On-the-fly intrusion detection for Web portals

Remote access to distributed hyperlinked information proves to be one of the killer applications for computer networks. More and more content in current inter and intranets is available as hyperdata, a form easing its distribution and semantic organization. In the framework of the Internet´s Web-portals and pay-sites, mechanisms for login based on username and password enable the dynamic customization as well as partial protection of the content. In other applications (e.g. commercial intranets) various similar schemes of authentication are deployed. Nevertheless, stolen passwords are an easy avenue to identity theft, in both public and commercial data networks. Once a perpetrator enters a system, assuming an authorized user´s identity, the task of actually detecting this intrusion becomes non-trivial and is often ignored completely. Thus, in addition to the initial authentication step we propose a runtime intrusion detection mechanism, required to maintain a virtually continuous user authentication process and detect identity theft and password misuses. The current paper focuses on designing a pervasive intrusion detection method for hyperdata systems, based on training on and analyzing of access patterns to hyperlinked data, aiming at detecting intruders and raising a red flag at the content provider´s side. Our solution is based on a new technique, on-the-fly adaptive training for normality on streams of data access patterns. This enables runtime intrusion detection through analysis of correlations between current patterns and the adaptive past-knowledge. Such a method is to be used in conjunction with current username-password protection schemes. We introduce the motivation behind our solution, discuss the novel detection and training metrics and propose a real-life deployment design. We implement the main algorithm and perform experiments for assessing its intrusion detection ability, with very encouraging results. We also discuss the deployment of our method for detecting automatic spam-bot accesses.