AppMine: Behavioral Analytics for Web Application Vulnerability Detection

Web applications in widespread use have always been the target of large-scale attacks, leading to massive disruption of services and financial loss, as in the Equifax data breach. It has become common practice to deploy web applications in containers like Docker for better portability and ease of deployment. We design a system called AppMine for lightweight monitoring of web applications running in Docker containers and detection of unknown web vulnerabilities. AppMine is an unsupervised learning system, trained only on legitimate workloads of web applications, to detect anomalies based on either traditional models (PCA and one-class SVM), or more advanced neural-network architectures (LSTM). In our evaluation, we demonstrate that the neural network model outperforms more traditional methods on a range of web applications and recreated exploits. For instance, AppMine achieves average AUC scores as high as 0.97 for the Apache Struts application (with the CVE-2017-5638 exploit used in the Equifax breach), while the AUC scores for PCA and one-class SVM are 0.81 and 0.83, respectively.

• Publication year

  2019

• Venue

  Cloud Computing Security Workshop

• Publication date

  2019-08-06

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1145/3338466.3358923arXiv 1908.01928
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Towards Scalable Cluster Auditing through Grammatical Inference over Provenance Graphs

  2018cited by this paper
• Runtime Analysis of Whole-System Provenance

  2018cited by this paper
• Cosmological implications of primordial black holes

  2017cited by this paper
• Process monitoring on sequences of system call count vectors

  2017cited by this paper
• FRAPpuccino: Fault-detection through Runtime Analysis of Provenance

  2017cited by this paper
• Practical whole-system provenance capture

  2017cited by this paper
• DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning

  2017cited by this paper
• Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining

  2016cited by this paper
• Web Application Vulnerability Prediction Using Hybrid Program Analysis and Machine Learning

  2015cited by this paper
• Docker - Build, Ship, and Run Any App, Anywhere

  2014cited by this paper
• Beehive: large-scale log analysis for detecting suspicious activity in enterprise networks

  2013cited by this paper
• Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis

  2012cited by this paper
• Disclosure: detecting botnet command and control servers through large-scale NetFlow analysis

  2012cited by this paper
• EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis

  2011cited by this paper
• Effective Anomaly Detection with Scarce Training Data

  2010cited by this paper
• Detecting Intrusions through System Call Sequence and Argument Analysis

  2010cited by this paper
• Outside the Closed World: On Using Machine Learning for Network Intrusion Detection

  2010cited by this paper
• Beyond blacklists: learning to detect malicious web sites from suspicious URLs

  2009cited by this paper
• Spectrogram: A Mixture-of-Markov-Chains Model for Anomaly Detection in Web Traffic

  2009cited by this paper
• Using spatio-temporal information in API calls with machine learning algorithms for malware detection

  2009cited by this paper
• Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications

  2008cited by this paper
• Leveraging User Interactions for In-Depth Testing of Web Applications

  2008cited by this paper
• Pattern recognition and machine learning, 5th Edition

  2007cited by this paper
• Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis

  2007cited by this paper
• Exploiting Execution Context for the Detection of Anomalous System Calls

  2007cited by this paper
• Analysis of Computer Intrusions Using Sequences of Function Calls

  2007cited by this paper
• Swaddler: An Approach for the Anomaly-Based Detection of State Violations in Web Applications

  2007cited by this paper
• Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks

  2006cited by this paper
• Pixy: a static analysis tool for detecting Web application vulnerabilities

  2006cited by this paper
• Anomalous system call detection

  2006cited by this paper
• A multi-model approach to the detection of web-based attacks

  2005cited by this paper
• Bayesian event classification for intrusion detection

  2003cited by this paper
• Detecting intrusions using system calls: alternative data models

  1999cited by this paper
• An Application of Machine Learning to Anomaly Detection

  1999cited by this paper
• Data Mining Approaches for Intrusion Detection

  1998cited by this paper
• Intrusion detection using sequences of system calls

  1998cited by this paper
• Sequence Matching and Learning in Anomaly Detection for Computer Security

  1997cited by this paper
• Long Short-Term Memory

  1997cited by this paper
• A sense of self for Unix processes

  1996cited by this paper
• Learning representations by back-propagating errors

  1986cited by this paper

• WADBERT: Dual-channel Web Attack Detection Based on BERT Models

  2026cites this paper
• Applying Hidden Markov Models for user and entity behavioural analytics model

  2026cites this paper
• Artificial intelligence for system security assurance: A systematic literature review

  2024influential citation
• Survey on detecting and preventing web application broken access control attacks

  2024cites this paper
• A Survey on Web Application Testing: A Decade of Evolution

  2024cites this paper
• SoK: On the Offensive Potential of AI

  2024cites this paper
• Automation Frameworks and Best Practices for Cloud-Native Database Lifecycle Management

  2024cites this paper
• A Secure Framework for Communication and Data Processing in Web Applications

  2023cites this paper
• Deep Learning for Vulnerability and Attack Detection on Web Applications: A Systematic Literature Review

  2022cites this paper
• Applying unsupervised system-call based software security techniques for anomaly detection

  2022cites this paper
• Performance Anomaly Detection through Sequence Alignment of System-Level Traces

  2022cites this paper
• Neural software vulnerability analysis using rich intermediate graph representations of programs

  2021cites this paper