Protecting a Moving Target: Addressing Web Application Concept Drift
Authors: Federico Maggi, William Robertson, Christopher Kruegel, Giovanni Vigna
Proceedings of the International Symposium on Recent Advances in Intrusion …
Journal Article
Abstract
Because of the ad hoc nature of web applications, intrusion detection systems that leverage machine learning techniques are particularly well-suited for protecting websites. The reason is that these systems are able to characterize the applications' normal behavior in an automated fashion. However, anomaly-based detectors for web applications suffer from false positives that are generated whenever the applications being protected change. These false positives need to be analyzed by the security officer who then has to interact with the web application developers to confirm that the reported alerts were indeed erroneous detections. In this paper, we propose a novel technique for the automatic detection of changes in web applications, which allows for the selective retraining of the affected anomaly detection models. We demonstrate that, by correctly identifying legitimate changes in web applications, we can reduce false positives and allow for the automated retraining of the anomaly models. We have evaluated our approach by analyzing a number of real-world applications. Our analysis shows that web applications indeed change substantially over time, and that our technique is able to effectively detect changes and automatically adapt the anomaly detection models to the new structure of the changed web applications.
@InProceedings{maggi_conceptdrift_2009,
  abstract   = {Because of the ad hoc nature of web applications,
                intrusion detection systems that leverage machine learning
                techniques are particularly well-suited for protecting
                websites. The reason is that these systems are able to
                characterize the applications' normal behavior in an
                automated fashion. However, anomaly-based detectors for web
                applications suffer from false positives that are generated
                whenever the applications being protected change. These
                false positives need to be analyzed by the security officer
                who then has to interact with the web application
                developers to confirm that the reported alerts were indeed
                erroneous detections. In this paper, we propose a novel
                technique for the automatic detection of changes in web
                applications, which allows for the selective retraining of
                the affected anomaly detection models. We demonstrate that,
                by correctly identifying legitimate changes in web
                applications, we can reduce false positives and allow for
                the automated retraining of the anomaly models. We have
                evaluated our approach by analyzing a number of real-world
                applications. Our analysis shows that web applications
                indeed change substantially over time, and that our
                technique is able to effectively detect changes and
                automatically adapt the anomaly detection models to the new
                structure of the changed web applications.},
  author     = {Maggi, Federico and Robertson, William and Kruegel,
                Christopher and Vigna, Giovanni},
  booktitle  = {Proceedings of the International Symposium on Recent
                Advances in Intrusion Detection (RAID)},
  date       = {2009-09-23},
  doi        = {10.1007/978-3-642-04342-0_2},
  file       = {files/papers/conference-papers/maggi_conceptdrift_2009.pdf},
  shorttitle = {ConceptDrift},
  title      = {Protecting a Moving Target: Addressing Web Application
                Concept Drift}
}