Title :
Detecting Anomalous Web Browsing via Diffusion Wavelets
Author :
Suen, Ho Yan ; Lau, Wing Cheong ; Yue, OnChing
Author_Institution :
Dept. of Inf. Eng., Chinese Univ. of Hong Kong, Hong Kong, China
Abstract :
Web access logs contain information which can be converted to represent the access history of individual users. A large number of essential attributes can be extracted from the access history, for example, the access counts of each webpage, the occurrence of different webpage access sequences and the time spent between consecutive accesses. Each of the above attributes represents a dimension in the feature space, and all the attributes together form a very high-dimensional space. Diffusion Wavelets can efficiently project the high-dimensional data onto a low-dimensional space according to the correlations between various attributes, so that common anomaly detection algorithms can be applied. In this paper, we propose a system which leverages this technique to differentiate web-access requests generated by Denial of Service (DoS) attacks from legitimate ones. We demonstrate the effectiveness of the proposed system via simulation studies using real-world web access logs. For a simulated HTTP flooding attack which creates a 1000% overload at the web-server, the proposed scheme can reduce the ratio of the attack-to-legitimate requests admitted by the server from 200:1 to 30:1 so that more than 55% of the legitimate requests can still receive proper services under such a severe DoS attack.
Keywords :
Internet; security of data; HTTP flooding attack; Web access logs; Webpage access sequences; anomalous Web browsing detection; denial-of-service attack; diffusion wavelets; Communications Society; Computer crime; Data mining; Detection algorithms; Floods; History; Length measurement; Navigation; Wavelet analysis; Web server;
Conference_Title :
Communications (ICC), 2010 IEEE International Conference on
Conference_Location :
Cape Town
Print_ISBN :
978-1-4244-6402-9
DOI :
10.1109/ICC.2010.5502089