Protecting a Moving Target: Addressing Web Application Concept Drift
Source: University of California
Because of the ad hoc nature of web applications, intrusion detection systems that leverage machine learning techniques are particularly well-suited for protecting websites. The reason is that these systems are able to characterize the applications' normal behavior in an automated fashion. However, anomaly-based detectors for web applications suffer from false positives that are generated whenever the applications being protected change. These false positives need to be analyzed by the security officer who then has to interact with the web application developers to confirm that the reported alerts were indeed erroneous detections. In this paper, the authors propose a novel technique for the automatic detection of changes in web applications, which allows for the selective retraining of the affected anomaly detection models.