from multiple real websites of a company. The results indicate that WSAD can detect malicious behaviors that a Web Application Firewall does not detect, and that it has almost no false positives.
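The session-level pipeline the abstract describes (aggregate requests per session, cluster the feature vectors with DBSCAN, report the noise points) is sketched below as an added example; it is not code from the paper. The three features, the `eps` and `min_pts` values, all function names and the log records are assumptions constructed for illustration (the abstract does not list the paper's ten features), and the code computes only the DBSCAN noise set in pure Python rather than full cluster labels.

```python
import math
from collections import defaultdict

# Constructed sample records: (session_id, path, status). Not data from the paper.
def _browse(sid, n):
    return [(sid, f"/item/{i % 5}", 200) for i in range(n)]

LOG = (_browse("s1", 10) + _browse("s2", 12) + _browse("s3", 9) + _browse("s4", 11)
       + [("s5", "/login", 401)] * 60)  # many failed logins inside one session

def session_features(log):
    """Aggregate per-request records into one vector per session.
    Assumed features: request count, error ratio, distinct-path ratio."""
    by_sid = defaultdict(list)
    for sid, path, status in log:
        by_sid[sid].append((path, status))
    feats = {}
    for sid, reqs in by_sid.items():
        n = len(reqs)
        errors = sum(1 for _, s in reqs if s >= 400)
        feats[sid] = [n, errors / n, len({p for p, _ in reqs}) / n]
    return feats

def normalize(feats):
    """Min-max scale each feature to [0, 1] so eps means the same on every axis."""
    cols = list(zip(*feats.values()))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return {k: [(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(v, lo, hi)]
            for k, v in feats.items()}

def dbscan_outliers(points, eps=0.35, min_pts=3):
    """Return the keys DBSCAN labels as noise: points that are not core points
    and have no core point within eps (a point counts as its own neighbour)."""
    keys = list(points)
    neigh = {k: [j for j in keys if math.dist(points[k], points[j]) <= eps]
             for k in keys}
    core = {k for k in keys if len(neigh[k]) >= min_pts}
    return sorted(k for k in keys
                  if k not in core and not core.intersection(neigh[k]))

def detect(log):
    """Full pipeline: features -> scaling -> DBSCAN noise set."""
    return dbscan_outliers(normalize(session_features(log)))

if __name__ == "__main__":
    print(detect(LOG))
```

No single request in session `s5` is unusual on its own; the session stands out only once its requests are aggregated, which is the gap in per-request detection that the abstract points to.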
