Detecting and Explaining Anomalies Caused by Web Tamper Attacks via Building Consistency-based Normality

Yifan Liao; Ming Xu; Yun Lin; Xiwen Teoh; Xiaofei Xie; Ruitao Feng; Frank Liaw; Hongyu Zhang; Jin Song Dong

doi:10.1145/3691620.3695024

Back

Conference proceeding

Detecting and Explaining Anomalies Caused by Web Tamper Attacks via Building Consistency-based Normality

Yifan Liao, Ming Xu, Yun Lin, Xiwen Teoh, Xiaofei Xie, Ruitao Feng, Frank Liaw, Hongyu Zhang and Jin Song Dong

Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pp.531-543

ACM Conferences

ASE '24: 39th IEEE/ACM International Conference on Automated Software Engineering, 39 (Sacramento, CA, United States, 27/10/2024–01/11/2024)

27/10/2024

DOI: https://doi.org/10.1145/3691620.3695024

Appears in Recent Faculty of Science and Engineering Publications

Metrics

1 Record Views

Abstract

Computing methodologies

Computing methodologies -- Machine learning

Computing methodologies -- Machine learning -- Learning paradigms

Computing methodologies -- Machine learning -- Learning paradigms -- Unsupervised learning

Computing methodologies -- Machine learning -- Learning paradigms -- Unsupervised learning -- Anomaly detection

Networks

Networks -- Network properties

Networks -- Network properties -- Network security

Security and privacy

Security and privacy -- Intrusion/anomaly detection and malware mitigation

Security and privacy -- Network security

Security and privacy -- Network security -- Web protocol security

Security and privacy -- Software and application security

Security and privacy -- Software and application security -- Web application security

Security and privacy -- Systems security

Security and privacy -- Systems security -- Vulnerability management

Security and privacy -- Systems security -- Vulnerability management -- Vulnerability scanners

Web applications are crucial infrastructures in the modern society, which have high demand of reliability and security. However, their frontend can be manipulable by the clients (e.g., the frontend code can be modified to bypass some validation steps), which incurs the runtime anomaly when operating the web service. Existing state-of-the-art anomaly detectors largely learn a deep learning model from the collected logs to predict abnormal logs with a probability. While effective in general, those approaches can suffer from (1) inaccuracy caused by subtle difference between the normal and abnormal/attack logs and (2) additional efforts for root cause analysis. In this work, we propose WebNorm, an anomaly detection approach to detect and explain the attack-caused anomalies on web applications in a unified way. Our rationale lies in learning the behaviorial normalities of a running web application as invariants. The normalities are designed regarding data normality (e.g., what information must be consistent across different events), flow normality (e.g., what events must happen under certain circumstances), and common-sense normality (e.g., what is the normal range of some parameters). The violation of the invariants indicates both the alarm and its explanation. WebNorm first monitors the normal behaviors of subject application and captures its information flows between entities such as frontend, service, and database. Then, it learns the behaviorial normalities in terms of logical rules so that it can detect and explain behaviorial anomaly by the inconsistency between the learned normalities and the runtime application behaviors. We model the invariants as first-order logics, transferrable to executable Python scripts to generate alarm with explainable root cause. Our extensive experiment shows that, on detecting the tamper attacks on the web applications as TrainTicket and NiceFish. WebNorm improves the precision and the recall of the baselines such as LogAnomaly, LogRobust, DeepLog, NeuralLog, PLELog, ReplicaWatcher by more than 56.1% and 35.1% respectively, serving as a new state-of-the-art anomaly detection solution.

Details

Title: Detecting and Explaining Anomalies Caused by Web Tamper Attacks via Building Consistency-based Normality
Creators: Yifan Liao - Shanghai Jiao Tong University
Ming Xu - Shanghai Jiao Tong University
Yun Lin - Shanghai Jiao Tong University
Xiwen Teoh - National University of Singapore, Singapore, Singapore
Xiaofei Xie - Singapore Management University
Ruitao Feng - Singapore Management University
Frank Liaw - Defence Science and Technology Agency
Hongyu Zhang - Chongqing University
Jin Song Dong - National University of Singapore
Publication Details: Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pp.531-543
Conference: ASE '24: 39th IEEE/ACM International Conference on Automated Software Engineering, 39 (Sacramento, CA, United States, 27/10/2024–01/11/2024)
Series: ACM Conferences
Publisher: Association for Computing Machinery (ACM); New York, NY, United States
Number of pages: 13
Grant note: National Research Foundation, SingaporeCyber SecurityAgency under its National Cybersecurity RD Programme: NCRP25-P04-TAICeN
This research/project is supported by the National Research Foundation, Singapore, and the Cyber SecurityAgency under its National Cybersecurity R&D Programme (NCRP25-P04-TAICeN). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of National Research Foundation, Singapore and Cyber Security Agency of Singapore.
Identifiers: 991013245555402368
Academic Unit: Faculty of Science and Engineering
Language: English
Resource Type: Conference proceeding

Detecting and Explaining Anomalies Caused by Web Tamper Attacks via Building Consistency-based Normality

Related links

Metrics

Abstract

Details

Southern Cross University Social media