Spectrogram: A Mixture-of-Markov-Chains Model for Anomaly Detection in Web Traffic

Song, Yingbo; Keromytis, Angelos D.; Stolfo, Salvatore

We present Spectrogram, a machine learning based statistical anomaly detection (AD) sensor for defense against web-layer code-injection attacks. These attacks include PHP file inclusion, SQL-injection and cross-site-scripting; memory-layer exploits such as buffer overflows are addressed as well. Statistical AD sensors offer the advantage of being driven by the data that is being protected and not by malcode samples captured in the wild. While models using higher order statistics can often improve accuracy, trade-offs with false-positive rates and model efficiency remain a limiting usability factor. This paper presents a new model and sensor framework that offers a favorable balance under this constraint and demonstrates improvement over some existing approaches. Spectrogram is a network situated sensor that dynamically assembles packets to reconstruct content flows and learns to recognize legitimate web-layer script input. We describe an efficient model for this task in the form of a mixture of Markovchains and derive the corresponding training algorithm. Our evaluations show significant detection results on an array of real world web layer attacks, comparing favorably against other AD approaches.



Also Published In

Network and Distributed System Security Symposium 2009: February 8-11, 2009, San Diego, California: Proceedings
Internet Society

More About This Work

Academic Units
Computer Science
Published Here
March 9, 2012