Detecting web attacks with end-to-end deep learning
Abstract: Web applications are popular targets for cyber-attacks because they are network-accessible and often contain vulnerabilities. An intrusion detection system monitors web applications and issues alerts when an attack attempt is detected. Existing implementations of intrusion detection systems...
Main Authors: | Yao Pan, Fangzhou Sun, Zhongwei Teng, Jules White, Douglas C. Schmidt, Jacob Staples, Lee Krause |
---|---|
Format: | Article |
Language: | English |
Published: | Brazilian Computing Society (SBC), 2019-08-01 |
Series: | Journal of Internet Services and Applications |
Subjects: | Web security, Deep learning, Application instrumentation |
Online Access: | http://link.springer.com/article/10.1186/s13174-019-0115-x |
_version_ | 1811273257172598784 |
---|---|
author | Yao Pan Fangzhou Sun Zhongwei Teng Jules White Douglas C. Schmidt Jacob Staples Lee Krause |
collection | DOAJ |
description | Abstract: Web applications are popular targets for cyber-attacks because they are network-accessible and often contain vulnerabilities. An intrusion detection system monitors web applications and issues alerts when an attack attempt is detected. Existing implementations of intrusion detection systems usually extract features from network packets or string characteristics of input that are manually selected as relevant to attack analysis. Manually selecting features, however, is time-consuming and requires in-depth security domain knowledge. Moreover, large amounts of labeled legitimate and attack request data are needed by supervised learning algorithms to classify normal and abnormal behaviors, which is often expensive and impractical to obtain for production web applications. This paper provides three contributions to the study of autonomic intrusion detection systems. First, we evaluate the feasibility of an unsupervised/semi-supervised approach for web attack detection based on the Robust Software Modeling Tool (RSMT), which autonomically monitors and characterizes the runtime behavior of web applications. Second, we describe how RSMT trains a stacked denoising autoencoder to encode and reconstruct the call graph for end-to-end deep learning, where a low-dimensional representation of the raw features with unlabeled request data is used to recognize anomalies by computing the reconstruction error of the request data. Third, we analyze the results of empirically testing RSMT on both synthetic datasets and production applications with intentional vulnerabilities. Our results show that the proposed approach can efficiently and accurately detect attacks, including SQL injection, cross-site scripting, and deserialization, with minimal domain knowledge and little labeled training data. |
first_indexed | 2024-04-12T22:55:53Z |
format | Article |
id | doaj.art-91459b777bc34802895c67bd93d84b38 |
institution | Directory Open Access Journal |
issn | 1867-4828 1869-0238 |
language | English |
last_indexed | 2024-04-12T22:55:53Z |
publishDate | 2019-08-01 |
publisher | Brazilian Computing Society (SBC) |
record_format | Article |
series | Journal of Internet Services and Applications |
spelling | Yao Pan, Fangzhou Sun, Zhongwei Teng, Jules White, Douglas C. Schmidt (Department of EECS, Vanderbilt University); Jacob Staples, Lee Krause (Securboration Inc.) |
title | Detecting web attacks with end-to-end deep learning |
topic | Web security Deep learning Application instrumentation |
url | http://link.springer.com/article/10.1186/s13174-019-0115-x |