Spectrogram: A Mixture-of-Markov-Chains Model for Anomaly Detection in Web Traffic
Source: Columbia University
This paper presents a new model and sensor framework that offers a favorable balance under this constraint and demonstrates improvement over some existing approaches. Spectrogram is a network-situated sensor that dynamically assembles packets to reconstruct content flows and learns to recognize legitimate web-layer script input. The paper describes an efficient model for this task in the form of a mixture of Markov chains and derives the corresponding training algorithm. Its evaluations show significant detection results on an array of real-world web-layer attacks, comparing favorably against other anomaly detection (AD) approaches.