Using Amazon GenAI to classify HTTP logs

Model: Amazon Nova Micro 1.0

Area of interest: Cybersecurity

Overview

This use case focuses on classifying specific types of anomalies in HTTP server logs originating from the Akamai platform. Using the generative model Claude (via Amazon Bedrock), our platform processes potentially anomalous logs and classifies them into one of the following predefined categories:

Anomaly Types:

SQL Injection Attack – Indicates an attempt to manipulate backend databases by injecting SQL statements through the URL or input fields.
Unauthorized Access Attempt – Attempts to access protected resources (e.g., /admin, /wp-login.php) without proper authentication.
Server Configuration Error – Wrong configurations causing unexpected errors (e.g., frequent 500s or access denials due to misrules).
Server Overload due to High Traffic – Excessive requests from the same source or globally, leading to slow responses or 429 errors.
Unknown – Used when the entry doesn't match any known pattern or lacks sufficient context for confident classification.

Once classified, these log entries are routed to the appropriate internal teams for triage and mitigation.

The Use Case

Data collection and preparation

Set up the corresponding listener with logs collected from HTTP servers, capturing details such as request methods, URLs, status codes, timestamps, and user-agent strings.

Data structuring

Use the Parser action to prescreen Logs are pre-screened and identify unusual status codes that may indicate potential anomalies.

Initial filtering

A conditional action is used to route only ambiguous or potentially malicious entries to the GenAI model to reduce unnecessary inference costs. The following conditions are typically used:

Status codes such as 403, 429, 500
Suspicious endpoints such as /wp-login.php, /admin, /xmlrpc.php
Abnormal frequency from single IPs
Known suspicious user-agents (e.g., curl, python-requests)

Logs that match these criteria are passed to the Claude model in Amazon Bedrock with a prompt dynamically generated from log content.

Integration with AWS Bedrock

A prompt template like the following is used to query the model:

Process the model output

Based on the classification, the log is enriched and routed to the appropriate destination:

Unauthorized Access Attempt → Security Incident Response team
Server Configuration Error → Infrastructure team
Overload → Traffic Monitoring
SQL Injection → Threat Intelligence
Unknown → Stored for manual review or feedback loop

Send results

All enriched logs are indexed into a SIEM (e.g., Elastic, Splunk) and optionally annotated with tags like genai_result: overload.

PreviousClassifying Anomalies in HTTP Requests NextData Enrichment

Last updated 15 days ago

Was this helpful?

Overview

Anomaly Types:

SQL Injection Attack – Indicates an attempt to manipulate backend databases by injecting SQL statements through the URL or input fields.

Unauthorized Access Attempt – Attempts to access protected resources (e.g., /admin, /wp-login.php) without proper authentication.

Server Configuration Error – Wrong configurations causing unexpected errors (e.g., frequent 500s or access denials due to misrules).

Server Overload due to High Traffic – Excessive requests from the same source or globally, leading to slow responses or 429 errors.

Unknown – Used when the entry doesn't match any known pattern or lacks sufficient context for confident classification.

Once classified, these log entries are routed to the appropriate internal teams for triage and mitigation.

The Use Case

Data collection and preparation

Set up the corresponding listener with logs collected from HTTP servers, capturing details such as request methods, URLs, status codes, timestamps, and user-agent strings.

Data structuring

Use the Parser action to prescreen Logs are pre-screened and identify unusual status codes that may indicate potential anomalies.

Initial filtering

A conditional action is used to route only ambiguous or potentially malicious entries to the GenAI model to reduce unnecessary inference costs. The following conditions are typically used:

Status codes such as 403, 429, 500
Suspicious endpoints such as /wp-login.php, /admin, /xmlrpc.php
Abnormal frequency from single IPs
Known suspicious user-agents (e.g., curl, python-requests)

Logs that match these criteria are passed to the Claude model in Amazon Bedrock with a prompt dynamically generated from log content.

Integration with AWS Bedrock

A prompt template like the following is used to query the model:

Process the model output

Based on the classification, the log is enriched and routed to the appropriate destination:

Unauthorized Access Attempt → Security Incident Response team
Server Configuration Error → Infrastructure team
Overload → Traffic Monitoring
SQL Injection → Threat Intelligence
Unknown → Stored for manual review or feedback loop

Send results

All enriched logs are indexed into a SIEM (e.g., Elastic, Splunk) and optionally annotated with tags like genai_result: overload.