Using Amazon GenAI to classify HTTP logs
Last updated
Was this helpful?
Last updated
Was this helpful?
Model: Amazon Nova Micro 1.0
Area of interest: Cybersecurity
This use case focuses on classifying specific types of anomalies in HTTP server logs originating from the Akamai platform. Using the generative model Claude (via Amazon Bedrock), our platform processes potentially anomalous logs and classifies them into one of the following predefined categories:
SQL Injection Attack – Indicates an attempt to manipulate backend databases by injecting SQL statements through the URL or input fields.
Unauthorized Access Attempt – Attempts to access protected resources (e.g., /admin, /wp-login.php)
without proper authentication.
Server Configuration Error – Wrong configurations causing unexpected errors (e.g., frequent 500s or access denials due to misrules).
Server Overload due to High Traffic – Excessive requests from the same source or globally, leading to slow responses or 429 errors.
Unknown – Used when the entry doesn't match any known pattern or lacks sufficient context for confident classification.
Once classified, these log entries are routed to the appropriate internal teams for triage and mitigation.
A conditional action is used to route only ambiguous or potentially malicious entries to the GenAI model to reduce unnecessary inference costs. The following conditions are typically used:
Status codes such as 403, 429, 500
Suspicious endpoints such as /wp-login.php, /admin, /xmlrpc.php
Abnormal frequency from single IPs
Known suspicious user-agents (e.g., curl, python-requests)
Logs that match these criteria are passed to the Claude model in Amazon Bedrock with a prompt dynamically generated from log content.
Based on the classification, the log is enriched and routed to the appropriate destination:
Unauthorized Access Attempt → Security Incident Response team
Server Configuration Error → Infrastructure team
Overload → Traffic Monitoring
SQL Injection → Threat Intelligence
Unknown → Stored for manual review or feedback loop