Securing Your Transactions: Detecting Anomalous Patterns In XML Documents
Eitan Menahem, Alon Schclar, Lior Rokach, Yuval Elovici

TL;DR
This paper introduces XML-AD, a machine learning framework for detecting and localizing anomalies in XML transactions, demonstrating high accuracy on real datasets.
Contribution
The paper presents a novel XML anomaly detection framework with automatic feature extraction and a new multi-univariate detection algorithm, ADIFA.
Findings
Achieved over 89% true positive rate in anomaly detection.
False positive rate was kept below 0.2%.
Validated on four real-world XML datasets.
Abstract
XML transactions are used in many information systems to store data and interact with other systems. Abnormal transactions, the result of either an on-going cyber attack or the actions of a benign user, can potentially harm the interacting systems and therefore they are regarded as a threat. In this paper we address the problem of anomaly detection and localization in XML transactions using machine learning techniques. We present a new XML anomaly detection framework, XML-AD. Within this framework, an automatic method for extracting features from XML transactions was developed as well as a practical method for transforming XML features into vectors of fixed dimensionality. With these two methods in place, the XML-AD framework makes it possible to utilize general learning algorithms for anomaly detection. Central to the functioning of the framework is a novel multi-univariate anomaly…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Imbalanced Data Classification Techniques
