Detecting Malicious Behavior in Microservice Based Web Applications

Ozbek M., Sandıkkaya M. T.

27th Signal Processing and Communications Applications Conference (SIU), Sivas, Türkiye, 24 - 26 Nisan 2019 identifier identifier


Not only the increased complexity of the malicious acts on the Internet, but also the continuous increase of new attack methods compromise Internet-based services as a threat to the modern society. In this study, malicious behavior in a microservices-based web application is detected by measuring the patterns of CRUD (create, read, update, delete) access. The aim of this paper is to detect malicious users (or even the first malicious attempt of a trustworthy user) as soon as the action occurred according to the characteristics of the sequential use of microservices. The proposed approach renders OWASP Foundation's Top 10 critical web application security risks as possible attack vectors. Thus, a data set including such attacks together with mostly benign behavior is generated and measured on the microservices-based web application. The data set is then used to determine benign and malicious classes of behavior using RandomForest, NaiveBayes, J48, AdaBoost, ZeroR, Bagging, Logistic Regression and K-Star machine learning algorithms. The best malicious behavior detection accuracy encountered during experiments is an auspicious 99.36% using RandomForest classification algorithm. After the classification of malicious behavior, the respective user's further access to the microservices could be blocked to prevent the waste of resources.