Volume 14, Issue 3 (12-2017)
JSDP 2017, 14(3): 83-96 |
Back to browse issues page
Download citation:
BibTeX | RIS | EndNote | Medlars | ProCite | Reference Manager | RefWorks
Send citation to:
BibTeX | RIS | EndNote | Medlars | ProCite | Reference Manager | RefWorks
Send citation to:
mirhadi tafreshi M A. Web Anomaly Detection by Using Access Log Usage Profile. JSDP 2017; 14 (3) :83-96
URL: http://jsdp.rcisp.ac.ir/article-1-418-en.html
URL: http://jsdp.rcisp.ac.ir/article-1-418-en.html
alzaha university
Abstract: (7146 Views)
Due to increasing in cyber-attacks, the need for web servers attack detection technique has drawn attentions today. Unfortunately, many available security solutions are inefficient in identifying web-based attacks.
The main aim of this study is to detect abnormal web navigations based on web usage profiles. In this paper, comparing scrolling behavior of a normal user with an attacker, and simultaneous use of the access control policy alarms provided in web pages crawling with high access level, leads to an attacker to be detected among ordinary users. Indeed, the proposed method in this research includes two main steps: firstly web usage profiles are extracted as web main patterns of users’ behavior. In order to cluster similar web sessions we used a system inspired by artificial immune system. In the employed method, the rate at which a particular web page is visited as well as the time a user spends on the pages, is calculated so as to estimate how interesting a specific page is in a user’s session. Therefore, the similarity in the web page is defined based on the combination of the similarity of web pages URLs and that of the users’ level of interest in visiting them. Secondly, the difference between each current user session from the main profiles is calculated. Additionally, the access control logs are derived from corresponding sessions in this stage. Regarding the noisy nature of web server logs, a method was required so that a slight change in the data would not make a noticeable change in the results validity. Hence, a fuzzy neural network has been applied to distinguish normal and abnormal scrolling behavior in second step.
Due to the lack of a standard data that contains both web pages scrolling and access control logs corresponding to it, providing such a data was required. At first, those intended logs were produced. To do so, an Apache web server was run on the platform of a Centos machine. In order to create the logs completely similar to a real server’s log, an e-commerce website was set up on Apache server. This website had about 160 different web pages to be visited by different users. At this point, a novel method is proposed to simulate the behavior of web users when they visit a website. Likewise, the abnormal data was generated by means of a large number of existing attack tools. It should also be noted that the access control policy has been used is SELinux and It has been added to Linux kernel.
As mentioned, web server access log varies greatly with changing user behaviors, the stability of the proposed method against noise should be evaluated. For this reason, the results has been investigated on noisy profiles created by making random changes on the main profiles, and only the testing phase is conducted again. Subsequently, the distance from the profiles having noise is compared with the main ones. To demonstrate the ability of this method, the results have been compared with a Support Vector Machine (SVM). The carried out evaluations show that our approach performs efficiently in identifying normal and abnormal scrolling.
The main aim of this study is to detect abnormal web navigations based on web usage profiles. In this paper, comparing scrolling behavior of a normal user with an attacker, and simultaneous use of the access control policy alarms provided in web pages crawling with high access level, leads to an attacker to be detected among ordinary users. Indeed, the proposed method in this research includes two main steps: firstly web usage profiles are extracted as web main patterns of users’ behavior. In order to cluster similar web sessions we used a system inspired by artificial immune system. In the employed method, the rate at which a particular web page is visited as well as the time a user spends on the pages, is calculated so as to estimate how interesting a specific page is in a user’s session. Therefore, the similarity in the web page is defined based on the combination of the similarity of web pages URLs and that of the users’ level of interest in visiting them. Secondly, the difference between each current user session from the main profiles is calculated. Additionally, the access control logs are derived from corresponding sessions in this stage. Regarding the noisy nature of web server logs, a method was required so that a slight change in the data would not make a noticeable change in the results validity. Hence, a fuzzy neural network has been applied to distinguish normal and abnormal scrolling behavior in second step.
Due to the lack of a standard data that contains both web pages scrolling and access control logs corresponding to it, providing such a data was required. At first, those intended logs were produced. To do so, an Apache web server was run on the platform of a Centos machine. In order to create the logs completely similar to a real server’s log, an e-commerce website was set up on Apache server. This website had about 160 different web pages to be visited by different users. At this point, a novel method is proposed to simulate the behavior of web users when they visit a website. Likewise, the abnormal data was generated by means of a large number of existing attack tools. It should also be noted that the access control policy has been used is SELinux and It has been added to Linux kernel.
As mentioned, web server access log varies greatly with changing user behaviors, the stability of the proposed method against noise should be evaluated. For this reason, the results has been investigated on noisy profiles created by making random changes on the main profiles, and only the testing phase is conducted again. Subsequently, the distance from the profiles having noise is compared with the main ones. To demonstrate the ability of this method, the results have been compared with a Support Vector Machine (SVM). The carried out evaluations show that our approach performs efficiently in identifying normal and abnormal scrolling.
Type of Study: Research |
Subject:
Paper
Received: 2015/09/11 | Accepted: 2017/08/27 | Published: 2018/01/29 | ePublished: 2018/01/29
Received: 2015/09/11 | Accepted: 2017/08/27 | Published: 2018/01/29 | ePublished: 2018/01/29
References
1. [1] J. Daniel E. Geer. The shrinking perimeter: Makingthe case for data-level risk case management. Veradsys White Paper, January 2004.
2. [2] C.Squicciarini, Elisa Bertino. Lorenzo D.Martino.Fedrica Paci.Anna. Security for Web Services and Service-Oriented Architectures. Springer, 2010. [PMID] [PMCID]
3. [3] R. Azmi, B. Pishgoo, H. Nemati, "Hypervisor-based Intrusion Detection Using Artificial Immune Systems", 8th International Iranian ISC Conference on Information Security and Cryptology, pp. 147-153, (2011).
4. [4] S. S. Anand and B. Mobasher, "Intelligent Techniques for Web Personalization", LNAI 3169, Springer-Verlag, 2005, 1–37.
5. [5] B. Mobasher, "Web Usage Mining and Personalization", Practical Handbook of Internet Computing, Chapman Hall and CRC Press, 2004. [DOI:10.1201/9780203507223.ch15]
6. [6] Selma Elsheikh.2008. Web Usage Data for Web Access Control (WUDWAC). World Congress on Engineering, Jul 2008. [PMCID]
7. [7] Priyanka V. Patil, Dharmaraj Patil , 2013,Preprocessing Web Logs for Web Intrusion Detection, IJAIS Proceedings on International Conference and workshop on Advanced Comput-ing 2013.
8. [8] Grant panel, Helen Ashman.2010, Anomaly Detection Over User Profiles for intrusion detection, Originally published in the Proceedings of the 8th Australian Information Security Mangement Conference, Edith Cowan University, Perth Western Australia.
9. [9] Yi Xie, Shensheng Tang. 2012,online anomaly detection based on web usage minig, IEEE 26th international parallel abd Distributed Processing Symposiom.
10. [10] Hamid Bagheri,Fereidoon Shams, 2011, "An Auto-Delegation Mechanism for Role Based Access Control model" 2nd World Conference on Information Technology", Antalya.
11. [11] Suganyadevi Janani Manimozhi Mirdula, 2002, "Preprocessing in Web Usage Mining" .
12. [12] R. Kosala and H. Blockeel, "Web mining research: a survey," ACM SIGKDD Explorations Newsletter, vol. 2, no. 1, pp. 1–15, Jun. 2000. [DOI:10.1145/360402.360406]
13. [13] P. R. Kumar and A. K. Singh, "Web Structure Mining: Exploring Hyperlinks and Algorithms for Information Retrieval," American Journal of applied sciences, vol. 7, no. 6, pp. 840–845, 2010. [DOI:10.3844/ajassp.2010.840.845]
14. [14] J. Sivaramakrishnan and V. Balakrishnan, "Web Mining Functions in an Academic Search Application," Informatica, vol. 13.
15. [15] J. Srivastava, R. Cooley, M. Deshpande, and P.-N. Tan, "Web usage mining: discovery and applications of usage patterns from Web data," ACM SIGKDD Explorations Newsletter, vol. 1, no. 2, pp. 12–23, Jan. 2000. [DOI:10.1145/846183.846188]
16. [16] L. K. Grace, V. Maheswari, and D. Nagamalai, "Analysis of Web Logs and Web User in Web Mining," International Journal of Network Security & Its Applications, Jan. 2011.
17. [17] D. Dixit and M. Kiruthika, "Preprocessing of Web Logs," International Journal on Computer Science and Engineering, vol. 2, pp. 2447-2452, 2010.
18. [18] V. Sathiya Moorthi and V. Murali Bhaskaran, "Data preparation Techniques for Web Usage Mining in World Wide Web–an approach," International Journal of Recent Trends in Engineering, vol. 2, no. 4, 2009.
19. [19] B. Mobasher, H. Dai, T. Luo, and M. Nakagawa, "Effective personalization based on association rule discovery from web usage data," in Proceedings of the 3rd international workshop on Web information and data management, Atlanta, Georgia, USA, 2001, pp. 9–15. [DOI:10.1145/502932.502935]
20. [20] H.Malek,M.M.Ebadzadeh,M.Rahmati, Threen-ew fuzzy neural networks learning algorithms based on clustering, training error and genetic algorithm,ApplIntell.35(2011)1–
21. [21] S.L. Chiu,Fuzzy model identification based on cluster estimation,J.Intell. Fuzzy S-yst.2(1994)209–219.
22. [22] R.R.Yager,D.P.Filev,Learning of fuzzy rules by mountain clustering,in: Proceeding ofSPIEConferenceonAppliedFuzzyLogicTechnology,1993, pp. 246–254.
23. [23] A. Salimi,M.M.Ebadzadeh, CFNN: Correlated fuzzy neural network, Neurocomput-ing148(2015)430–444. [DOI:10.1016/j.neucom.2014.07.021]
24. [24] G. Leng,Th.McGinnity,Design for self-organiz-ing fuzzy neural network based on geneticalgor-ithm,IEEETrans.FuzzySyst.14(2006)755–766. [DOI:10.1109/TFUZZ.2006.877361]
25. [25] B.Pizzileo,K.Li,G.W.Irwin,W.Zhao, Improved structure optimization for fuzzy-neuralnetwork-s,IEEETrans.FuzzySyst.20(2012)1076–1089. [DOI:10.1109/TFUZZ.2012.2193587]
26. [26] T. W. Yan, M. Jacobsen, H. Garcia-Molina, and U. Dayal, "From user access patterns to dynamic hypertext linking," Computer Networks and
27. [27] R. Forsati, M. R. Meybodi, and A. Rahbar, "An efficient algorithm for web recommendation systems," presented at the IEEE/ACS Interna-tional Conference on Computer Systems and Application-s, AICCSA 2009, 2009, pp. 579-586. [DOI:10.1109/AICCSA.2009.5069385]
28. [28] N. C. Jones and P. Pevzner, An introduction to bioinformatics algorithms. The MIT Press, 2004.
29. [29] W. Wang and O. R. Zaïane, "Clustering Web Sessions by Sequence Alignment," in Proceedings of 13th International Workshop on Database and Expert Systems Applications, Los Alamitos, CA, USA, 2002, vol. 0, p. 394. [DOI:10.1109/DEXA.2002.1045928]
30. [30] C. Li and Y. Lu, "Similarity Measurement of Web Sessions by Sequence Alignment," presented at the IFIP International Conference on Network and Parallel Computing Workshops, NPC Workshops, 2007, pp. 716-720.
https://doi.org/10.1007/s11859-007-0048-2 [DOI:10.1109/NPC.2007.66]
31. [31] B. Hay, G. Wets, and K. Vanhoof, "Segmentation of visiting patterns on web sites using a sequence alignment method," Journal of Retailing and Consumer Services, vol. 10, no. 3, pp. 145-153, May 2003. [DOI:10.1016/S0969-6989(03)00006-7]
32. [32] R.Azmi,M.Azimpour-kivi, "Applying Sequence Alignment in Tracking Evolving Clusters of Web-Sessions Data:an Artificial Immune Network Approach", 2011 Third International Conference on Computational Intelligence, Communication Systems and Networks.
33. [33] B. Hay, G. Wets, and K. Vanhoof, "Segmenta-tion of visiting patterns on web sites using a sequence alignment method," Journal of Retailing and Consumer Services, vol. 10, no. 3, pp. 145-153, May 2003. [DOI:10.1016/S0969-6989(03)00006-7]
34. [34] B. H. Helmi and A. T. Rahmani, "An AIS algorithm for Web usage mining with directed mutation," in IEEE Congress on Evolutionary Computation, CEC 2008 (IEEE World Congress on Computational Intelligence), 2008, pp. 3122-3127. [DOI:10.1109/CEC.2008.4631220]
35. [35] T. Zhang, R. Ramakrishnan, and M. Livny, "BIRCH: an efficient data clustering method for very large databases," ACM SIGMOD Record, vol. 25, no. 2, pp. 103–114, Jun. 1996. [DOI:10.1145/235968.233324]
36. [36] O. Nasraoui, C. C. Uribe, C. R. Coronel, and F. Gonzalez, "TECNO-STREAMS: tracking evolving clusters in noisy data streams with a scalable immune system learning model," presented at the Third IEEE International Conference on Data Mining, ICDM, 2003, pp. 235- 242. [DOI:10.1109/ICDM.2003.1250925]
37. [37] S.Alam,G.Dobbie,P.Riddle,"Particle Swarm Optimization basedClustering Of Web Usage Data",2008 IEEE/WIC/ACM International Conference on web Intelligent and Intelligent Agent Technology.
38. [38] R.Azmi,M.Raji,V.Derhami," Web Anomaly Detection Using Arti_cial Immune System and Web Usage Mining Approach "2012, ICIC,Zanjan
39. [39] C. Kruegel and G. Vigna, Anomaly detection of web-based attacks, in Proceedings of the 10th ACM Conference on Com-puter and Communications Security (2003), 251-261 [DOI:10.1145/948109.948144]
40. [40] L. Guangminl, Modeling Unknown Web Attacks in Network Anomaly Detection, International Conference on Conver-gence and Hybrid Information Technology (2008).
41. [41] M. Danforth, Towards a Classifying Arti_cial Immune Sys-tem for Web Server Attacks: Department of Computer andElectrical Engineering and Computer Science, Interna-tional Conference on Machine Learning and Applications (2009).
42. [42] M. A. Rassam, M. A. Maarof, and A. Zainal, Intrusion De-tection System Using Unsupervis-ed Immune Network Cluster-ing with Reduced Features, Int. J. Advance. Soft Comput. Appl. 2/2010 (2010).
43. [43] Valeur, F., Mutz, D., Vigna, G.: A learning-based approach to the detection of SQL attacks. In: Julisch, K., Krügel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 123–140. Springer, Heidelberg (2005). [DOI:10.1007/11506881_8]
44. [44] Kantardzic, M.: Data Mining Concepts, Models, Methods and Algorithm. IEEE Press, New York (2002). [PMID]
45. [45] L. Jie, S. Jianwei, H.Changzhen," A Novel Framework for Active Detection of HTTP Based Attack", Communication Systems and Information Technology,.Springer-Verlag Berlin Heidelberg 2011. [DOI:10.1007/978-3-642-21762-3_53]
46. [46] R. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. WileyComputer Publishing, New York, New York, 2001.
47. [47] A.Jafarian-Moghaddam,F. Barzinpour,M. Fath-ian, new clustering Technique us-ing Artificial Immune System and Hierarchical techni-que,Quarty journal Signal and Data Processing, Volume 13, Issue 4 (3-2017).
48. [48] B. W. Lampson. Protection. ACM SIGOPS Operating System Review, 8(1):18–24, January 1974. [DOI:10.1145/775265.775268]
49. [49] Wu, S. X., Banzhaf, W.,"The use of computat-ional intelligence in intrusion detectionsystems: A review", Applied Soft Computing, vol. 10, pp. 1–35, (2010).
https://doi.org/10.1103/PhysRevA.82.014303
https://doi.org/10.1103/PhysRevA.81.061805
https://doi.org/10.1103/PhysRevA.81.042301
https://doi.org/10.1103/PhysRevA.82.032307
https://doi.org/10.1103/PhysRevA.81.033625
https://doi.org/10.1103/PhysRevA.82.052339
https://doi.org/10.1103/PhysRevA.82.053834
https://doi.org/10.1103/PhysRevA.81.044305
https://doi.org/10.1103/PhysRevA.81.053401
https://doi.org/10.1103/PhysRevA.82.043431
https://doi.org/10.1103/PhysRevA.82.034307
https://doi.org/10.1103/PhysRevA.82.053416
https://doi.org/10.1103/PhysRevA.82.052111
https://doi.org/10.1103/PhysRevA.82.013411 [DOI:10.1103/PhysRevA.82.013807] [PMID]
Send email to the article author
| Rights and permissions | |
 |
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. |
