High-speed web attack detection through extracting exemplars from HTTP traffic

Abstract
In this work, we propose an effective method for high-speed web attack detection by extracting exemplars from HTTP traffic before the detection model is built. The smaller set of exemplars keeps valuable information of the original traffic while it significantly reduces the size of the traffic so that the detection remains effective and improves the detection efficiency. The Affinity Propagation (AP) is employed to extract the exemplars from the HTTP traffic. K-Nearest Neighbor(K-NN) and one class Support Vector Machine (SVM) are used for anomaly detection. To facilitate comparison, we also employ information gain to select key attributes (a.k.a. features) from the HTTP traffic for web attack detection. Two large real HTTP traffic are used to validate our methods. The extensive test results show that the AP based exemplar extraction significantly improves the real-time performance of the detection compared to using all the HTTP traffic and achieves a more robust detection performance than information gain based attribute selection for web attack detection. © 2011 ACM.

Citation
Wang, W., & Zhang, X. (2011). High-speed web attack detection through extracting exemplars from HTTP traffic. Proceedings of the 2011 ACM Symposium on Applied Computing - SAC ’11. doi:10.1145/1982185.1982512

Publisher
Association for Computing Machinery (ACM)

Journal
Proceedings of the 2011 ACM Symposium on Applied Computing - SAC '11

Conference/Event Name
26th Annual ACM Symposium on Applied Computing, SAC 2011

DOI
10.1145/1982185.1982512

Permanent link to this record