2009 Articles
Spectrogram: A Mixture-of-Markov-Chains Model for Anomaly Detection in Web Traffic
We present Spectrogram, a machine-learning-based statistical anomaly detection (AD) sensor for defense against web-layer code-injection attacks. These attacks include PHP file inclusion, SQL injection and cross-site scripting; memory-layer exploits such as buffer overflows are addressed as well. Statistical AD sensors offer the advantage of being driven by the data that is being protected and not by malcode samples captured in the wild. While models using higher-order statistics can often improve accuracy, trade-offs with false-positive rates and model efficiency remain a limiting usability factor. This paper presents a new model and sensor framework that offers a favorable balance under this constraint and demonstrates improvement over some existing approaches. Spectrogram is a network-situated sensor that dynamically assembles packets to reconstruct content flows and learns to recognize legitimate web-layer script input. We describe an efficient model for this task in the form of a mixture of Markov chains and derive the corresponding training algorithm. Our evaluations show significant detection results on an array of real-world web-layer attacks, comparing favorably against other AD approaches.
Files
- ndss_09_07.pdf (application/pdf, 212 KB)
Also Published In
- Title: Network and Distributed System Security Symposium 2009: February 8-11, 2009, San Diego, California: Proceedings
- Publisher: Internet Society
More About This Work
- Academic Units: Computer Science
- Published Here: March 9, 2012