Multidimensional and Hierarchical Anomaly Detection System of Web Attacks

Jiawei Li
Jianfeng Guan
Zhongbai Jiang

Keywords

Web Attacks, Anomaly Detection, Statistical Model, Classification

Abstract

In recent years, large-scale dynamic HTTP requests have posed great challenges for traditional
detection systems in web applications. In general, intrusion detection is classified into misuse
detection and anomaly detection. Misuse detection suffers from poor adaptability and a high cost
of updating and maintenance. Anomaly detection has therefore emerged as an improvement on misuse
detection, since it can identify previously unknown attacks. However, learning-based anomaly
detection is prone to a high number of false positives. This paper presents a hierarchical anomaly
detection system that combines a multidimensional feature generation system with a classification
system. The system works in three steps: first, it constructs a separate statistical model based
on large quantities of HTTP access records; second, it adopts unsupervised learning algorithms to
build a variety of detection subsystems; finally, it merges the results of every subsystem with a
classification algorithm. We evaluated the system on one month of real web logs from QIHU360. The
results demonstrate that the proposed model achieves good detection performance and time
complexity.
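
The three steps described in the abstract, as an added Python example that is not the authors' code. The feature dimensions, the per-dimension z-score subsystems, the nearest-centroid merger (standing in for the classification algorithm, which the abstract does not name) and all sample requests are assumptions made for illustration.

```python
import math
from statistics import mean, pstdev
from urllib.parse import urlsplit, unquote

# Constructed sample records (not taken from the QIHU360 logs used in the paper).
UNLABELLED = ["/search?q=shoes&page=1", "/search?q=redhat&page=2", "/item?id=1042",
              "/item?id=77&ref=home", "/login?user=alice", "/search?q=laptop&page=3"]
LABELLED = [("/item?id=1%27%20OR%20%271%27=%271", 1),
            ("/search?q=%3Cscript%3Ealert(1)%3C/script%3E", 1),
            ("/search?q=boots&page=4", 0), ("/item?id=9", 0), ("/login?user=bob", 0)]

def features(url):
    """Assumed dimensions: query length, special-character ratio, parameter count."""
    q = unquote(urlsplit(url).query)
    special = sum(not (c.isalnum() or c in "=&") for c in q)
    return [len(q), special / max(len(q), 1), q.count("&") + 1 if q else 0]

def fit_subsystems(urls):
    """Steps 1-2: one (mean, std) profile per dimension, learned without labels."""
    cols = zip(*(features(u) for u in urls))
    # Floor the deviation so a constant dimension does not divide by zero.
    return [(mean(c), max(pstdev(c), 0.05)) for c in map(list, cols)]

def scores(subsystems, url):
    """Each subsystem reports a capped z-score for its own dimension."""
    return [min(abs(x - mu) / sd, 10.0)
            for (mu, sd), x in zip(subsystems, features(url))]

def fit_merger(subsystems, labelled):
    """Step 3: nearest-centroid classifier over the subsystem score vectors."""
    centroids = {}
    for label in (0, 1):
        rows = [scores(subsystems, u) for u, y in labelled if y == label]
        centroids[label] = [mean(col) for col in zip(*rows)]
    return centroids

def is_anomalous(subsystems, centroids, url):
    """Flag the request if its scores lie closer to the anomalous centroid."""
    s = scores(subsystems, url)
    return math.dist(s, centroids[1]) < math.dist(s, centroids[0])

SUBSYSTEMS = fit_subsystems(UNLABELLED)
CENTROIDS = fit_merger(SUBSYSTEMS, LABELLED)

if __name__ == "__main__":
    for url in ("/search?q=tablet&page=2", "/login?user=admin%27--"):
        print(url, scores(SUBSYSTEMS, url), is_anomalous(SUBSYSTEMS, CENTROIDS, url))
```

Merging the subsystem scores through a trained classifier, rather than alerting on any single score above a threshold, is the layer that addresses the false-positive problem the abstract raises: a short but otherwise ordinary query such as `/item?id=9` scores high on length alone and is still classed as normal.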