Content-based methodology for anomaly detection on the web

Mark Last; Bracha Shapira; Yuval Elovici; Omer Zaafrany; Abraham Kandel

doi:10.1007/3-540-44831-4_13

Content-based methodology for anomaly detection on the web

Mark Last
, Bracha Shapira
, Yuval Elovici
, Omer Zaafrany
, Abraham Kandel

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

18 Scopus citations

Abstract

As became apparent after the tragic events of September 11, 2001, terrorist organizations and other criminal groups are increasingly using the legitimate ways of Internet access to conduct their malicious activities. Such actions cannot be detected by existing intrusion detection systems that are generally aimed at protecting computer systems and networks from some kind of "cyber attacks". Preparation of an attack against the human society itself can only be detected through analysis of the content accessed by the users. The proposed study aims at developing an innovative methodology for abnormal activity detection, which uses web content as the audit information provided to the detection system. The new behavior-based detection method learns the normal behavior by applying an unsupervised clustering algorithm to the contents of publicly available web pages viewed by a group of similar users. In this paper, we represent page content by the well-known vector space model. The content models of normal behavior are used in real-time to reveal deviation from normal behavior at a specific location on the net. The detection algorithm sensitivity is controlled by a threshold parameter. The method is evaluated by the tradeoff between the detection rate (TP) and the false positive rate (FP).

Original language	English
Title of host publication	Advances in Web Intelligence
Editors	Ernestina Menasalvas, Javier Segovia, Piotr S. Szczepaniak
Publisher	Springer Verlag
Pages	113-123
Number of pages	11
ISBN (Print)	3540401245, 9783540401247
DOIs	https://doi.org/10.1007/3-540-44831-4_13
State	Published - 1 Jan 2003
Event	1st International Atlantic Web Intelligence Conference, AWIC 2003 - Madrid, Spain Duration: 5 May 2003 → 6 May 2003

Publication series

Name	Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science)
Volume	2663
ISSN (Print)	0302-9743

Conference

Conference	1st International Atlantic Web Intelligence Conference, AWIC 2003
Country/Territory	Spain
City	Madrid
Period	5/05/03 → 6/05/03

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 9 Industry, Innovation, and Infrastructure
SDG 16 Peace, Justice and Strong Institutions

Keywords

Activity monitoring
Anomaly detection
Information retrieval
Unsupervised clustering
User modeling
Web security

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/3-540-44831-4_13

Cite this

Last, M., Shapira, B., Elovici, Y., Zaafrany, O., & Kandel, A. (2003). Content-based methodology for anomaly detection on the web. In E. Menasalvas, J. Segovia, & P. S. Szczepaniak (Eds.), Advances in Web Intelligence (pp. 113-123). (Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science); Vol. 2663). Springer Verlag. https://doi.org/10.1007/3-540-44831-4_13

@inproceedings{26d0bd2369ff4c71b88bcb46ed25e146,

title = "Content-based methodology for anomaly detection on the web",

abstract = "As became apparent after the tragic events of September 11, 2001, terrorist organizations and other criminal groups are increasingly using the legitimate ways of Internet access to conduct their malicious activities. Such actions cannot be detected by existing intrusion detection systems that are generally aimed at protecting computer systems and networks from some kind of {"}cyber attacks{"}. Preparation of an attack against the human society itself can only be detected through analysis of the content accessed by the users. The proposed study aims at developing an innovative methodology for abnormal activity detection, which uses web content as the audit information provided to the detection system. The new behavior-based detection method learns the normal behavior by applying an unsupervised clustering algorithm to the contents of publicly available web pages viewed by a group of similar users. In this paper, we represent page content by the well-known vector space model. The content models of normal behavior are used in real-time to reveal deviation from normal behavior at a specific location on the net. The detection algorithm sensitivity is controlled by a threshold parameter. The method is evaluated by the tradeoff between the detection rate (TP) and the false positive rate (FP).",

keywords = "Activity monitoring, Anomaly detection, Information retrieval, Unsupervised clustering, User modeling, Web security",

author = "Mark Last and Bracha Shapira and Yuval Elovici and Omer Zaafrany and Abraham Kandel",

note = "Publisher Copyright: {\textcopyright} 2003 Springer-Verlag Berlin Heidelberg.; 1st International Atlantic Web Intelligence Conference, AWIC 2003 ; Conference date: 05-05-2003 Through 06-05-2003",

year = "2003",

month = jan,

day = "1",

doi = "10.1007/3-540-44831-4\_13",

language = "English",

isbn = "3540401245",

series = "Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science)",

publisher = "Springer Verlag",

pages = "113--123",

editor = "Ernestina Menasalvas and Javier Segovia and Szczepaniak, \{Piotr S.\}",

booktitle = "Advances in Web Intelligence",

address = "Germany",

}

Last, M , Shapira, B , Elovici, Y, Zaafrany, O & Kandel, A 2003, Content-based methodology for anomaly detection on the web. in E Menasalvas, J Segovia & PS Szczepaniak (eds), Advances in Web Intelligence. Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science), vol. 2663, Springer Verlag, pp. 113-123, 1st International Atlantic Web Intelligence Conference, AWIC 2003, Madrid, Spain, 5/05/03. https://doi.org/10.1007/3-540-44831-4_13

Content-based methodology for anomaly detection on the web. / Last, Mark ; Shapira, Bracha ; Elovici, Yuval et al.
Advances in Web Intelligence. ed. / Ernestina Menasalvas; Javier Segovia; Piotr S. Szczepaniak. Springer Verlag, 2003. p. 113-123 (Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science); Vol. 2663).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Content-based methodology for anomaly detection on the web

AU - Last, Mark

AU - Shapira, Bracha

AU - Elovici, Yuval

AU - Zaafrany, Omer

AU - Kandel, Abraham

PY - 2003/1/1

Y1 - 2003/1/1

N2 - As became apparent after the tragic events of September 11, 2001, terrorist organizations and other criminal groups are increasingly using the legitimate ways of Internet access to conduct their malicious activities. Such actions cannot be detected by existing intrusion detection systems that are generally aimed at protecting computer systems and networks from some kind of "cyber attacks". Preparation of an attack against the human society itself can only be detected through analysis of the content accessed by the users. The proposed study aims at developing an innovative methodology for abnormal activity detection, which uses web content as the audit information provided to the detection system. The new behavior-based detection method learns the normal behavior by applying an unsupervised clustering algorithm to the contents of publicly available web pages viewed by a group of similar users. In this paper, we represent page content by the well-known vector space model. The content models of normal behavior are used in real-time to reveal deviation from normal behavior at a specific location on the net. The detection algorithm sensitivity is controlled by a threshold parameter. The method is evaluated by the tradeoff between the detection rate (TP) and the false positive rate (FP).

AB - As became apparent after the tragic events of September 11, 2001, terrorist organizations and other criminal groups are increasingly using the legitimate ways of Internet access to conduct their malicious activities. Such actions cannot be detected by existing intrusion detection systems that are generally aimed at protecting computer systems and networks from some kind of "cyber attacks". Preparation of an attack against the human society itself can only be detected through analysis of the content accessed by the users. The proposed study aims at developing an innovative methodology for abnormal activity detection, which uses web content as the audit information provided to the detection system. The new behavior-based detection method learns the normal behavior by applying an unsupervised clustering algorithm to the contents of publicly available web pages viewed by a group of similar users. In this paper, we represent page content by the well-known vector space model. The content models of normal behavior are used in real-time to reveal deviation from normal behavior at a specific location on the net. The detection algorithm sensitivity is controlled by a threshold parameter. The method is evaluated by the tradeoff between the detection rate (TP) and the false positive rate (FP).

KW - Activity monitoring

KW - Anomaly detection

KW - Information retrieval

KW - Unsupervised clustering

KW - User modeling

KW - Web security

UR - https://www.scopus.com/pages/publications/4544330446

U2 - 10.1007/3-540-44831-4_13

DO - 10.1007/3-540-44831-4_13

M3 - Conference contribution

AN - SCOPUS:4544330446

SN - 3540401245

SN - 9783540401247

T3 - Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science)

SP - 113

EP - 123

BT - Advances in Web Intelligence

A2 - Menasalvas, Ernestina

A2 - Segovia, Javier

A2 - Szczepaniak, Piotr S.

PB - Springer Verlag

T2 - 1st International Atlantic Web Intelligence Conference, AWIC 2003

Y2 - 5 May 2003 through 6 May 2003

ER -

Content-based methodology for anomaly detection on the web

Abstract

Publication series

Conference

UN SDGs

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this