As web services become enormously popular and complex in architecture, web attacks became frequent in numbers and quite serious in consequences. Existing security solutions like firewalls or signature based intrusion detection systems are generally ineffective in securing web services, and manual analysis of raw web log data is simply impractical for most organizations. Visual and real-time display of “interpreted” web logs, with emphasis on detection of anomalous web sessions, is essential for an organization to efficiently manage web servers and deter potential web attacks at the earliest possible opportunity. In this paper, we identify design issues related to effective visualization of web logs and present SAD (Session Anomaly Detection) viewer designed to satisfy such needs. In addition to providing concise display on the overall web session patterns such as the frequency of visited pages and their sequences, SAD viewer guides security engineers to perform focused analysis in real-time on the details of any web session. Web logs matching specific area of interest (e.g., duration, source IP, similarity to past usage patterns, etc) can be selectively displayed, and only selected logs are displayed. Web sessions that seem anomalous are visually flagged, and various attributes including source IP and anomaly scores are displayed. Users can further analyze details on the pages included in the suspicious web session including probabilistic comparison to the established usage profiles. We conducted an empirical study in which anomalous web sessions (e.g., DoS attacks, Code-Red worms and Whisker scans) were artificially injected. Our experience confirms that SAD viewer is useful in assisting security engineers in monitoring web usage patterns in real-time and in identifying anomalous web sessions.
현재의 웹 규모는 과거와 비교할 수 없을 만큼 복잡해지고 사용자의 패턴 또한 다양해지고 있다. 웹에 대한 공격은 점차 증가하고 있으며 이에 대한 탐지는 점점 어려워지고 있다. 이러한 웹 사이트의 효과적인 관리를 위하여 시각화를 통한 사용자들의 사용패턴과 보안 측면에서 이상행위 발생에 대한 신속하고 적절한 정보전달이 필요하다. 본 연구에서는 이러한 필요성에 기반을 두어 웹 서버의 access log를 분석하여 웹 사용 현황과 이상행위에 대한 효율적인 실시간 시각화를 위한 요구사항을 제안하고 이를 만족시키기 위해 SAD Viewer라는 툴을 개발하였다. 그리고 실제 시그네춰 위반 공격, DoS 공격, 코드레드 공격, Whisker 공격에 대한 실험을 통하여 구현된 Viewer가 효율적으로 사용자의 사용패턴과 이상행위를 시각화함을 보여주었다.