Anomaly Detection in XML-Structured SOAP Messages Using Tree-Based Association Rule Mining
Reyhaneh Ghassem Esfahani, Mohammad Abadollahi Azgomi, Reza Fathi

TL;DR
This paper introduces a novel tree-based association rule mining approach for detecting anomalies in XML-structured SOAP messages, enhancing Web service security by reducing false alarms and maintaining high detection rates.
Contribution
It proposes a new anomaly detection method using tree-based association rule mining on SOAP messages, addressing limitations of existing solutions.
Findings
Low false alarm rate achieved
High detection rate maintained
Effective in identifying Web service attacks
Abstract
Web services are software systems designed for supporting interoperable dynamic cross-enterprise interactions. The result of attacks on Web services can be catastrophic, causing the disclosure of enterprises' confidential data. As new approaches to attacking arise every day, anomaly detection systems seem to be invaluable tools in this context. The aim of this work has been to target the attacks that reside in the Web service layer and the extensible markup language (XML)-structured simple object access protocol (SOAP) messages. After studying the shortcomings of the existing solutions, a new approach for detecting anomalies in Web services is outlined. More specifically, the proposed technique illustrates how to identify anomalies by employing mining methods on XML-structured SOAP messages. This technique also takes advantage of tree-based association rule mining to extract…
Taxonomy
Topics: Network Security and Intrusion Detection · Software System Performance and Reliability · Network Packet Processing and Optimization
