Unsupervised machine learning methods for finding anomalies in real-time web sessions

Alexandra Zyablitseva


Detecting anomalies in web sessions is an important issue that is currently actively developing. To detect cyber threats, the signature-based anomaly detection method is generally used. Such methods effectively detect known attacks, but cannot detect unknown anomalies. In addition, existing anomaly detection methods are usually based on identifying abnormal sessions based on static data, having training data with tags, and also determine the session based on the IP address. In this paper, the main methods of collecting information about user actions on the network, forms of logging and collecting information about web sessions are considered, an approach to finding anomalies in web sessions is presented and justified. The anomaly detection model in web sessions uses an unsupervised clustering algorithm that does not require pre-marinated data, and the most effective clustering uses 13 of the most useful session parameters. The architecture of the developed approach is described for the presented model. At the end of the work, the result of the tethering is presented and further directions for the development of the project are described.

Full Text:

PDF (Russian)


Grace L. K., Maheswari V., Nagamalai D. Analysis of web logs and web user in web mining //arXiv preprint arXiv:1101.5668. – 2011.

Yixin Wu, Yuqiang Sun, Cheng Huang, Peng Jia, Luping Liu, "Session-Based Webshell Detection Using Machine Learning in Web Logs", Security and Communication Networks, vol. 2019, Article ID 3093809, 11

pages, 2019. https://doi.org/10.1155/2019/3093809

Sisodia D. S., Verma S. Web usage pattern analysis through web logs: A review //2012 Ninth International Conference on Computer Science and Software Engineering (JCSSE). – IEEE, 2012. – С. 49-53.

Cooley, R., Mobasher, B., and Srivastava, J, “Web mining: information and pattern discovery on the World Wide Web”, International Conference on Tools with Artificial Intelligence, Newport Beach, IEEE, 1997, pp. 558-567

Johns M. S. Identification protocol. – 1993. – №. rfc1413.

Bawany N. Z., Shamsi J. A., Salah K. DDoS attack detection and mitigation using SDN: methods, practices, and solutions //Arabian Journal for Science and Engineering. – 2017. – Т. 42. – С. 425-441.

Park J. et al. Network log-based SSH brute-force attack detection model //Computers, Materials & Continua. – 2021. – Т. 68. – №. 1.

Chen Q. et al. Privwatcher: Non-bypassable monitoring and protection of process credentials from memory corruption attacks //Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. – 2017. – С. 167-178.

Gill R., Smith J., Clark A. Experiences in passively detecting session hijacking attacks in IEEE 802.11 networks //ACSW Frontiers 2006: Proceedings of the 4th Australasian Symposium on Grid Computing and e-Research (AusGrid 2006) and the 4th Australasian Information Security Workshop (Network Security)(AISW-NetSec 2006)[CRPIT, Volume 54]. – Australian Computer Society, 2006. – С. 221-230.

Sarmah U., Bhattacharyya D. K., Kalita J. K. A survey of detection methods for XSS attacks //Journal of Network and Computer Applications. – 2018. – Т. 118. – С. 113-143.

Calzavara S. et al. Mitch: A machine learning approach to the black-box detection of CSRF vulnerabilities //2019 IEEE European Symposium on Security and Privacy (EuroS&P). – IEEE, 2019. – С. 528-543.

Geiger I. I., Stuart R. Robots. txt: An Ethnographic Investigation of Automated Software Agents in User-Generated Content Platforms : дис. – UC Berkeley, 2015.

Martin Roesch et al. Snort: Lightweight intrusion detection for networks. In Lisa, volume 99, pages 229-238, 1999.

Magnus Almgren, Herve Debar, and Marc Dacier. A lightweight tool for detecting web server attacks. In NDSS, 2000.

Christopher Kruegel and Giovanni Vigna. Anomaly detection of web- based attacks. In Proceedings of the 10th ACM conference on Computer and communications security, pages 251-261, 2003.

Sarker I. H. Machine learning: Algorithms, real-world applications and research directions //SN computer science. – 2021. – Т. 2. – №. 3. – С. 160.

Swarndeep Saket J., Pandya S. An overview of partitioning algorithms in clustering techniques //International Journal of Advanced Research in Computer Engineering & Technology (IJARCET). – 2016. – Т. 5. – №. 6. – С. 1943-1946.

Truong Son Pham, Tuan Hao Hoang, and Vu Van Canh. Machine learning techniques for web intrusion detection— a comparison. In 2016 Eighth International Conference on Knowledge and Systems Engineer- ing (KSE), pages 291-297. IEEE, 2016.

Pengfei Liu, Weiping Wang, Xi Luo, Haodong Wang, and Chushu Liu. Nsdroid: efficient multi-classification of android malware using neighborhood signature in local function call graphs.International Journal of Information Security, pages 1-13, 2020.

Weiping Wang, Jianjian Wei, Shigeng Zhang, and Xi Luo. Lscdroid: Malware detection based on local sensitive api invocation sequences. IEEE Transactions on Reliability, 69(1):174-187, 2019.

Jingxi Liang, Wen Zhao, and Wei Ye. Anomaly-based web attack detection: a deep learning approach. In Proceedings of the 2017 VI International Conferen

Sun Y. et al. Wsad: An unsupervised web session anomaly detection method //2020 16th International Conference on Mobility, Sensing and Networking (MSN). – IEEE, 2020. – С. 735-739.

Saha J., Mukherjee J. IPD: An Incremental Prototype based DBSCAN for large-scale data with cluster representatives //arXiv preprint arXiv:2202.07870. – 2022. —DBSCAN

Azhir E. et al. An efficient automated incremental density-based algorithm for clustering and classification //Future Generation Computer Systems. – 2021. – Т. 114. – С. 665-678.—DBSCAN

Bakr A. M., Ghanem N. M., Ismail M. A. Efficient incremental density-based algorithm for clustering large datasets //Alexandria engineering journal. – 2015. – Т. 54. – №. 4. – С. 1147-1154

S. Young, I. Arel, A fast and stable incremental clustering algorithm, in: Seventh International Conference on Information Technology: New Generations (ITNG), April 2010, pp. 204–209.

A repository with the only code of the "J-wsad" software product. [electronic resource]. URL: https://github.com/jbrigett/j-wsad.git (accessed 05/10/2024).

A repository with the only code of the "J-wsad" software product. [electronic resource]. URL: https://github.com/jbrigett/j-wsad-utilities.git (accessed 05/10/2024).

Namiot, Dmitry, Eugene Ilyushin, and Ivan Chizhov. "Artificial intelligence and cybersecurity." International Journal of Open Information Technologies 10.9 (2022): 135-147. (in Russian)

Iskusstvennyj intellekt kak strategicheskij instrument jekonomicheskogo razvitija strany i sovershenstvovanija ee gosudarstvennogo upravlenija. Chast' 2. Perspektivy primenenija iskusstvennogo intellekta v Rossii dlja gosudarstvennogo upravlenija / I. A. Sokolov, V. I. Drozhzhinov, A. N. Rajkov [i dr.] // International Journal of Open Information Technologies. – 2017. – T. 5, # 9. – S. 76-101. – EDN ZEQDMT.

Kuprijanovskij, V. P. Demistifikacija cifrovoj jekonomiki / V. P. Kuprijanovskij, D. E. Namiot, S. A. Sinjagov // International Journal of Open Information Technologies. – 2016. – T. 4, # 11. – S. 59-63. – EDN WXQLIJ.

Roznichnaja torgovlja v cifrovoj jekonomike / V. P. Kuprijanovskij, S. A. Sinjagov, D. E. Namiot [i dr.] // International Journal of Open Information Technologies. – 2016. – T. 4, # 7. – S. 1-12. – EDN WCMIWN.


  • There are currently no refbacks.

Abava  Кибербезопасность MoNeTec 2024

ISSN: 2307-8162