Abstract
HTTP servers and web applications are now among the most popular targets of network attacks. In this paper we consider an algorithm for HTTP intrusion detection based on simple clustering algorithms and advanced processing of HTTP requests, which allows all queries to be analysed at once without separating them by resource. The proposed method detects HTTP intrusions in continuously updated web applications and does not require a set of attack-free HTTP requests to build the model of normal user behaviour. The algorithm is tested on logs acquired from a large real-life web service; as a result, all attacks present in these logs are detected while the number of false alarms remains zero.
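The following is an added illustration of the idea in the abstract, not code from the paper: every request line in a log is turned into a set of character n-grams, the whole log (attacks included) is clustered in one pass, and requests that land in no dense cluster are reported. Because attacks are rare and legitimate requests repeat, no attack-free training set is needed. The pre-processing (collapsing digit runs to "N"), the Jaccard distance on trigram sets, the DBSCAN parameters `eps=0.25` and `min_pts=3`, and the sample request lines are all assumptions made for this example; the paper's own processing and clustering steps are not reproduced here.

```python
"""Unsupervised detection of anomalous HTTP request lines using character
n-grams and DBSCAN. Added example with constructed data; not the paper's code."""
import re

# Constructed sample request lines (the request field of an Apache-style log).
# Legitimate requests repeat, as they do in real logs; the last two are the
# attack-shaped lines the detector should isolate. Not taken from the paper.
SAMPLE_REQUESTS = [
    "GET /index.php?page=home HTTP/1.1",
    "GET /index.php?page=home HTTP/1.1",
    "GET /index.php?page=home HTTP/1.1",
    "GET /index.php?page=news HTTP/1.1",
    "GET /index.php?page=news HTTP/1.1",
    "GET /index.php?page=news HTTP/1.1",
    "GET /index.php?page=about HTTP/1.1",
    "GET /index.php?page=about HTTP/1.1",
    "GET /index.php?page=about HTTP/1.1",
    "GET /article.php?id=12 HTTP/1.1",
    "GET /article.php?id=27 HTTP/1.1",
    "GET /article.php?id=305 HTTP/1.1",
    "GET /article.php?id=44&p=2 HTTP/1.1",
    "POST /login.php HTTP/1.1",
    "POST /login.php HTTP/1.1",
    "POST /login.php HTTP/1.1",
    "GET /article.php?id=12' OR '1'='1 HTTP/1.1",
    "GET /index.php?page=../../../../etc/passwd HTTP/1.1",
]

DIGITS = re.compile(r"\d+")


def normalise(request: str) -> str:
    """Collapse digit runs so id=12 and id=305 map to one template.
    Assumed pre-processing step for this example, not the paper's."""
    return DIGITS.sub("N", request)


def ngrams(text: str, n: int = 3) -> frozenset:
    """Set of overlapping character n-grams over the whole request line
    (method, path, query and version together, no split by resource)."""
    return frozenset(text[i:i + n] for i in range(len(text) - n + 1))


def jaccard_distance(a: frozenset, b: frozenset) -> float:
    """1 - |a & b| / |a | b|: 0.0 for identical sets, 1.0 for disjoint ones."""
    union = len(a | b)
    return 0.0 if union == 0 else 1.0 - len(a & b) / union


def dbscan(points, dist, eps, min_pts):
    """Minimal DBSCAN. Returns one label per point; -1 means noise.
    min_pts counts the point itself, as in the original formulation."""
    n = len(points)
    labels = [None] * n

    def region(i):
        return [j for j in range(n) if dist(points[i], points[j]) <= eps]

    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        seeds = region(i)
        if len(seeds) < min_pts:
            labels[i] = -1            # noise for now; may become a border point
            continue
        labels[i] = cluster
        queue = [j for j in seeds if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster   # border point reached from a core point
                continue
            if labels[j] is not None:
                continue
            labels[j] = cluster
            more = region(j)
            if len(more) >= min_pts:  # j is a core point: keep expanding
                queue.extend(k for k in more if labels[k] is None or labels[k] == -1)
        cluster += 1
    return labels


def detect(requests, n=3, eps=0.25, min_pts=3):
    """Cluster the whole log at once; return (request, cluster, is_anomalous)."""
    feats = [ngrams(normalise(r), n) for r in requests]
    labels = dbscan(feats, jaccard_distance, eps, min_pts)
    return [(r, lab, lab == -1) for r, lab in zip(requests, labels)]


def flagged(requests, **kw):
    """Only the request lines that ended up as noise, i.e. the alarms."""
    return [r for r, _, anomalous in detect(requests, **kw) if anomalous]


if __name__ == "__main__":
    for req, label, anomalous in detect(SAMPLE_REQUESTS):
        tag = "ANOMALY" if anomalous else f"cluster {label}"
        print(f"{tag:>10}  {req}")
```

On the constructed log the five legitimate templates form five dense clusters (the `id=44&p=2` variant joins the `article.php` cluster) and the two injected lines are reported as noise. The same mechanism produces the false-positive mode a practitioner has to plan for: a brand-new legitimate page is noise until it has been requested `min_pts` times, so `eps` and `min_pts` must be chosen against the volume of the log being analysed.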
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Zolotukhin, M., Hämäläinen, T. (2013). Detection of Anomalous HTTP Requests Based on Advanced N-gram Model and Clustering Techniques. In: Balandin, S., Andreev, S., Koucheryavy, Y. (eds) Internet of Things, Smart Spaces, and Next Generation Networking. NEW2AN/ruSMART 2013. Lecture Notes in Computer Science, vol 8121. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40316-3_33
DOI: https://doi.org/10.1007/978-3-642-40316-3_33
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40315-6
Online ISBN: 978-3-642-40316-3
eBook Packages: Computer Science (R0)