[1]YANG Xiaofeng,LI Wei,SUN Mingming,et al.Web attack detection method on the basis of text clustering[J].CAAI Transactions on Intelligent Systems,2014,9(1):40-46.[doi:10.3969/j.issn.1673-4785.201108007]
Copy

Web attack detection method on the basis of text clustering

CAAI Transactions on Intelligent Systems[ISSN 1673-4785/CN 23-1538/TP] Volume: 9 Number of periods: 2014 1 Page number: 40-46 Column: 学术论文—自然语言处理与理解 Public date: 2014-02-25
Title:
Web attack detection method on the basis of text clustering
Author(s):
YANG Xiaofeng1 LI Wei12 SUN Mingming1 HU Xuelei1
1. School of Computer Science and Technology, Nanjing University of Science and Technology, Nanjing 210094, China;
2. Dana-Farber Cancer Institute, Harvard Medical School, Boston, Massachusetts 02115, USA
Keywords:
Web attackWeb attack detectiontext clusteringunsupervised detection algorithm
CLC:
TP393
DOI:
10.3969/j.issn.1673-4785.201108007
Abstract:
The attacks aiming at Web service applications within the past several years have become more widely-propagated, and the present attack detection algorithms mostly use the supervision study to determine the border between normal the behavior and attack behavior; however, for the supervision and detection model, before the detection, a complex studying process is necessary, this will lower the practical effects of the system. Therefore, on the basis of the realistic difference between the normal visit specimen and the attack specimen on the aspects of quantity and distribution, an unsupervised detection algorithm based on text clustering is proposed. In the algorithm, firstly, the iteratively clustered process is applied to cluster specimens, until reaching a category; in addition, according to the distribution law of the abnormal and normal specimens, in the clustering process, the optimal maximum category is considered as the normal specimen category and the others are considered as an abnormal specimen category. The optimal scheme is determined on the basis of the principle of the minimum classification error. The experiment shows that, in comparison with many traditional detection methods, the method used in this paper omits complex study processes and improves adaptability; the detection rate and the false positive rate are excellent.
References:
[1] CHRISTEY S, MARTIN R A. Vulnerability type distributions in CVE [EB/OL]. [2011-08-20]. http://cwe.mitre.org/documents/vuln-trends.html.
[2] FIELDING R, GETTYS J, MOGUL J, et al. RFC-2616: hypertext transfer protocol-HTTP/1.1[S]. Montreal: Internet Engineering Task Force (IETF), 1999.
[3] INGHAM K L, SOMAYAJIB A, BURGEA J, et al. Learning DFA representations of HTTP for protecting web applications[J]. Computer Networks, 2007, 51(5): 1239-1255.
[4] CORONA I, ARIU D, GIACINTO G. HMM-Web: a framework for the detection of attacks against web applications[C]//IEEE International Conference on Communications. Dresden, Germany, 2009: 1-6.
[5] DURY A, HALLAL H H, PETRENKO A. Inferring behavioural models from traces of business applications[C]//IEEE International Conference on Web Services. Los Angeles, USA, 2009: 791-798.
[6] BACE R. Intrusion detection[M]. [S.l.]: Macmillan Publishing Co. Inc., 2000: 1-4.
[7] ROESCH M. Snort-lightweight intrusion detection for networks[C]//Proceedings of the 13th USENIX Conference on System Administration. Seattle, USA, 1999: 229-238.
[8] CHANDOLA V, BANERJEE A, KUMAR V. Anomaly detection: a survey[J]. ACM Computing Surveys, 2009, 41(3): artical no. 15.
[9] KRUEGEL C, VIGNA G. Anomaly detection of web-based attacks[C]//Proceedings of the 10th ACM Conference on Computer and Communications Security. Washington, DC, USA: ACM, 2003: 251-261.
[10] KRUEGEL C, VIGNA G, ROBERTSON W. A multi-model approach to the detection of web-based attacks[J]. Computer Networks, 2005, 48(5): 717-738.
[11] PORTNOY L, ESKIN E, STOLFO S. Intrusion detection with unlabeled data using clustering[C]//Proceedings of ACM CSS Workshop on Data Mining Applied to Security. Philadelphia, USA, 2001: 5-8.
[12] MAHONEY M V, CHAN P K. Learning nonstationary models of normal network traffic for detecting novel attacks[C]//Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York, USA: ACM, 2002: 376-385.
[13] WARRENDER C, FORREST S, PEARLMUTTER B. Detecting intrusions using system calls: alternative data models[C]//Proceedings of IEEE Symposium on Security and Privacy. Oakland, USA, 1999: 133-145.
[14] SENGAR H, WIJESEKERA D, WANG H, et al. VoIP intrusion detection through interacting protocol state machines[C]//Proceedings of International Conference on Dependable Systems and Networks. Philadelphia, USA: IEEE/IFIP, 2006: 393-402.
[15] 周东清,张海锋,张绍武,等.基于HMM的分布式拒绝服务攻击检测方法[J].计算机研究与发展, 2005, 42(9): 1594-1599.ZHOU Qingdong, ZHANG Haifeng, ZHANG Shaowu, et al. A DDos attack detection method based on hidden Markov model[J]. Journal of Computer Research and Development, 2005, 42(9): 1594-1599.
[16] INGHAM K L, INOUE H. Comparing anomaly detection techniques for HTTP[C]//Proceedings of the 10th International Conference on Recent Advances in Intrusion Detection. Gold Goast, Australia, 2007: 42-62.
[17] JULISCH K. Clustering intrusion detection alarms to support root cause analysis[J]. ACM Transactions on Information and System Security, 2003, 6(4): 443-471.
[18] HAINES J W, LIPPMANN R P, FRIED D J, et al. 1999 DARPA intrusion detection system evaluation: design and procedures, TR-1062[R]. Lexington, USA: Lincoln Laboratory, Massachusetts Institute of Technology, 2001.
[19] LIPPMANN R P, HAINES J W, FRIED D J, et al. The 1999 DARPA off-line intrusion detection evaluation[J]. Computer Networks, 2000, 34(4): 579-595.
[20] The UCI KDD Archive. KDD Cup 1999 data[EB/OL]. (1999-10-28)[2011-08-20]. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.
Similar References:

Memo

-

Last Update: 1900-01-01

Copyright © CAAI Transactions on Intelligent Systems