Detecting and Explaining Anomalies Caused by Web Tamper Attacks via Building Consistency-based Normality
Published in | IEEE/ACM International Conference on Automated Software Engineering : [proceedings] pp. 531 - 543 |
---|---|
Main Authors | Liao, Yifan; Xu, Ming; Lin, Yun; Teoh, Xiwen; Xie, Xiaofei; Feng, Ruitao; Liauw, Frank; Zhang, Hongyu; Dong, Jin Song |
Format | Conference Proceeding |
Language | English |
Published | ACM, 27.10.2024 |
Subjects | Anomaly detection; Detectors; log detection; Logic; Monitoring; Predictive models; Python; Reliability; Runtime; Security; web security; Web services |
Online Access | https://ieeexplore.ieee.org/document/10765029 |
ISSN | 2643-1572 |
DOI | 10.1145/3691620.3695024 |
Abstract | Web applications are crucial infrastructure in modern society and have high demands for reliability and security. However, their frontend can be manipulated by clients (e.g., the frontend code can be modified to bypass some validation steps), which causes runtime anomalies when operating the web service. Existing state-of-the-art anomaly detectors largely learn a deep learning model from the collected logs to predict abnormal logs with a probability. While effective in general, those approaches can suffer from (1) inaccuracy caused by subtle differences between the normal and abnormal/attack logs and (2) additional effort for root cause analysis. In this work, we propose WebNorm, an anomaly detection approach to detect and explain attack-caused anomalies on web applications in a unified way. Our rationale lies in learning the behavioral normalities of a running web application as invariants. The normalities are designed regarding data normality (e.g., what information must be consistent across different events), flow normality (e.g., what events must happen under certain circumstances), and common-sense normality (e.g., what is the normal range of some parameters). The violation of an invariant indicates both the alarm and its explanation. WebNorm first monitors the normal behaviors of the subject application and captures its information flows between entities such as frontend, service, and database. Then, it learns the behavioral normalities in terms of logical rules so that it can detect and explain behavioral anomalies by the inconsistency between the learned normalities and the runtime application behaviors. We model the invariants as first-order logic, which can be transferred to executable Python scripts that generate alarms with explainable root causes. Our extensive experiments show that, in detecting tamper attacks on web applications such as TrainTicket and NiceFish, WebNorm improves the precision and the recall of the baselines LogAnomaly, LogRobust, DeepLog, NeuralLog, PLELog, and ReplicaWatcher by more than 56.1% and 35.1% respectively, serving as a new state-of-the-art anomaly detection solution. |
---|---|
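The three normality classes named in the abstract (data, flow, common-sense) can be made concrete with a small learner-and-checker. The following is an added illustration, not WebNorm's code or the paper's evaluation: the event names, fields, normal sessions and tampered sessions are constructed for the example, and the invariant mining uses the simplest rule that fits each class (field equality across event types, required predecessor events, observed numeric range). It shows how a violated invariant carries its own explanation, which is the property the abstract claims for the approach.

```python
"""Consistency-based normality learner and checker (added illustration; not
WebNorm's code). Events are dicts with an "event" name prefixed by the tier
that emitted it (frontend / service / db) plus the fields it carried."""
from itertools import combinations


def session(item, price, qty):
    """Constructed normal checkout session: one event per step, in order."""
    return [
        {"event": "frontend.select_item", "item": item, "price": price},
        {"event": "frontend.validate_input", "item": item, "qty": qty},
        {"event": "service.price_lookup", "item": item, "price": price},
        {"event": "frontend.submit_order", "item": item, "price": price, "qty": qty},
        {"event": "service.validate_order", "item": item, "qty": qty},
        {"event": "db.insert_order", "item": item, "price": price, "qty": qty},
    ]


# Constructed normal traffic used to learn the invariants.
NORMAL_TRACES = [session("A1", 120.0, 2), session("A2", 80.0, 1), session("A3", 45.5, 5)]

# Constructed tampered sessions: a client rewrote the submitted price and the
# service stored it; a client removed the frontend validation step; a client
# submitted an absurd quantity.
PRICE_TAMPERED = session("A1", 120.0, 2)
PRICE_TAMPERED[3]["price"] = 1.0   # frontend.submit_order
PRICE_TAMPERED[5]["price"] = 1.0   # db.insert_order trusted the client value
VALIDATION_SKIPPED = [e for e in session("A2", 80.0, 1)
                      if e["event"] != "frontend.validate_input"]
QTY_TAMPERED = session("A3", 45.5, 999)


def learn_normalities(traces):
    """Mine one invariant family per normality class from normal sessions."""
    data = {}        # (type1, type2, field) -> True while the values always agree
    flow = {}        # type -> event types seen before it in every session
    lo, hi = {}, {}  # (type, field) -> observed numeric bounds
    for trace in traces:
        first, seen = {}, set()
        for ev in trace:
            t = ev["event"]
            if t not in first:
                first[t] = ev
                # Flow normality: keep only predecessors common to all sessions.
                flow[t] = set(seen) if t not in flow else flow[t] & seen
            seen.add(t)
            # Common-sense normality: track the range of every numeric field.
            for f, v in ev.items():
                if isinstance(v, (int, float)) and not isinstance(v, bool):
                    lo[(t, f)] = min(lo.get((t, f), v), v)
                    hi[(t, f)] = max(hi.get((t, f), v), v)
        # Data normality: a shared field that agrees across two event types.
        for t1, t2 in combinations(sorted(first), 2):
            for f in (set(first[t1]) & set(first[t2])) - {"event"}:
                agree = first[t1][f] == first[t2][f]
                data[(t1, t2, f)] = data.get((t1, t2, f), True) and agree
    return {
        "data": [k for k, ok in data.items() if ok],
        "flow": [(a, b) for b, preds in flow.items() for a in sorted(preds)],
        "range": [(t, f, lo[(t, f)], hi[(t, f)]) for (t, f) in lo],
    }


def detect(trace, model):
    """Evaluate every learned invariant on one session. Each violation is the
    alarm and its explanation at once."""
    alarms = []
    first = {}
    for ev in trace:
        first.setdefault(ev["event"], ev)
    for t1, t2, f in model["data"]:
        if t1 in first and t2 in first and f in first[t1] and f in first[t2]:
            v1, v2 = first[t1][f], first[t2][f]
            if v1 != v2:
                alarms.append(f"data: {t1}.{f}={v1!r} but {t2}.{f}={v2!r}")
    seen = set()
    for ev in trace:
        for a, b in model["flow"]:
            if b == ev["event"] and a not in seen:
                alarms.append(f"flow: {b} happened without a prior {a}")
        seen.add(ev["event"])
    for t, f, lo, hi in model["range"]:
        if t in first and f in first[t] and not lo <= first[t][f] <= hi:
            alarms.append(f"range: {t}.{f}={first[t][f]!r} outside [{lo}, {hi}]")
    return alarms


if __name__ == "__main__":
    model = learn_normalities(NORMAL_TRACES)
    for name, trace in [("normal", NORMAL_TRACES[0]), ("price tampered", PRICE_TAMPERED),
                        ("validation skipped", VALIDATION_SKIPPED), ("qty tampered", QTY_TAMPERED)]:
        print(name, "->", detect(trace, model) or "no violation")
```

The price-tampered session is caught twice over: the data invariant "frontend.submit_order.price equals service.price_lookup.price" names the exact field the client changed, and the range invariant flags 1.0 as outside anything seen in training. Removing the client-side validation step triggers only flow invariants, which is the bypass the abstract uses as its motivating example. The usual caveat for invariant mining applies: with only three normal sessions the learned ranges are tight and any legitimate but unseen price would also alarm, so the normal-behavior monitoring phase has to cover enough traffic before the rules are trusted.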
Author | Liao, Yifan; Xu, Ming; Lin, Yun; Teoh, Xiwen; Xie, Xiaofei; Feng, Ruitao; Liauw, Frank; Zhang, Hongyu; Dong, Jin Song |
Author_xml | 1. Liao, Yifan (yifan.liao@nusricq.cn; Shanghai Jiao Tong University, China); 2. Xu, Ming (mingxu@nus.edu.sg; Shanghai Jiao Tong University, China); 3. Lin, Yun (lin_yun@sjtu.edu.cn; Shanghai Jiao Tong University, China); 4. Teoh, Xiwen (xiwen@nus.edu.sg; National University of Singapore, Singapore); 5. Xie, Xiaofei (xfxie@smu.edu.sg; Singapore Management University, Singapore); 6. Feng, Ruitao (rtfeng@smu.edu.sg; Singapore Management University, Singapore); 7. Liauw, Frank (Frank_LIAUW@tech.gov.sg; Government Technology Agency of Singapore, Singapore); 8. Zhang, Hongyu (hongyujohn@gmail.com; Chongqing University, China); 9. Dong, Jin Song (dcsdjs@nus.edu.sg; National University of Singapore, Singapore) |
CODEN | IEEPAD |
ContentType | Conference Proceeding |
DOI | 10.1145/3691620.3695024 |
DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings; IEEE Proceedings Order Plan All Online (POP All Online) 1998-present by volume; IEEE Xplore All Conference Proceedings; IEEE Electronic Library (IEL); IEEE Proceedings Order Plans (POP All) 1998-Present |
Discipline | Computer Science |
EISBN | 9798400712487 |
EISSN | 2643-1572 |
EndPage | 543 |
ExternalDocumentID | 10765029 |
Genre | orig-research |
IsPeerReviewed | false |
IsScholarly | true |
Language | English |
PageCount | 13 |
PublicationCentury | 2000 |
PublicationDate | 2024-Oct.-27 |
PublicationDateYYYYMMDD | 2024-10-27 |
PublicationDecade | 2020 |
PublicationTitle | IEEE/ACM International Conference on Automated Software Engineering : [proceedings] |
PublicationTitleAbbrev | ASE |
PublicationYear | 2024 |
Publisher | ACM |
StartPage | 531 |
SubjectTerms | Anomaly detection; Detectors; log detection; Logic; Monitoring; Predictive models; Python; Reliability; Runtime; Security; web security; Web services |
Title | Detecting and Explaining Anomalies Caused by Web Tamper Attacks via Building Consistency-based Normality |
URI | https://ieeexplore.ieee.org/document/10765029 |