User Behavior Embedding Based on TF-IDF and Response Size Variation for Web Shell Detection

Vol. 34, No. 6, pp. 1231-1238, Dec. 2024
DOI: 10.13089/JKIISC.2024.34.6.1231
Keywords: Anomaly Detection, Threat Detection, Access Log, Embedding, TF-IDF
Abstract

As the demand for web applications grows, the importance of security control increases, particularly for detecting web shell attacks that remotely access servers and execute malicious commands. Existing security measures, like web firewalls, can be bypassed and are vulnerable to unknown attacks. Therefore, an anomaly detection technique is needed to define normal behavior from log data and detect deviations. This study proposes a TF-IDF-based embedding technique to vectorize user behavior from web server access logs, thereby defining normal states and detecting anomalies, such as web shell attacks. The proposed method incorporates byte variation count to provide a more refined embedding of user behavior, enabling effective detection of abnormal states like web shell attacks.
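
A sketch of the idea in the abstract, added here as an illustration and not the authors' implementation: per-client TF-IDF over requested paths, scaled by a byte variation count (BVC). The abstract does not define BVC or how it is combined with TF-IDF; counting response-size changes between consecutive requests by the same client to the same URL, the `(1 + BVC)` multiplier, the distance-from-mean score and the log lines are all assumptions made for this example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample lines (common log format); not data from the paper.
LOG = """\
198.51.100.1 - - [01/Dec/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.1 - - [01/Dec/2024:10:00:05 +0000] "GET /login.php HTTP/1.1" 200 2048
198.51.100.2 - - [01/Dec/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.2 - - [01/Dec/2024:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.3 - - [01/Dec/2024:10:02:00 +0000] "GET /login.php HTTP/1.1" 200 2048
203.0.113.9 - - [01/Dec/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [01/Dec/2024:10:03:10 +0000] "POST /uploads/img.php HTTP/1.1" 200 312
203.0.113.9 - - [01/Dec/2024:10:03:20 +0000] "POST /uploads/img.php HTTP/1.1" 200 4877
203.0.113.9 - - [01/Dec/2024:10:03:30 +0000] "POST /uploads/img.php HTTP/1.1" 200 96
203.0.113.9 - - [01/Dec/2024:10:03:40 +0000] "POST /uploads/img.php HTTP/1.1" 200 15230
""".splitlines()
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} (\d+)$')

def parse(lines):
    """Yield (client, path, response_bytes) for each well-formed line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def embed(lines):
    """Return ({client: {path: weight}}, {(client, path): bvc})."""
    tf, last, bvc = defaultdict(Counter), {}, Counter()
    for client, path, size in parse(lines):
        tf[client][path] += 1
        key = (client, path)
        if key in last and last[key] != size:
            bvc[key] += 1          # response size changed for the same URL
        last[key] = size
    df = Counter(p for paths in tf.values() for p in paths)
    n = len(tf)
    vecs = {c: {p: (k / sum(paths.values())) * (math.log(n / df[p]) + 1)
                   * (1 + bvc[(c, p)])   # assumed way of folding BVC in
                for p, k in paths.items()} for c, paths in tf.items()}
    return vecs, bvc

def most_anomalous(vecs):
    """Client whose vector lies farthest from the mean of all vectors."""
    terms = {p for v in vecs.values() for p in v}
    mean = {p: sum(v.get(p, 0.0) for v in vecs.values()) / len(vecs) for p in terms}
    def dist(v):
        return math.sqrt(sum((v.get(p, 0.0) - mean[p]) ** 2 for p in terms))
    return max(vecs, key=lambda c: dist(vecs[c]))
```

On the sample, the client that repeatedly posts to one rarely requested script and receives a different response size each time ends up farthest from the other clients, while stable-size page views stay close to the mean.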

Cite this article
[IEEE Style]
김강문 and 이인섭, "User Behavior Embedding via TF-IDF-BVC for Web Shell Detection," Journal of The Korea Institute of Information Security and Cryptology, vol. 34, no. 6, pp. 1231-1238, 2024. DOI: 10.13089/JKIISC.2024.34.6.1231.

[ACM Style]
김강문 and 이인섭. 2024. User Behavior Embedding via TF-IDF-BVC for Web Shell Detection. Journal of The Korea Institute of Information Security and Cryptology, 34, 6, (2024), 1231-1238. DOI: 10.13089/JKIISC.2024.34.6.1231.