MINES: Explainable Anomaly Detection through Web API Invariant Inference
Title: MINES: Achieving Explainable Anomaly Detection via Web API Invariant Inference
Abstract
Ensuring the reliability of web services is paramount, as web applications serve as critical infrastructure for both modern enterprises and government bodies. Consequently, detecting anomalies within these systems is essential. Today's web applications predominantly rely on web APIs, such as RESTful interfaces, SOAP, and WebSockets. While these APIs expose the application's functionality, that exposure also makes them a target for attacks and unauthorized access, which manifest as irregular system behavior.
A significant challenge in this domain is that anomalous logs often bear a striking resemblance to normal logs, frequently lacking the crucial contextual data stored in databases that would aid in differentiation. Moreover, log instances are often noisy, a factor that can cause state-of-the-art log learning solutions to identify spurious correlations. This leads to the development of superficial detection rules and models that lack robustness.
To address these issues, we introduce MINES, a novel approach that infers explainable API invariants at the schema level rather than relying on detailed raw log instances. This methodology offers two primary advantages: (1) it effectively filters out noise to pinpoint precise normal behaviors, and (2) it identifies abnormal activities that may not be explicitly captured in instrumented logs.
Technically, MINES operates through a multi-step process. First, it transforms API signatures into table schemas, thereby augmenting the original database schema. Second, it deduces potential database constraints on this enhanced schema to uncover latent relationships between APIs and database tables. Large Language Models (LLMs) are employed to extract these potential relationships based on provided table structures. Subsequently, normal log instances are utilized to validate these LLM-generated invariants, accepting valid ones and rejecting invalid ones. Finally, MINES converts these inferred constraints into invariants, generating Python code to verify runtime logs.
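As an added illustration (not the MINES authors' code, nor an artifact of the paper), the four steps in the paragraph above can be sketched in Python on constructed data: a hypothetical `POST /orders` API whose request parameters are treated as the columns of an augmented table, a hand-written list of candidate constraints standing in for the LLM-generated ones (one of them deliberately wrong), validation of those candidates against constructed normal logs, and generation of Python check code that is then run over constructed runtime logs. Every table name, column name, log entry, and constraint kind below is an assumption made for the example.

```python
# Added example, not the MINES authors' code. All names, tables, logs and
# constraint kinds below are constructed for illustration.
from typing import Any, Callable, Dict, List, Tuple

Row = Dict[str, Any]
Check = Callable[[Row, Dict[str, List[Row]]], bool]

# Constructed database state: two ordinary tables.
DB: Dict[str, List[Row]] = {
    "users": [{"id": 1, "role": "customer"}, {"id": 2, "role": "customer"}],
    "products": [{"id": 10, "price": 25.0}, {"id": 11, "price": 40.0}],
}

# Step 1: the signature of a hypothetical "POST /orders" API becomes a table
# whose columns are the request parameters; each log entry is one row of it.
NORMAL_LOGS: List[Row] = [  # constructed, assumed attack-free
    {"user_id": 1, "product_id": 10, "price": 25.0},
    {"user_id": 2, "product_id": 11, "price": 40.0},
    {"user_id": 1, "product_id": 11, "price": 40.0},
]

# Step 2: candidate constraints over the augmented schema. MINES asks an LLM
# for these; here they are hand-written stand-ins, one of them deliberately wrong.
CANDIDATES: Dict[str, Dict[str, Any]] = {
    "fk_user": {"kind": "foreign_key", "column": "user_id", "ref": ("users", "id")},
    "fk_product": {"kind": "foreign_key", "column": "product_id", "ref": ("products", "id")},
    "price_eq": {"kind": "equals_lookup", "column": "price", "key": "product_id",
                 "ref": ("products", "id", "price")},
    "bogus_eq": {"kind": "column_equals", "left": "user_id", "right": "product_id"},
}

def generate_check(constraint: Dict[str, Any]) -> str:
    """Step 4 (code generation): render a constraint as Python source for a
    check of the form `lambda log, db: bool`, where log is one API log row
    and db the database tables."""
    kind = constraint["kind"]
    if kind == "foreign_key":
        table, col = constraint["ref"]
        return (f"lambda log, db: any(r[{col!r}] == log[{constraint['column']!r}] "
                f"for r in db[{table!r}])")
    if kind == "equals_lookup":
        table, key_col, val_col = constraint["ref"]
        return (f"lambda log, db: any(r[{key_col!r}] == log[{constraint['key']!r}] "
                f"and r[{val_col!r}] == log[{constraint['column']!r}] for r in db[{table!r}])")
    if kind == "column_equals":
        return f"lambda log, db: log[{constraint['left']!r}] == log[{constraint['right']!r}]"
    raise ValueError(f"unknown constraint kind: {kind}")

def compile_check(constraint: Dict[str, Any]) -> Check:
    # The generated source is our own output, so evaluating it in a namespace
    # that exposes only `any` is acceptable here; a real deployment would write
    # the generated checks to a module file and import them.
    return eval(generate_check(constraint), {"__builtins__": {"any": any}})

def validate(candidates: Dict[str, Dict[str, Any]], normal_logs: List[Row],
             db: Dict[str, List[Row]]) -> Dict[str, Check]:
    """Step 3: keep only the candidates that hold on every normal log row."""
    accepted: Dict[str, Check] = {}
    for name, constraint in candidates.items():
        check = compile_check(constraint)
        if all(check(row, db) for row in normal_logs):
            accepted[name] = check
    return accepted

def detect(invariants: Dict[str, Check], runtime_logs: List[Row],
           db: Dict[str, List[Row]]) -> List[Tuple[int, str]]:
    """Run the accepted invariants over runtime logs and return
    (row index, invariant name) for every violation found."""
    violations: List[Tuple[int, str]] = []
    for idx, row in enumerate(runtime_logs):
        for name, check in invariants.items():
            if not check(row, db):
                violations.append((idx, name))
    return violations

RUNTIME_LOGS: List[Row] = [  # constructed
    {"user_id": 2, "product_id": 10, "price": 25.0},   # consistent with the database
    {"user_id": 2, "product_id": 10, "price": 1.0},    # price field inconsistent with `products`
    {"user_id": 99, "product_id": 11, "price": 40.0},  # user id that no row in `users` has
    {"user_id": 1, "product_id": 12, "price": 40.0},   # product id absent from `products`
]

if __name__ == "__main__":
    accepted = validate(CANDIDATES, NORMAL_LOGS, DB)
    print("accepted invariants:", sorted(accepted))  # bogus_eq is rejected
    for idx, name in detect(accepted, RUNTIME_LOGS, DB):
        print(f"row {idx} violates {name}: {generate_check(CANDIDATES[name])}")
```

Each flagged row comes with the generated source of the invariant it violated, which is the explainability the abstract refers to: the alert names the table relationship that broke rather than a score from an opaque model. Note that the `price_eq` check only fires because the database rows are available to the checker; the same tampered request is indistinguishable from a normal one when only the API log line is inspected, which is the gap the schema-level approach is meant to close.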
We conducted extensive evaluations of MINES against baselines such as LogRobust, LogFormer, and WebNorm, focusing on web-tamper attacks across benchmarks including TrainTicket, NiceFish, Gitea, Mastodon, and NextCloud. The findings demonstrate that MINES delivers high recall for anomalies while maintaining virtually zero false positives, establishing a new state-of-the-art in anomaly detection.
Source: arXiv Generated at: 2026-06-02 00:00:00 UTC