Detection of anomalous web sessions using page sequences (Korean title: Detection of anomalous web sessions using page sequences and parameter values)

The frequency of attacks on web services, and the resulting damage, continues to grow as web services become popular. Unfortunately, existing signature-based intrusion detection techniques are inadequate for providing a reasonable degree of web security. Web attacks are diverse in nature, and a typical web architecture consists of complex and hierarchically organized components. Because attack strategies often vary depending on the web contents, it is impossible to develop fixed patterns that capture unknown attacks. Protection mechanisms tailored to web services, such as anomaly-based intrusion detection and application-level IDS, are needed to detect web attacks. In this dissertation, we propose Session Anomaly Detection (SAD), which can detect anomalous web sessions through a statistical approach that models the visiting sequences of static pages and input parameter values. We empirically demonstrate that SAD is effective in analyzing web logs and detecting anomalous sessions. Our technique, SAD, which models page sequences, works by first developing a normal usage profile and then comparing the web logs, as they are generated, against the probabilities. It detected nearly all such attacks without having to rely on attack signatures at all. SAD-Dynamic, which models parameter values, also works by classifying all parameters requested. To evaluate SAD-Dynamic, we conducted an experiment on three real web sites through attack simulation. Our research indicates that SAD has the potential to detect previously unknown web attacks and that the proposed approach would play a key role in developing an integrated environment to provide secure and reliable web services, as well as a good adaptive method for traditional intrusion detection systems. In addition, the experimental results show that page sequences and parameter values are critical features for developing a web application IDS.
Advisors
Cha, Sung-Deok (차성덕)
Description
Korea Advanced Institute of Science and Technology (KAIST) : Computer Science major
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2005
Identifier
244979/325007  / 000995354
Language
eng
Description

Thesis (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST) : Computer Science major, 2005.2, [ viii, 76 p. ]

Keywords

Web attacks; Anomaly detection; Intrusion detection; Network Security

URI
http://hdl.handle.net/10203/32896
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=244979&flag=dissertation
Appears in Collection
CS-Theses_Ph.D. (Doctoral theses)
Files in This Item
There are no files associated with this item.
