Using Amazon GenAI to classify HTTP logs


Last updated 3 days ago


Model: Amazon Nova Micro 1.0

Area of interest: Cybersecurity

Overview

This use case focuses on classifying specific types of anomalies in HTTP server logs originating from the Akamai platform. Using the generative model Claude (via Amazon Bedrock), our platform processes potentially anomalous logs and classifies them into one of the following predefined categories:

Anomaly Types:

  1. SQL Injection Attack – Indicates an attempt to manipulate backend databases by injecting SQL statements through the URL or input fields.

  2. Unauthorized Access Attempt – Attempts to access protected resources (e.g., /admin, /wp-login.php) without proper authentication.

  3. Server Configuration Error – Misconfigurations causing unexpected errors (e.g., frequent 500s, or access denials caused by misconfigured rules).

  4. Server Overload due to High Traffic – Excessive requests from the same source or globally, leading to slow responses or 429 errors.

  5. Unknown – Used when the entry doesn't match any known pattern or lacks sufficient context for confident classification.

Once classified, these log entries are routed to the appropriate internal teams for triage and mitigation.

The Use Case

1. Data collection and preparation

Set up the corresponding listener with logs collected from HTTP servers, capturing details such as request methods, URLs, status codes, timestamps, and user-agent strings.

2. Data structuring

Use the Parser action to pre-screen the logs and identify unusual status codes that may indicate potential anomalies.

3. Initial filtering

A conditional action is used to route only ambiguous or potentially malicious entries to the GenAI model to reduce unnecessary inference costs. The following conditions are typically used:

  • Status codes such as 403, 429, 500

  • Suspicious endpoints such as /wp-login.php, /admin, /xmlrpc.php

  • Abnormal frequency from single IPs

  • Known suspicious user-agents (e.g., curl, python-requests)

Logs that match these criteria are passed to the Claude model in Amazon Bedrock with a prompt dynamically generated from log content.

4. Integration with AWS Bedrock

A prompt template like the following is used to query the model:

5. Process the model output

Based on the classification, the log is enriched and routed to the appropriate destination:

  • Unauthorized Access Attempt → Security Incident Response team

  • Server Configuration Error → Infrastructure team

  • Overload → Traffic Monitoring

  • SQL Injection → Threat Intelligence

  • Unknown → Stored for manual review or feedback loop

6. Send results

All enriched logs are indexed into a SIEM (e.g., Elastic, Splunk) and optionally annotated with tags like genai_result: overload.
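The six steps above describe one pipeline: structure the raw logs, pre-filter them, query the model only for the suspicious subset, normalize the model's answer, and route the enriched record. The following Python is an added example of that pipeline and is not Onum's code or the page's prompt template. The sample log lines, the per-IP rate threshold, the short tag names written into `genai_result`, the prompt text in `build_prompt`, and the `keyword_classifier` stand-in are all assumptions made for the example; `bedrock_classifier` shows how the same `classify` callback would be backed by the Bedrock Converse API through boto3, and is only imported when called so the rest runs offline.

```python
import json
from collections import Counter
from typing import Callable, Dict, List

# Pre-filter conditions from step 3 (the rate threshold is an assumed value).
SUSPICIOUS_STATUS = {403, 429, 500}
SUSPICIOUS_PATHS = {"/wp-login.php", "/admin", "/xmlrpc.php"}
SUSPICIOUS_UA_PREFIXES = ("curl", "python-requests")
IP_RATE_THRESHOLD = 5  # requests from one client IP within the batch

# Page categories -> short tag for genai_result, and destination team from step 5.
CATEGORIES = {
    "SQL Injection Attack": "sql_injection",
    "Unauthorized Access Attempt": "unauthorized_access",
    "Server Configuration Error": "config_error",
    "Server Overload due to High Traffic": "overload",
    "Unknown": "unknown",
}
DESTINATIONS = {
    "unauthorized_access": "Security Incident Response",
    "config_error": "Infrastructure",
    "overload": "Traffic Monitoring",
    "sql_injection": "Threat Intelligence",
    "unknown": "Manual review",
}

# Constructed sample input (JSON lines), including one malformed line.
SAMPLE_LOGS = """\
{"ts":"2024-05-01T10:00:00Z","client_ip":"203.0.113.10","method":"GET","url":"/index.html","status":200,"user_agent":"Mozilla/5.0"}
{"ts":"2024-05-01T10:00:01Z","client_ip":"203.0.113.11","method":"POST","url":"/wp-login.php","status":403,"user_agent":"python-requests/2.31"}
{"ts":"2024-05-01T10:00:02Z","client_ip":"203.0.113.12","method":"GET","url":"/products?id=1' OR 1=1","status":500,"user_agent":"curl/8.0"}
{"ts":"2024-05-01T10:00:03Z","client_ip":"203.0.113.13","method":"GET","url":"/api/items","status":429,"user_agent":"Mozilla/5.0"}
{"ts":"2024-05-01T10:00:03Z","client_ip":"203.0.113.13","method":"GET","url":"/api/items","status":429,"user_agent":"Mozilla/5.0"}
{"ts":"2024-05-01T10:00:03Z","client_ip":"203.0.113.13","method":"GET","url":"/api/items","status":429,"user_agent":"Mozilla/5.0"}
{"ts":"2024-05-01T10:00:04Z","client_ip":"203.0.113.13","method":"GET","url":"/api/items","status":429,"user_agent":"Mozilla/5.0"}
{"ts":"2024-05-01T10:00:04Z","client_ip":"203.0.113.13","method":"GET","url":"/api/items","status":429,"user_agent":"Mozilla/5.0"}
{"ts":"2024-05-01T10:00:05Z","client_ip":"203.0.113.14","method":"GET","url":"/health","status":500,"user_agent":"Mozilla/5.0"}
this line is not JSON and is dropped by the parser
{"ts":"2024-05-01T10:00:06Z","client_ip":"203.0.113.15","method":"GET","url":"/about","status":200,"user_agent":"curl/8.0"}
"""


def parse_logs(text: str) -> List[Dict]:
    """Step 2: turn JSON lines into dicts with a normalized path and int status."""
    entries = []
    for line in text.splitlines():
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the batch
        e["path"] = e.get("url", "").split("?", 1)[0]
        e["status"] = int(e.get("status", 0))
        entries.append(e)
    return entries


def should_escalate(entry: Dict, ip_counts: Counter) -> bool:
    """Step 3: send only ambiguous or suspicious entries to the model."""
    ua = entry.get("user_agent", "").lower()
    return (
        entry["status"] in SUSPICIOUS_STATUS
        or entry["path"] in SUSPICIOUS_PATHS
        or ip_counts[entry.get("client_ip")] >= IP_RATE_THRESHOLD
        or ua.startswith(SUSPICIOUS_UA_PREFIXES)
    )


def build_prompt(entry: Dict, ip_count: int) -> str:
    """Step 4: a hypothetical prompt built from log fields (not the page's template)."""
    labels = "\n".join(f"- {c}" for c in CATEGORIES)
    return (
        "Classify this HTTP server log entry into exactly one category and "
        f"answer with the category name only:\n{labels}\n\n"
        f"method={entry.get('method')} url={entry.get('url')} status={entry['status']} "
        f"client_ip={entry.get('client_ip')} requests_from_ip_in_batch={ip_count} "
        f"user_agent={entry.get('user_agent')} timestamp={entry.get('ts')}"
    )


def normalize_result(model_text: str) -> str:
    """Step 5: map free-form model output onto a known tag; anything else is 'unknown'."""
    lowered = model_text.lower()
    for label, tag in CATEGORIES.items():
        if label.lower() in lowered:
            return tag
    return "unknown"


def process(text: str, classify: Callable[[str], str]) -> List[Dict]:
    """Steps 2-6: parse, pre-filter, classify escalated entries, enrich and route."""
    entries = parse_logs(text)
    ip_counts = Counter(e.get("client_ip") for e in entries)
    for e in entries:
        if should_escalate(e, ip_counts):
            tag = normalize_result(classify(build_prompt(e, ip_counts[e.get("client_ip")])))
            e["genai_result"] = tag            # the annotation the SIEM record carries
            e["destination"] = DESTINATIONS[tag]
        else:
            e["destination"] = "SIEM only"     # indexed without any inference call
    return entries


def bedrock_classifier(model_id: str, region: str = "us-east-1") -> Callable[[str], str]:
    """Classifier backed by the Bedrock Converse API (boto3 assumed installed)."""
    import boto3  # imported lazily so the module runs without AWS credentials
    client = boto3.client("bedrock-runtime", region_name=region)

    def classify(prompt: str) -> str:
        resp = client.converse(
            modelId=model_id,
            messages=[{"role": "user", "content": [{"text": prompt}]}],
            inferenceConfig={"maxTokens": 32, "temperature": 0},
        )
        return resp["output"]["message"]["content"][0]["text"]
    return classify


def keyword_classifier(prompt: str) -> str:
    """Offline stand-in for the model so the pipeline can be exercised without AWS."""
    p = prompt.lower()
    if "status=429" in p:
        return "Server Overload due to High Traffic"
    if "' or " in p:
        return "SQL Injection Attack"
    if any(path in p for path in SUSPICIOUS_PATHS):
        return "Unauthorized Access Attempt"
    if "status=500" in p:
        return "Server Configuration Error"
    return "Unknown"


if __name__ == "__main__":
    for rec in process(SAMPLE_LOGS, keyword_classifier):
        print(rec.get("client_ip"), rec["path"], rec["status"], rec.get("genai_result", "-"), rec["destination"])
```

Two points worth noting from the design: the pre-filter runs before any model call, so the benign `/index.html` hit never incurs inference cost, and `normalize_result` treats any answer that does not name one of the five categories as `unknown`, which keeps a rambling or malformed model response from routing a record to the wrong team instead of the manual-review queue.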