Detecting the anomalies of web applications, important infrastructures for running modern companies and governments, is crucial for providing reliable web services. Many modern web applications operate on web APIs (e.g., RESTful, SOAP, and WebSockets), their exposure invites intended attacks or unintended illegal visits, causing abnormal system behaviors. However, such anomalies can share very similar logs with normal logs, missing crucial information (which could be in database) for log discrimination. Further, log instances can be also noisy, which can further mislead the state-of-the-art log learning solutions to learn spurious correlation, resulting superficial models and rules for anomaly detection. In this work, we propose MINES which infers explainable API invariants for anomaly detection from the schema level instead of detailed raw log instances, which can (1) significantly discriminate noise in logs to identify precise normalities and (2) detect abnormal behaviors beyond the instrumented logs. Technically, MINES (1) converts API signatures into table schema to enhance the original database shema; and (2) infers the potential database constraints on the enhanced database schema to capture the potential relationships between APIs and database tables. MINES uses LLM for extracting potential relationship based on two given table structures; and use normal log instances to reject and accept LLM-generated invariants. Finally, MINES translates the inferred constraints into invariants to generate Python code for verifying the runtime logs. We extensively evaluate MINES on web-tamper attacks on the benchmarks of TrainTicket, NiceFish, Gitea, Mastodon, and NextCloud against baselines such as LogRobust, LogFormer, and WebNorm. The results show that MINES achieves high recall for the anomalies while introducing almost zero false positives, indicating a new state-of-the-art.

翻译：检测Web应用的异常——作为现代企业和政府运行的重要基础设施——对于提供可靠的Web服务至关重要。许多现代Web应用基于Web API（如RESTful、SOAP和WebSockets）运行，其暴露性会招致预期攻击或意外非法访问，导致系统行为异常。然而，此类异常可能与正常日志共享高度相似的记录，缺失用于日志判别的关键信息（可能存在于数据库中）。此外，日志实例可能包含噪声，进一步误导现有最先进的日志学习方案学习虚假关联，从而产生用于异常检测的浅层模型与规则。本文提出MINES方法，从模式层面而非原始日志实例细节中推断可解释的API不变式用于异常检测，该方法能够：(1) 显著区分日志中的噪声以识别精确的正常行为；(2) 检测超出日志记录范围的异常行为。技术层面，MINES (1) 将API签名转换为表模式以增强原始数据库模式；(2) 在增强后的数据库模式上推断潜在的数据库约束，捕获API与数据库表之间的潜在关联。MINES利用大语言模型（LLM）基于两个给定表结构提取潜在关系，并通过正常日志实例拒绝或接受LLM生成的不变式。最终，MINES将推断的约束转化为不变式，生成用于验证运行时日志的Python代码。我们基于TrainTicket、NiceFish、Gitea、Mastodon及NextCloud基准测试中的Web篡改攻击，与LogRobust、LogFormer和WebNorm等基线方法进行对比评估。结果表明，MINES在实现异常高召回率的同时几乎零误报，达到了新的最先进水平。