Title :
A clustering-based method for intrusion detection in web servers
Author :
Pereira, Hermano ; Jamhour, Edgard
Author_Institution :
PPGIA, Pontifical Catholic Univ. of Parana - PUCPR, Curitiba, Brazil
Abstract :
Today, intrusion detection systems (IDS) are indispensable to protect environments that provide information via the Internet. In the present trend of self-organizing and self-protecting systems, a special type of IDS that operates by non-supervised learning is an interesting approach. This type of IDS is able to extract models of behavior of the environment without the need for prior knowledge about attacks or signatures. One of the techniques used to create such models is data clustering, where patterns of data access are collected and grouped to create IDS rules. In this paper we focus on the development of a non-supervised IDS for protecting Web servers from attacks using malicious HTTP access patterns. We propose a heuristic method for assigning labels to groups considering simultaneously the source and the content of the HTTP requests. The proposed method is completely self-organized, and does not require configuration or signature updates to prepare the IDS to detect new forms of attacks. Our evaluation shows that the proposed method yields fewer false positive alerts when compared to similar non-supervised methods in the literature.
Keywords :
Internet; file servers; learning (artificial intelligence); security of data; self-adjusting systems; statistical analysis; transport protocols; HTTP access patterns; clustering-based method; data clustering; heuristic method; intrusion detection systems; nonsupervised IDS; nonsupervised learning; protecting Web servers; self-organizing system; self-protecting system; web servers; Clustering algorithms; Indexes; Intrusion detection; Measurement; Training; Web servers; Intrusion detection; anomaly-based detection; clustering; security;
Conference_Title :
Telecommunications (ICT), 2013 20th International Conference on
Conference_Location :
Casablanca
Print_ISBN :
978-1-4673-6425-6
DOI :
10.1109/ICTEL.2013.6632070