TY - GEN
T1 - Content-based methodology for anomaly detection on the web
AU - Last, Mark
AU - Shapira, Bracha
AU - Elovici, Yuval
AU - Zaafrany, Omer
AU - Kandel, Abraham
N1 - Publisher Copyright: © 2003 Springer-Verlag Berlin Heidelberg.
PY - 2003/4/30
Y1 - 2003/4/30
N2 - As became apparent after the tragic events of September 11, 2001, terrorist organizations and other criminal groups are increasingly using the legitimate ways of Internet access to conduct their malicious activities. Such actions cannot be detected by existing intrusion detection systems that are generally aimed at protecting computer systems and networks from some kind of "cyber attacks". Preparation of an attack against the human society itself can only be detected through analysis of the content accessed by the users. The proposed study aims at developing an innovative methodology for abnormal activity detection, which uses web content as the audit information provided to the detection system. The new behavior-based detection method learns the normal behavior by applying an unsupervised clustering algorithm to the contents of publicly available web pages viewed by a group of similar users. In this paper, we represent page content by the well-known vector space model. The content models of normal behavior are used in real-time to reveal deviation from normal behavior at a specific location on the net. The detection algorithm sensitivity is controlled by a threshold parameter. The method is evaluated by the tradeoff between the detection rate (TP) and the false positive rate (FP).
KW - Activity monitoring
KW - Anomaly detection
KW - Information retrieval
KW - Unsupervised clustering
KW - User modeling
KW - Web security
UR - http://www.scopus.com/inward/record.url?scp=4544330446&partnerID=8YFLogxK
U2 - 10.1007/3-540-44831-4_13
DO - 10.1007/3-540-44831-4_13
M3 - Conference contribution
AN - SCOPUS:4544330446
SN - 3540401245
SN - 9783540401247
T3 - Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science)
SP - 113
EP - 123
BT - Advances in Web Intelligence
A2 - Menasalvas, Ernestina
A2 - Segovia, Javier
A2 - Szczepaniak, Piotr S.
PB - Springer Verlag
T2 - 1st International Atlantic Web Intelligence Conference, AWIC 2003
Y2 - 5 May 2003 through 6 May 2003
ER -